chore(deps): update dependency ws to v8.17.1

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
ws	dependencies	minor	8.13.0 → 8.17.1

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	Vulnerability
High	7.5	CVE-2024-37890

---

Release Notes

websockets/ws (ws)

v8.17.1

Compare Source

Bug fixes

• Fixed a DoS vulnerability (#​2231).

A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in #​2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the
   --max-http-header-size=size and/or the maxHeaderSize options so
   that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

v8.17.0

Compare Source

Features

• The WebSocket constructor now accepts the createConnection option (#​2219).

Other notable changes

• The default value of the allowSynchronousEvents option has been changed to
  true (#​2221).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

v8.16.0

Compare Source

Features

• Added the autoPong option (01ba54e).

v8.15.1

Compare Source

Notable changes

• The allowMultipleEventsPerMicrotask option has been renamed to
  allowSynchronousEvents (4ed7fe5).

This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn't already been widely used.

v8.15.0

Compare Source

Features

• Added the allowMultipleEventsPerMicrotask option (93e3552).

v8.14.2

Compare Source

Bug fixes

• Fixed an issue that allowed errors thrown by failed assertions to be
  swallowed when running tests (7f4e1a7).

v8.14.1

Compare Source

Bug fixes

• Improved the reliability of two tests for CITGM (fd3c64c).

v8.14.0

Compare Source

Features

• The WebSocket constructor now accepts HTTP(S) URLs (#​2162).
• The socket argument of server.handleUpgrade() can now be a generic
  Duplex stream (#​2165).

Other notable changes

• At most one event per microtask is now emitted (#​2160).

---

• If you want to rebase/retry this PR, check this box

[mend-for-github-com]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json