This repository was archived by the owner on Nov 16, 2022. It is now read-only.

Bump ws and tmi.js in /src/nodejs #24

Open
dependabot[bot] wants to merge 1 commit into master from
dependabot/npm_and_yarn/src/nodejs/ws-and-tmi.js-7.4.6

Conversation

@dependabot dependabot bot commented on behalf of github Nov 16, 2022

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps ws to 7.4.6 and updates ancestor dependency tmi.js. These dependencies need to be updated together.

Updates ws from 7.4.2 to 7.4.6

Release notes

Sourced from ws's releases.

7.4.6

Bug fixes

  • Fixed a ReDoS vulnerability (00c425ec).

A specially crafted value of the Sec-Websocket-Protocol header could be used to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
  value.trim().split(/ *, */);
  const end = process.hrtime.bigint();
  console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

7.4.5

Bug fixes

  • UTF-8 validation is now done even if utf-8-validate is not installed (23ba6b29).
  • Fixed an edge case where websocket.close() and websocket.terminate() did not close the connection (67e25ff5).

7.4.4

Bug fixes

  • Fixed a bug that could cause the process to crash when using the permessage-deflate extension (92774377).

7.4.3

Bug fixes

  • The deflate/inflate stream is now reset instead of reinitialized when context takeover is disabled (#1840).
Commits
  • f5297f7 [dist] 7.4.6
  • 00c425e [security] Fix ReDoS vulnerability
  • 990306d [lint] Fix prettier error
  • 32e3a84 [security] Remove reference to Node Security Project
  • 8c914d1 [minor] Fix nits
  • fc7e27d [ci] Test on node 16
  • 587c201 [ci] Do not test on node 15
  • f672710 [dist] 7.4.5
  • 67e25ff [fix] Fix case where abortHandshake() does not close the connection
  • 23ba6b2 [fix] Make UTF-8 validation work even if utf-8-validate is not installed
  • Additional commits viewable in compare view

Updates tmi.js from 1.5.0 to 1.8.5

Release notes

Sourced from tmi.js's releases.

tmi.js v1.8.5

v1.8.5

  • d9a3d63 Fix emoteset update timer not using sets.

tmi.js v1.8.4

v1.8.4

  • 4a21293 Removed union from utils as it only had a single use in the library. These util functions shouldn't be used outside of the library but worth mentioning.
  • b44286d Allow passing an HTTP proxy agent instance to node-fetch (Node) at the option connection.fetchAgent. Feedback on this is very welcome, please open an issue if it doesn't work.
  • 643b2c9 Allow passing an HTTP proxy agent instance to ws (Node) at the option connection.agent. #209 #380 See this example on https-proxy-agent for more detail and available options. Feedback on this is very welcome, please open an issue if it doesn't work.
const HttpsProxyAgent = require('https-proxy-agent');
const agent = new HttpsProxyAgent(proxyOptions);
const client = new tmi.Client({ connection: { agent } });
client.connect();
  • a3343ec Fix for some channels returning empty mod/VIP lists, potentially because all accounts on the list are closed/banned. #480
  • b477c6a Upgrade dependencies. (Notable: ws v7.4.3 -> v8.0.0)
    • ca392a0 And tests to match
  • 697c9d6 Update NOTICE msg-ids for ban/timeout anon/mod.

tmi.js v1.8.3

v1.8.3

  • b9a9a70 Clear emotesets timer

tmi.js v1.8.2

v1.8.2 [Deprecated]

  • 826e105 Remove async/await code from client._updateEmoteset. #463

v1.8.1

  • 28be1a7 Revert class and destructuring syntax.

tmi.js v1.8.0

v1.8.0

  • f9a5b3a The option connection.reconnect is now true by default.
  • 43900a9 Added option options.skipMembership (false by default) to not receive JOIN/PART messages for other users. This can reduce a lot of the spammy data that's getting blasted at the client.
const client = new tmi.Client({ options: { skipMembership: true } });
  • c74c2bb
    • Added option options.skipUpdatingEmotesets (false by default) to skip calling the emoticon_images API which can be a lot of data. The emotesets event will still be called but the second argument will just be an empty object.
    • Added option options.updateEmotesetsTimer (60000 (ms) by default) to change how often the emoticon_images API will be recalled. Set to 0 or a negative number (or false) to disable the timer entirely.

... (truncated)

Commits
  • e4547c0 Release 1.8.5
  • b9ab3aa package: update dependencies
  • d9a3d63 client: fix emoteset update timer not using sets
  • 150fbbc Release v1.8.4
  • 31b68f7 various: match function style across parser/utils
  • 412258f utils: move static regex
  • 4a21293 utils: remove union
  • dcbdeea github: adjust issue template config section
  • 2a66500 client: pass null for default delay
  • ee4c347 readme: remove default options from example
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
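The quadratic header-parsing pattern from the ws 7.4.6 release notes above, placed beside a linear equivalent, as an added example that is not code from ws, tmi.js or this PR; the function names, the timing helper and the constructed sample values are assumptions:

```javascript
// Added example (not from ws or this PR): why `/ *, */` is quadratic on a
// crafted Sec-WebSocket-Protocol value, and a linear way to get the same tokens.

// Pattern used by vulnerable ws versions. At each starting position the
// greedy ` *` swallows the remaining run of spaces, fails to find ',', then
// backtracks one space at a time, so n spaces cost about n*n/2 steps.
function parseProtocolsQuadratic(headerValue) {
  return headerValue.trim().split(/ *, */);
}

// Linear equivalent: split on the literal comma (no backtracking possible),
// then trim each token. Yields the same token list for any input, including
// empty tokens from ",," and a value with no comma at all.
function parseProtocolsLinear(headerValue) {
  return headerValue.split(',').map((token) => token.trim());
}

// Constructed value in the shape shown in the release notes: one letter,
// `length` spaces, then a character that is not a comma.
function craftedValue(length) {
  return 'b' + ' '.repeat(length) + 'x';
}

// Wall-clock nanoseconds for a single call of `parse` on `value`.
function timeNs(parse, value) {
  const start = process.hrtime.bigint();
  parse(value);
  return Number(process.hrtime.bigint() - start);
}

// Doubling the length roughly quadruples the quadratic column while the
// linear column stays flat. Lengths kept small so the demo finishes quickly.
for (const length of [1000, 2000, 4000, 8000]) {
  const value = craftedValue(length);
  console.log(
    'length = %d, quadratic = %d ns, linear = %d ns',
    length,
    timeNs(parseProtocolsQuadratic, value),
    timeNs(parseProtocolsLinear, value)
  );
}
```

Capping request header size (the `maxHeaderSize` / `--max-http-header-size` mitigation named in the notes) bounds `length` and therefore the worst-case cost even when the vulnerable parser is still in use.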

Bumps [ws](https://github.com/websockets/ws) to 7.4.6 and updates ancestor dependency [tmi.js](https://github.com/tmijs/tmi.js). These dependencies need to be updated together.


Updates `ws` from 7.4.2 to 7.4.6
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.2...7.4.6)

Updates `tmi.js` from 1.5.0 to 1.8.5
- [Release notes](https://github.com/tmijs/tmi.js/releases)
- [Commits](tmijs/tmi.js@v1.5.0...v1.8.5)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
- dependency-name: tmi.js
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 16, 2022