Skip to content

chore(deps): bump ws, engine.io, socket.io-adapter and engine.io-client#160

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-801e4935c0
Open

chore(deps): bump ws, engine.io, socket.io-adapter and engine.io-client#160
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-801e4935c0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps ws to 8.21.1 and updates ancestor dependencies ws, engine.io, socket.io-adapter and engine.io-client. These dependencies need to be updated together.

Updates ws from 8.19.0 to 8.21.1

Release notes

Sourced from ws's releases.

8.21.1

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c0).
  • The default values of the maxBufferedChunks and maxFragments options have been reduced (f197ac65).

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

... (truncated)

Commits
  • ae1de54 [dist] 8.21.1
  • 8e9511b [ci] Trust Coveralls Homebrew tap
  • f197ac6 [fix] Lower default values of maxBufferedChunks and maxFragments
  • 8df8265 [ci] Update actions/checkout action to v7
  • a2f4e7c [fix] Count empty fragments toward the limit (#2329)
  • e79f912 [pkg] Approve install scripts for bufferutil and utf-8-validate
  • 4ea355d [doc] Document 32-bit signed integer coercion for option values
  • 2120f4c [example] Remove uuid dependency
  • 4c534a6 [security] Add latest vulnerability to SECURITY.md
  • bca91ad [dist] 8.21.0
  • Additional commits viewable in compare view

Updates engine.io from 6.6.5 to 6.6.9

Release notes

Sourced from engine.io's releases.

engine.io@6.6.9

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

Dependencies

Commits
  • 9dbec81 chore(release): engine.io@6.6.9
  • 3ad4e1f docs: improve example with PM2
  • 0e5afee docs: add example with PM2
  • eab9623 docs(eio): correct maxHttpBufferSize default in JSDoc (#5508)
  • c17890c docs: add documentation about WebTransport
  • 20df6ae docs(examples): add client-side load balancing example
  • 16d1923 ci(publish): enable staged publishing
  • ad48a9b docs(examples): add example with HTTP/2
  • 190572d refactor(eio-client): remove XMLHttpRequest from the definition file
  • fad463c docs(examples): fix duplicate self messages (#5341)
  • Additional commits viewable in compare view

Updates socket.io-adapter from 2.5.6 to 2.5.8

Release notes

Sourced from socket.io-adapter's releases.

socket.io-adapter@2.5.8

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

socket.io-adapter@2.5.7

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

Bug Fixes

  • do not skip local broadcast when publishAndReturnOffset throws (#5457) (f630158)
Commits
  • ac83bfa chore(release): socket.io-adapter@2.5.8
  • 22cc483 chore(release): engine.io-client@6.6.6
  • 9dbec81 chore(release): engine.io@6.6.9
  • 3ad4e1f docs: improve example with PM2
  • 0e5afee docs: add example with PM2
  • eab9623 docs(eio): correct maxHttpBufferSize default in JSDoc (#5508)
  • c17890c docs: add documentation about WebTransport
  • 20df6ae docs(examples): add client-side load balancing example
  • 16d1923 ci(publish): enable staged publishing
  • ad48a9b docs(examples): add example with HTTP/2
  • Additional commits viewable in compare view

Updates engine.io-client from 6.6.4 to 6.6.6

Release notes

Sourced from engine.io-client's releases.

engine.io-client@6.6.6

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

Bug Fixes

Dependencies

engine.io-client@6.6.5

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

Dependencies

Commits
  • 22cc483 chore(release): engine.io-client@6.6.6
  • 9dbec81 chore(release): engine.io@6.6.9
  • 3ad4e1f docs: improve example with PM2
  • 0e5afee docs: add example with PM2
  • eab9623 docs(eio): correct maxHttpBufferSize default in JSDoc (#5508)
  • c17890c docs: add documentation about WebTransport
  • 20df6ae docs(examples): add client-side load balancing example
  • 16d1923 ci(publish): enable staged publishing
  • ad48a9b docs(examples): add example with HTTP/2
  • 190572d refactor(eio-client): remove XMLHttpRequest from the definition file
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 23, 2026
Bumps [ws](https://github.com/websockets/ws) to 8.21.1 and updates ancestor dependencies [ws](https://github.com/websockets/ws), [engine.io](https://github.com/socketio/socket.io), [socket.io-adapter](https://github.com/socketio/socket.io) and [engine.io-client](https://github.com/socketio/socket.io). These dependencies need to be updated together.


Updates `ws` from 8.19.0 to 8.21.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.19.0...8.21.1)

Updates `engine.io` from 6.6.5 to 6.6.9
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/engine.io@6.6.5...engine.io@6.6.9)

Updates `socket.io-adapter` from 2.5.6 to 2.5.8
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/socket.io-adapter@2.5.6...socket.io-adapter@2.5.8)

Updates `engine.io-client` from 6.6.4 to 6.6.6
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io/compare/engine.io-client@6.6.4...engine.io-client@6.6.6)

---
updated-dependencies:
- dependency-name: engine.io
  dependency-version: 6.6.9
  dependency-type: indirect
- dependency-name: engine.io-client
  dependency-version: 6.6.6
  dependency-type: indirect
- dependency-name: socket.io-adapter
  dependency-version: 2.5.8
  dependency-type: indirect
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-801e4935c0 branch from 57c21d4 to ceec7f3 Compare July 15, 2026 08:35
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants