
Update npm package ws to v8.20.1 [SECURITY]#8740

Open

hash-worker[bot] wants to merge 1 commit into main from deps/js/npm-ws-vulnerability

Conversation


@hash-worker hash-worker Bot commented May 22, 2026

This PR contains the following updates:

Package   Change            Age       Confidence
ws        8.18.3 → 8.20.1   (badge)   (badge)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-45736

Impact

The websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument.

Proof of concept

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

Patches

The vulnerability was fixed in ws@8.20.1 (websockets/ws@c0327ec).

Credits

Credit for the private and responsible disclosure of this issue goes to Nikita Skovoroda.

Remarks

Although the calculated CVSS severity is medium, the actual severity is believed to be low, as the flaw is only exploitable through misuse that is unlikely in practice.
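The advisory above describes a misuse path rather than a protocol-level attack: the reason argument reaches websocket.close() as a TypedArray instead of the supported string or Buffer. Upgrading to 8.20.1 is the fix; on the application side, a thin wrapper that normalises the reason to a fully initialised Buffer before calling close() keeps callers on the documented input types regardless of which ws version is installed. The following is an added example, not code from ws or from this PR: the names `toCloseReason`, `safeClose` and `demo` and the stub socket are assumptions, and the 123-byte limit is the RFC 6455 Close frame reason limit (125-byte control payload minus the 2-byte status code), which ws also enforces.

```javascript
// Added example (not part of ws or this PR): normalise a close reason before
// handing it to websocket.close(). Strings and Buffers pass through as copies;
// any other binary view is copied byte-for-byte from the caller's own memory,
// so nothing the caller did not write can be forwarded to the remote peer.

// RFC 6455: a Close frame payload is at most 125 bytes, 2 of which carry the
// status code, leaving 123 bytes for the reason text.
const MAX_CLOSE_REASON_BYTES = 123;

function toCloseReason(reason) {
  let buf;
  if (reason === undefined || reason === null) {
    buf = Buffer.alloc(0);
  } else if (typeof reason === 'string') {
    buf = Buffer.from(reason, 'utf8');
  } else if (Buffer.isBuffer(reason)) {
    // Copy so that later mutation by the caller cannot bypass the length check.
    buf = Buffer.from(reason);
  } else if (ArrayBuffer.isView(reason)) {
    // Float32Array, Uint16Array, DataView, ...: honour the view's byteOffset and
    // byteLength and copy exactly those bytes. Buffer.from(view) would instead
    // truncate each element to one byte for non-Uint8 views.
    buf = Buffer.from(
      Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength)
    );
  } else if (reason instanceof ArrayBuffer) {
    buf = Buffer.from(new Uint8Array(reason));
  } else {
    throw new TypeError(
      `close reason must be a string, Buffer, ArrayBuffer or ArrayBufferView, got ${typeof reason}`
    );
  }
  if (buf.length > MAX_CLOSE_REASON_BYTES) {
    throw new RangeError(
      `close reason is ${buf.length} bytes; the maximum is ${MAX_CLOSE_REASON_BYTES}`
    );
  }
  return buf;
}

// Wrapper for any object with a ws-style close(code, reason) method (hypothetical
// helper). Returns the Buffer actually passed on, which is handy for logging.
function safeClose(socket, code = 1000, reason) {
  const buf = toCloseReason(reason);
  socket.close(code, buf);
  return buf;
}

// Stand-alone demonstration against a stub socket (assumption: no ws install
// needed). The Float32Array case mirrors the advisory's proof of concept and
// yields 80 zero bytes, i.e. exactly the caller's (zero-initialised) data.
function demo() {
  const calls = [];
  const stubSocket = { close: (code, reason) => calls.push({ code, reason }) };
  safeClose(stubSocket, 1000, new Float32Array(20));
  safeClose(stubSocket, 1001, 'going away');
  return calls;
}
```

Drop-in use is `safeClose(ws, 1000, reason)` wherever the application currently calls `ws.close(...)`; the wrapper rejects non-binary, non-string inputs with a TypeError instead of letting them reach the library.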

Release Notes

websockets/ws (ws)

v8.20.1

Compare Source

Bug fixes
  • Fixed an uninitialized memory disclosure issue in websocket.close()
    (c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

The issue was privately reported by Nikita Skovoroda.

v8.20.0

Compare Source

Features
  • Added exports for the PerMessageDeflate class and utilities for the
    Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

v8.19.0

Compare Source

Features
  • Added the closeTimeout option (#2308).
Bug fixes
  • Handled a forthcoming breaking change in Node.js core (1998485).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@hash-worker hash-worker Bot enabled auto-merge May 22, 2026 12:24
vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project               Deployment   Actions            Updated (UTC)
hash                  Error        Error              May 23, 2026 12:36pm

2 Skipped Deployments

Project               Deployment   Actions            Updated (UTC)
hashdotdesign-tokens  Ignored      Ignored, Preview   May 23, 2026 12:36pm
petrinaut             Skipped      Skipped            May 23, 2026 12:36pm


hash-worker Bot commented May 22, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
error This project's package.json defines "packageManager": "yarn@4.12.0". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.

@cursor

cursor Bot commented May 22, 2026

PR Summary

Low Risk
Low risk dependency bump affecting WebSocket behavior only; should mainly be a security/bugfix update but could surface subtle runtime differences in WS close/error handling.

Overview
Updates the ws dependency from 8.18.3 to 8.20.1 in apps/hash-api and apps/plugin-browser to pick up the upstream security fix for websocket.close() uninitialized memory disclosure when misused with TypedArray reasons.

Reviewed by Cursor Bugbot for commit ba7d376. Bugbot is set up for automated code reviews on this repo. Configure here.

@github-actions github-actions Bot added labels area/deps (Relates to third-party dependencies (area)), area/apps > hash* (Affects HASH (a `hash-*` app)), area/apps > hash-api (Affects the HASH API (app)), type/eng > backend (Owned by the @backend team) and area/apps on May 22, 2026
@augmentcode

augmentcode Bot commented May 22, 2026

🤖 Augment PR Summary

Summary: Updates the pinned ws dependency to 8.20.1 in apps/hash-api and apps/plugin-browser to address a security advisory.

Changes:

  • Bumped ws from 8.18.38.20.1 in both app package manifests (includes the fix for the websocket.close() uninitialized-memory disclosure when misused with a TypedArray reason).



@augmentcode augmentcode Bot left a comment


Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit ba7d376. Configure here.

"tsx": "4.20.6",
"typescript": "5.9.3",
"ws": "8.18.3"
"ws": "8.20.1"
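Review bot: the manifest bump from "ws": "8.18.3" to "ws": "8.20.1" has no matching yarn.lock change in this commit. The artifact update for yarn.lock failed above (Yarn 1.22.22 was invoked where the project declares "packageManager": "yarn@4.12.0" under Corepack), so the lockfile still resolves both workspaces to ws@8.18.3 and an install from it will not pick up the fixed version. Regenerate the lockfile with Corepack enabled (corepack enable, then yarn install) and commit it together with the manifest changes before this is merged; until then the PR does not actually remediate CVE-2026-45736.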

Lockfile still pins vulnerable ws

Medium Severity

This PR bumps ws to 8.20.1 in both workspace manifests, but yarn.lock still resolves @apps/hash-api and @apps/plugin-browser to ws@8.18.3. Yarn Berry installs from the lockfile, so the CVE fix may not land until the lockfile is regenerated and committed with the manifest changes.

Reviewed by Cursor Bugbot for commit ba7d376. Configure here.
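The lockfile drift flagged above is a general failure mode of automated dependency bumps: the manifest moves, the lockfile does not, and the install silently keeps the old version. A small check that compares each workspace manifest against the lockfile's resolved entries catches this before merge. The following is an added example, not code from this repository, from Renovate or from Cursor; it assumes the Yarn Berry (v2+) yarn.lock layout, where each package entry is headed by a quoted, comma-separated descriptor list such as "ws@npm:8.18.3": followed by an indented version: line, and the manifests and lockfile text it uses are constructed sample data modelled on this PR.

```javascript
// Added example (not part of this repository, Renovate or Yarn): report workspace
// manifests whose pinned dependency the Yarn Berry lockfile does not resolve.
// Assumes the Berry (v2+) yarn.lock layout; SAMPLE_MANIFESTS and the lockfile
// strings below are constructed data shaped after this PR, not the real files.

// Parse yarn.lock into [{ descriptors: [...], version }] entries.
function parseYarnBerryLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (line.startsWith('__metadata')) {
      current = null; // lockfile header block, not a package entry
      continue;
    }
    // Entry header: unindented, e.g.  "ws@npm:8.18.3, ws@npm:^8.0.0":
    const header = !line.startsWith(' ') && line.match(/^"?(.+?)"?:\s*$/);
    if (header) {
      current = { descriptors: header[1].split(',').map((d) => d.trim()), version: null };
      entries.push(current);
      continue;
    }
    const version = current && line.match(/^\s+version:\s*"?([^"\s]+)"?\s*$/);
    if (version) current.version = version[1];
  }
  return entries;
}

const isExactPin = (range) => /^\d+\.\d+\.\d+$/.test(range);

// For every dependency of every manifest, look for the descriptor "<name>@npm:<range>"
// in the lockfile. "missing" means no entry covers that descriptor at all (the
// lockfile was not regenerated); "mismatch" means an exact pin resolves elsewhere.
function findLockfileDrift(manifests, lockText) {
  const entries = parseYarnBerryLock(lockText);
  const findings = [];
  for (const { workspace, dependencies } of manifests) {
    for (const [name, range] of Object.entries(dependencies)) {
      const descriptor = `${name}@npm:${range}`;
      const entry = entries.find((e) => e.descriptors.includes(descriptor));
      if (!entry) {
        const stale = entries
          .filter((e) => e.descriptors.some((d) => d.startsWith(`${name}@npm:`)))
          .map((e) => e.version);
        findings.push({ workspace, name, range, status: 'missing', lockedVersions: stale });
      } else if (isExactPin(range) && entry.version !== range) {
        findings.push({ workspace, name, range, status: 'mismatch', lockedVersions: [entry.version] });
      }
    }
  }
  return findings;
}

function formatFindings(findings) {
  return findings.map(
    (f) =>
      `${f.workspace}: ${f.name}@${f.range} ${f.status}` +
      (f.lockedVersions.length ? ` (lockfile has ${f.lockedVersions.join(', ')})` : '')
  );
}

// Constructed sample: both app manifests already bumped to 8.20.1 ...
const SAMPLE_MANIFESTS = [
  { workspace: 'apps/hash-api', dependencies: { ws: '8.20.1', typescript: '5.9.3' } },
  { workspace: 'apps/plugin-browser', dependencies: { ws: '8.20.1' } },
];

// ... while the lockfile still carries only the old ws entry.
const STALE_LOCKFILE = `# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 8
  cacheKey: 10c0

"typescript@npm:5.9.3":
  version: 5.9.3
  resolution: "typescript@npm:5.9.3"
  languageName: node
  linkType: hard

"ws@npm:8.18.3":
  version: 8.18.3
  resolution: "ws@npm:8.18.3"
  languageName: node
  linkType: hard
`;

// The same lockfile after a successful `yarn install` regenerated the ws entry.
const FRESH_LOCKFILE = STALE_LOCKFILE.replace(/8\.18\.3/g, '8.20.1');
```

Running `formatFindings(findLockfileDrift(SAMPLE_MANIFESTS, STALE_LOCKFILE))` lists both workspaces as missing with the lockfile still at 8.18.3, and the fresh lockfile produces no findings. In CI the same guarantee comes from `yarn install --immutable`, which fails whenever the lockfile would have to change; the artifact failure earlier in this thread shows why the bot could not do that regeneration itself (Corepack was not enabled, so Yarn 1.22.22 ran instead of the declared yarn@4.12.0).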

@hash-worker hash-worker Bot changed the title Update npm package ws to v8.20.1 [SECURITY] Update npm package ws to v8.20.1 [SECURITY] - autoclosed May 23, 2026
@hash-worker hash-worker Bot closed this May 23, 2026
auto-merge was automatically disabled May 23, 2026 11:12

Pull request was closed

@hash-worker hash-worker Bot deleted the deps/js/npm-ws-vulnerability branch May 23, 2026 11:12
@hash-worker hash-worker Bot changed the title Update npm package ws to v8.20.1 [SECURITY] - autoclosed Update npm package ws to v8.20.1 [SECURITY] May 23, 2026
@hash-worker hash-worker Bot reopened this May 23, 2026
@hash-worker hash-worker Bot force-pushed the deps/js/npm-ws-vulnerability branch 2 times, most recently from ba7d376 to ba52300 Compare May 23, 2026 12:35
@vercel vercel Bot temporarily deployed to Preview – petrinaut May 23, 2026 12:35 Inactive