starpc 0.33.9 → 0.33.11

package/go.mod

@@ -2,27 +2,29 @@ module github.com/aperturerobotics/starpc
 
 go 1.22
 
-// This fork uses go-protobuf-lite and adds post-quantum crypto support.
-replace github.com/libp2p/go-libp2p => github.com/aperturerobotics/go-libp2p v0.33.1-0.20240511072027-002c32698a19 // aperture
+replace (
+	// This fork avoids importing net/http on wasm.
+	github.com/coder/websocket => github.com/paralin/nhooyr-websocket v1.8.13-0.20240820051708-db89d1b29ef8 // aperture-2
 
-// This fork uses go-protobuf-lite.
-replace github.com/libp2p/go-msgio => github.com/aperturerobotics/go-libp2p-msgio v0.0.0-20240511033615-1b69178aa5c8 // aperture
+	// This fork uses go-protobuf-lite and adds post-quantum crypto support.
+	github.com/libp2p/go-libp2p => github.com/aperturerobotics/go-libp2p v0.33.1-0.20240511072027-002c32698a19 // aperture
 
-// This fork avoids importing net/http on wasm.
-replace nhooyr.io/websocket => github.com/paralin/nhooyr-websocket v1.8.12-0.20240504231911-2358de657064 // aperture-1
+	// This fork uses go-protobuf-lite.
+	github.com/libp2p/go-msgio => github.com/aperturerobotics/go-libp2p-msgio v0.0.0-20240511033615-1b69178aa5c8 // aperture
+)
 
 require (
 	github.com/aperturerobotics/protobuf-go-lite v0.6.5 // latest
-	github.com/aperturerobotics/util v1.25.7 // latest
+	github.com/aperturerobotics/util v1.25.8 // latest
 )
 
 require (
-	github.com/libp2p/go-libp2p v0.36.1 // latest
-	github.com/libp2p/go-yamux/v4 v4.0.2-0.20240322071716-53ef5820bd48 // master
+	github.com/coder/websocket v1.8.12 // latest
+	github.com/libp2p/go-libp2p v0.36.3 // latest
+	github.com/libp2p/go-yamux/v4 v4.0.2-0.20240826150533-e92055b23e0e // master
 	github.com/pkg/errors v0.9.1 // latest
 	github.com/sirupsen/logrus v1.9.3 // latest
 	google.golang.org/protobuf v1.34.2 // latest
-	nhooyr.io/websocket v1.8.17 // latest
 )
 
 require (
@@ -42,7 +44,7 @@ require (
 	github.com/multiformats/go-varint v0.0.7 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect
 )

package/go.sum

@@ -4,8 +4,8 @@ github.com/aperturerobotics/json-iterator-lite v1.0.0 h1:cihbrYWoK/S2RYXhJLpDZd+
 github.com/aperturerobotics/json-iterator-lite v1.0.0/go.mod h1:snaApCEDtrHHP6UWSLKiYNOZU9A5NyzccKenx9oZEzg=
 github.com/aperturerobotics/protobuf-go-lite v0.6.5 h1:AuPPcZ7ZaJe9ZYYC4gF7/5/Xbn9Mt9uXyV3+ADWy+Ys=
 github.com/aperturerobotics/protobuf-go-lite v0.6.5/go.mod h1:YTbfnUj3feSULhs8VgepAHFnF3wUc0CPj4jd2axy21I=
-github.com/aperturerobotics/util v1.25.7 h1:e9fdF3W/E7IHdl7YAJC0jjuxGph7yzE3a5zZoLFJ3G0=
-github.com/aperturerobotics/util v1.25.7/go.mod h1:G5ybyxaL62Rdv0K5ZGqu+D1NfqlZCLYPQhdfiYhxlAg=
+github.com/aperturerobotics/util v1.25.8 h1:ERuWwwrtm1qKO/uIQOIlprmnVd5WRtm8YhDjlpJ0yV0=
+github.com/aperturerobotics/util v1.25.8/go.mod h1:Dx1gWoi21JgnWRXfMWjyhInQjulW3OfrcwEVwrxarQQ=
 github.com/cloudflare/circl v1.3.8 h1:j+V8jJt09PoeMFIu2uh5JUyEaIHTXVOHslFoLNAKqwI=
 github.com/cloudflare/circl v1.3.8/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -21,8 +21,8 @@ github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6
 github.com/libp2p/go-buffer-pool v0.1.0/go.mod h1:N+vh8gMqimBzdKkSMVuydVDq+UV5QTWy5HSiZacSbPg=
 github.com/libp2p/go-libp2p-testing v0.12.0 h1:EPvBb4kKMWO29qP4mZGyhVzUyR25dvfUIK5WDu6iPUA=
 github.com/libp2p/go-libp2p-testing v0.12.0/go.mod h1:KcGDRXyN7sQCllucn1cOOS+Dmm7ujhfEyXQL5lvkcPg=
-github.com/libp2p/go-yamux/v4 v4.0.2-0.20240322071716-53ef5820bd48 h1:KI65sCCL2h9IyCQwBhBXDgkKt3bmXoTu8T3rLVLZW4I=
-github.com/libp2p/go-yamux/v4 v4.0.2-0.20240322071716-53ef5820bd48/go.mod h1:PGP+3py2ZWDKABvqstBZtMnixEHNC7U/odnGylzur5o=
+github.com/libp2p/go-yamux/v4 v4.0.2-0.20240826150533-e92055b23e0e h1:Luuxp/lnfmJjQgGgAh5kmMZalC+8EVh/bYNQ8vS6d7I=
+github.com/libp2p/go-yamux/v4 v4.0.2-0.20240826150533-e92055b23e0e/go.mod h1:C808cCRgOs1iBwY4S71T5oxgMxgLmqUw56qh4AeBW2o=
 github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
 github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8=
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
@@ -41,8 +41,8 @@ github.com/multiformats/go-multistream v0.5.0 h1:5htLSLl7lvJk3xx3qT/8Zm9J4K8vEOf
 github.com/multiformats/go-multistream v0.5.0/go.mod h1:n6tMZiwiP2wUsR8DgfDWw1dydlEqV3l6N3/GBsX6ILA=
 github.com/multiformats/go-varint v0.0.7 h1:sWSGR+f/eu5ABZA2ZpYKBILXTTs9JWpdEM/nEGOHFS8=
 github.com/multiformats/go-varint v0.0.7/go.mod h1:r8PUYw/fD/SjBCiKOoDlGF6QawOELpZAu9eioSos/OU=
-github.com/paralin/nhooyr-websocket v1.8.12-0.20240504231911-2358de657064 h1:JV7i3sVQ6S4YhpBmTTPuRVH9WUM1xmqApX4Ffb5rOZQ=
-github.com/paralin/nhooyr-websocket v1.8.12-0.20240504231911-2358de657064/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c=
+github.com/paralin/nhooyr-websocket v1.8.13-0.20240820051708-db89d1b29ef8 h1:OZrehfqYOUl5q43cd3dvEes1zftihzNb/pN/nhzwdOg=
+github.com/paralin/nhooyr-websocket v1.8.13-0.20240820051708-db89d1b29ef8/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -57,8 +57,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI=
+golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "starpc",
-  "version": "0.33.9",
+  "version": "0.33.11",
   "description": "Streaming protobuf RPC service protocol over any two-way channel.",
   "license": "MIT",
   "author": {
@@ -113,6 +113,6 @@
     "ws": "^8.17.0"
   },
   "resolutions": {
-    "@aptre/protobuf-es-lite": "0.4.6"
+    "@aptre/protobuf-es-lite": "0.4.7"
   }
 }

package/srpc/packet-rw.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/binary"
 	"io"
+	"math"
 	"sync"
 
 	"github.com/pkg/errors"
@@ -42,8 +43,15 @@ func (r *PacketReadWriter) WritePacket(p *Packet) error {
 	defer r.writeMtx.Unlock()
 
 	msgSize := p.SizeVT()
+
+	// G115: integer overflow conversion int -> uint32 (gosec)
+	if msgSize > math.MaxUint32 {
+		return errors.New("message size exceeds maximum uint32 value")
+	}
+
 	data := make([]byte, 4+msgSize)
-	binary.LittleEndian.PutUint32(data, uint32(msgSize))
+	binary.LittleEndian.PutUint32(data, uint32(msgSize)) //nolint:gosec
+
 	_, err := p.MarshalToSizedBufferVT(data[4:])
 	if err != nil {
 		return err

package/srpc/server-http.go

@@ -7,7 +7,7 @@ import (
 	"io"
 	"net/http"
 
-	"nhooyr.io/websocket"
+	"github.com/coder/websocket"
 )
 
 // HTTPServer implements the SRPC HTTP/WebSocket server.

package/srpc/websocket.go

@@ -3,9 +3,9 @@ package srpc
 import (
 	"context"
 
+	"github.com/coder/websocket"
 	"github.com/libp2p/go-libp2p/core/network"
 	"github.com/libp2p/go-yamux/v4"
-	"nhooyr.io/websocket"
 )
 
 // NewWebSocketConn wraps a websocket into a MuxedConn.