[dist] Update dependency ws to v3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
ws	devDependencies	major	^0.8.0 -> ^3.0.0

GitHub Vulnerability Alerts

CVE-2016-10518

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes.

CVE-2016-10542

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

GHSA-5v72-xg48-5rpm / WS-2017-0421

Affected version of ws (0.2.6--3.3.0) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

---

Release Notes

websockets/ws

v3.3.1

Compare Source

Bug fixes

• Fixed a DoS vulnerability (c4fe466).

A specially crafted value of the Sec-WebSocket-Extensions header that
used Object.prototype property names as extension or parameter names
could be used to make a ws server crash.

const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', `Sec-WebSocket-Extensions: ${payload}`, 'Upgrade: websocket', '\r\n' ].join('\r\n'); const socket = net.connect(3000, function () { socket.resume(); socket.write(request); }); });

The vulnerability has been privately reported by Nick Starke and
Ryan Knell of Sonatype Security Research and promptly fixed. Please
update now!

---

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot. View repository job log here.

[renovate]

PR has been edited

👷 This PR has received other commits, so Renovate will stop updating it to avoid conflicts or other problems. If you wish to abandon your changes and have Renovate start over you may click the "rebase" checkbox in the PR body/description.

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@acdbec0). Click here to learn what that means.
The diff coverage is n/a.

@@ Coverage Diff @@ ## master #1361 +/- ## ========================================= Coverage ? 92.35% ========================================= Files ? 6 Lines ? 314 Branches ? 0 ========================================= Hits ? 290 Misses ? 24 Partials ? 0

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update acdbec0...4241a39. Read the comment docs.