Bump ws and engine.io-client

[dependabot]

Bumps ws and engine.io-client. These dependencies needed to be updated together.
Updates ws from 8.17.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• Additional commits viewable in compare view

Updates engine.io-client from 6.6.1 to 6.6.6

Release notes

Sourced from engine.io-client's releases.

engine.io-client@6.6.6

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

Bug Fixes

• preserve transport literal suggestions (#5469) (d8f392e)

Dependencies

• ws@~8.21.0 (diff)

engine.io-client@6.6.5

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

Dependencies

• ws@~8.20.1 (diff)

engine.io-client@6.6.4

This release contains a bump of:

• ws from ~8.17.1 to ~8.18.3
• debug from ~4.3.1 to ~4.4.1

Bug Fixes

• properly handle port option (#5241) (1da9cdd)

Dependencies

• ws@~8.18.3 (diff)

engine.io-client@6.6.3

Bug Fixes

• correctly consume the ws package (#5220) (7fcddcb)

Dependencies

• ws@~8.17.1 (no change)

engine.io-client@6.6.2

... (truncated)

Commits

• 22cc483 chore(release): engine.io-client@6.6.6
• 9dbec81 chore(release): engine.io@6.6.9
• 3ad4e1f docs: improve example with PM2
• 0e5afee docs: add example with PM2
• eab9623 docs(eio): correct maxHttpBufferSize default in JSDoc (#5508)
• c17890c docs: add documentation about WebTransport
• 20df6ae docs(examples): add client-side load balancing example
• 16d1923 ci(publish): enable staged publishing
• ad48a9b docs(examples): add example with HTTP/2
• 190572d refactor(eio-client): remove XMLHttpRequest from the definition file
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for engine.io-client since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[semgrepcode-auth0]

Medium severity vulnerability may affect your project—review required:
Line 3694 lists a dependency (js-yaml) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.

References: GHSA, CVE

To resolve this comment:
Check if you are using js-yaml on the CLI.

• If you're affected, upgrade this dependency to at least version 3.14.2 at package-lock.json.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrepcode-auth0]

Medium severity vulnerability may affect your project—review required:
Line 3735 lists a dependency (jsonwebtoken) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

References: GHSA, CVE

To resolve this comment:
Check if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function..

• If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrepcode-auth0]

👿 Malicious dependency detected—remove immediately

The version 1.1.3 of fsevents contains malicious code and is a critical security risk. Upgrade
to 1.2.11 to resolve this issue.

ℹ️ Why this matters

This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.

References: https://osv.dev/vulnerability/MAL-2023-462

To resolve this comment:
Upgrade this dependency to at least version 1.2.11 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrepcode-auth0]

High severity vulnerability may affect your project—review required:
Line 43 lists a dependency (acorn) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of acorn are vulnerable to Uncontrolled Resource Consumption. A regular-expression denial-of-service exists in Acorn's RegExp parser: a pattern like /[x-\ud800]/u (an invalid UTF-16 range) causes the parser to spin in an infinite loop. If an application feeds untrusted code directly into Acorn, an attacker can supply such a regex to trigger a CPU-hogging infinite loop and achieve Denial of Service.

References: GHSA

To resolve this comment:
Check if you are using acorn on the CLI.

• If you're affected, upgrade this dependency to at least version 5.7.4 at package-lock.json.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrepcode-auth0]

High severity vulnerability may affect your project—review required:
Line 5314 lists a dependency (tree-kill) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of tree-kill are vulnerable to Improper Control of Generation of Code ('Code Injection'). The tree-kill package is vulnerable to command injection on Windows. An attacker can control the unsanitized input passed to the kill function, potentially leading to arbitrary command execution on the host system.

References: GHSA, CVE

To resolve this comment:
Check if you are using tree-kill Command Line Interface in Windows System.

• If you're affected, upgrade this dependency to at least version 1.2.2 at package-lock.json.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrepcode-auth0]

High severity vulnerability may affect your project—review required:
Line 3735 lists a dependency (jsonwebtoken) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

References: GHSA, CVE

To resolve this comment:
Check if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.

• If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
• If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}

[semgrepcode-auth0]

Critical severity vulnerability introduced by a package you're using:
Line 2098 lists a dependency (deep-extend) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 0.5.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

_{You can view more details on this finding in the Semgrep AppSec Platform here.}