@@ -21,3 +21,2 @@ # Class: WebSocket | ||
| * **headers** `HeadersInit` (optional) - Custom headers to include in the WebSocket handshake request. | ||
| * **maxDecompressedMessageSize** `number` (optional) - Maximum allowed size in bytes for decompressed messages when using the `permessage-deflate` extension. **Default:** `4194304` (4 MB). | ||
@@ -47,22 +46,2 @@ ### Example: | ||
| ### Example with custom decompression limit: | ||
| To protect against decompression bombs (small compressed payloads that expand to very large sizes), you can set a custom limit: | ||
| ```mjs | ||
| import { WebSocket } from 'undici' | ||
| // Limit decompressed messages to 1 MB | ||
| const ws = new WebSocket('wss://echo.websocket.events', { | ||
| maxDecompressedMessageSize: 1 * 1024 * 1024 | ||
| }) | ||
| ws.addEventListener('error', (event) => { | ||
| // Connection will be closed if a message exceeds the limit | ||
| console.error('WebSocket error:', event.error) | ||
| }) | ||
| ``` | ||
| > ⚠️ **Security Note**: The `maxDecompressedMessageSize` option protects against memory exhaustion attacks where a malicious server sends a small compressed payload that decompresses to an extremely large size. If you increase this limit significantly above the default, ensure your application can handle the increased memory usage. | ||
| ### Example with HTTP/2: | ||
@@ -69,0 +48,0 @@ |
@@ -20,5 +20,2 @@ 'use strict' | ||
| /** @type {number} */ | ||
| #maxDecompressedSize | ||
| /** @type {boolean} */ | ||
@@ -32,8 +29,6 @@ #aborted = false | ||
| * @param {Map<string, string>} extensions | ||
| * @param {{ maxDecompressedMessageSize?: number }} [options] | ||
| */ | ||
| constructor (extensions, options = {}) { | ||
| constructor (extensions) { | ||
| this.#options.serverNoContextTakeover = extensions.has('server_no_context_takeover') | ||
| this.#options.serverMaxWindowBits = extensions.get('server_max_window_bits') | ||
| this.#maxDecompressedSize = options.maxDecompressedMessageSize ?? kDefaultMaxDecompressedSize | ||
| } | ||
@@ -80,3 +75,3 @@ | ||
| if (this.#inflate[kLength] > this.#maxDecompressedSize) { | ||
| if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) { | ||
| this.#aborted = true | ||
@@ -83,0 +78,0 @@ this.#inflate.removeAllListeners() |
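Review bot: The limit check now compares `this.#inflate[kLength]` against the module-level `kDefaultMaxDecompressedSize`, so the 4 MB cap can no longer be lowered per connection and nothing at the call site says that is deliberate rather than a leftover from the removed field. I'd add a comment above the condition: `// Hard cap on inflated bytes per message; exceeding it sets #aborted and tears down the inflate stream below. Not configurable per connection.`. The constructor JSDoc on the new side still lists only `extensions`, which matches the new signature, but the `serverMaxWindowBits` value is stored without validation as before — worth a note if that is relied on elsewhere. The enclosing method of the size check starts and ends outside this hunk.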
@@ -42,11 +42,7 @@ 'use strict' | ||
| /** @type {{ maxDecompressedMessageSize?: number }} */ | ||
| #options | ||
| /** | ||
| * @param {import('./websocket').Handler} handler | ||
| * @param {Map<string, string>|null} extensions | ||
| * @param {{ maxDecompressedMessageSize?: number }} [options] | ||
| */ | ||
| constructor (handler, extensions, options = {}) { | ||
| constructor (handler, extensions) { | ||
| super() | ||
@@ -56,6 +52,5 @@ | ||
| this.#extensions = extensions == null ? new Map() : extensions | ||
| this.#options = options | ||
| if (this.#extensions.has('permessage-deflate')) { | ||
| this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions, options)) | ||
| this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions)) | ||
| } | ||
@@ -62,0 +57,0 @@ } |
@@ -112,4 +112,2 @@ 'use strict' | ||
| #parser | ||
| /** @type {{ maxDecompressedMessageSize?: number }} */ | ||
| #options | ||
@@ -160,7 +158,2 @@ /** | ||
| // Store options for later use (e.g., maxDecompressedMessageSize) | ||
| this.#options = { | ||
| maxDecompressedMessageSize: options.maxDecompressedMessageSize | ||
| } | ||
| // 6. Let client be this's relevant settings object. | ||
@@ -468,3 +461,3 @@ const client = environmentSettingsObject.settingsObject | ||
| const parser = new ByteParser(this.#handler, parsedExtensions, this.#options) | ||
| const parser = new ByteParser(this.#handler, parsedExtensions) | ||
| parser.on('drain', () => this.#handler.onParserDrain()) | ||
@@ -721,15 +714,2 @@ parser.on('error', (err) => this.#handler.onParserError(err)) | ||
| converter: webidl.nullableConverter(webidl.converters.HeadersInit) | ||
| }, | ||
| { | ||
| key: 'maxDecompressedMessageSize', | ||
| converter: webidl.nullableConverter((V) => { | ||
| V = webidl.converters['unsigned long long'](V) | ||
| if (V <= 0) { | ||
| throw webidl.errors.exception({ | ||
| header: 'WebSocket constructor', | ||
| message: 'maxDecompressedMessageSize must be greater than 0' | ||
| }) | ||
| } | ||
| return V | ||
| }) | ||
| } | ||
@@ -736,0 +716,0 @@ ]) |
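Review bot: Callers that passed `maxDecompressedMessageSize` in 7.24.1 will now have the option silently ignored: with the dictionary entry and its `> 0` validating converter gone, the key is (if the dictionary converter follows WebIDL semantics) simply dropped and the fixed cap in the deflate layer applies, with no error or warning. Because this option shipped in a published release, I'd either keep a stub entry that warns, e.g. `{ key: 'maxDecompressedMessageSize', converter: (V) => { process.emitWarning('maxDecompressedMessageSize is no longer supported; a fixed limit applies', 'DeprecationWarning'); return undefined } }`, or at minimum call the removal out in the changelog so that anyone who had tightened the limit knows their setting no longer takes effect. The converter array this hunk edits starts outside the hunk.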
+1
-1
| { | ||
| "name": "undici", | ||
| "version": "7.24.1", | ||
| "version": "7.24.2", | ||
| "description": "An HTTP/1.1 client, written from scratch for Node.js", | ||
@@ -5,0 +5,0 @@ "homepage": "https://undici.nodejs.org", |
@@ -150,10 +150,3 @@ /// <reference types="node" /> | ||
| dispatcher?: Dispatcher, | ||
| headers?: HeadersInit, | ||
| /** | ||
| * Maximum size in bytes for decompressed WebSocket messages. | ||
| * When a message exceeds this limit during decompression, the connection | ||
| * will be closed with status code 1009 (Message Too Big). | ||
| * @default 4194304 (4 MB) | ||
| */ | ||
| maxDecompressedMessageSize?: number | ||
| headers?: HeadersInit | ||
| } | ||
@@ -160,0 +153,0 @@ |
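Review bot: With `maxDecompressedMessageSize` removed from `WebSocketInit`, TypeScript users lose the only place in the typings that mentioned the decompression cap, while the runtime (judging from the `kDefaultMaxDecompressedSize` comparison in the deflate code of this same release) still enforces a fixed limit. I'd keep a one-line JSDoc inside the interface, e.g. `/** Note: permessage-deflate messages are capped at a fixed decompressed size (4 MB by default); this is not configurable. */`, so the behaviour stays discoverable from the types. The exact close code on overflow is not visible here, so I would not restate the old 1009 wording without checking the implementation. The interface header is outside this hunk.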