
chore(deps): bump ws and convex #85

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/multi-fbbea9f1be

Conversation

dependabot[bot] commented on behalf of github on Jun 24, 2026

Bumps ws to 8.21.0 and updates ancestor dependency convex. These dependencies need to be updated together.

Updates ws from 8.20.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

```js
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  // One-byte payload, never marked as the final fragment, so the peer
  // keeps buffering fragments of a message that is never completed.
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    // Send the next tiny fragment as soon as the previous one is flushed.
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});
```

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.


Updates convex from 1.40.0 to 1.42.0

Changelog

Sourced from convex's changelog.

1.42.0

  • Added a new npx convex project create command that can be used to create new projects programmatically.
  • Added a new --names-only flag to npx convex env list (and npx convex env default list). This flag shows the names of the env vars that are set, without the values. It can be useful to let AI coding agents know the variables that are set on a deployment, without giving them the actual values.
  • Added a new useStaleSnapshot option to the arguments for runQuery. This is an advanced feature that can be used to allow mutations to avoid optimistic concurrency control (OCC) conflicts in some cases where they can commit even though they depend on conflicting reads. This change allows us to improve the performance of some of the official Convex components, including Workpool.
  • Improved the documentation of db.* methods to more clearly explain the difference between the old APIs without table names (e.g. db.get(userId)) and the new APIs with table names (e.g. db.get("users", userId)).
  • Fixed an issue where the CLI would not surface permission errors correctly when the user or token doesn’t have permission to do something.
  • Exposes the current scheduled function's ID as scheduledFunctionId in ctx.meta.getRequestMetadata().
  • npx convex insights has a new --json flag that makes the command output easier to parse programmatically.
  • File storage: marked a few TypeScript types in convex/server as @deprecated (FileMetadata, FileStorageId, StorageId). These types are used only by file storage APIs that were deprecated in convex@1.6.0, so we also marked them as @deprecated for clarity.
  • Bumps the ws peer dependency to avoid a vulnerable range.

1.41.0

  • It is now possible to set limits on nested queries and mutations with the new transactionLimits option in runQuery/runMutation.
  • npx convex ai-files now installs skills with separate copies of each skill for each coding agent instead of using symlinks. We made this change to avoid known issues with symlinks on Windows.
  • When using Convex in anonymous mode (without a Convex account), npx convex dev now starts a different dashboard server for each deployment. This ensures the dashboard always connects to the right deployment when multiple deployments are running at the same time.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

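The release note above explains the attack in one sentence: a per-message byte cap (ws's `maxPayload`) does not bound the number of fragment objects a peer can make the receiver hold, so a flood of one-byte, non-final fragments stays far under the byte limit while the per-object overhead exhausts memory. The following is an added example, not code from ws or from this repository: a minimal fragment reassembler with a byte cap and a separate fragment-count cap, fed the same kind of constructed one-byte fragment stream the proof of concept sends. The `Reassembler` class, the overhead constant and the 1009 ("Message Too Big") close code are this example's own assumptions about how such a limit is enforced; ws's real `maxFragments`/`maxBufferedChunks` defaults and behaviour are not stated on this page.

```javascript
'use strict';

// Rough per-fragment bookkeeping cost (Buffer/Uint8Array object plus its
// ArrayBuffer and an array slot). An assumption used only to illustrate why
// object count, not payload bytes, is what the flood exhausts.
const APPROX_OVERHEAD_PER_FRAGMENT = 96;

// Error raised when a limit is hit; `code` mirrors the WebSocket close code
// a server would send (1009 = Message Too Big).
class LimitError extends Error {
  constructor(message, code) {
    super(message);
    this.code = code;
  }
}

// Reassembles fragmented messages from frames of shape { fin, payload }.
// `maxPayload` caps total bytes of one message (the only knob on vulnerable
// versions); `maxFragments` caps how many fragments may be buffered.
class Reassembler {
  constructor({ maxPayload = 100 * 1024 * 1024, maxFragments = Infinity } = {}) {
    this.maxPayload = maxPayload;
    this.maxFragments = maxFragments;
    this.fragments = [];
    this.totalLength = 0;
  }

  // Returns the complete message Buffer when `fin` is set, null while the
  // message is still being assembled, and throws LimitError on violation.
  push({ fin, payload }) {
    if (this.totalLength + payload.length > this.maxPayload) {
      throw new LimitError('max payload size exceeded', 1009);
    }
    if (this.fragments.length + 1 > this.maxFragments) {
      throw new LimitError('max fragment count exceeded', 1009);
    }
    this.fragments.push(payload);
    this.totalLength += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.fragments, this.totalLength);
    this.fragments = [];
    this.totalLength = 0;
    return message;
  }

  // Payload bytes plus the estimated object overhead currently held.
  estimatedMemory() {
    return this.totalLength + this.fragments.length * APPROX_OVERHEAD_PER_FRAGMENT;
  }
}

// Simulates the proof of concept: `count` one-byte, non-final fragments,
// each a fresh Buffer as it would be after decoding a frame off the wire.
function floodTinyFragments(reassembler, count) {
  let accepted = 0;
  try {
    for (let i = 0; i < count; i++) {
      reassembler.push({ fin: false, payload: Buffer.alloc(1) });
      accepted++;
    }
    return { accepted, rejected: false, code: null, estimatedMemory: reassembler.estimatedMemory() };
  } catch (err) {
    if (!(err instanceof LimitError)) throw err;
    return { accepted, rejected: true, code: err.code, estimatedMemory: reassembler.estimatedMemory() };
  }
}

// Byte cap only: every fragment is accepted and overhead dwarfs payload.
const unbounded = floodTinyFragments(new Reassembler(), 100000);
// Byte cap plus fragment cap: the flood is cut off at the 1025th fragment.
const bounded = floodTinyFragments(new Reassembler({ maxFragments: 1024 }), 100000);
console.log('byte cap only    :', unbounded);
console.log('with fragment cap:', bounded);

module.exports = { Reassembler, LimitError, floodTinyFragments, APPROX_OVERHEAD_PER_FRAGMENT };
```

With only `maxPayload` in force, 100,000 one-byte fragments are all accepted: 100 KB of payload sits well under the default 100 MiB cap while the receiver holds 100,000 live objects, which is the ratio the advisory describes. Capping fragment count ends the same stream after 1024 fragments with a 1009 close. On ws 8.21.0 the corresponding knobs are the `maxFragments` and `maxBufferedChunks` options named in the release notes; on vulnerable versions the note's advice to lower `maxPayload` shrinks the worst case but does not bound object count, so it is a mitigation, not a fix.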

Summary by cubic

Upgrades convex to 1.42.0 and ws to 8.21.0 to fix a ws DoS vulnerability and align with convex’s required range. No app code changes.

  • Dependencies
    • convex 1.42.0: updates ws and includes minor CLI/features; no breaking changes.
    • ws 8.21.0: adds fragment/chunk limits; fixes remote memory exhaustion DoS.

Written for commit a2426cb. Summary will update on new commits.


Bumps [ws](https://github.com/websockets/ws) to 8.21.0 and updates ancestor dependency [convex](https://github.com/get-convex/convex-backend/tree/HEAD/npm-packages/convex). These dependencies need to be updated together.


Updates `ws` from 8.20.1 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.1...8.21.0)

Updates `convex` from 1.40.0 to 1.42.0
- [Release notes](https://github.com/get-convex/convex-backend/releases)
- [Changelog](https://github.com/get-convex/convex-backend/blob/main/npm-packages/convex/CHANGELOG.md)
- [Commits](https://github.com/get-convex/convex-backend/commits/HEAD/npm-packages/convex)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
- dependency-name: convex
  dependency-version: 1.42.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and javascript labels on Jun 24, 2026
vercel[bot] commented on Jun 24, 2026

The latest updates on your projects:

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| version-watch | Ready | Preview, Comment | Jun 24, 2026 2:50am |
