chore(deps): update dependency ws to v8.20.1 #6

Merged

rosa merged 1 commit from renovate/ws-8.x-lockfile into v4

2026-05-28 08:01:57 +00:00

rosa commented

2026-05-28 08:01:56 +00:00

Owner

This PR contains the following updates:

Package	Change	Age	Confidence
ws	`8.20.0` → `8.20.1`

Release Notes

websockets/ws (ws)

`v8.20.1`

Compare Source

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close()
(c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [ws](https://github.com/websockets/ws) | [`8.20.0` → `8.20.1`](https://renovatebot.com/diffs/npm/ws/8.20.0/8.20.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.20.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.20.0/8.20.1?slim=true) | --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v8.20.1`](https://github.com/websockets/ws/releases/tag/8.20.1) [Compare Source](https://github.com/websockets/ws/compare/8.20.0...8.20.1) ### Bug fixes - Fixed an uninitialized memory disclosure issue in `websocket.close()` ([`c0327ec`](https://github.com/websockets/ws/commit/c0327ec1)). Providing a `TypedArray` (e.g. `Float32Array`) as the `reason` argument for `websocket.close()`, rather than the supported string or `Buffer` types, caused uninitialized memory to be disclosed to the remote peer. ```js import { deepStrictEqual } from 'node:assert'; import { WebSocket, WebSocketServer } from 'ws'; const wss = new WebSocketServer( { port: 0, skipUTF8Validation: true }, function () { const { port } = wss.address(); const ws = new WebSocket(`ws://localhost:${port}`, { skipUTF8Validation: true }); ws.on('close', function (code, reason) { deepStrictEqual(reason, Buffer.alloc(80)); }); } ); wss.on('connection', function (ws) { ws.close(1000, new Float32Array(20)); }); ``` The issue was privately reported by [Nikita Skovoroda](https://github.com/ChALkeR). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

rosa added 1 commit

2026-05-28 08:01:56 +00:00