chore(deps): bump ws and @remotion/cli in /packages/plugin/docs/animation

[dependabot]

Bumps ws to 8.21.0 and updates ancestor dependency @remotion/cli. These dependencies need to be updated together.

Updates ws from 8.17.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• Additional commits viewable in compare view

Updates @remotion/cli from 4.0.462 to 4.0.481

Release notes

Sourced from @​remotion/cli's releases.

v4.0.481

What's Changed

• @remotion/effects: Add checkerboard effect by @​JonnyBurger in remotion-dev/remotion#8563
• @remotion/effects: Add emboss effect by @​JonnyBurger in remotion-dev/remotion#8530
• @remotion/effects: Add gridlines effect by @​JonnyBurger in remotion-dev/remotion#8564
• @remotion/effects: Add zoom blur effect by @​JonnyBurger in remotion-dev/remotion#8562
• @remotion/effects: Fix vignette on transparent sources by @​JonnyBurger in remotion-dev/remotion#8567
• @remotion/lambda: allow custom s3 provider regions by @​suzunn in remotion-dev/remotion#8536
• @remotion/studio: Add effect context menu option by @​JonnyBurger in remotion-dev/remotion#8566
• @remotion/studio: Add sequence property shortcuts by @​JonnyBurger in remotion-dev/remotion#8569
• @remotion/studio: Derive timeline selection order by @​JonnyBurger in remotion-dev/remotion#8546
• @remotion/studio: Filter expanded timeline rows by @​JonnyBurger in remotion-dev/remotion#8535
• @remotion/studio: Fix Studio error overlay issues by @​JonnyBurger in remotion-dev/remotion#8537
• @remotion/studio: Keep dragged keyframes unselected by @​JonnyBurger in remotion-dev/remotion#8539
• @remotion/studio: Keep inspector for same-sequence effects by @​JonnyBurger in remotion-dev/remotion#8560
• @remotion/studio: Reset effect props with defaults by @​JonnyBurger in remotion-dev/remotion#8541
• @remotion/studio: Show component name in sequence inspector by @​JonnyBurger in remotion-dev/remotion#8544
• @remotion/studio: Show visual handles for selected easings by @​JonnyBurger in remotion-dev/remotion#8557
• @remotion/studio: Stop reset zoom pointerdown propagation by @​JonnyBurger in remotion-dev/remotion#8556
• create-video: Update tar dependency by @​JonnyBurger in remotion-dev/remotion#8549

Docs

• Revert layout changes in the showcase page + update items by @​MehmetAdemi in remotion-dev/remotion#8538
• Add Remocn resource for Remotion components by @​kapishdima in remotion-dev/remotion#8565
• Improve effect drag preview by @​JonnyBurger in remotion-dev/remotion#8575

Internal

• Bump astro from 6.1.10 to 6.4.6 in /packages/astro-example by @​app/dependabot in remotion-dev/remotion#8507
• @remotion/skills: Add custom effect skill guidance by @​JonnyBurger in remotion-dev/remotion#8543

Full Changelog: remotion-dev/remotion@v4.0.479...v4.0.481

v4.0.479

What's Changed

• remotion: Make interactivity schema public by @​JonnyBurger in remotion-dev/remotion#8482
• @remotion/studio: Revamp Props panel as Inspector by @​JonnyBurger in remotion-dev/remotion#8470
• @remotion/studio: Centralize timeline field display formatting by @​JonnyBurger in remotion-dev/remotion#8528
• @remotion/studio: Hide empty inspector sections by @​JonnyBurger in remotion-dev/remotion#8526
• @remotion/studio: Hide default props warning without schema by @​JonnyBurger in remotion-dev/remotion#8525
• @remotion/studio: Add easing editor presets by @​JonnyBurger in remotion-dev/remotion#8520
• @remotion/studio: Show media details for current asset by @​JonnyBurger in remotion-dev/remotion#8515
• @remotion/studio: Fix Sequence arrow key nudging by @​JonnyBurger in remotion-dev/remotion#8517
• @remotion/studio: Add freeze frame action to timeline layers by @​JonnyBurger in remotion-dev/remotion#8519
• @remotion/studio: Add effect picker to sequence inspector by @​JonnyBurger in remotion-dev/remotion#8498
• @remotion/studio: Allow copy-pasting easings by @​JonnyBurger in remotion-dev/remotion#8496
• @remotion/studio: Snap rotation drags with Shift by @​JonnyBurger in remotion-dev/remotion#8497

... (truncated)

Commits

• ffc91a7 v4.0.481
• 5f7b8ab v4.0.480
• 1c47dd1 Merge branch 'main' of https://github.com/remotion-dev/remotion
• 4440210 Update SKILL.md
• 530afd3 Update resources.mdx
• 70897c8 v4.0.480
• 56fbb7f @remotion/effects: Add gridlines effect (#8564)
• edc75cf @remotion/studio: Add sequence property shortcuts (#8569)
• 608fb7b Add Remocn resource for Remotion components (#8565)
• 9dde702 @remotion/studio: Add effect context menu option (#8566)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

^{Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.}

---

Summary by cubic

Update dependencies in the animation docs plugin to align with Remotion 4.0.481 and patch a WebSocket DoS vulnerability. This affects only packages/plugin/docs/animation and requires no app code changes.

• Dependencies
  • @remotion/cli: 4.0.462 → 4.0.481 (updates @remotion/* packages; improves Studio features and stability)
  • ws: 8.17.1 → 8.21.0 (fixes memory exhaustion DoS; adds maxBufferedChunks and maxFragments options)

^{Written for commit ea52202. Summary will update on new commits.}

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​remotion/​cli@​4.0.462 ⏵ 4.0.481			+1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/plugin/docs/animation/package-lock.json → npm/@remotion/cli@4.0.481 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @mediabunny/flac-encoder is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/plugin/docs/animation/package-lock.json → npm/@remotion/cli@4.0.481 → npm/@mediabunny/flac-encoder@1.47.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mediabunny/flac-encoder@1.47.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @mediabunny/flac-encoder is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/plugin/docs/animation/package-lock.json → npm/@remotion/cli@4.0.481 → npm/@mediabunny/flac-encoder@1.47.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mediabunny/flac-encoder@1.47.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @mediabunny/flac-encoder is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/plugin/docs/animation/package-lock.json → npm/@remotion/cli@4.0.481 → npm/@mediabunny/flac-encoder@1.47.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mediabunny/flac-encoder@1.47.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @mediabunny/mp3-encoder is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/plugin/docs/animation/package-lock.json → npm/@remotion/cli@4.0.481 → npm/@mediabunny/mp3-encoder@1.47.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mediabunny/mp3-encoder@1.47.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report