undici 6.24.0 → 6.24.1

package/docs/docs/api/WebSocket.md

@@ -20,7 +20,6 @@ When passing an object as the second argument, the following options are availab
 * **protocols** `string | string[]` (optional) - Subprotocol(s) to request the server use.
 * **dispatcher** `Dispatcher` (optional) - A custom [`Dispatcher`](/docs/docs/api/Dispatcher.md) to use for the connection.
 * **headers** `HeadersInit` (optional) - Custom headers to include in the WebSocket handshake request.
-* **maxDecompressedMessageSize** `number` (optional) - Maximum allowed size in bytes for decompressed messages when using the `permessage-deflate` extension. **Default:** `4194304` (4 MB).
 
 ### Example:
 
@@ -45,20 +44,6 @@ import { WebSocket } from 'undici'
 const ws = new WebSocket('wss://echo.websocket.events', ['echo', 'chat'])
 ```
 
-### Example with custom decompression limit:
-
-To protect against decompression bombs (small compressed payloads that expand to very large sizes), you can set a custom limit:
-
-```mjs
-import { WebSocket } from 'undici'
-
-const ws = new WebSocket('wss://echo.websocket.events', {
-  maxDecompressedMessageSize: 1 * 1024 * 1024
-})
-```
-
-> ⚠️ **Security Note**: The `maxDecompressedMessageSize` option protects against memory exhaustion attacks where a malicious server sends a small compressed payload that decompresses to an extremely large size. If you increase this limit significantly above the default, ensure your application can handle the increased memory usage.
-
 ## Read More
 
 - [MDN - WebSocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSocket)

package/lib/web/websocket/permessage-deflate.js

@@ -17,9 +17,6 @@ class PerMessageDeflate {
 
   #options = {}
 
-  /** @type {number} */
-  #maxDecompressedSize
-
   /** @type {boolean} */
   #aborted = false
 
@@ -28,12 +25,10 @@ class PerMessageDeflate {
 
   /**
    * @param {Map<string, string>} extensions
-   * @param {{ maxDecompressedMessageSize?: number }} [options]
    */
-  constructor (extensions, options = {}) {
+  constructor (extensions) {
     this.#options.serverNoContextTakeover = extensions.has('server_no_context_takeover')
     this.#options.serverMaxWindowBits = extensions.get('server_max_window_bits')
-    this.#maxDecompressedSize = options.maxDecompressedMessageSize ?? kDefaultMaxDecompressedSize
   }
 
   decompress (chunk, fin, callback) {
@@ -75,7 +70,7 @@ class PerMessageDeflate {
 
         this.#inflate[kLength] += data.length
 
-        if (this.#inflate[kLength] > this.#maxDecompressedSize) {
+        if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) {
           this.#aborted = true
           this.#inflate.removeAllListeners()
           this.#inflate.destroy()

package/lib/web/websocket/receiver.js

@@ -37,23 +37,18 @@ class ByteParser extends Writable {
   /** @type {Map<string, PerMessageDeflate>} */
   #extensions
 
-  /** @type {{ maxDecompressedMessageSize?: number }} */
-  #options
-
   /**
    * @param {import('./websocket').WebSocket} ws
    * @param {Map<string, string>|null} extensions
-   * @param {{ maxDecompressedMessageSize?: number }} [options]
    */
-  constructor (ws, extensions, options = {}) {
+  constructor (ws, extensions) {
     super()
 
     this.ws = ws
     this.#extensions = extensions == null ? new Map() : extensions
-    this.#options = options
 
     if (this.#extensions.has('permessage-deflate')) {
-      this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions, options))
+      this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions))
     }
   }
 

package/lib/web/websocket/websocket.js

@@ -44,9 +44,6 @@ class WebSocket extends EventTarget {
   /** @type {SendQueue} */
   #sendQueue
 
-  /** @type {{ maxDecompressedMessageSize?: number }} */
-  #options
-
   /**
    * @param {string} url
    * @param {string|string[]} protocols
@@ -120,11 +117,6 @@ class WebSocket extends EventTarget {
     // 10. Set this's url to urlRecord.
     this[kWebSocketURL] = new URL(urlRecord.href)
 
-    // Store options for later use (e.g., maxDecompressedMessageSize)
-    this.#options = {
-      maxDecompressedMessageSize: options.maxDecompressedMessageSize
-    }
-
     // 11. Let client be this's relevant settings object.
     const client = environmentSettingsObject.settingsObject
 
@@ -443,7 +435,7 @@ class WebSocket extends EventTarget {
     // once this happens, the connection is open
     this[kResponse] = response
 
-    const parser = new ByteParser(this, parsedExtensions, this.#options)
+    const parser = new ByteParser(this, parsedExtensions)
     parser.on('drain', onParserDrain)
     parser.on('error', onParserError.bind(this))
 
@@ -546,19 +538,6 @@ webidl.converters.WebSocketInit = webidl.dictionaryConverter([
   {
     key: 'headers',
     converter: webidl.nullableConverter(webidl.converters.HeadersInit)
-  },
-  {
-    key: 'maxDecompressedMessageSize',
-    converter: webidl.nullableConverter((V) => {
-      V = webidl.converters['unsigned long long'](V)
-      if (V <= 0) {
-        throw webidl.errors.exception({
-          header: 'WebSocket constructor',
-          message: 'maxDecompressedMessageSize must be greater than 0'
-        })
-      }
-      return V
-    })
   }
 ])
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "6.24.0",
+  "version": "6.24.1",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {

package/types/websocket.d.ts

@@ -146,12 +146,5 @@ export declare const ErrorEvent: {
 interface WebSocketInit {
   protocols?: string | string[],
   dispatcher?: Dispatcher,
-  headers?: HeadersInit,
-  /**
-   * Maximum size in bytes for decompressed WebSocket messages.
-   * When a message exceeds this limit during decompression, the connection
-   * will be closed with status code 1009 (Message Too Big).
-   * @default 4194304 (4 MB)
-   */
-  maxDecompressedMessageSize?: number
+  headers?: HeadersInit
 }