build(deps): bump the npm_and_yarn group across 1 directory with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: mocha, web3, webpack and tough-cookie.

Updates mocha from 7.2.0 to 10.7.3

Release notes

Sourced from mocha's releases.

v10.7.3

10.7.3 (2024-08-09)

🩹 Fixes

• make release-please build work (#5194) (afd66ef)

v10.7.2

10.7.2 (2024-08-06)

📚 Documentation

• improve filtering (#5191) (1ac5b55)

🧹 Chores

• fix failing markdown linting (#5193) (7e7a2ec)

v10.7.1

10.7.1 (2024-08-06)

🩹 Fixes

• crash with --parallel and --retries both enabled (#5173) (d7013dd)

🧹 Chores

• add knip to validate included dependencies (5c2989f)
• more fully remove assetgraph-builder and canvas (#5175) (1883c41)
• replace nps with npm scripts (#5128) (c44653a), closes #5126

v10.7.0

What's Changed

• feat: add option to not fail on failing test suite by @​ilgonmic in mochajs/mocha#4771

New Contributors

• @​ilgonmic made their first contribution in mochajs/mocha#4771

Full Changelog: mochajs/mocha@v10.6.1...v10.7.0

v10.6.1

What's Changed

• fix: do not exit when only unref'd timer is present in test code by @​boneskull in mochajs/mocha#3825
• fix: support canonical module by @​JacobLey in mochajs/mocha#5040

... (truncated)

Changelog

Sourced from mocha's changelog.

10.7.3 (2024-08-09)

🩹 Fixes

• make release-please build work (#5194) (afd66ef)

10.7.2 (2024-08-06)

📚 Documentation

• improve filtering (#5191) (1ac5b55)

🧹 Chores

• fix failing markdown linting (#5193) (7e7a2ec)

10.7.1 (2024-08-06)

🩹 Fixes

• crash with --parallel and --retries both enabled (#5173) (d7013dd)

🧹 Chores

• add knip to validate included dependencies (5c2989f)
• more fully remove assetgraph-builder and canvas (#5175) (1883c41)
• replace nps with npm scripts (#5128) (c44653a), closes #5126

10.7.0 / 2024-07-20

🎉 Enhancements

• #4771 feat: add option to not fail on failing test suite (@​ilgonmic)

10.6.1 / 2024-07-20

🐛 Fixes

• #3825 fix: do not exit when only unref'd timer is present in test code (@​boneskull)
• #5040 fix: support canonical module (@​JacobLey)

10.6.0 / 2024-07-02

🎉 Enhancements

... (truncated)

Commits

• d5766c8 chore(main): release 10.7.3 (#5195)
• afd66ef fix: make release-please build work (#5194)
• 9e0a4bd chore(main): release 10.7.2 (#5192)
• 7e7a2ec chore: fix failing markdown linting (#5193)
• 1ac5b55 docs: improve filtering (#5191)
• 1528c42 chore(main): release 10.7.1 (#5189)
• d7013dd fix: crash with --parallel and --retries both enabled (#5173)
• 5c2989f chore: add knip to validate included dependencies
• a777fd1 ci: automate releases (#5186)
• ac5574e ci: update to windows-latest in actions (#5185)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.

Updates web3 from 1.2.6 to 1.5.3

Release notes

Sourced from web3's releases.

web3-eth@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-eth@4.0.0-alpha.0

web3-core-requestmanager@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-core-requestmanager@4.0.0-alpha.0

web3-providers-http@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-providers-http@4.0.0-alpha.0

web3-providers-base@1.0.0-alpha.1

Changed

• Update version to 1.0.0-alpha.1 for web3-providers-base
• Update version to 4.0.0-alpha.0 for web3-utils in web3-providers-base

web3-utils@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-utils@4.0.0-alpha.0

web3-packagetemplate@1.0.0-alpha.0

Initial alpha release

Install with yarn add web3-packagetemplate@1.0.0-alpha.0

Changelog

Sourced from web3's changelog.

[1.2.6]

Added

• Görli testnet ENS registry added to the known registries (#3338)

Changed

• ENS registry addresses updated (#3353, https://medium.com/the-ethereum-name-service/ens-registry-migration-bug-fix-new-features-64379193a5a)

[1.2.7]

Added

• Add revert reason support to sendSignedTransaction (#3345)
• ENS module extended with the possibility to add a custom registry (#3301)
• Missing ENS Registry methods and Resolver.supportsInterface method added (#3325)
• Add optional gas type to AbiItem typescript definitions (for ABIs generated by Vyper) (#3437)
• Add görli testnet ENS registry to the known registries (#3252)
• Add auto-reconnect option for Websockets (#3092, #1085, #1391, #1558, #1852, #1646)

Changed

• Ensure '0x' prefix is existing for Accounts.sign and Accounts.privateKeyToAccount (#3041)
• Repository cleanup (#3443)
  • Removed old docs/_build folder
  • Removed old bower and meteor artifacts
  • Moved logo assets to own folder
  • Moved github assets to own folder
  • Remove @​types/node from (non-dev) dependency tree (#3965, #3227)
• Please note: Geth v1.9.12 contains a breaking change for eth_call that will not default to your first account anymore if from is not set. If a sender is not explicitly defined, the eth_call will be executed from address(0). (#3467)
  • This was done to avoid the same input behaving differently in different environments. You should never do eth_call without explicitly setting a sender.
  • This means that if you're calling view methods that refer to a msg.sender without explicitly setting a from address in your request options, you may see unexpected behavior.
  • In web3.js, the from address can be specified on a per-call basis or by setting the defaultAccount property.

Fixed

• Add missing subscription.on('connected') TS type definition (#3319)
• Add missing bignumber.js dependency for TS types (#3386)
• Upgrade swarm-js to 0.1.40 to remove npm vulnerability warning (#3399)
• Upgrade devDeps to resolve security warnings (#3464)
  • dtslint 0.4.2 => 3.4.1
  • definitelytyped-header-parser 1.0.1 => 3.9.0
• Race-condition when subscribing to historical logs as first client request (#3389)
• Fix crash when using Web-Workers by removing any-promise dependency (#3377 #2211 #1774)
• MaxListenersExceededWarning event emitter warning mitigated (#1648)

[1.2.8]

Added

... (truncated)

Commits

• c82db7a npm i and build for v1.5.3
• 7f525d8 v1.5.3
• 7fcb2ff v1.5.3-rc.0
• ac9aafd Build for 1.5.3-rc.0
• a58173b Update CHANGELOG for 1.5.3 release
• 3f5cb38 signTransaction fix (#4295)
• c70722b EIP-1559 Fix Issue #4258 (#4277)
• 1547b18 Bump maxPriorityFeePerGas to 2.5 Gwei - Closes #4283 (#4284)
• 8e8785e Junaid/1xlibsfix (#4231)
• 44b72f8 Release 1.5.2 (#4242)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by spacesailor, a new releaser for web3 since your current version.

Updates webpack from 3.12.0 to 5.95.0

Release notes

Sourced from webpack's releases.

v5.95.0

Bug Fixes

• Fixed hanging when attempting to read a symlink-like file that it can't read
• Handle default for import context element dependency
• Merge duplicate chunks call after split chunks
• Generate correctly code for dynamically importing the same file twice and destructuring
• Use content hash as [base] and [name] for extracted DataURI's
• Distinguish module and import in module-import for externals import's
• [Types] Make EnvironmentPlugin default values types less strict
• [Types] Typescript 5.6 compatibility

New Features

• Add new optimization.avoidEntryIife option (true by default for the production mode)
• Pass output.hash* options to loader context

Performance

• Avoid unneeded re-visit in build chunk graph

v5.94.0

Bug Fixes

• Added runtime condition for harmony reexport checked
• Handle properly data/http/https protocols in source maps
• Make bigint optimistic when browserslist not found
• Move @​types/eslint-scope to dev deps
• Related in asset stats is now always an array when no related found
• Handle ASI for export declarations
• Mangle destruction incorrect with export named default properly
• Fixed unexpected asi generation with sequence expression
• Fixed a lot of types

New Features

• Added new external type "module-import"
• Support webpackIgnore for new URL() construction
• [CSS] @import pathinfo support

Security

• Fixed DOM clobbering in auto public path

v5.93.0

Bug Fixes

• Generate correct relative path to runtime chunks
• Makes DefinePlugin quieter under default log level
• Fixed mangle destructuring default in namespace import

... (truncated)

Commits

• e20fd63 chore(release): 5.95.0
• 4866b0d feat: added new optimization.entryIife option
• d90f692 fix: merge duplicate chunks after split chunks
• 90dec30 fix(externals): distinguish “module” and “import” in “module-import”
• c1a0a46 fix(externals): distinguish “module” and “import” in “module-import”
• 14d8fa8 fix: all tests cases
• dae16ad feat: pass output.hash* options to loader context
• 75d185d feat: pass output.hash* options to loader context
• 46e0b9c test: update
• 8e62f9f test
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.

Updates json5 from 0.5.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

v1.0.1

This release includes a bug fix and minor change.

• Fix: parse throws on unclosed objects and arrays.

• New: package.json5 has been removed until an easier way to keep it in sync with package.json is found.

v1.0.0

This release includes major internal changes and public API enhancements.

• Major JSON5 officially supports Node.js v4 and later. Support for Node.js v0.10 and v0.12 have been dropped.

• New: Unicode property names and Unicode escapes in property names are supported. (#1)

• New: stringify outputs trailing commas in objects and arrays when a space option is provided. (#66)

• New: JSON5 allows line and paragraph separator characters (U+2028 and U+2029) in strings in order to be compatible with JSON. However, ES5 does not allow these characters in strings, so JSON5 gives a warning when they are parsed and escapes them when they are stringified. (#70)

• New: stringify accepts an options object as its second argument. The supported options are replacer, space, and a new quote option that specifies the quote character used in strings. (#71)

• New: The CLI supports STDIN and STDOUT and adds --out-file, --space, and --validate options. See json5 --help for more information. (#72, #84, and #108)

• New: In addition to the white space characters space \t, \v, \f, \n, \r, and \xA0, the additional white space characters \u2028, \u2029, and all other characters in the Space Separator Unicode category are allowed.

• New: In addition to the character escapes \', \", \\, \b, \f, \n, \r, and \t, the additional character escapes \v and \0, hexadecimal escapes like \x0F, and unnecessary escapes like \a are allowed in string values and string property names.

• New: stringify outputs strings with single quotes by default but intelligently uses double quotes if there are more single quotes than double quotes inside the string. (i.e. stringify('Stay here.') outputs 'Stay here.' while stringify('Let\'s go.') outputs "Let's go.")

... (truncated)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

• a62db1e 1.0.2
• e0c23fe docs: update CHANGELOG for v1.0.2
• 62a6540 fix: add proto to objects and arrays
• 072eb40 1.0.1
• e7bdcd1 Update CHANGELOG for v1.0.1
• 342d575 Remove package.json5 file
• 0336c9c Fix unclosed object and array bug
• 25929ab Fix typo in API documentation
• 607c18f Readme: fix typo in attribution. [skip ci]
• 1d64ece 1.0.0
• Additional commits viewable in compare view

Updates braces from 2.3.2 to 3.0.3

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

• The undocumented .makeRe method was removed

Non-breaking changes

• Caching was removed

Commits

• See full diff in compare view

Updates elliptic from 6.3.3 to 6.5.4

Commits

• 43ac7f2 6.5.4
• f4bc72b package: bump deps
• 441b742 ec: validate that a point before deriving keys
• e71b2d9 lib: relint using eslint
• 8421a01 build(deps): bump elliptic from 6.4.1 to 6.5.3 (#231)
• 8647803 6.5.3
• 856fe4d signature: prevent malleability and overflows
• 6048941 6.5.2
• 9984964 package: bump dependencies
• ec735ed utils: leak less information in getNAF()
• Additional commits viewable in compare view

Updates flat from 4.1.1 to 5.0.2

Commits

• e5ffd66 Release 5.0.2
• fdb79d5 Update dependencies, refresh lockfile, format with standard.
• e52185d Test against node 14 in CI.
• 0189cb1 Avoid arrow function syntax.
• f25d3a1 Release 5.0.1
• 54cc7ad use standard formatting
• 779816e drop dependencies
• 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
• a61a554 Bump acorn from 7.1.0 to 7.4.0
• 20ef0ef Fix prototype pollution on unflatten
• Additional commits viewable in compare view

Updates got from 7.1.0 to 9.6.0

Release notes

Sourced from got's releases.

v9.6.0

• Add init hook (#683) 677d0a4
• Add beforeError hook (#696) 29ffb44

sindresorhus/got@v9.5.1...v9.6.0

v9.5.1

• Fix memory leak when using socket timeout and keepalive agent (#694) 203dadc
• Fix strange timing data for HTTP requests d136e61
• Correctly preserve original status code when returning cached responses d136e61

sindresorhus/got@v9.5.0...v9.5.1

v9.5.0

• Remove error thrown for URLs with auth component (#676) 5d20a43
• Upgrade dependencies a1eadfe

sindresorhus/got@v9.4.0...v9.5.0

v9.4.0

• Add ability to specify which network error codes to retry on. 9f3a099
• Add Got options onto responses and errors. 33b838f
• Correctly clear socket timeout on error. c8e358f

sindresorhus/got@v9.3.2...v9.4.0

v9.3.2

• No new timeouts after an error. sindresorhus/got@d8dd881
• Fix the retry math. sindresorhus/got@07b3ce5

sindresorhus/got@v9.3.1...v9.3.2

v9.3.1

• Don't override headers defined in the url argument when it's an object. 191e00a
• Don't set content-length header when upload body size is null. 311b184

sindresorhus/got@v9.3.0...v9.3.1

v9.3.0

• Add option to allow defaults to be mutable. b392f60
• Add beforeRedirect, beforeRetry, and afterResponse hooks. 325409c
• Retry on a few more errors. fbaaa2a
• Include body property in HTTPError. fdc0fa6
• Transform user set headers to lowercase. a07b2be
• Support Electron renderer timings. 25f18be

sindresorhus/got@v9.2.0...v9.3.0

v9.2.2

• Gracefully handle invalid Location redirect URLs. (#605) 7ae6939

... (truncated)

Commits

• a45e071 9.6.0
• 29ffb44 Add beforeError hook (#696)
• 677d0a4 Add init hook (#683)
• e2d3602 Bump XO
• 6ce603e 9.5.1
• 203dadc Fix memory leak when using socket timeout and keepalive agent (#694)
• 73428f9 Add superagent to the comparison table (#691)
• d136e61 Update dependencies
• 877a6c1 Remove badge labels from the Comparison section
• 5653c1a Add failing test for #687 (#688)
• Additional commits viewable in compare view

Removes tough-cookie

Updates web3 from 1.5.3 to 4.14.0

Release notes

Sourced from web3's releases.

web3-eth@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-eth@4.0.0-alpha.0

web3-core-requestmanager@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-core-requestmanager@4.0.0-alpha.0

web3-providers-http@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-providers-http@4.0.0-alpha.0

web3-providers-base@1.0.0-alpha.1

Changed

• Update version to 1.0.0-alpha.1 for web3-providers-base
• Update version to 4.0.0-alpha.0 for web3-utils in web3-providers-base

web3-utils@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-utils@4.0.0-alpha.0

web3-packagetemplate@1.0.0-alpha.0

Initial alpha release

Install with yarn add web3-packagetemplate@1.0.0-alpha.0

Changelog

Sourced from web3's changelog.

[1.2.6]

Added

• Görli testnet ENS registry added to the known registries (#3338)

Changed

• ENS registry addresses updated (#3353, https://medium.com/the-ethereum-name-service/ens-registry-migration-bug-fix-new-features-64379193a5a)

[1.2.7]

Added

• Add revert reason support to sendSignedTransaction (#3345)
• ENS module extended with the possibility to add a custom registry (#3301)
• Missing ENS Registry methods and Resolver.supportsInterface method added (#3325)
• Add optional gas type to AbiItem typescript definitions (for ABIs generated by Vyper) (#3437)
• Add görli testnet ENS registry to the known registries (#3252)
• Add auto-reconnect option for Websockets (#3092, #1085, #1391, #1558, #1852, #1646)

Changed

• Ensure '0x' prefix is existing for Accounts.sign and Accounts.privateKeyToAccount (#3041)
• Repository cleanup (#3443)
  • Removed old docs/_build folder
  • Removed old bower and meteor artifacts
  • Moved logo assets to own folder
  • Moved github assets to own folder
  • Remove @​types/node from (non-dev) dependency tree (#3965, #3227)
• Please note: Geth v1.9.12 contains a breaking change for eth_call that will not default to your first account anymore if from is not set. If a sender is not explicitly defined, the eth_call will be executed from address(0). (#3467)
  • This was done to avoid the same input behaving differently in different environments. You should never do eth_call without explicitly setting a sender.
  • This means that if you're calling view methods that refer to a msg.sender without explicitly setting a from address in your request options, you may see unexpected behavior.
  • In web3.js, the from address can be specified on a per-call basis or by setting the defaultAccount property.

Fixed

• Add missing subscription.on('connected') TS type definition (#3319)
• Add missing bignumber.js dependency for TS types (#3386)
• Upgrade swarm-js to 0.1.40 to remove npm vulnerability warning (#3399)
• Upgrade devDeps to resolve security warnings (#3464)
  • dtslint 0.4.2 => 3.4.1
  • definitelytyped-header-parser 1.0.1 => 3.9.0
• Race-condition when subscribing to historical logs as first client request (#3389)
• Fix crash when using Web-Workers by removing any-promise dependency (#3377 #2211 #1774)
• MaxListenersExceededWarning event emitter warning mitigated (#1648)

[1.2.8]

Added

... (truncated)

Commits

• c82db7a npm i and build for v1.5.3
• 7f525d8 v1.5.3
• 7fcb2ff v1.5.3-rc.0
• ac9aafd Build for 1.5.3-rc.0
• a58173b Update CHANGELOG for 1.5.3 release
• 3f5cb38 signTransaction fix (#4295)
• c70722b EIP-1559 Fix Issue #4258 (#4277)
• 1547b18 Bump maxPriorityFeePerGas to 2.5 Gwei - Closes #4283 (#4284)
• 8e8785e Junaid/1xlibsfix (#4231)
• 44b72f8 Release 1.5.2 (#4242)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by spacesailor, a new releaser for web3 since your current version.

Updates yargs-parser from 7.0.0 to 20.2.9

Release notes

Sourced from yargs-parser's releases.

yargs-parser yargs-parser-v20.2.9

Bug Fixes

• build: fixed automated release pipeline (1fe9135)

yargs-parser yargs-parser-v20.2.8

Bug Fixes

• deno: force relese for Deno (6687c97)
• locale: Turkish camelize and decamelize issues with toLocaleLowerCase/toLocaleUpperCase (2617303)
• perf: address slow parse when using unknown-options-as-args (#394) (441f059)
• string-utils: detect [0,1] ranged values as numbers (#388) (efcc32c)

yargs-parser yargs-parser-v15.0.3

Bug Fixes

• build: should use releases_created when using manifest (49ea4ef)

yargs-parser yargs-parser-v15.0.2

Bug Fixes

• perf: address slow parse when using unknown-options-as-args (#400) (bc387ec)

Changelog

Sourced from yargs-parser's changelog.

20.2.9 (2021-06-20)

Bug Fixes

• build: fixed automated release pipeline (1fe9135)

20.2.8 (2021-06-20)

Bug Fixes

• locale: Turkish camelize and decamelize issues with toLocaleLowerCase/toLocaleUpperCase (2617303)
• perf: address slow parse when using unknown-options-as-args (#394) (441f059)
• string-utils: detect [0,1] ranged values as numbers (#388) (efcc32c)

20.2.7 (2021-03-10)

Bug Fixes

• deno: force release for Deno (6687c97)

20.2.6 (2021-02-22)

Bug Fixes

• populate--: -- should always be array (#354) (585ae8f)

20.2.5 (2021-02-13)

Bug Fixes

• do not lowercase camel cased string (#348) (5f4da1f)

20.2.4 (2020-11-09)

Bug Fixes

• deno: address import issues in Deno (#339) (3b54e5e)

20.2.3 (2020-10-16)

Bug Fixes

• exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#336) (3ae7242)

... (truncated)

Commits

• 3859e74 chore: release main (#404)
• 1fe9135 fix(build): fixed automated release pipeline
• 9eb9c2f chore: release main (#398)
• 4b9e134 build: should be releases_created
• 441f059 fix(perf): address slow parse when using unknown-options-as-args (#394)
• fb22816 build: switch from master to main
• a0a0814 build: switch to manifest based releases (#396)
• 088481c docs: fix typos in README.md (#379)
• 6877a2d test: add test for optimized output (#373)
• 2cfab05 refactor: quote properties used for meta-programming
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.

Updates ws from 3.3.3 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits

• 976c53c [dist] 8.18.0
• 59b9629 [feature] Add support for Blob (#2229)
• 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
• 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• `@dependabot unignore <dependency name...

Description has been truncated

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Unstable ownership	npm/call-bound@1.0.3	Author: ljharb	package-lock.json	🚫
New author	npm/diff@5.2.0	New Author: explodingcabbage Previous Author: kpdecker	package-lock.json	🚫
New author	npm/browserify-rsa@4.1.1	New Author: ljharb Previous Author: cwmma	package-lock.json	🚫
New author	npm/hash-base@3.0.5	New Author: ljharb Previous Author: fanatid	package-lock.json	🚫
Unstable ownership	npm/cipher-base@1.0.6	Author: ljharb	package-lock.json	🚫
New author	npm/express@4.21.2	New Author: jonchurch Previous Author: ulisesgascon	package-lock.json	🚫

View full report↗︎

Next steps

What is unstable ownership?

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.

Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/call-bound@1.0.3
• @SocketSecurity ignore npm/diff@5.2.0
• @SocketSecurity ignore npm/browserify-rsa@4.1.1
• @SocketSecurity ignore npm/hash-base@3.0.5
• @SocketSecurity ignore npm/cipher-base@1.0.6
• @SocketSecurity ignore npm/express@4.21.2

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@noble/hashes@1.7.0	None	0	924 kB	paulmillr
npm/ansi-colors@4.1.3 🔁 npm/ansi-colors@3.2.3	None	0	26.1 kB	jonschlinkert
npm/browserify-rsa@4.1.1 🔁 npm/browserify-rsa@4.1.0	None	+1	42.8 kB	ljharb
npm/call-bind-apply-helpers@1.0.1	None	0	0 B
npm/call-bound@1.0.3	None	+3	90 kB	ljharb
npm/camelcase@6.3.0 🔁 npm/camelcase@5.3.1	None	0	11.7 kB	sindresorhus
npm/cipher-base@1.0.6 🔁 npm/cipher-base@1.0.4	None	0	17.8 kB	ljharb
npm/cliui@7.0.4 🔁 npm/cliui@5.0.0	None	+5	98.6 kB	oss-bot
npm/cookie@0.7.1 🔁 npm/cookie@0.6.0	None	0	23.3 kB	blakeembrey
npm/debug@4.3.7 🔁 npm/debug@3.2.6	None	+1	48.8 kB	qix
npm/diff@5.2.0 🔁 npm/diff@3.5.0	None	0	429 kB	explodingcabbage
npm/dunder-proto@1.0.1	None	+1	22.9 kB	ljharb
npm/elliptic@6.6.1 🔁 npm/elliptic@6.5.7	None	0	120 kB	indutny
npm/es-define-property@1.0.1 🔁 npm/es-define-property@1.0.0	None	0	10.2 kB	ljharb
npm/ethereum-bloom-filters@1.2.0 🔁 npm/ethereum-bloom-filters@1.0.10	None	0	20.3 kB	joshstevens19
npm/express@4.21.2 🔁 npm/express@4.21.0	None	+1	227 kB	jonchurch
npm/flat@5.0.2 🔁 npm/flat@4.1.1	None	0	26.6 kB	timoxley
npm/get-proto@1.0.1	None	0	10.8 kB	ljharb
npm/is-unicode-supported@0.1.0	None	0	3.54 kB	sindresorhus
npm/log-symbols@4.1.0 🔁 npm/log-symbols@3.0.0	None	+4	68.1 kB	sindresorhus
npm/math-intrinsics@1.1.0	None	0	17.3 kB	ljharb
npm/mocha@10.7.3 🔁 npm/mocha@7.2.0	eval	+12	2.86 MB	voxpelli
npm/nan@2.22.0 🔁 npm/nan@2.20.0	None	0	1.14 MB	kkoopa, rvagg
npm/node-gyp-build@4.8.4 🔁 npm/node-gyp-build@4.8.2	None	0	13.9 kB	mafintosh
npm/path-to-regexp@0.1.12 🔁 npm/path-to-regexp@0.1.10	None	0	6.6 kB	blakeembrey
npm/psl@1.15.0 🔁 npm/psl@1.9.0	None	0	712 kB	lupomontero
npm/secp256k1@4.0.4 🔁 npm/secp256k1@4.0.3	None	+1	2.2 MB	fanatid
npm/serialize-javascript@6.0.2	None	0	16.9 kB	redonkulus
npm/side-channel-list@1.0.0	None	0	14.7 kB	ljharb
npm/side-channel-map@1.0.1	None	0	13.3 kB	ljharb
npm/side-channel-weakmap@1.0.2	None	0	14.7 kB	ljharb
npm/workerpool@6.5.1	eval	0	374 kB	josdejong
npm/wrap-ansi@7.0.0 🔁 npm/wrap-ansi@5.1.0	None	+2	44.5 kB	sindresorhus
npm/y18n@5.0.8 🔁 npm/y18n@4.0.3	None	0	23.4 kB	oss-bot
npm/yargs-parser@20.2.9 🔁 npm/yargs-parser@13.1.2	filesystem	0	124 kB	oss-bot
npm/yargs-unparser@2.0.0 🔁 npm/yargs-unparser@1.6.0	None	+2	21.5 kB	oss-bot
npm/yargs@16.2.0 🔁 npm/yargs@13.3.2	None	0	286 kB	oss-bot
npm/yocto-queue@0.1.0	None	0	6.03 kB	sindresorhus

🚮 Removed packages: npm/array.prototype.reduce@1.0.7, npm/bindings@1.5.0, npm/data-view-buffer@1.0.1, npm/data-view-byte-length@1.0.1, npm/data-view-byte-offset@1.0.0, npm/es-array-method-boxes-properly@1.0.0, npm/file-uri-to-path@1.0.0, npm/growl@1.10.5, npm/is-buffer@2.0.5, npm/is-data-view@1.0.1, npm/node-environment-flags@1.0.6, npm/object.getownpropertydescriptors@2.1.8, npm/possible-typed-array-names@1.0.0, npm/readdirp@3.2.0, npm/require-main-filename@2.0.0, npm/wide-align@1.1.3

View full report↗︎

[mikesposito]

@dependabot rebase

[dependabot]

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.