The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

• preserve transport literal suggestions (#5469) (d8f392e)

• ws@~8.21.0 (diff)

The ws dependency was bumped to ~8.21.0 following CVE-2026-48779.

• ws@~8.21.0 (diff)

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

• do not skip local broadcast when publishAndReturnOffset throws (#5457) (f630158)

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

• ws@~8.20.1 (diff)

The ws dependency was bumped to ~8.20.1 following CVE-2026-45736.

Note from the ws maintainers:

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.

• clean up resources upon WebTransport handshake failure (f86b95f)

• ws@~8.20.1 (diff)

• close HTTP requests with invalid content type (fc11285)
• handle invalid packets when upgrading to WebTransport (1fa1f46)
• prevent WebTransport connections when a middleware is registered (d1f5aa9)

• ws@~8.18.3 (no change)

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

• add a limit to the number of binary attachments (9d39f1f)

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

• add a limit to the number of binary attachments (719f9eb)

• add a limit to the number of binary attachments (b25738c)