[Snyk] Upgrade: commander, koa-compress, ws #2
Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

- commander: from 5.1.0 to 12.1.0 (35 versions ahead of your current version), released on 2024-05-18 (4 months ago). ⚠️ This is a major version upgrade, and may be a breaking change.
- koa-compress: from 4.0.1 to 5.1.1 (4 versions ahead of your current version), released on 2023-04-09 (a year ago). ⚠️ This is a major version upgrade, and may be a breaking change.
- ws: from 7.5.10 to 8.18.0 (30 versions ahead of your current version), released on 2024-07-03 (3 months ago). ⚠️ This is a major version upgrade, and may be a breaking change.
Release notes
Package name: commander

12.1.0 - 2024-05-18
Added
- auto-detect special node flags `node --eval` and `node --print` when call `.parse()` with no arguments (#2164)
Changed
- prefix require of Node.js core modules with `node:` (#2170)
- format source files with Prettier (#2180)
- switch from StandardJS to directly calling ESLint for linting (#2153)
- extend security support for previous major version of Commander (#2150)
Removed
- removed unimplemented Option.fullDescription from TypeScript definition (#2191)

12.0.0 - 2024-02-03
Added
- `.addHelpOption()` as another way of configuring built-in help option (#2006)
- `.helpCommand()` for configuring built-in help command (#2087)
Fixed
- Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
- Breaking: check `passThroughOptions` constraints when using `.addCommand` and throw if parent command does not have `.enablePositionalOptions()` enabled (#1937)
Changed
- Breaking: Commander 12 requires Node.js v18 or higher (#2027)
- Breaking: throw an error if add an option with a flag which is already in use (#2055)
- Breaking: throw an error if add a command with name or alias which is already in use (#2059)
- Breaking: throw error when calling `.storeOptionsAsProperties()` after setting an option value (#1928)
- replace non-standard JSDoc of `@api private` with documented `@private` (#1949)
- `.addHelpCommand()` now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
- refactor internal implementation of built-in help option (#2006)
- refactor internal implementation of built-in help command (#2087)
Deprecated
- `.addHelpCommand()` passing string or boolean (use `.helpCommand()` or pass a Command) (#2087)
Removed
- Breaking: removed default export of a global Command instance from CommonJS (use the named `program` export instead) (#2017)
Migration Tips
global program
If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).
option and command clashes
A couple of configuration problems now throw an error, which will pick up issues in existing programs:
- adding an option which uses the same flag as a previous option
- adding a command which uses the same name or alias as a previous command

12.0.0-1 - 2024-01-19
Added
- `.addHelpOption()` as another way of configuring built-in help option (#2006)
- `.helpCommand()` for configuring built-in help command (#2087)
Changed
- `.addHelpCommand()` now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
- refactor internal implementation of built-in help option (#2006)
- refactor internal implementation of built-in help command (#2087)
Deprecated
- `.addHelpCommand()` passing string or boolean (use `.helpCommand()` or pass a Command) (#2087)

12.0.0-0 - 2023-11-11
Fixed
- Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
- Breaking: check `passThroughOptions` constraints when using `.addCommand` and throw if parent command does not have `.enablePositionalOptions()` enabled (#1937)
Changed
- Breaking: Commander 12 requires Node.js v18 or higher (#2027)
- Breaking: throw an error if add an option with a flag which is already in use (#2055)
- Breaking: throw an error if add a command with name or alias which is already in use (#2059)
- Breaking: throw error when calling `.storeOptionsAsProperties()` after setting an option value (#1928)
- replace non-standard JSDoc of `@api private` with documented `@private` (#1949)
Removed
- Breaking: removed default export of a global Command instance from CommonJS (use the named `program` export instead) (#2017)
Migration Tips
global program
If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).
option and command clashes
A couple of configuration problems now throw an error, which will pick up issues in existing programs:
- adding an option which uses the same flag as a previous option
- adding a command which uses the same name or alias as a previous command

11.1.0 - 2023-10-13
Fixed
- TypeScript: update `OptionValueSource` to allow any string, to match supported use of custom sources (#1983)
- TypeScript: add that `Command.version()` can also be used as getter (#1982)
- TypeScript: add null return type to `Commands.executableDir()`, for when not configured (#1965)
- subcommands with an executable handler and only a short help flag are now handled correctly by the parent's help command (#1930)
Added
- `registeredArguments` property on `Command` with the array of defined `Argument` (like `Command.options` for `Option`) (#2010)
- TypeScript declarations for Option properties: `envVar`, `presetArg` (#2019)
- TypeScript declarations for Argument properties: `argChoices`, `defaultValue`, `defaultValueDescription` (#2019)
- example file which shows how to configure help to display any custom usage in the list of subcommands (#1896)
Changed
- (developer) refactor TypeScript configs for multiple use-cases, and enable checks in JavaScript files in supporting editors (#1969)
Deprecated
- `Command._args` was private anyway, but now available as `registeredArguments` (#2010)

11.0.0 - 2023-06-16
Fixed
- help command works when help option is disabled (#1864)
- leading and trailing spaces are now ignored by the .arguments() method (#1874)
- refine "types" exports for ESM to follow TypeScript guidelines (#1886)
Changed
- Breaking: Commander 11 requires Node.js v16 or higher

10.0.1 - 2023-04-15
Added
- improvements to documentation (#1858, #1859, #1860)
Fixed
- remove unused `Option.optionFlags` property from TypeScript definition (#1844)
Changed
- assume boolean option intended if caller passes string instead of hash to `.implies()` (#1854)

10.0.0 - 2023-01-14
Added
- wrap command description in help (#1804)
Changed
- Breaking: Commander 10 requires Node.js v14 or higher

9.5.0 - 2023-01-07
Added
- `.getOptionValueSourceWithGlobals()` (#1832)
- `showGlobalOptions` for `.configureHelp{}` and `Help` (#1828)

9.4.1 - 2022-09-30
Fixed
- `.setOptionValue()` now also clears option source (#1795)
- TypeScript: add `implied` to `OptionValueSource` for option values set by using `.implies()` (#1794)
- TypeScript: add `undefined` to return type of `.getOptionValueSource()` (#1794)
Changed
- additions to README

9.4.0 - 2022-07-15

9.3.0 - 2022-05-28

9.2.0 - 2022-04-15

9.1.0 - 2022-03-18

9.0.0 - 2022-01-29

9.0.0-1 - 2022-01-14

9.0.0-0 - 2021-12-22

8.3.0 - 2021-10-22

8.2.0 - 2021-09-10

8.1.0 - 2021-07-27

8.0.0 - 2021-06-25

8.0.0-2 - 2021-06-06

8.0.0-1 - 2021-05-31

8.0.0-0 - 2021-05-22

7.2.0 - 2021-03-21

7.1.0 - 2021-02-15

7.0.0 - 2021-01-15

7.0.0-2 - 2020-12-14

7.0.0-1 - 2020-11-21

7.0.0-0 - 2020-10-25

6.2.1 - 2020-12-14

6.2.0 - 2020-10-25

6.1.0 - 2020-08-28

6.0.0 - 2020-07-19

6.0.0-0 - 2020-06-20

5.1.0 - 2020-04-25

from commander GitHub release notes
Package name: koa-compress

5.1.1 - 2023-04-09

5.1.0 - 2021-08-18

5.0.1 - 2020-07-06
- fix: fixed test usage to use constants 7b14215
- zlib deprecation prevention (#119) 22c434c
v5.0.0...v5.0.1

5.0.0 - 2020-07-06
- PR 110: new default (#120) da9833d
- Revert "Use identity as default value for Accept-Encoding if it is blank or not provided (#110)" 0139443
- Use identity as default value for Accept-Encoding if it is blank or not provided (#110) 3d4c0ac
4.0.1...v5.0.0

4.0.1 - 2020-04-30
- fix issue with state being preserved between requests
See: af3da29
Thanks @patrickhulce

from koa-compress GitHub release notes
Package name: ws

8.18.0 - 2024-07-03
Features
- Added support for `Blob` (#2229).

8.17.1 - 2024-06-16
Bug fixes
- Fixed a DoS vulnerability (#2231).

  A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

  ```js
  const http = require('http');
  const WebSocket = require('ws');

  const wss = new WebSocket.Server({ port: 0 }, function () {
    const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
    const headers = {};
    let count = 0;

    for (let i = 0; i < chars.length; i++) {
      if (count === 2000) break;
    }

    headers.Connection = 'Upgrade';
    headers.Upgrade = 'websocket';
    headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
    headers['Sec-WebSocket-Version'] = '13';

    const request = http.request({
      headers: headers,
      host: '127.0.0.1',
      port: wss.address().port
    });

    request.end();
  });
  ```

  The vulnerability was reported by Ryan LaPointe in #2230.

  In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options so that no more headers than the `server.maxHeadersCount` limit can be sent.
  2. Set `server.maxHeadersCount` to `0` so that no limit is applied.
8.17.0 - 2024-04-28
Features
- The `WebSocket` constructor now accepts the `createConnection` option (#2219).
Other notable changes
- The default value of the `allowSynchronousEvents` option has been changed to `true` (#2221). This is a breaking change in a patch release. The assumption is that the option is not widely used.

8.16.0 - 2023-12-26
Features
- Added the `autoPong` option (01ba54e).

8.15.1 - 2023-12-12
Notable changes
- The `allowMultipleEventsPerMicrotask` option has been renamed to `allowSynchronousEvents` (4ed7fe5). This is a breaking change in a patch release that could have been avoided with an alias, but the renamed option was added only 3 days ago, so hopefully it hasn't already been widely used.

8.15.0 - 2023-12-09
Features
- Added the `allowMultipleEventsPerMicrotask` option (93e3552).

8.14.2 - 2023-09-19
Bug fixes
- Fixed an issue that allowed errors thrown by failed assertions to be swallowed when running tests (7f4e1a7).

8.14.1 - 2023-09-08

8.14.0 - 2023-09-06

8.13.0 - 2023-03-10

8.12.1 - 2023-02-13

8.12.0 - 2023-01-07

8.11.0 - 2022-11-06

8.10.0 - 2022-10-24

8.9.0 - 2022-09-22

8.8.1 - 2022-07-15

8.8.0 - 2022-06-09

8.7.0 - 2022-05-26

8.6.0 - 2022-05-01

8.5.0 - 2022-02-07

8.4.2 - 2022-01-14

8.4.1 - 2022-01-13

8.4.0 - 2021-12-20

8.3.0 - 2021-11-23

8.2.3 - 2021-10-02

8.2.2 - 2021-09-08

8.2.1 - 2021-08-28

8.2.0 - 2021-08-18

8.1.0 - 2021-08-11

8.0.0 - 2021-07-28

7.5.10 - 2024-06-16
Bug fixes
- Backported e55e510 to the 7.x release line (22c2876).

from ws GitHub release notes

Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: