This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: The release upgrades the `ws` dependency to version 8.21.0, fixing a remote memory‑exhaustion DoS vulnerability.
Why it matters: Affects the `ws` WebSocket bridge in Safari extensions; upgrade to ws 8.21.0 resolves the high‑severity (90) DoS risk.
Summary
AI summary: Bumped ws to 8.21.0 to fix a remote memory-exhaustion DoS vulnerability.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Bumped `ws` from 8.20.1 to 8.21.0 to fix remote memory-exhaustion DoS vulnerability. Source: llm_adapter@2026-05-26 Confidence: high | — |
Full changelog
Security
- Bumped `ws` 8.20.1 → 8.21.0 to pick up the upstream fix for a remote memory-exhaustion DoS (responsibly disclosed by Nadav Magier).
A peer streaming a high volume of tiny fragments or data chunks could OOM the receiving ws server or client. safari-mcp uses ws for the Safari extension WebSocket bridge, so the new upstream cap on retained fragments now applies. No API changes — drop-in upgrade.
Resolves Dependabot alert #18.
Full diff: https://github.com/achiya-automation/safari-mcp/compare/v2.11.4...v2.11.5
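For teams checking whether a deployment actually picked up the `ws` bump described above, this added example (not part of safari-mcp or the original release notes) scans an npm lockfile's `packages` map for every resolved copy of `ws`, including nested transitive ones, and flags those older than 8.21.0. The sample lockfile and the `some-bridge` package name are constructed; treating every version below 8.21.0 as lacking the fix is an assumption, since the page does not say whether older release lines received a backport.

```javascript
// Fixed version named in the release notes above.
const FIXED = [8, 21, 0];

// Parse "8.20.1" or "8.21.0-rc.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before the fixed release.
function isBelowFixed(version, fixed = FIXED) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== fixed[i]) return p.nums[i] < fixed[i];
  }
  return p.pre; // 8.21.0-rc.1 sorts before 8.21.0
}

// Returns [{ path, version, lacksFix }] for top-level and nested copies of ws
// found in a lockfile v2/v3 "packages" map.
function findWsCopies(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/ws" || path.endsWith("/node_modules/ws")) {
      out.push({ path, version: meta.version, lacksFix: isBelowFixed(meta.version) });
    }
  }
  return out;
}

// Constructed sample lockfile: the direct dependency is upgraded, but a
// hypothetical transitive package ("some-bridge") still pins an older copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/some-bridge": { version: "2.0.0" },
    "node_modules/some-bridge/node_modules/ws": { version: "8.20.1" },
    "node_modules/wsx": { version: "1.0.0" }, // different package, must not match
  },
};

for (const c of findWsCopies(sampleLock)) {
  console.log(`${c.lacksFix ? "UPGRADE" : "ok     "} ${c.path} @ ${c.version}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findWsCopies`.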
Security Fixes
- CVE-2024-20941 — `ws` 8.21.0 fixes remote memory-exhaustion DoS by capping retained fragments
About achiya-automation/safari-mcp
Native Safari browser automation for AI agents with 80+ tools. No Chrome dependency, optimized for Apple Silicon with 60% less CPU overhead.
Earlier breaking changes
- v2.10.5 npm audit gate now fails build on high or critical advisories.