Bump ws, engine.io and socket.io-adapter in /js/web

[dependabot]

Bumps ws, engine.io and socket.io-adapter. These dependencies needed to be updated together.
Updates ws from 8.20.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• See full diff in compare view

Updates engine.io from 6.6.7 to 6.6.9

Release notes

Sourced from engine.io's releases.

engine.io@6.6.9

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

Dependencies

• ws@~8.21.0 (diff)

engine.io@6.6.8

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

Bug Fixes

• clean up resources upon WebTransport handshake failure (f86b95f)

Dependencies

• ws@~8.20.1 (diff)

Commits

• 9dbec81 chore(release): engine.io@6.6.9
• 3ad4e1f docs: improve example with PM2
• 0e5afee docs: add example with PM2
• eab9623 docs(eio): correct maxHttpBufferSize default in JSDoc (#5508)
• c17890c docs: add documentation about WebTransport
• 20df6ae docs(examples): add client-side load balancing example
• 16d1923 ci(publish): enable staged publishing
• ad48a9b docs(examples): add example with HTTP/2
• 190572d refactor(eio-client): remove XMLHttpRequest from the definition file
• fad463c docs(examples): fix duplicate self messages (#5341)
• Additional commits viewable in compare view

Updates socket.io-adapter from 2.5.6 to 2.5.8

Release notes

Sourced from socket.io-adapter's releases.

socket.io-adapter@2.5.8

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

socket.io-adapter@2.5.7

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

Bug Fixes

• do not skip local broadcast when publishAndReturnOffset throws (#5457) (f630158)

Commits

• ac83bfa chore(release): socket.io-adapter@2.5.8
• 22cc483 chore(release): engine.io-client@6.6.6
• 9dbec81 chore(release): engine.io@6.6.9
• 3ad4e1f docs: improve example with PM2
• 0e5afee docs: add example with PM2
• eab9623 docs(eio): correct maxHttpBufferSize default in JSDoc (#5508)
• c17890c docs: add documentation about WebTransport
• 20df6ae docs(examples): add client-side load balancing example
• 16d1923 ci(publish): enable staged publishing
• ad48a9b docs(examples): add example with HTTP/2
• Additional commits viewable in compare view