@@ -23,3 +23,2 @@ # Class: WebSocket | ||
| * **headers** `HeadersInit` (optional) - Custom headers to include in the WebSocket handshake request. | ||
| * **maxDecompressedMessageSize** `number` (optional) - Maximum allowed size in bytes for decompressed messages when using the `permessage-deflate` extension. **Default:** `4194304` (4 MB). | ||
@@ -49,16 +48,2 @@ ### Example: | ||
| ### Example with custom decompression limit: | ||
| To protect against decompression bombs (small compressed payloads that expand to very large sizes), you can set a custom limit: | ||
| ```mjs | ||
| import { WebSocket } from 'undici' | ||
| const ws = new WebSocket('wss://echo.websocket.events', { | ||
| maxDecompressedMessageSize: 1 * 1024 * 1024 | ||
| }) | ||
| ``` | ||
| > ⚠️ **Security Note**: The `maxDecompressedMessageSize` option protects against memory exhaustion attacks where a malicious server sends a small compressed payload that decompresses to an extremely large size. If you increase this limit significantly above the default, ensure your application can handle the increased memory usage. | ||
| ## Read More | ||
@@ -65,0 +50,0 @@ |
@@ -20,5 +20,2 @@ 'use strict' | ||
| /** @type {number} */ | ||
| #maxDecompressedSize | ||
| /** @type {boolean} */ | ||
@@ -32,8 +29,6 @@ #aborted = false | ||
| * @param {Map<string, string>} extensions | ||
| * @param {{ maxDecompressedMessageSize?: number }} [options] | ||
| */ | ||
| constructor (extensions, options = {}) { | ||
| constructor (extensions) { | ||
| this.#options.serverNoContextTakeover = extensions.has('server_no_context_takeover') | ||
| this.#options.serverMaxWindowBits = extensions.get('server_max_window_bits') | ||
| this.#maxDecompressedSize = options.maxDecompressedMessageSize ?? kDefaultMaxDecompressedSize | ||
| } | ||
@@ -80,3 +75,3 @@ | ||
| if (this.#inflate[kLength] > this.#maxDecompressedSize) { | ||
| if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) { | ||
| this.#aborted = true | ||
@@ -83,0 +78,0 @@ this.#inflate.removeAllListeners() |
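Review bot: The comparison `this.#inflate[kLength] > kDefaultMaxDecompressedSize` is now the only bound on inflated message size, and nothing at the check or on the constructor records that the cap is deliberately fixed. A short comment above the comparison would make that explicit, e.g. `// Fixed cap on decompressed message size; not caller-configurable in this release.` The definition of `kDefaultMaxDecompressedSize` is outside this section (the removed docs give the default as 4194304 bytes), and the function containing the check starts and ends outside the hunk.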
@@ -40,11 +40,7 @@ 'use strict' | ||
| /** @type {{ maxDecompressedMessageSize?: number }} */ | ||
| #options | ||
| /** | ||
| * @param {import('./websocket').WebSocket} ws | ||
| * @param {Map<string, string>|null} extensions | ||
| * @param {{ maxDecompressedMessageSize?: number }} [options] | ||
| */ | ||
| constructor (ws, extensions, options = {}) { | ||
| constructor (ws, extensions) { | ||
| super() | ||
@@ -54,6 +50,5 @@ | ||
| this.#extensions = extensions == null ? new Map() : extensions | ||
| this.#options = options | ||
| if (this.#extensions.has('permessage-deflate')) { | ||
| this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions, options)) | ||
| this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions)) | ||
| } | ||
@@ -60,0 +55,0 @@ } |
@@ -47,5 +47,2 @@ 'use strict' | ||
| /** @type {{ maxDecompressedMessageSize?: number }} */ | ||
| #options | ||
| /** | ||
@@ -124,7 +121,2 @@ * @param {string} url | ||
| // Store options for later use (e.g., maxDecompressedMessageSize) | ||
| this.#options = { | ||
| maxDecompressedMessageSize: options.maxDecompressedMessageSize | ||
| } | ||
| // 11. Let client be this's relevant settings object. | ||
@@ -448,3 +440,3 @@ const client = environmentSettingsObject.settingsObject | ||
| const parser = new ByteParser(this, parsedExtensions, this.#options) | ||
| const parser = new ByteParser(this, parsedExtensions) | ||
| parser.on('drain', onParserDrain) | ||
@@ -552,15 +544,2 @@ parser.on('error', onParserError.bind(this)) | ||
| converter: webidl.nullableConverter(webidl.converters.HeadersInit) | ||
| }, | ||
| { | ||
| key: 'maxDecompressedMessageSize', | ||
| converter: webidl.nullableConverter((V) => { | ||
| V = webidl.converters['unsigned long long'](V) | ||
| if (V <= 0) { | ||
| throw webidl.errors.exception({ | ||
| header: 'WebSocket constructor', | ||
| message: 'maxDecompressedMessageSize must be greater than 0' | ||
| }) | ||
| } | ||
| return V | ||
| }) | ||
| } | ||
@@ -567,0 +546,0 @@ ]) |
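Review bot: A caller that still passes `maxDecompressedMessageSize` will most likely get no error once this dictionary entry is gone, assuming the webidl dictionary converter skips keys it has no entry for. A limit set below the default would then be dropped silently in a patch release. The constructor could warn when the raw options argument still carries the key, before conversion discards it, e.g. `process.emitWarning('maxDecompressedMessageSize is ignored in this version; the default limit applies')`. The converter list and the constructor body both continue outside the visible hunks, so the exact placement needs checking against the full file.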
+1
-1
| { | ||
| "name": "undici", | ||
| "version": "6.24.0", | ||
| "version": "6.24.1", | ||
| "description": "An HTTP/1.1 client, written from scratch for Node.js", | ||
@@ -5,0 +5,0 @@ "homepage": "https://undici.nodejs.org", |
@@ -149,10 +149,3 @@ /// <reference types="node" /> | ||
| dispatcher?: Dispatcher, | ||
| headers?: HeadersInit, | ||
| /** | ||
| * Maximum size in bytes for decompressed WebSocket messages. | ||
| * When a message exceeds this limit during decompression, the connection | ||
| * will be closed with status code 1009 (Message Too Big). | ||
| * @default 4194304 (4 MB) | ||
| */ | ||
| maxDecompressedMessageSize?: number | ||
| headers?: HeadersInit | ||
| } |
Network access
Supply chain risk: This module accesses the network.
Found 3 instances in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 10 instances in 1 package
Long strings
Supply chain risk: Contains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
1184934
-0.18%25175
-0.13%