fix(deps): bump ws from 8.20.0 to 8.21.0

[dependabot]

Bumps ws from 8.20.0 to 8.21.0.

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	Jun 30, 2026 4:07pm

[ci-lockfile-regen]

Dependabot Fix Assessment

Package: `ws` `8.20.0` → `8.21.0` (minor — new options added, backwards compatible)
Scope: runtime dependency (`dependencies` in package.json)
Workspace: root only (ws not used in packages/react-web-cli or examples/web-cli)

What changed upstream

• Security fix: Fixed a remote memory exhaustion DoS vulnerability — a peer could send high-volume tiny fragments/chunks to crash a ws server or client via OOM. Reported by Nadav Magier.
• New options: Added maxBufferedChunks and maxFragments options to mitigate the above in older versions.
• No breaking API changes. Full changelog: https://github.com/websockets/ws/blob/master/CHANGELOG.md

Migration concerns checked

• Peer dependencies: OK — no peer dep changes in 8.21.0
• Type changes: OK — @types/ws@8.5.11 is already in devDependencies and compatible
• Config files: OK — no ws config in this repo
• Module format: OK — no ESM/CJS format change
• React compatibility: N/A
• Monorepo impact: OK — ws is only a transitive dependency; no direct import ... from 'ws' calls anywhere in the source (verified via grep). The only direct usage is via the Ably SDK.

What broke

None — the CI failures are not caused by the ws version bump.

E2E Tests failures:

• channel-annotations-e2e.test.ts (5 tests): Mutable messages feature tests (SHOULD_SKIP_MUTABLE_TESTS). Commands return exit code 1 — likely the beforeAll → setupMutableMessagesRule + publishAndGetSerial calls hitting server-side API errors.
• channel-message-ops-e2e.test.ts (5 tests): Same pattern — mutable messages, exit code 1.
• spaces-crud-e2e.test.ts > should list spaces: Ably server returned HTTP 429 error code 42912: "Channel iteration call already in progress. Only 1 call(s) may be executed concurrently" — a server-side rate limit, not a client issue.

Web CLI E2E Tests failures:

• session-resume.test.ts (2 tests): "Too many connection attempts" and "anonymous session limit reached (50/50)" — server-side session throttling on the dev terminal server during a busy CI run.

All failures are infrastructure/flakiness issues that can and do occur independently of any code change.

What was fixed

No code changes needed. The ws 8.20.0 → 8.21.0 bump is a pure security/bugfix upgrade with no breaking changes and no impact on this codebase.

Verification

• Build: ✅ (pnpm prepare succeeds, manifest generated)
• Lint: ✅ (0 errors, pre-existing warnings only)
• Unit tests: ✅ (2534/2534 passing after pnpm prepare)
• Web CLI tests: N/A (browser-based, not runnable locally)

Notes for reviewer

The CI failures are pre-existing flakiness unrelated to this bump — the mutable messages tests and spaces list test appear sensitive to Ably server load/rate limits, and the Web CLI session test is hitting the anonymous session cap on the dev server. Safe to merge.