[Snyk] Upgrade ws from 7.4.6 to 7.5.3

[snyk-bot]

Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 1 version ahead of your current version.
• The recommended version was released 22 days ago, on 2021-06-16.

Release notes

Package name: ws

• 7.5.0 - 2021-06-16
  

  Features

  • Some errors now have a code property describing the specific type of error
    that has occurred (#1901).

  Bug fixes

  • A close frame is now sent to the remote peer if an error (such as a data
    framing error) occurs (8806aa9).
  • The close code is now always 1006 if no close frame is received, even if the
    connection is closed due to an error (8806aa9).
• 7.4.6 - 2021-05-25
  

  Bug fixes

  • Fixed a ReDoS vulnerability (00c425e).

  A specially crafted value of the Sec-Websocket-Protocol header could be used
  to significantly slow down a ws server.

  for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ , /);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
  }

  The vulnerability was responsibly disclosed along with a fix in private by
  Robert McLaughlin from University of California, Santa Barbara.

  In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
  allowed length of the request headers using the --max-http-header-size=size
  and/or the maxHeaderSize options.

from ws GitHub release notes

Commit messages

Package name: ws

• e3f0c17 [dist] 7.5.0
• 1d3f4cb [doc] Fix anchor tags for error codes
• 6eea0d4 [doc] Fix typo
• bb5d44b [doc] Sort error codes alphabetically
• c6e3080 [minor] Attach error codes to all receiver errors (Break schemaController dependency. #1901)
• 074e6a8 [fix] Don't call `ws.terminate()` unconditionally in `duplex._destroy()`
• 8806aa9 [fix] Close the connection cleanly when an error occurs
• 05b8ccd [doc] Fix broken link (I am seeing issues accessing data from parse app and dashboard once I migrated the data to mlab and imported directly into mlab #1897)
• 03a7078 [doc] Remove unsafe regex from code snippet
• 7ee3115 [doc] Add logo to coverage badge
• edff6bb [test] Fix nit
• 262e45a [test] Rename certificates and private keys files
• d18c677 [security] Update link to point to published security advisories
• 2f2b3e8 [test] Update certificates and private keys
• c05d51f [security] Add ReDoS vulnerability to SECURITY.md

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[mtrezza]

Currently fails with:

1) ParseLiveQuery handle invalid websocket payload length
  - Uncaught exception: TypeError: Converting circular structure to JSON
      --> starting at object with constructor 'Timeout'
      |     property '_idlePrev' -> object with constructor 'TimersList'
      --- property '_idleNext' closes the circle

2) ParseLiveQuery LiveQuery with ACL
  - Unhandled promise rejection: ParseError: 101 Object not found.

[codecov]

Codecov Report

Merging #7457 (4e8e42b) into master (39f7c83) will decrease coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #7457      +/-   ##
==========================================
- Coverage   93.93%   93.91%   -0.02%     
==========================================
  Files         181      181              
  Lines       13251    13252       +1     
==========================================
- Hits        12447    12446       -1     
- Misses        804      806       +2     

Impacted Files	Coverage Δ
src/LiveQuery/ParseWebSocketServer.js	93.33% <100.00%> (+0.22%)	⬆️
src/batch.js	91.37% <0.00%> (-1.73%)	⬇️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	92.37% <0.00%> (-0.44%)	⬇️
src/ParseServerRESTController.js	98.50% <0.00%> (+1.49%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 39f7c83...4e8e42b. Read the comment docs.

[mtrezza]

Both errors were due to a circular object, for which JSON.stringify cannot be used --> using util.inspect instead.

Upgraded to 7.5.3 instead of Snyk's suggested 7.5.0 because these follow-up versions fixed some bugs.

[parseplatformorg]

🎉 This change has been released in version 5.0.0-beta.1

[parseplatformorg]

🎉 This change has been released in version 5.0.0