Bump ws from 8.18.0 to 8.20.1 in the npm_and_yarn group across 1 directory by dependabot[bot] · Pull Request #47 · LCSOGthb/Games

dependabot · 2026-05-24T04:27:55Z

User description

Bumps the npm_and_yarn group with 1 update in the / directory: ws.

Updates ws from 8.18.0 to 8.20.1

Release notes

8.20.1

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});
The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

Added the closeTimeout option (#2308).

Bug fixes

Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

5d9b316 [dist] 8.20.1
c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
ce2a3d6 [ci] Test on node 26
58e45b8 [ci] Do not test on node 25
5f26c24 [ci] Run the lint step on node 24
8439255 [dist] 8.20.0
d3503c1 [minor] Export the PerMessageDeflate class and header utils
3ee5349 [api] Convert the isServer and maxPayload parameters to options
91707b4 [doc] Add missing space
8b55319 [pkg] Update eslint to version 10.0.1
Additional commits viewable in compare view

CodeAnt-AI Description

Update Cloudflare tooling and websocket handling to current releases

What Changed

Upgraded wrangler and its bundled runtime packages to newer releases
Updated ws to 8.20.1, which fixes a memory disclosure issue when closing websocket connections with unsupported input types
Raised the required Node.js version for these tools to match the newer releases

Impact

✅ Safer websocket shutdowns
✅ Fewer security risks in Cloudflare deploy tooling
✅ Clearer support for current Node.js versions

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

vercel · 2026-05-24T04:27:59Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
games	Error		May 27, 2026 12:33pm

netlify · 2026-05-24T04:28:00Z

✅ Deploy Preview for lsngames ready!

Name	Link
🔨 Latest commit	`d30bb8b`
🔍 Latest deploy log	https://app.netlify.com/projects/lsngames/deploys/6a16e4853f464a0008cd0067
😎 Deploy Preview	https://deploy-preview-47--lsngames.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

difflens · 2026-05-24T04:28:04Z

View changes in DiffLens

difflens · 2026-05-24T04:28:09Z

View changes in DiffLens

socket-security · 2026-05-24T04:28:16Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	wrangler@4.80.0 ⏵ 4.95.0			⁺¹

View full report

what-the-diff · 2026-05-24T04:28:17Z

PR Summary

Upgraded wrangler, @cloudflare/kv-asset-handler, @cloudflare/unenv-preset, workerd, miniflare, undici, and ws packages
The versions of vital development and cloud instructions software have been updated, resulting in more stable, efficient, and enhanced features.
Increased node engine requirement
The minimum requirement for the node engine has been raised, ensuring the compatibility with the latest features and improving the overall security of our software.
Introduced new package rosie-skills
A new package, rosie-skills, has been added along with its different versions for various platforms such as Linux, Darwin, and FreeBSD. This addition expands our software capabilities and makes it more versatile.

devin-ai-integration

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

deepsource-io · 2026-05-24T04:28:32Z

DeepSource Code Review

We reviewed changes in a2f8011...d30bb8b on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade	Security Reliability Complexity Hygiene

Code Review Summary

Analyzer	Updated (UTC)	Details
JavaScript	May 27, 2026 12:33p.m.	Review ↗
Python	May 27, 2026 12:33p.m.	Review ↗
Rust	May 27, 2026 12:33p.m.	Review ↗
Secrets	May 27, 2026 12:33p.m.	Review ↗
Ruby	May 27, 2026 12:33p.m.	Review ↗
Shell	May 27, 2026 12:33p.m.	Review ↗
Scala	May 27, 2026 12:33p.m.	Review ↗
SQL	May 27, 2026 12:33p.m.	Review ↗
Terraform	May 27, 2026 12:33p.m.	Review ↗
Code coverage	May 27, 2026 12:33p.m.	Review ↗
Swift	May 27, 2026 12:33p.m.	Review ↗
C & C++	May 27, 2026 12:33p.m.	Review ↗
C#	May 27, 2026 12:33p.m.	Review ↗
Ansible	May 27, 2026 12:33p.m.	Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

kilo-code-bot · 2026-05-24T04:29:26Z

Code Review Summary

Status: No Issues Found | Recommendation: Merge

This PR updates development dependencies:

wrangler: ^4.80.0 → ^4.95.0
ws: 8.18.0 → 8.20.1 (security fix for uninitialized memory disclosure)
@cloudflare/kv-asset-handler: 0.4.2 → 0.5.0
@cloudflare/unenv-preset: 2.16.0 → 2.16.1
undici: 7.24.4 → 7.24.8
workerd: 1.20260401.1 → 1.20260526.1
Adds new rosie-skills optional dependency

These are routine dependency updates with no application code changes. The ws update includes the security fix mentioned in the original review.

Note: package-lock.json changes are generated file updates and were not reviewed per review guidelines.

Files Reviewed (2 files)

package.json - Dependency version updates only
package-lock.json - Generated file (not reviewed per guidelines)

_{Reviewed by laguna-m.1-20260312:free · 185,120 tokens}

codacy-production · 2026-05-24T04:29:46Z

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results

Complexity 0

Duplication 0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer}
_{TIP This summary will be updated as you push new changes.}

difflens · 2026-05-24T09:29:30Z

View changes in DiffLens

LCSOGthb · 2026-05-24T09:36:15Z

@cubic-dev-ai review this

cubic-dev-ai · 2026-05-24T09:36:20Z

@cubic-dev-ai review this

@LCSOGthb Couldn't start the review: PR author @dependabot[bot] does not have an enabled seat on this installation. Please assign a seat in your subscription settings.

LCSOGthb · 2026-05-24T09:37:01Z

@cubic-dev-ai review this

cubic-dev-ai · 2026-05-24T09:37:05Z

@cubic-dev-ai review this

@LCSOGthb I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai

No issues found across 2 files

_{Shadow auto-approve: would require human review. This PR updates multiple dependencies including the production dependency ws, which has security fixes and feature additions, so human review is needed to assess any potential breaking changes.

Re-trigger cubic}

LCSOGthb · 2026-05-27T12:15:44Z

@dependabot rebase

dependabot · 2026-05-27T12:15:48Z

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

LCSOGthb · 2026-05-27T12:16:01Z

@dependabot recreate

cr-gpt · 2026-05-27T12:18:02Z

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

codeant-ai · 2026-05-27T12:18:03Z

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

LCSOGthb · 2026-05-27T12:18:55Z

@CodeAnt-AI review

codeant-ai · 2026-05-27T12:19:02Z

CodeAnt AI is running the review.

codspeed-hq · 2026-05-27T12:19:21Z

Merging this PR will not alter performance

✅ 13 untouched benchmarks

_{Comparing dependabot/npm_and_yarn/npm_and_yarn-e5a46ec0e1 (d30bb8b) with main (a2f8011)}

difflens · 2026-05-27T12:20:15Z

View changes in DiffLens

codeant-ai · 2026-05-27T12:20:17Z

Sequence Diagram

This PR updates the Cloudflare worker tooling (wrangler, miniflare, workerd) and the ws library, affecting how local development serves workers and safely manages WebSocket connections.

sequenceDiagram
    participant Developer
    participant WranglerCLI
    participant LocalRuntime
    participant WebClient
    participant WebSocketLib

    Developer->>WranglerCLI: Run wrangler dev
    WranglerCLI->>LocalRuntime: Start worker preview with updated runtime
    WebClient->>LocalRuntime: Connect and upgrade to WebSocket
    LocalRuntime->>WebSocketLib: Handle WebSocket session
    WebSocketLib-->>WebClient: Exchange messages and close with safe reason handling

Generated by CodeAnt AI

codeant-ai · 2026-05-27T12:22:01Z

CodeAnt AI finished running the review.

cubic-dev-ai

No issues found across 2 files

Confidence score: 5/5

Automated review surfaced no issues in the provided summaries.
No files require special attention.

_{Shadow auto-approve: would require human review. This PR updates Cloudflare tooling (wrangler, workerd, kv-asset-handler) which includes an engine requirement change to Node.js >=22, and while the ws security fix is important, the multi-package dependency update carries moderate risk that should be reviewed by a human for compatibility and...

Re-trigger cubic}

cr-gpt · 2026-05-27T12:27:15Z

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

difflens · 2026-05-27T12:27:36Z

View changes in DiffLens

guardrails · 2026-05-27T12:27:40Z

⚠️ We detected 5 security issues in this pull request:

Vulnerable Libraries (5)

Severity	Details
Medium	pkg:npm/next@15.5.18 upgrade to: > 15.5.18
High	pkg:npm/wrangler@4.95.0 upgrade to: > 4.95.0
Medium	pkg:npm/vitest@4.1.7 upgrade to: > 4.1.7
High	pkg:npm/eslint-config-next@15.3.4 upgrade to: > 15.3.4
Medium	pkg:npm/@tailwindcss/postcss@4.1.18 (t) upgrade to: > 4.1.18

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

Bumps the npm_and_yarn group with 1 update in the / directory: [ws](https://github.com/websockets/ws). Updates `ws` from 8.18.0 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.0...8.20.1) --- updated-dependencies: - dependency-name: ws dependency-version: 8.20.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

cr-gpt · 2026-05-27T12:33:11Z

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

difflens · 2026-05-27T12:33:18Z

View changes in DiffLens

codescene-delta-analysis

No application code in the PR — skipped Code Health checks.

See analysis details in CodeScene

Quality Gate Profile: Pay Down Tech Debt
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.

codacy-production · 2026-05-27T12:53:05Z

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer}
_{TIP This summary will be updated as you push new changes.}

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 24, 2026

pull-request-size Bot added the size/XS label May 24, 2026

vercel Bot had a problem deploying to Preview May 24, 2026 04:28 Failure

devin-ai-integration Bot reviewed May 24, 2026

View reviewed changes

This comment was marked as outdated.

Sign in to view

LCSOGthb force-pushed the dependabot/npm_and_yarn/npm_and_yarn-e5a46ec0e1 branch from 49d84f1 to dfc387a Compare May 24, 2026 09:29

This comment was marked as outdated.

Sign in to view

vercel Bot had a problem deploying to Preview May 24, 2026 09:29 Failure

cubic-dev-ai Bot reviewed May 24, 2026

View reviewed changes

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-e5a46ec0e1 branch from dfc387a to 1764225 Compare May 27, 2026 12:17

vercel Bot had a problem deploying to Preview May 27, 2026 12:18 Failure

codeant-ai Bot added the size:L This PR changes 100-499 lines, ignoring generated files label May 27, 2026

cubic-dev-ai Bot reviewed May 27, 2026

View reviewed changes

vercel Bot had a problem deploying to Preview May 27, 2026 12:27 Failure

This comment was marked as outdated.

Sign in to view

LCSOGthb force-pushed the dependabot/npm_and_yarn/npm_and_yarn-e5a46ec0e1 branch from 678155f to d30bb8b Compare May 27, 2026 12:33

codescene-delta-analysis Bot approved these changes May 27, 2026

View reviewed changes

vercel Bot had a problem deploying to Preview May 27, 2026 12:33 Failure

LCSOGthb merged commit a7a952c into main May 27, 2026
50 of 56 checks passed

LCSOGthb deleted the dependabot/npm_and_yarn/npm_and_yarn-e5a46ec0e1 branch May 27, 2026 12:46

Conversation

dependabot Bot commented on behalf of github May 24, 2026 • edited by codeant-ai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

User description

8.20.1

Bug fixes

8.20.0

Features

8.19.0

Features

Bug fixes

CodeAnt-AI Description

What Changed

Impact

Checking Your Pull Request

Talking to CodeAnt AI

Example

Preserve Org Learnings with CodeAnt

Example

Retrigger review

Check Your Repository Health

Uh oh!

vercel Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

netlify Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for lsngames ready!

Uh oh!

difflens Bot commented May 24, 2026

Uh oh!

difflens Bot commented May 24, 2026

Uh oh!

socket-security Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

what-the-diff Bot commented May 24, 2026

PR Summary

Uh oh!

devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

✅ Devin Review: No Issues Found

Uh oh!

deepsource-io Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

DeepSource Code Review

PR Report Card

Code Review Summary

Uh oh!

This comment was marked as outdated.

Uh oh!

kilo-code-bot Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Summary

Uh oh!

codacy-production Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Up to standards ✅

Uh oh!

difflens Bot commented May 24, 2026

Uh oh!

This comment was marked as outdated.

Uh oh!

LCSOGthb commented May 24, 2026

Uh oh!

cubic-dev-ai Bot commented May 24, 2026

Uh oh!

LCSOGthb commented May 24, 2026

Uh oh!

cubic-dev-ai Bot commented May 24, 2026

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

LCSOGthb commented May 27, 2026

Uh oh!

dependabot Bot commented on behalf of github May 27, 2026

Uh oh!

LCSOGthb commented May 27, 2026

Uh oh!

dependabot Bot commented on behalf of github May 24, 2026 •

edited by codeant-ai Bot

Loading

vercel Bot commented May 24, 2026 •

edited

Loading

netlify Bot commented May 24, 2026 •

edited

Loading

socket-security Bot commented May 24, 2026 •

edited

Loading

deepsource-io Bot commented May 24, 2026 •

edited

Loading

kilo-code-bot Bot commented May 24, 2026 •

edited

Loading

codacy-production Bot commented May 24, 2026 •

edited

Loading

codspeed-hq Bot commented May 27, 2026 •

edited

Loading

guardrails Bot commented May 27, 2026 •

edited

Loading