chore(deps): bump the npm_and_yarn group across 14 directories with 3 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /frontend directory: ws.
Bumps the npm_and_yarn group with 1 update in the /lib/database/local directory: hono.
Bumps the npm_and_yarn group with 1 update in the /lib/database/smdb directory: hono.
Bumps the npm_and_yarn group with 1 update in the /lib/database/ssmdb2 directory: hono.
Bumps the npm_and_yarn group with 2 updates in the /lib/database/tableWatcher directory: ws and hono.
Bumps the npm_and_yarn group with 1 update in the /lib/endpoints directory: qs.
Bumps the npm_and_yarn group with 1 update in the /ranges/log directory: ws.
Bumps the npm_and_yarn group with 2 updates in the /ranges/merge directory: ws and qs.
Bumps the npm_and_yarn group with 2 updates in the /screens/evaluations directory: ws and qs.
Bumps the npm_and_yarn group with 1 update in the /screens/images directory: qs.
Bumps the npm_and_yarn group with 1 update in the /screens/screenCast directory: ws.
Bumps the npm_and_yarn group with 2 updates in the /screens/screenManager directory: ws and qs.
Bumps the npm_and_yarn group with 2 updates in the /serverState/runner directory: ws and qs.
Bumps the npm_and_yarn group with 1 update in the /syncTime directory: ws.

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates hono from 4.12.18 to 4.12.23

Release notes

Sourced from hono's releases.

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in honojs/hono#4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in honojs/hono#4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in honojs/hono#4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in honojs/hono#4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in honojs/hono#4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in honojs/hono#4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in honojs/hono#4957

New Contributors

• @​renatograsso10 made their first contribution in honojs/hono#4912
• @​LeSingh1 made their first contribution in honojs/hono#4951
• @​ATOM00blue made their first contribution in honojs/hono#4955
• @​na-trium-144 made their first contribution in honojs/hono#4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

... (truncated)

Commits

• 83bfb3b 4.12.23
• bcd290a fix(utils/ipaddr): do not compress a single 0 group to :: (#4971)
• c968177 feat(compress): add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_R...
• 0265a54 docs(contribution): add AI Usage Policy (#4970)
• c84c5d2 feat(context): export the Context class publicly (#4543)
• 82dad62 fix(serve-static): normalize all backslashes in file paths, not just the firs...
• 2f01b77 4.12.22
• 6bc0dff feat: add msgpack as a compressible content type (#4957)
• 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
• f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
• Additional commits viewable in compare view

Updates hono from 4.12.18 to 4.12.23

Release notes

Sourced from hono's releases.

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in honojs/hono#4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in honojs/hono#4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in honojs/hono#4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in honojs/hono#4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in honojs/hono#4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in honojs/hono#4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in honojs/hono#4957

New Contributors

• @​renatograsso10 made their first contribution in honojs/hono#4912
• @​LeSingh1 made their first contribution in honojs/hono#4951
• @​ATOM00blue made their first contribution in honojs/hono#4955
• @​na-trium-144 made their first contribution in honojs/hono#4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

... (truncated)

Commits

• 83bfb3b 4.12.23
• bcd290a fix(utils/ipaddr): do not compress a single 0 group to :: (#4971)
• c968177 feat(compress): add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_R...
• 0265a54 docs(contribution): add AI Usage Policy (#4970)
• c84c5d2 feat(context): export the Context class publicly (#4543)
• 82dad62 fix(serve-static): normalize all backslashes in file paths, not just the firs...
• 2f01b77 4.12.22
• 6bc0dff feat: add msgpack as a compressible content type (#4957)
• 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
• f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
• Additional commits viewable in compare view

Updates hono from 4.12.18 to 4.12.23

Release notes

Sourced from hono's releases.

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in honojs/hono#4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in honojs/hono#4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in honojs/hono#4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in honojs/hono#4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in honojs/hono#4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in honojs/hono#4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in honojs/hono#4957

New Contributors

• @​renatograsso10 made their first contribution in honojs/hono#4912
• @​LeSingh1 made their first contribution in honojs/hono#4951
• @​ATOM00blue made their first contribution in honojs/hono#4955
• @​na-trium-144 made their first contribution in honojs/hono#4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

... (truncated)

Commits

• 83bfb3b 4.12.23
• bcd290a fix(utils/ipaddr): do not compress a single 0 group to :: (#4971)
• c968177 feat(compress): add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_R...
• 0265a54 docs(contribution): add AI Usage Policy (#4970)
• c84c5d2 feat(context): export the Context class publicly (#4543)
• 82dad62 fix(serve-static): normalize all backslashes in file paths, not just the firs...
• 2f01b77 4.12.22
• 6bc0dff feat: add msgpack as a compressible content type (#4957)
• 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
• f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
• Additional commits viewable in compare view

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates hono from 4.12.18 to 4.12.23

Release notes

Sourced from hono's releases.

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in honojs/hono#4970
• feat(compress): add contentTypeFilter option and COMPRESSIBLE_CONTENT_TYPE_REGEX re-export by @​na-trium-144 in honojs/hono#4961
• fix(utils/ipaddr): do not compress a single 0 group to :: by @​yusukebe in honojs/hono#4971

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in honojs/hono#4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in honojs/hono#4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in honojs/hono#4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in honojs/hono#4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in honojs/hono#4957

New Contributors

• @​renatograsso10 made their first contribution in honojs/hono#4912
• @​LeSingh1 made their first contribution in honojs/hono#4951
• @​ATOM00blue made their first contribution in honojs/hono#4955
• @​na-trium-144 made their first contribution in honojs/hono#4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

... (truncated)

Commits

• 83bfb3b 4.12.23
• bcd290a fix(utils/ipaddr): do not compress a single 0 group to :: (#4971)
• c968177 feat(compress): add contentTypeFilter option and `COMPRESSIBLE_CONTENT_TYPE_R...
• 0265a54 docs(contribution): add AI Usage Policy (#4970)
• c84c5d2 feat(context): export the Context class publicly (#4543)
• 82dad62 fix(serve-static): normalize all backslashes in file paths, not just the firs...
• 2f01b77 4.12.22
• 6bc0dff feat: add msgpack as a compressible content type (#4957)
• 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
• f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
• Additional commits viewable in compare view

Updates qs from 6.15.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates qs from 6.15.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates qs from 6.15.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates qs from 6.15.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (