chore(deps): bump the npm_and_yarn group across 2 directories with 1 update by dependabot[bot] · Pull Request #413 · skanda890/CodePark

dependabot · 2026-05-27T01:18:19Z

Bumps the npm_and_yarn group with 1 update in the /Projects/JavaScript/airtel-voip-client directory: ws.
Bumps the npm_and_yarn group with 1 update in the /Projects/JavaScript/math-calculator directory: ws.

Updates ws from 8.20.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});
The issue was privately reported by Nikita Skovoroda.

Commits

5d9b316 [dist] 8.20.1
c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
ce2a3d6 [ci] Test on node 26
58e45b8 [ci] Do not test on node 25
5f26c24 [ci] Run the lint step on node 24
See full diff in compare view

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});
The issue was privately reported by Nikita Skovoroda.

Commits

5d9b316 [dist] 8.20.1
c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
ce2a3d6 [ci] Test on node 26
58e45b8 [ci] Do not test on node 25
5f26c24 [ci] Run the lint step on node 24
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…update Bumps the npm_and_yarn group with 1 update in the /Projects/JavaScript/airtel-voip-client directory: [ws](https://github.com/websockets/ws). Bumps the npm_and_yarn group with 1 update in the /Projects/JavaScript/math-calculator directory: [ws](https://github.com/websockets/ws). Updates `ws` from 8.20.0 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.0...8.20.1) Updates `ws` from 8.17.1 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.0...8.20.1) --- updated-dependencies: - dependency-name: ws dependency-version: 8.20.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.20.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

netlify · 2026-05-27T01:18:25Z

❌ Deploy Preview for silver-entremet-633411 failed.

Name	Link
🔨 Latest commit	`ce703b1`
🔍 Latest deploy log	https://app.netlify.com/projects/silver-entremet-633411/deploys/6a16465f80230b00075b6767

codeant-ai · 2026-05-27T01:18:25Z

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

skanda890 · 2026-05-27T01:18:32Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

github-actions · 2026-05-27T01:18:42Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

npm/ws

8.20.1

🟢 5.5

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 2/29 approved changesets -- score normalized to 0
Maintained	🟢 10	11 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@types/ws

8.18.1

🟢 6.5

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 8	Found 25/29 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/engine.io

6.6.8

🟢 6.4

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 1	Found 4/30 approved changesets -- score normalized to 1
Maintained	🟢 10	30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 9	binaries present in source code
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1

npm/socket.io-adapter

2.5.7

🟢 6.4

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 1	Found 4/30 approved changesets -- score normalized to 1
Maintained	🟢 10	30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 9	binaries present in source code
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1

npm/ws

8.20.1

🟢 5.5

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 2/29 approved changesets -- score normalized to 0
Maintained	🟢 10	11 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

Scanned Files

Projects/JavaScript/airtel-voip-client/package-lock.json
Projects/JavaScript/math-calculator/package-lock.json

socket-security · 2026-05-27T01:19:01Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	express@4.22.2
	ws@8.20.0 ⏵ 8.20.1	⁺¹	⁺²

View full report

sonarqubecloud · 2026-05-27T01:19:07Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

deepsource-io · 2026-05-27T01:19:25Z

DeepSource Code Review

We reviewed changes in df7f7b8...ce703b1 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade	Security Reliability Complexity Hygiene

Code Review Summary

Analyzer	Updated (UTC)	Details
Code coverage	May 27, 2026 1:18a.m.	Review ↗
Terraform	May 27, 2026 1:18a.m.	Review ↗
Swift	May 27, 2026 1:18a.m.	Review ↗
SQL	May 27, 2026 1:18a.m.	Review ↗
Shell	May 27, 2026 1:18a.m.	Review ↗
Secrets	May 27, 2026 1:18a.m.	Review ↗
Scala	May 27, 2026 1:18a.m.	Review ↗
Ruby	May 27, 2026 1:18a.m.	Review ↗
PHP	May 27, 2026 1:18a.m.	Review ↗
Kotlin	May 27, 2026 1:18a.m.	Review ↗
Go	May 27, 2026 1:18a.m.	Review ↗
Docker	May 27, 2026 1:18a.m.	Review ↗
Ansible	May 27, 2026 1:18a.m.	Review ↗
Rust	May 27, 2026 1:18a.m.	Review ↗
C#	May 27, 2026 1:18a.m.	Review ↗
C & C++	May 27, 2026 1:18a.m.	Review ↗
Java	May 27, 2026 1:18a.m.	Review ↗
JavaScript	May 27, 2026 1:18a.m.	Review ↗
Python	May 27, 2026 1:18a.m.	Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

codacy-production · 2026-05-27T01:21:37Z

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results

Complexity 0

Duplication 0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer}
_{TIP This summary will be updated as you push new changes.}

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 27, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 1 update#413

chore(deps): bump the npm_and_yarn group across 2 directories with 1 update#413
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/Projects/JavaScript/airtel-voip-client/npm_and_yarn-5d1870827d

dependabot Bot commented on behalf of github May 27, 2026

Uh oh!

netlify Bot commented May 27, 2026 •

edited

Loading

Uh oh!

codeant-ai Bot commented May 27, 2026

Uh oh!

skanda890 commented May 27, 2026

Uh oh!

github-actions Bot commented May 27, 2026

Uh oh!

socket-security Bot commented May 27, 2026

Uh oh!

sonarqubecloud Bot commented May 27, 2026

Uh oh!

deepsource-io Bot commented May 27, 2026 •

edited

Loading

Uh oh!

codacy-production Bot commented May 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 27, 2026

8.20.1

Bug fixes

8.20.1

Bug fixes

Uh oh!

netlify Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

❌ Deploy Preview for silver-entremet-633411 failed.

Uh oh!

codeant-ai Bot commented May 27, 2026

Uh oh!

skanda890 commented May 27, 2026

✅ Snyk checks have passed. No issues have been found so far.

Uh oh!

github-actions Bot commented May 27, 2026

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

socket-security Bot commented May 27, 2026

Uh oh!

sonarqubecloud Bot commented May 27, 2026

Quality Gate passed

Uh oh!

deepsource-io Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

DeepSource Code Review

PR Report Card

Code Review Summary

Uh oh!

codacy-production Bot commented May 27, 2026

Up to standards ✅

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

netlify Bot commented May 27, 2026 •

edited

Loading

deepsource-io Bot commented May 27, 2026 •

edited

Loading