Skip to content

chore: Bump websocket-driver from 0.7.4 to 0.7.5#4073

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/websocket-driver-0.7.5
Open

chore: Bump websocket-driver from 0.7.4 to 0.7.5#4073
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/websocket-driver-0.7.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps websocket-driver from 0.7.4 to 0.7.5.

Changelog

Sourced from websocket-driver's changelog.

0.7.5 / 2026-06-04

  • Close a draft-75/76 connection if a length header grows to exceed the configured max length
  • Fail the connection if a message is larger than the configured max length after extension processing
Commits
  • 5d6a9aa Bump version to 0.7.5
  • c55679a Fail the connection if a message is larger than the configured max length aft...
  • 5b197ca Close a draft-75/76 connection if a length header grows to exceed the configu...
  • fc93a48 Test on Node v22, v24, and v26
  • 2e82d34 Test on recent versions of Node
  • e4962db Switch from Travis CI to GitHub Actions
  • 3f2f9b7 Travis update: cache npm modules, remove sudo, run on Node 15
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [websocket-driver](https://github.com/faye/websocket-driver-node) from 0.7.4 to 0.7.5.
- [Changelog](https://github.com/faye/websocket-driver-node/blob/main/CHANGELOG.md)
- [Commits](faye/websocket-driver-node@0.7.4...0.7.5)

---
updated-dependencies:
- dependency-name: websocket-driver
  dependency-version: 0.7.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 16, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 16, 2026 00:27
@dependabot dependabot Bot added the javascript Pull requests that update javascript code label Jul 16, 2026
@dependabot dependabot Bot temporarily deployed to default-branch July 16, 2026 00:28 Inactive
@socket-security

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Network access: npm websocket-driver in module http-parser-js

Module: http-parser-js

Location: Package overview

From: ?npm/webpack-dev-server@5.2.2npm/websocket-driver@0.7.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/websocket-driver@0.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm websocket-driver is 68.0% likely to have a medium risk anomaly

Notes: The analyzed code demonstrates a standard, well-structured WebSocket client handshake and negotiation flow with appropriate validation and error handling. No malicious behavior detected in this fragment. The main concerns are typical network risk and the handling of URL-embedded credentials (possible leakage via logs). Recommend verifying related modules (HttpParser, Hybi, Proxy) for consistent security posture and ensuring logging sanitizes sensitive data.

Confidence: 0.68

Severity: 0.60

From: ?npm/webpack-dev-server@5.2.2npm/websocket-driver@0.7.5

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/websocket-driver@0.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot Bot temporarily deployed to default-branch July 16, 2026 00:29 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 16, 2026 00:30 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 16, 2026 00:31 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 16, 2026 00:31 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 16, 2026 00:35 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants