There was recently a security advisory about the ws package relating to its handling of the Sec-WebSocket-Extensions header:
in its handshake, and this would cause an error in the handshake parser and crash the process.
I looked into whether websocket-extensions is vulnerable to this. It does have the same bug, but it should not cause a denial of service. It is already a documented feature of its API that it throws an error on invalid headers, and so websocket-driver and everything built on top of that are written to catch any errors from websocket-extensions.
So for our modules, the bug just means the socket connection fails, but the server keeps running. This is probably fine since a client sending extensions with these names is probably malicious and not something a legit end user is relying on.
I've just released websocket-extensions 0.1.3, which fixes this error, so the header is parsed successfully and the unknown extension names are ignored. I'd recommend everyone install this update as soon as possible.
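
The behaviour described in this post, sketched as an added example that is not the code of websocket-extensions or websocket-driver: a parser that throws on an invalid Sec-WebSocket-Extensions header, a handshake step that catches the error so only that connection fails, and unknown extension names being ignored. The function names, the SUPPORTED registry and the sample headers are assumptions made for illustration, and quoted-string parameter values are not handled.

```javascript
'use strict';

// Token characters allowed in extension names and parameters (RFC 7230 token).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Hypothetical registry of extensions this server supports (an assumption).
const SUPPORTED = new Map([['permessage-deflate', { name: 'permessage-deflate' }]]);

// Parse a Sec-WebSocket-Extensions value into [{ name, params }].
// Throws SyntaxError on malformed input; callers are expected to catch it.
function parseOffers(header) {
  return header.split(',').map((item) => {
    const [name, ...rest] = item.split(';').map((s) => s.trim());
    if (!TOKEN.test(name)) {
      throw new SyntaxError('Invalid extension name: ' + JSON.stringify(name));
    }
    const params = new Map();
    for (const p of rest) {
      const eq = p.indexOf('=');
      const key = eq < 0 ? p : p.slice(0, eq);
      const value = eq < 0 ? true : p.slice(eq + 1);
      if (!TOKEN.test(key) || (value !== true && !TOKEN.test(value))) {
        throw new SyntaxError('Invalid extension parameter: ' + JSON.stringify(p));
      }
      params.set(key, value);
    }
    return { name, params };
  });
}

// Keep only offers that name a registered extension; unknown names are ignored.
// Map#has is used so that only registered names ever match.
function selectExtensions(header) {
  return parseOffers(header).filter((o) => SUPPORTED.has(o.name)).map((o) => o.name);
}

// Handshake step: a parse error fails this one connection, not the process.
function handleHandshake(headers) {
  try {
    const header = headers['sec-websocket-extensions'];
    return { status: 101, extensions: header ? selectExtensions(header) : [] };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}
```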