
Update dependency ws to v3 #25

Open. Wants to merge 1 commit into base: main.

Conversation

mend-for-github-com[bot]

This PR contains the following updates:

Package | Type         | Update | Change
--------|--------------|--------|-----------------
ws      | dependencies | major  | ^1.1.1 -> ^3.0.0

By merging this PR, the issue #11 will be automatically resolved and closed:

Severity | CVSS Score | CVE
---------|------------|-------------
High     | 7.5        | WS-2017-0421
High     | 7.4        | WS-2017-0107

Release Notes

websockets/ws (ws)

v3.3.1

Compare Source

Bug fixes

  • Fixed a DoS vulnerability (c4fe466).

A specially crafted value of the Sec-WebSocket-Extensions header that
used Object.prototype property names as extension or parameter names
could be used to make a ws server crash.

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

The vulnerability has been privately reported by Nick Starke and
Ryan Knell of Sonatype Security Research and promptly fixed. Please
update now!

v3.3.0

Compare Source

Features

v3.2.0

Compare Source

Features

  • Added ability to specify the compression level (#1199).
  • Added ability to limit the number of concurrent calls to zlib (#1204).

v3.1.0

Compare Source

Features

  • Added ability to specify the handshake request timeout (#1177).

Bug fixes

  • Fixed an issue where CloseEvent#wasClean was incorrectly set to false for
    close codes in the 3000-4999 range (#1146).

v3.0.0

Compare Source

Breaking changes

  • Removed the upgradeReq property (#1099).
  • Removed unnecessary events (#1100).
  • Removed the flags argument from the 'message', 'ping', and 'pong'
    events (#1101).
  • The permessage-deflate extension is now disabled by default on the server
    (#1107).

v2.3.1

Compare Source

Bug fixes

  • Fixed an issue that prevented WebSocket.prototype.close() from working
    properly when called from a listener of the headers event (732aaf0).

v2.3.0

Compare Source

Features

  • All hooks now have access to the upgrade request (#1070).
  • The WebSocket client now emits a headers event (#1082).

v2.2.3

Compare Source

Notable changes

  • Added support for Node.js 4.1.0 - 4.4.7 (#1059).

Bug fixes

  • Fixed a bug that caused the options argument to be reassigned when
    protocols was null (20bd7c7).

v2.2.2

Compare Source

Bug fixes

  • Fixed a linter issue that prevented tests from running on CITGM (#1050).

v2.2.1

Compare Source

Bug fixes

  • WebSocket.prototype.terminate() now closes the connection immediately even
    if the other peer fails to work properly (#1033).

v2.2.0

Compare Source

Features

  • Added "fragments" as possible value for the binaryType attribute (#1018).

Bug fixes

  • A random masking key is now also used for zero-length frames (5edb460).

v2.1.0

Compare Source

Features

  • Added ability to specify URL path with UNIX domain socket URLs (060b275).

Bug fixes

  • Fixed a bug that could make the parser crash if an error was emitted
    synchronously on the socket while parsing data (6695bd4).

v2.0.3

Compare Source

Bug fixes

  • Fixed an issue that caused a stack overflow when parsing a buffer with
    thousands of frames (#992).
  • Restored support for default port numbers (f043b52).

v2.0.2

Compare Source

Notable changes

  • Added support for bufferutil@2 and utf-8-validate@3 (466e210).

v2.0.1

Compare Source

Bug fixes

  • Fixed a bug that caused wrong frames to be created (d856dcb).

v2.0.0

Compare Source

Breaking changes

  • Dropped support for Node.js < 4.5.0.
  • The new operator is now required to create all instances as we moved to ES6
    classes.
  • Error messages have been simplified.
  • The clients property of the WebSocketServer is no longer an Array but a
    Set and is only set if the clientTracking option is truthy (#806).
  • The default HTTP status message is now used when handshake fails (41e7cae).
  • Removed support for the Hixie-76 version of the protocol (#871).
  • Removed ability to specify different paths for multiple WebSocketServers
    when binding them to the same underlying HTTP/s server (#885).
  • Removed WebSocket.prototype.stream() and ability to pass a readable stream
    to WebSocket.prototype.send() (#875).
  • Removed callback argument from handleProtocols handler (#890).
  • Removed supports property from WebSocket (#918).
  • Removed WebSocket.createServer(), WebSocket.createConnection(), and
    WebSocket.connect() factory functions (#926).
  • The second argument of WebSocket.prototype.ping() and
    WebSocket.prototype.pong() is no longer an options object but a boolean
    (#951).
  • An error is emitted if WebSocket.prototype.close() is called before the
    connection is established (#956).

The following breaking changes only apply if you required the mentioned classes
directly.

  • Removed Sender inheritance from EventEmitter (#861).
  • Removed BufferPool class (73ab370).
  • Made extensions a required argument for the Receiver constructor (5f53194).
  • receiver.onbinary and receiver.ontext have been merged into
    receiver.onmessage (#939).

Features

  • Added ability to set TCP backlog for WebSocketServer (#795).
  • Added checkServerIdentity option to WebSocket (#701).
  • Added a threshold option for permessage-deflate to only compress messages
    whose size is bigger than threshold (6b3904b).
  • Added shouldHandle method to WebSocketServer to see if a request should
    be accepted or rejected. This method can be overridden by the user if
    custom logic is desired (6472425).
  • Added removeEventListener method to WebSocket (078e96a).
  • Added family option to WebSocket (#962).

Bug fixes

  • Fixed an issue that prevented permessage-deflate options from being correctly
    handled (#744).
  • All error events are now emitted with a proper Error instance (#789).
  • Fixed an issue that could cause a stack overflow crash (#810).
  • Added 1012 and 1013 to the list of allowed close codes (b58f688).
  • Fixed an issue that prevented the connection from being closed when path
    validation failed (#534).
  • Fixed an issue where the fin option of WebSocket.prototype.send() was
    unconditionally set to true (ea50be7).
  • Fixed an issue that prevented the total length of a fragmented message from
    being correctly calculated (545635d).
  • Fixed an issue where zlib.flush() was called with a wrong flush level
    (#733).
  • The callback of WebSocketServer.prototype.close() is now invoked when the
    close event is emitted by the underlying HTTP/s server (#892).
  • Fixed an issue that prevented the server from listening on IPv6 addresses
    with default settings (dcdc652).
  • Fixed an issue where the connection event was emitted even if the client
    closed the connection during the handshake process (04530ad).
  • The masking key is now generated using crypto.randomBytes() instead of
    Math.random() (7253f06).
  • Fixed an issue that, under particular circumstances, caused data to be
    discarded (#945).
  • Fixed an issue that prevented clients from being removed from the clients
    set (#955).
  • WebSocket.prototype.close() now works as expected if called on the client
    before the connection is established (#956).
  • WebSocket.prototype.send() no longer mutates the options object (#968).
  • The bufferedAmount getter now takes into account the data queued in the
    sender (#971).

v1.1.5

Compare Source

Bug fixes

  • Fixed a DoS vulnerability (f8fdcd4).

v1.1.4

Compare Source

Notable changes

  • Removed istanbul coverage folder from npm package (fac50ac).

v1.1.3

Compare Source

Notable changes

  • Added support for bufferutil@>1 and utf-8-validate@>2 (b4cf110).

v1.1.2

Compare Source

Bug fixes

  • The masking key is now generated using crypto.randomBytes() instead of
    Math.random() (#994).
  • Fixed an issue that could cause a stack overflow crash (c1f3b21).


mend-for-github-com bot added the "security fix" label (Security fix generated by Mend) on Nov 15, 2024.
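The Sec-WebSocket-Extensions crash fixed in ws v3.3.1 (quoted in the release notes above) belongs to a well-known bug class: a parser that keeps extension and parameter names in a plain JavaScript object finds inherited Object.prototype members such as `constructor` where it expected nothing, and an unexpected exception then escapes the handshake. The block below is an added example written for this page; it is not ws's code and not part of this PR. It contrasts a naive parser that fails this way with a hardened one that uses null-prototype objects and validates names as HTTP tokens, so malformed input becomes a controlled rejection rather than a crash. The function names, the `TOKEN` regex and the sample header values are this example's own assumptions.

```javascript
// Added example, not code from ws or from this PR. It shows why a header
// value like "constructor" can crash a parser that stores extension and
// parameter names in plain object literals, and one hardened alternative.
// Names (parseExtensionsNaive, parseExtensionsHardened, classify, TOKEN,
// SAMPLES) belong to this example only.

// Simplified grammar of Sec-WebSocket-Extensions (RFC 6455, section 9.1):
//   extension-list = extension *( "," extension )
//   extension      = token *( ";" token [ "=" value ] )

// Naive parser: plain {} objects inherit from Object.prototype, so a lookup
// of extensions['constructor'] finds the built-in Object function. It is
// truthy, so the array is never created, and calling .push on a function
// throws a TypeError. If nothing catches it, the server process dies.
function parseExtensionsNaive(header) {
  const extensions = {};
  for (const ext of header.split(',')) {
    const [name, ...rawParams] = ext.split(';').map((s) => s.trim());
    if (!extensions[name]) extensions[name] = [];
    const params = {};
    for (const p of rawParams) {
      const [k, v] = p.split('=').map((s) => s.trim());
      if (!params[k]) params[k] = [];
      params[k].push(v === undefined ? true : v);
    }
    extensions[name].push(params); // TypeError when name === 'constructor'
  }
  return extensions;
}

// RFC 7230 "tchar": the characters allowed in an HTTP token. Rejecting
// anything else (empty names included) turns malformed input into a
// controlled handshake failure instead of an uncaught exception.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function parseExtensionsHardened(header) {
  // Object.create(null) has no prototype, so 'constructor', '__proto__',
  // 'hasOwnProperty' and friends are ordinary, initially absent keys.
  const extensions = Object.create(null);
  for (const ext of header.split(',')) {
    const [name, ...rawParams] = ext.split(';').map((s) => s.trim());
    if (!TOKEN.test(name)) {
      throw new SyntaxError(`invalid extension name ${JSON.stringify(name)}`);
    }
    if (!Object.prototype.hasOwnProperty.call(extensions, name)) extensions[name] = [];
    const params = Object.create(null);
    for (const p of rawParams) {
      const eq = p.indexOf('=');
      const k = eq === -1 ? p : p.slice(0, eq).trim();
      const v = eq === -1 ? true : p.slice(eq + 1).trim(); // value syntax not validated here
      if (!TOKEN.test(k)) {
        throw new SyntaxError(`invalid parameter name ${JSON.stringify(k)}`);
      }
      if (!Object.prototype.hasOwnProperty.call(params, k)) params[k] = [];
      params[k].push(v);
    }
    extensions[name].push(params);
  }
  return extensions;
}

// How a server would experience each parser on a given header value:
// 'ok' (parsed), 'rejected' (malformed input; answer 400 and move on),
// or 'crashed' (an unexpected exception escaped the parser).
function classify(parser, header) {
  try {
    parser(header);
    return 'ok';
  } catch (err) {
    return err instanceof SyntaxError ? 'rejected' : 'crashed';
  }
}

// Constructed sample header values: a normal permessage-deflate offer and the
// two payloads quoted in the ws 3.3.1 release notes.
const SAMPLES = ['permessage-deflate; client_max_window_bits', 'constructor', ',;constructor'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of SAMPLES) {
    console.log(JSON.stringify(h), 'naive:', classify(parseExtensionsNaive, h),
      'hardened:', classify(parseExtensionsHardened, h));
  }
}
```

Run with `node` to see the three sample values classified by each parser. The hardened parser does two independent things: null-prototype maps remove the name collision entirely (a client may legitimately call its extension `constructor` and it will simply be stored), and token validation gives the handshake code a single, expected exception type to map to an HTTP 400 response. Either alone would have prevented the process from dying; together they also keep the parser's output well-defined for any input.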