
[Snyk] Upgrade ws from 8.20.1 to 8.21.0 #835

Open

dpatsora wants to merge 1 commit into main from snyk-upgrade-079052eed861bf3e2944427eb3d9f3c2

Conversation

@dpatsora Contributor

Snyk has created this PR to upgrade ws from 8.20.1 to 8.21.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 1 version ahead of your current version.

  • The recommended version was released 21 days ago.

Release notes
Package name: ws
  • 8.21.0 - 2026-05-22

    Features

    • Introduced the maxBufferedChunks and maxFragments options (2b2abd4).

    Bug fixes

    • Fixed a remote memory exhaustion DoS vulnerability (2b2abd4).

    A high volume of tiny fragments and data chunks could be sent by a peer, using
    modest network traffic, to crash a ws server or client due to OOM.

    import { WebSocket, WebSocketServer } from 'ws';

    // PoC from the release note: a client streams 1-byte non-final fragments
    // indefinitely; the receiving side accumulates them until it runs out of memory.
    const wss = new WebSocketServer({ port: 0 }, function () {
      const data = Buffer.alloc(1);
      const options = { fin: false };
      const { port } = wss.address();
      const ws = new WebSocket(`ws://localhost:${port}`);

      ws.on('open', function () {
        (function send() {
          ws.send(data, options, function (err) {
            if (err) return;
            send();
          });
        })();
      });

      ws.on('error', console.error);
      ws.on('close', function (code, reason) {
        console.log(`client close - code: ${code} reason: ${reason.toString()}`);
      });
    });

    wss.on('connection', function (ws) {
      ws.on('error', console.error);
      ws.on('close', function (code, reason) {
        console.log(`server close - code: ${code} reason: ${reason.toString()}`);
      });
    });

    wss.on('connection', function (ws) {
    ws.on('error', console.error);
    ws.on('close', function (code, reason) {
    console.log(server close - code: <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">code</span><span class="pl-kos">}</span></span> reason: <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">reason</span><span class="pl-kos">.</span><span class="pl-en">toString</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">}</span></span>);
    });
    });

    The vulnerability was responsibly disclosed and fixed by Nadav Magier.

    In vulnerable versions, the issue can be mitigated by lowering the value of the
    maxPayload option if possible.

  • 8.20.1 - 2026-05-12

    Bug fixes

    • Fixed an uninitialized memory disclosure issue in websocket.close()
      (c0327ec).

    Providing a TypedArray (e.g. Float32Array) as the reason argument for
    websocket.close(), rather than the supported string or Buffer types, caused
    uninitialized memory to be disclosed to the remote peer.

    import { deepStrictEqual } from 'node:assert';
    import { WebSocket, WebSocketServer } from 'ws';

    // Test from the release note: the server closes with a Float32Array(20)
    // (80 bytes) as the reason; the client expects to receive 80 zero bytes.
    const wss = new WebSocketServer(
      { port: 0, skipUTF8Validation: true },
      function () {
        const { port } = wss.address();
        const ws = new WebSocket(`ws://localhost:${port}`, {
          skipUTF8Validation: true
        });

        ws.on('close', function (code, reason) {
          deepStrictEqual(reason, Buffer.alloc(80));
        });
      }
    );

    wss.on('connection', function (ws) {
      ws.close(1000, new Float32Array(20));
    });

    The issue was privately reported by Nikita Skovoroda.

from ws GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:
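The 8.21.0 note quoted above describes the memory-exhaustion DoS only in prose: a byte cap (maxPayload) bounds the sum of fragment payloads, but a peer sending 1-byte fragments makes the receiver hold one Buffer object per fragment, and the per-object bookkeeping dwarfs the payload. The following is an added example, not code from ws or from this PR: a simplified, hypothetical model of a fragment-assembling receiver (class and function names are invented, and the 64-byte per-chunk overhead is an assumed round figure, not a measured ws value) that shows what a fragment-count cap like the new maxFragments option changes.

```javascript
// Assumption: a rough per-Buffer bookkeeping cost (object header, array slot,
// backing-store pointer). The exact number varies by V8 version; the model only
// needs it to be much larger than the 1-byte payload of a tiny fragment.
const OVERHEAD_PER_CHUNK = 64;

// Hypothetical model of a receiver that collects continuation fragments until
// a final (fin) frame arrives. Not the ws implementation.
class FragmentAssembler {
  constructor({ maxPayload = 100 * 1024 * 1024, maxFragments = Infinity } = {}) {
    this.maxPayload = maxPayload;     // byte cap on the assembled message
    this.maxFragments = maxFragments; // count cap on pending chunks
    this.fragments = [];
    this.messageLength = 0;
  }

  // Returns the assembled message when fin is true, null while still pending.
  // Throws when a cap would be exceeded; a real server would close with 1009.
  push(chunk, fin) {
    if (this.messageLength + chunk.length > this.maxPayload) {
      throw new RangeError(`Max payload size exceeded (${this.messageLength + chunk.length} > ${this.maxPayload})`);
    }
    if (this.fragments.length + 1 > this.maxFragments) {
      throw new RangeError(`Max fragments exceeded (${this.fragments.length + 1} > ${this.maxFragments})`);
    }
    this.messageLength += chunk.length;
    this.fragments.push(chunk);
    if (!fin) return null;
    const message = Buffer.concat(this.fragments, this.messageLength);
    this.fragments = [];
    this.messageLength = 0;
    return message;
  }

  // Approximate memory held for the pending message: payload plus per-chunk overhead.
  estimatedMemory() {
    return this.messageLength + this.fragments.length * OVERHEAD_PER_CHUNK;
  }
}

// Simulates the release-note PoC: a peer streaming 1-byte non-final fragments.
// Reports how many fragments were accepted before a cap fired and the
// estimated memory held at that point.
function floodWithTinyFragments(options, fragmentsToSend) {
  const assembler = new FragmentAssembler(options);
  const fragment = Buffer.alloc(1);
  let accepted = 0;
  try {
    for (let i = 0; i < fragmentsToSend; i++) {
      assembler.push(fragment, false);
      accepted++;
    }
    return { accepted, rejected: false, memory: assembler.estimatedMemory() };
  } catch (err) {
    return { accepted, rejected: true, reason: err.message, memory: assembler.estimatedMemory() };
  }
}

// Worst case the model allows for a given configuration: the peer fills the
// byte budget, and as many of those bytes as the count cap permits arrive as
// separate 1-byte chunks (the remainder can arrive in one large fragment).
function worstCasePendingMemory(maxPayload, maxFragments = Infinity) {
  const chunks = Math.min(maxPayload, maxFragments);
  return maxPayload + chunks * OVERHEAD_PER_CHUNK;
}

// Constructed scenario: byte cap only versus byte cap plus fragment-count cap.
const byteCapOnly = floodWithTinyFragments({ maxPayload: 1024 }, 10_000);
const countCapped = floodWithTinyFragments({ maxPayload: 1024, maxFragments: 100 }, 10_000);
```

With only the byte cap the flood is accepted until every payload byte has its own chunk, so memory is about 65 bytes per payload byte under this model; at the default 100 MiB maxPayload that is several GiB of heap for roughly 100 MiB of traffic, which is the "modest network traffic" the note refers to. A fragment-count cap bounds the overhead term independently of maxPayload, and lowering maxPayload (the note's mitigation for vulnerable versions) shrinks both terms together.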
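The 8.20.1 note quoted above turns on the difference between a typed array's element count and its byte length: Float32Array(20) has length 20 but occupies 80 bytes, and the remote peer received 80 bytes. The following is an added example, not ws code and not a reconstruction of the fixed function: a hypothetical helper (function names are invented) that encodes a close reason from a string, Buffer, ArrayBuffer or any ArrayBufferView by always copying exactly byteLength bytes from byteOffset into zero-filled memory, and enforces the RFC 6455 limit of 123 reason bytes in a 125-byte close payload.

```javascript
// RFC 6455: a close frame payload is at most 125 bytes, 2 of which are the
// status code, leaving 123 for the reason.
const MAX_CLOSE_REASON_BYTES = 123;

// Hypothetical helper: normalize a close reason to the bytes that go on the wire.
function encodeCloseReason(reason) {
  if (reason === undefined) return Buffer.alloc(0);
  let bytes;
  if (typeof reason === 'string') {
    bytes = Buffer.from(reason, 'utf8');
  } else if (Buffer.isBuffer(reason)) {
    // Copy so that later mutation by the caller cannot alter the frame.
    bytes = Buffer.from(reason);
  } else if (ArrayBuffer.isView(reason)) {
    // A typed array's .length is its element count. The wire needs byteLength
    // bytes starting at byteOffset within the underlying ArrayBuffer; a view
    // over a larger buffer must not leak the bytes around it.
    const view = Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength); // shares memory
    bytes = Buffer.from(view); // copies exactly byteLength bytes
  } else if (reason instanceof ArrayBuffer) {
    bytes = Buffer.from(new Uint8Array(reason)); // copy
  } else {
    throw new TypeError('close reason must be a string, Buffer, ArrayBuffer or ArrayBufferView');
  }
  if (bytes.length > MAX_CLOSE_REASON_BYTES) {
    throw new RangeError(`close reason exceeds ${MAX_CLOSE_REASON_BYTES} bytes`);
  }
  return bytes;
}

// Hypothetical helper: build the close frame payload, 2-byte big-endian status
// code followed by the reason bytes.
function buildClosePayload(code, reason) {
  const reasonBytes = encodeCloseReason(reason);
  // Zero-filled allocation (never allocUnsafe for peer-visible bytes): even if
  // a later write were shorter than the buffer, no stale memory could leak.
  const payload = Buffer.alloc(2 + reasonBytes.length);
  payload.writeUInt16BE(code, 0);
  reasonBytes.copy(payload, 2);
  return payload;
}
```

A stricter policy, rejecting anything other than a string or Buffer with a TypeError, is equally valid; the point is that whichever branch sizes the output must use byteLength, and that memory handed to a peer should be zero-filled or provably fully overwritten.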

@coderabbitai Contributor

coderabbitai Bot commented Jun 13, 2026

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e648bec6-85e4-40af-874c-91e302195004

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.
