Skip to content

Bump ws, web3 and @oasisprotocol/sapphire-paratime #1976

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Bump ws, web3 and @oasisprotocol/sapphire-paratime #1976

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 31, 2025
edited
Loading

Bumps ws to 8.17.1 and updates ancestor dependencies ws, web3 and @oasisprotocol/sapphire-paratime. These dependencies need to be updated together.

Updates ws from 8.5.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • 934c9d6 [ci] Test on node 22
  • 1817bac [ci] Do not test on node 21
  • 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
  • e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
  • Additional commits viewable in compare view

Updates web3 from 1.10.4 to 4.16.0

Release notes

Sourced from web3's releases.

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Changed

  • Update version to 1.0.0-alpha.1 for web3-providers-base
  • Update version to 4.0.0-alpha.0 for web3-utils in web3-providers-base

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Initial alpha release

Install with yarn add [email protected]

Changelog

Sourced from web3's changelog.

[4.16.0]

Fixed

web3

  • Export Web3Account, Wallet and signature related types. (#7374)

web3-utils

  • Make fromWei return "0" when input is 0 (#7387)

Removed

web3-eth-accounts

  • Move signature related types to web3-types. Re-export them for backwards compatibility. (#7374)

Added

web3-types

  • Add signature related types. (#7374)
  • Updated Typescript version 4 -> 5 (#7272)

web3-eth-accounts

  • Updated Typescript version 4 -> 5 (#7272)

web3

  • Updated Typescript version 4 -> 5 (#7272)

web3-core

  • Updated Typescript version 4 -> 5 (#7272)

web3-account-abstraction

  • RC release

web3-errors

  • Updated Typescript version 4 -> 5 (#7272)

web3-eth

  • Updated Typescript version 4 -> 5 (#7272)

web3-eth-contract

... (truncated)

Commits

Updates @oasisprotocol/sapphire-paratime from 1.3.2 to 2.2.0

Commits
  • b3436ea Merge pull request #586 from oasisprotocol/matevz/feature/clients-js-2.2.0
  • 76f5938 clients/js: Prepare 2.2.0 release
  • a150088 Merge pull request #555 from oasisprotocol/matevz/features/eth-compatible-net...
  • 2d460ec clients/js: Make NETWORKS compatible with wallet_addEthereumChain
  • bfc0d00 Merge pull request #584 from oasisprotocol/lw/fix-nonsapphire
  • 01451a2 clients/js: Make it easier to debug fetch error that rainbowkit swallows
  • 6f77a5a clients/js: Improve error on fetch public key from non-sapphire chains
  • 834fe36 clients/js: Don't throw on eth_chainId request on non-sapphire chain
  • 1d91782 Merge pull request #575 from oasisprotocol/matevz/feature/wagmi-v2-2.1.0
  • 89caf0b integrations/wagmi-v2: Prepare 2.1.0 release
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 31, 2025
@dependabot dependabot bot added javascript Pull requests that update Javascript code dependencies Pull requests that update a dependency file labels Jul 31, 2025
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-a50d5c8bba branch 4 times, most recently from fb0ba54 to f4c6a5c Compare August 1, 2025 10:56
@giurgiur99
Copy link
Contributor

giurgiur99 commented Aug 5, 2025

@dependabot recreate

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-a50d5c8bba branch 5 times, most recently from e643ef1 to e6f8d23 Compare August 7, 2025 07:07
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-a50d5c8bba branch from e6f8d23 to 5593e3f Compare August 12, 2025 13:38
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-a50d5c8bba branch 2 times, most recently from 68362a1 to c9f524b Compare August 27, 2025 05:39
@dependabot
Bump ws, web3 and @oasisprotocol/sapphire-paratime
17b42f4 
Bumps [ws](https://github.com/websockets/ws) to 8.17.1 and updates ancestor dependencies [ws](https://github.com/websockets/ws), [web3](https://github.com/ChainSafe/web3.js) and [@oasisprotocol/sapphire-paratime](https://github.com/oasisprotocol/sapphire-paratime). These dependencies need to be updated together.


Updates `ws` from 8.5.0 to 8.17.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.5.0...8.17.1)

Updates `web3` from 1.10.4 to 4.16.0
- [Release notes](https://github.com/ChainSafe/web3.js/releases)
- [Changelog](https://github.com/web3/web3.js/blob/4.x/CHANGELOG.md)
- [Commits](web3/web3.js@v1.10.4...v4.16.0)

Updates `@oasisprotocol/sapphire-paratime` from 1.3.2 to 2.2.0
- [Release notes](https://github.com/oasisprotocol/sapphire-paratime/releases)
- [Commits](oasisprotocol/sapphire-paratime@clients/js/v1.3.2...clients/js/v2.2.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.17.1
  dependency-type: indirect
- dependency-name: web3
  dependency-version: 4.16.0
  dependency-type: indirect
- dependency-name: "@oasisprotocol/sapphire-paratime"
  dependency-version: 2.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-a50d5c8bba branch from c9f524b to 17b42f4 Compare August 28, 2025 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mihaisc mihaisc Awaiting requested review from mihaisc mihaisc is a code owner

@alexcos20 alexcos20 Awaiting requested review from alexcos20 alexcos20 is a code owner

@bogdanfazakas bogdanfazakas Awaiting requested review from bogdanfazakas bogdanfazakas is a code owner

@mariacarmina mariacarmina Awaiting requested review from mariacarmina

@giurgiur99 giurgiur99 Awaiting requested review from giurgiur99 giurgiur99 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@giurgiur99