From 3451dac3232660cf84cca32c1028b42d69855b59 Mon Sep 17 00:00:00 2001
From: Jiayu Liu <jimexist@gmail.com>
Date: Mon, 25 May 2026 08:13:44 +0800
Subject: [PATCH 1/2] Upgrade ws from 5.2.x to 8.21.0 Client: nodejs

The ws package was pinned at ^5.2.3 (resolved 5.2.4), which is
several major versions behind the current 8.21.0 release.

ws is consumed indirectly via isomorphic-ws in
lib/nodejs/lib/thrift/ws_connection.js; only the client-side
`new WebSocket(uri, "", wsOptions)` constructor is used, which is
unchanged across the v5 -> v8 transition. No server-side ws.Server
API is used in the codebase.

ws v8 requires Node.js >= 10.0.0; package.json's engines.node is
already >= 10.18.0, so the engine constraint is satisfied. The
transitive async-limiter dependency (only needed by ws 5.x) is
removed from the lock file.

ws is BSD-2-Clause licensed (ASF Category A), so no LICENSE or
NOTICE updates are required.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Generated-by: Claude Opus 4.7 (1M context)
---
 package-lock.json | 34 +++++++++++++++++++++-------------
 package.json      |  2 +-
 2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e8ce4f1516..4689519d49 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,7 @@
         "node-int64": "^0.4.0",
         "q": "^1.5.0",
         "uuid": "^14.0.0",
-        "ws": "^5.2.3"
+        "ws": "^8.21.0"
       },
       "devDependencies": {
         "@eslint/js": "^9.18.0",
@@ -746,11 +746,6 @@
         "sprintf-js": "~1.0.2"
       }
     },
-    "node_modules/async-limiter": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/async-limiter/-/async-limiter-1.0.1.tgz",
-      "integrity": "sha512-csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ=="
-    },
     "node_modules/balanced-match": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
@@ -2307,7 +2302,7 @@
       "version": "3.7.0",
       "resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-3.7.0.tgz",
       "integrity": "sha512-L/Eg02Epx6Si2NXmedx+Okg+4UHqmaf3TNcxd50SF9NQGcJaON3AtU++kax69XV7YWz4tUspqZSAsVofhFKG2w==",
-      "dev": true,
+      "devOptional": true,
       "bin": {
         "node-gyp-build": "bin.js",
         "node-gyp-build-optional": "optional.js",
@@ -3055,7 +3050,7 @@
       "version": "5.0.2",
       "resolved": "https://registry.npmjs.org/utf-8-validate/-/utf-8-validate-5.0.2.tgz",
       "integrity": "sha512-SwV++i2gTD5qh2XqaPzBnNX88N6HdyhQrNNRykvcS0QKvItV9u3vPEJr+X5Hhfb1JC0r0e1alL0iB09rY8+nmw==",
-      "dev": true,
+      "devOptional": true,
       "hasInstallScript": true,
       "dependencies": {
         "node-gyp-build": "~3.7.0"
@@ -3224,11 +3219,24 @@
       }
     },
     "node_modules/ws": {
-      "version": "5.2.4",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-5.2.4.tgz",
-      "integrity": "sha512-fFCejsuC8f9kOSu9FYaOw8CdO68O3h5v0lg4p74o8JqWpwTf9tniOD+nOB78aWoVSS6WptVUmDrp/KPsMVBWFQ==",
-      "dependencies": {
-        "async-limiter": "~1.0.0"
+      "version": "8.21.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
       }
     },
     "node_modules/xmlcreate": {
diff --git a/package.json b/package.json
index febc130fe3..39c76deaa7 100644
--- a/package.json
+++ b/package.json
@@ -41,7 +41,7 @@
     "node-int64": "^0.4.0",
     "q": "^1.5.0",
     "uuid": "^14.0.0",
-    "ws": "^5.2.3"
+    "ws": "^8.21.0"
   },
   "devDependencies": {
     "@eslint/js": "^9.18.0",

From 6fecd3c2933d06530c967c2dadb42d0baca92e9d Mon Sep 17 00:00:00 2001
From: Jiayu Liu <jimexist@gmail.com>
Date: Mon, 25 May 2026 08:20:58 +0800
Subject: [PATCH 2/2] Fix WebSocket subprotocol for ws v8 Client: nodejs

ws v8 added strict validation of the protocols argument and rejects
an empty string with `SyntaxError: An invalid or duplicated subprotocol
was specified`. ws v5 tolerated `""` silently.

WSConnection passed `""` as the protocols argument when running on
Node (browser code path is unaffected). Switch to `undefined` so the
constructor receives no subprotocol, matching both the WHATWG
WebSocket and ws documented signatures.

Surfaced by the lib-nodejs CI job after the ws 5 -> 8 upgrade.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Generated-by: Claude Opus 4.7 (1M context)
---
 lib/nodejs/lib/thrift/ws_connection.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nodejs/lib/thrift/ws_connection.js b/lib/nodejs/lib/thrift/ws_connection.js
index 878a5724ff..534c045453 100644
--- a/lib/nodejs/lib/thrift/ws_connection.js
+++ b/lib/nodejs/lib/thrift/ws_connection.js
@@ -220,7 +220,7 @@ WSConnection.prototype.open = function () {
   if (jsEnv.isBrowser) {
     this.socket = new WebSocket(this.uri());
   } else {
-    this.socket = new WebSocket(this.uri(), "", this.wsOptions);
+    this.socket = new WebSocket(this.uri(), undefined, this.wsOptions);
   }
   this.socket.binaryType = "arraybuffer";
   this.socket.onopen = this.__onOpen.bind(this);