chore(deps): bump ws and @nestjs/graphql in /sample/31-graphql-federation-code-first/posts-application

[dependabot]

Bumps ws to 8.17.1 and updates ancestor dependency @nestjs/graphql. These dependencies need to be updated together.

Updates ws from 7.5.9 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in compare view

Updates @nestjs/graphql from 12.0.11 to 12.2.0

Release notes

Sourced from @​nestjs/graphql's releases.

v12.2.0 (2024-07-02)

Bug fixes

• graphql
  • #3157 fix(graphql): add deprecationReason to ArgsOptions (@​hayatekiribayashi)
  • #3219 fix(graphql): ensure scalarsMap in buildSchemaOptions is respected (@​ssut)
• apollo, graphql
  • #3171 fix(apollo): federation interface resolver (@​mattia-lau)

Enhancements

• apollo, graphql
  • #3222 feat(graphql): add support for option newline at the end of schema file (@​sabolch)

Docs

• graphql
  • #3150 docs(graphql): added jsdoc for debug and introspection. Closes #3142 (@​aarontravass)

Dependencies

• Other
  • #3228 chore(deps): update dependency ts-jest to v29.1.5 (@​renovate[bot])
  • #3227 chore(deps): update dependency rimraf to v5.0.7 (@​renovate[bot])
  • #3223 chore(deps): update dependency lerna to v8.1.5 (@​renovate[bot])
  • #3225 chore(deps): update dependency lint-staged to v15.2.7 (@​renovate[bot])
  • #3217 fix(deps): update dependency ws to v8.17.1 [security] - autoclosed (@​renovate[bot])
  • #3199 chore(deps): update node.js to v21.7 (@​renovate[bot])
  • #3207 chore(deps): bump ejs from 3.1.9 to 3.1.10 (@​dependabot[bot])
  • #3187 chore(deps): bump follow-redirects from 1.15.5 to 1.15.6 (@​dependabot[bot])
  • #3220 chore(deps): bump braces from 3.0.2 to 3.0.3 (@​dependabot[bot])
  • #3192 chore(deps): bump undici from 5.26.3 to 5.28.3 (@​dependabot[bot])
  • #3160 chore(deps): bump ip from 1.1.8 to 1.1.9 (@​dependabot[bot])
• apollo, graphql, mercurius
  • #3229 fix(deps): update dependency tslib to v2.6.3 (@​renovate[bot])
• mercurius
  • #3195 chore(deps): update dependency mercurius to v14 (@​renovate[bot])
  • #3197 chore(deps): update dependency @​mercuriusjs/gateway to v3.0.1 - autoclosed (@​renovate[bot])
  • #3203 feat(mercurius): upgrade to mercurius v14 (@​Tony133)
• graphql
  • #3226 chore(deps): update dependency reflect-metadata to v0.2.2 (@​renovate[bot])
  • #3144 fix(deps): update dependency graphql-ws to v5.16.0 (@​renovate[bot])
  • #3159 fix(deps): update graphql-tools monorepo (@​renovate[bot])
  • #3221 chore(deps): bump ws from 8.16.0 to 8.17.1 in /packages/graphql (@​dependabot[bot])

Committers: 6

• Antonio Tripodi (@​Tony133)
• Sabolch Varha (@​sabolch)
• Suhun Han (@​ssut)
• @​aarontravass
• @​hayatekiribayashi
• @​mattia-lau

... (truncated)

Commits

• f9549c0 v12.2.0
• 36a17b3 Merge pull request #3228 from nestjs/renovate/ts-jest-29.x
• 15598ae Merge pull request #3229 from nestjs/renovate/tslib-2.x
• 966e28f chore(deps): update dependency ts-jest to v29.1.5
• 71f51b7 Merge pull request #3195 from nestjs/renovate/mercurius-14.x
• b6b11fe fix(deps): update dependency tslib to v2.6.3
• b20f91e Merge pull request #3197 from nestjs/renovate/mercuriusjs-gateway-3.x
• 535d473 Merge pull request #3226 from nestjs/renovate/reflect-metadata-0.x
• 9e88803 Merge pull request #3227 from nestjs/renovate/rimraf-5.x
• 15f30f7 chore(deps): update dependency mercurius to v14
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[coveralls]

Pull Request Test Coverage Report for Build f80ef7c9-3c15-4be3-b89f-97e8081028af

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 92.213%

---

Totals
Change from base Build 56e2d50d-3c7f-4fc4-936f-4aede6bb6364:	0.0%
Covered Lines:	6750
Relevant Lines:	7320

---

💛 - Coveralls