This repository was archived by the owner on Feb 12, 2021. It is now read-only.

build(deps): bump websocket-extensions from 0.1.3 to 0.1.4 in /docs #1

Open: wants to merge 330 commits into base: master


@dependabot dependabot bot commented on behalf of github Jun 28, 2020

Bumps websocket-extensions from 0.1.3 to 0.1.4.

Changelog

Sourced from websocket-extensions's changelog.

0.1.4 / 2020-06-02

  • Remove a ReDoS vulnerability in the header parser (CVE-2020-7662, reported by Robert McLaughlin)
  • Change license from MIT to Apache 2.0
Commits
  • 8efd0cd Bump version to 0.1.4
  • 3dad4ad Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser
  • 4a76c75 Add Node versions 13 and 14 on Travis
  • 44a677a Formatting change: {...} should have spaces inside the braces
  • f6c50ab Let npm reformat package.json
  • 2d211f3 Change markdown formatting of docs.
  • 0b62083 Update Travis target versions.
  • 729a465 Switch license to Apache 2.0.
  • See full diff in compare view

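One way to confirm the bump is actually needed and complete, as an added example (not Dependabot's or the project's code): scan a parsed npm `package-lock.json` for copies of websocket-extensions older than 0.1.4, the release the changelog above says removed the ReDoS. The lockfile layouts, the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
const PKG = "websocket-extensions";
const FIXED = "0.1.4"; // release that removed the ReDoS (CVE-2020-7662), per the changelog

// Compare two x.y.z versions; pre-release/build suffixes are ignored (assumption).
function cmp(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

const isOld = (meta) => typeof meta.version === "string" && cmp(meta.version, FIXED) < 0;

// Return every copy of PKG below FIXED in a parsed package-lock.json, with its location.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split("node_modules/").pop() === PKG && isOld(meta)) {
        hits.push({ where: path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree; transitive copies hide here.
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PKG && isOld(meta)) {
        hits.push({ where: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample (v1 layout): one old transitive copy, one fixed top-level copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "websocket-driver": {
      version: "0.7.3",
      dependencies: { "websocket-extensions": { version: "0.1.3" } },
    },
    "websocket-extensions": { version: "0.1.4" },
  },
};

console.log(findVulnerable(sampleLock));
```

A non-empty result after the bump means a nested copy is still pinned to the old release and the lockfile needs regenerating for that subtree.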

melekes and others added 30 commits November 15, 2019 14:16
https://www.jsonrpc.org/specification

What is done in this PR:

    JSONRPCClient: validate that Response.ID matches Request.ID. I wanted
    to do the same for the WSClient, but since we're sending events as
    responses, not notifications, checking IDs would require storing
    them in memory indefinitely (and we won't be able to remove them
    upon client unsubscribing because ID is different then).

    Request.ID is now optional. Notification is a Request without an ID.
    Previously "" or 0 were considered as notifications

    Remove #event suffix from ID from an event response (partially fixes
    #2949). ID must be either string, int or null AND must be equal to
    request's ID. Now, because we've implemented events as responses, WS
    clients are tripping when they see Response.ID("0#event") !=
    Request.ID("0"). Implementing events as requests would require a lot
    of time (~ 2 days to completely rewrite WS client and server)

    generate unique ID for each request

    switch to integer IDs instead of "json-client-XYZ"
    id=0 method=/subscribe
    id=0 result=...
    id=1 method=/abci_query
    id=1 result=...

> send events (resulting from /subscribe) as requests+notifications (not
responses)

this will require a lot of work. probably not worth it

* rpc: generate a unique ID for each request
in conformance with JSON-RPC spec

* WSClient: check for unsolicited responses

* fix golangci warnings

* save commit

* fix errors

* remove ID from responses from subscribe
Refs #2949

* clients are safe for concurrent access

* tm-bench: switch to int ID

* fixes after my own review

* comment out sentIDs in WSClient
see commit body for the reason

* remove body.Close
it will be closed automatically

* stop ws connection outside of write/read routines
also, use t.Rate in tm-bench indexer when calculating ID

fix gocritic issues

* update swagger.yaml

* Apply suggestions from code review

* fix stylecheck and golint linter warnings

* update changelog

* update changelog2
* fix logo in footer

* readme and version

* fix logo in footer

* rpc link
Co-Authored-By: Marko <marbar3778@yahoo.com>
* libs/common/errors: remove package

- remove errors file from cmn pkg

- use errorf instead of wrap in async function

- add changelog entry

- closes #3862
 - update master with changelog from v0.32.8
- bump `tm-version` in `version.go`

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
Refs #4053

## Commits:

* Create adr-050-improved-trusted-peering.md

* Modify `maximum_dial_period`

Modify `maximum_dial_period` to `persistent_peers_maximum_dial_period`

* Update adr-050-improved-trusted-peering.md

* Update docs/architecture/adr-050-improved-trusted-peering.md

Co-Authored-By: Tess Rinearson <tess.rinearson@gmail.com>

* Update docs/architecture/adr-050-improved-trusted-peering.md

Co-Authored-By: Tess Rinearson <tess.rinearson@gmail.com>

* Update docs/architecture/adr-050-improved-trusted-peering.md

Co-Authored-By: Tess Rinearson <tess.rinearson@gmail.com>

* Update docs/architecture/adr-050-improved-trusted-peering.md

Co-Authored-By: Tess Rinearson <tess.rinearson@gmail.com>

* wildcard -> unconditional

wildcard -> unconditional

* Remove blank lines

* fix spelling

* add quotes
- tm-bench has a deprecation warning for 5 releases now, with the major release coming I removed the file and updated the docs to point to `tm-load-test` located in the interchainio repo

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
- change link for bounties for different lang abci servers to interchainio funding repo
- link awesome repo ecosystem section in main docs readme

- closes #4110
- closes #4125

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
* docs: update wording

- change grants to funding for abci server

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
Fixes #3986

This pull request is prefixing all the types in proto to avoid conflict.

When a Go application is using Tendermint as a library and also defines similar types in gogo proto, some conflicts might occur (as types is a common package in Go).

By prefixing the types with tendermint, this highly reduces the risk of conflicts.

BREAKING CHANGE.

This modification breaks the ABCI Application endpoint.

What was accessible before with `/types.ABCIApplication/Flush` is now accessible with `/tendermint.abci.types.ABCIApplication/Flush`.
- works only for Linux / Mac 64bit
- you need to call it manually - make protoc
- on Mac, brew install protoc might be favorable
* docs: remove specs, they live in spec repo (#4172)

* docs: remove specs, they live in spec repo

- moving specs to spec repo
- tendermint/spec#62 PR for updating them

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>

* add makefile command to copy in specs from specREPO

- move cloning of spec repo to pre and post scripts

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
Refs #1771

ADR: https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-044-lite-client-with-weak-subjectivity.md

## Commits:

* add Verifier and VerifyCommitTrusting

* add two more checks

make trustLevel an option

* float32 for trustLevel

* check newHeader time

* started writing lite Client

* unify Verify methods

* ensure h2.Header.bfttime < h1.Header.bfttime + tp

* move trust checks into Verify function

* add more comments

* more docs

* started writing tests

* unbonding period failures

* tests are green

* export ErrNewHeaderTooFarIntoFuture

* make golangci happy

* test for non-adjusted headers

* more precision

* providers and stores

* VerifyHeader and VerifyHeaderAtHeight funcs

* fix compile errors

* remove lastVerifiedHeight, persist new trusted header

* sequential verification

* remove TrustedStore option

* started writing tests for light client

* cover basic cases for linear verification

* bisection tests PASS

* rename BisectingVerification to SkippingVerification

* refactor the code

* add TrustedHeader method

* consolidate sequential verification tests

* consolidate skipping verification tests

* rename trustedVals to trustedNextVals

* start writing docs

* ValidateTrustLevel func and ErrOldHeaderExpired error

* AutoClient and example tests

* fix errors

* update doc

* remove ErrNewHeaderTooFarIntoFuture

This check is unnecessary given existing a) ErrOldHeaderExpired b)
h2.Time > now checks.

* return an error if we're at more recent height

* add comments

* add LastSignedHeaderHeight method to Store

I think it's fine if Store tracks last height

* copy over proxy from old lite package

* make TrustedHeader return latest if height=0

* modify LastSignedHeaderHeight to return an error if no headers exist

* copy over proxy impl

* refactor proxy and start http lite client

* Tx and BlockchainInfo methods

* Block method

* commit method

* code compiles again

* lite client compiles

* extract updateLiteClientIfNeededTo func

* move final parts

* add placeholder for tests

* force usage of lite http client in proxy

* comment out query tests for now

* explicitly mention tp: trusting period

* verify nextVals in VerifyHeader

* refactor bisection

* move the NextValidatorsHash check into updateTrustedHeaderAndVals

+ update the comment

* add ConsensusParams method to RPC client

* add ConsensusParams to rpc/mock/client

* change trustLevel type to a new cmn.Fraction type

+ update SkippingVerification comment

* stress out trustLevel is only used for non-adjusted headers

* fixes after Fede's review

Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com>

* compare newHeader with a header from an alternative provider

* save pivot header

Refs tendermint/tendermint#3989 (comment)

* check header can still be trusted in TrustedHeader

Refs tendermint/tendermint#3989 (comment)

* lite: update Validators and Block endpoints

- Block no longer contains BlockMeta
- Validators now accept two additional params: page and perPage

* make linter happy
* types: change `Commit` to consist of just signatures

These are final changes towards removing votes from commit and leaving
only signatures (see ADR-25)

Fixes #1648

* bring back TestCommitToVoteSetWithVotesForAnotherBlockOrNilBlock

+ add absent flag to Vote to indicate that it's for another block

* encode nil votes as CommitSig with BlockIDFlagAbsent

+ make Commit#Precommits array of non-pointers
because precommit will never be nil

* add NewCommitSigAbsent and Absent() funcs

* uncomment validation in CommitSig#ValidateBasic

* add comments to ValidatorSet funcs

* add a changelog entry

* break instead of continue

continue does not make sense in these cases

* types: rename Commit#Precommits to Signatures

* swagger: fix /commit response

* swagger: change block_id_flag type

* fix merge conflicts
cmwaters and others added 16 commits March 12, 2020 15:52
p2p: Update Changelog with ban list PR - #4548
Co-authored-by: Marko <marbar3778@yahoo.com>
Bumps [github.com/golang/protobuf](https://github.com/golang/protobuf) from 1.3.4 to 1.3.5.
- [Release notes](https://github.com/golang/protobuf/releases)
- [Commits](golang/protobuf@v1.3.4...v1.3.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
- remove tools/build folder

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
* update theme

* Update version

* Updated Questions section in the footer

* Remove links to Riot chat

* Typo

* Add Discord link

* Update docs theme to the latest version

* Use docs-staging branch for staging website

* Resolve merge conflicts

* Update version

* Add google analytics

Co-authored-by: Marko <marbar3778@yahoo.com>
- :P

Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/master/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.5.0...v1.5.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
but HTTP client is not running.

`Subscribe`, `Unsubscribe(All)` methods return an error now.

Closes #4568
…4584)

Bumps [github.com/gorilla/websocket](https://github.com/gorilla/websocket) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/gorilla/websocket/releases)
- [Commits](gorilla/websocket@v1.4.1...v1.4.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Signed-off-by: Marko Baricevic <marbar3778@yahoo.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
@dependabot dependabot bot requested a review from tessr as a code owner June 28, 2020 04:43
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jun 28, 2020

dependabot bot commented on behalf of github Jun 28, 2020

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.
