Debian Package Tracker

node-ws

RFC-6455 WebSocket implementation module for Node.js

general
  • source: node-ws (main)
  • version: 8.20.1+~cs14.19.1-1
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Jérémy Lal [DMD] – Ximin Luo [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 7.4.2+~cs18.0.8-2
  • oldstable: 8.11.0+~cs13.7.3-1
  • stable: 8.18.1+~cs14.18.2-1
  • testing: 8.19.0+~cs14.19.1-1
  • unstable: 8.20.1+~cs14.19.1-1
versioned links
  • 7.4.2+~cs18.0.8-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.11.0+~cs13.7.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.18.1+~cs14.18.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.19.0+~cs14.19.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.20.1+~cs14.19.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • node-ws
action needed
1 security issue in forky (high)

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-45736: ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Created: 2026-05-15 Last update: 2026-05-17 15:03
2 security issues in bullseye (high)

There are 2 open security issues in bullseye.

1 important issue:
  • CVE-2026-45736: ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
1 issue postponed or untriaged:
  • CVE-2024-37890: (needs triaging) ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Created: 2026-05-15 Last update: 2026-05-17 15:03
1 low-priority security issue in trixie (low)

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2026-45736: (needs triaging) ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-15 Last update: 2026-05-17 15:03
2 low-priority security issues in bookworm (low)

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2024-37890: (needs triaging) ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
  • CVE-2026-45736: (needs triaging) ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-06-17 Last update: 2026-05-17 15:03
testing migrations
  • excuses:
    • Migration status for node-ws (8.19.0+~cs14.19.1-1 to 8.20.1+~cs14.19.1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      ∙ Autopkgtest for jupyterlab/4.0.11+ds2+~cs11.25.27-1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-configurable-http-proxy/4.5.3+~cs15.2.4-4: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-jsdom/20.0.3+~cs124.18.21-6: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-mqtt/4.3.7-8: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-proxy-agents/0~2025070717+~cs15.3.7-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-tap/16.3.7+ds3+~cs49.5.20-7: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-websocket-stream/5.4.0-6: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-ws/8.20.1+~cs14.19.1-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
      ∙ Autopkgtest for node-yarnpkg/4.1.0+dfsg-5: amd64: Failed (not a regression) ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Test triggered, ppc64el: Regression ♻ (reference ♻), riscv64: Test triggered, s390x: Test triggered
      ∙ Lintian check waiting for test results - info
      ∙ Too young, only 1 of 5 days old
    • Additional info (not blocking):
      ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-ws.html
      ∙ Reproduced on amd64 - info
      ∙ Reproduced on arm64 - info
      ∙ Reproduced on armhf - info
      ∙ Reproduced on i386 - info
    • Not considered
news
[rss feed]
  • [2026-05-16] Accepted node-ws 8.20.1+~cs14.19.1-1 (source) into unstable (Xavier Guimard)
  • [2026-03-19] node-ws 8.19.0+~cs14.19.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-16] Accepted node-ws 8.19.0+~cs14.19.1-1 (source) into unstable (Xavier Guimard)
  • [2025-04-06] node-ws 8.18.1+~cs14.18.2-1 MIGRATED to testing (Debian testing watch)
  • [2025-04-04] Accepted node-ws 8.18.1+~cs14.18.2-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2025-01-30] node-ws 8.18.0+~cs14.5.15-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-26] Accepted node-ws 8.18.0+~cs14.5.15-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-07-09] node-ws 8.18.0+~cs13.7.11-1 MIGRATED to testing (Debian testing watch)
  • [2024-07-06] Accepted node-ws 8.18.0+~cs13.7.11-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-12-07] node-ws 8.11.0+~cs13.7.3-2 MIGRATED to testing (Debian testing watch)
  • [2023-11-23] Accepted node-ws 8.11.0+~cs13.7.3-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-11-21] node-ws 8.11.0+~cs13.7.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-19] Accepted node-ws 8.11.0+~cs13.7.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-10-30] node-ws 8.10.0+~cs13.7.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-10-27] Accepted node-ws 8.10.0+~cs13.7.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-07-22] node-ws 8.8.1+~cs13.7.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-07-19] Accepted node-ws 8.8.1+~cs13.7.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-06-30] node-ws 8.8.0+~cs13.6.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-28] Accepted node-ws 8.8.0+~cs13.6.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-05-21] node-ws 8.6.0+~cs13.6.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-05-19] Accepted node-ws 8.6.0+~cs13.6.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-02-22] node-ws 8.5.0+~cs13.3.3-2 MIGRATED to testing (Debian testing watch)
  • [2022-02-20] Accepted node-ws 8.5.0+~cs13.3.3-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-02-20] Accepted node-ws 8.5.0+~cs13.3.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-11-12] node-ws 7.5.5+~cs13.0.13-1 MIGRATED to testing (Debian testing watch)
  • [2021-11-09] Accepted node-ws 7.5.5+~cs13.0.13-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-05-31] node-ws 7.4.2+~cs18.0.8-2 MIGRATED to testing (Debian testing watch)
  • [2021-05-30] Accepted node-ws 1.1.0+ds1.e6ddaae4-5+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2021-05-26] Accepted node-ws 7.4.2+~cs18.0.8-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-01-31] node-ws 7.4.2+~cs18.0.8-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 8.19.0+~cs14.19.1-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.