fix: upgrade ws to 8.17.1 to fix CVE-2024-37890 #591
Closed
sternma wants to merge 2 commits into enisdenjo:master from
enisdenjo (Owner) requested changes on Nov 8, 2024 and left a comment:
ws is an optional peer dependency, there are no security issues in the library itself (the library is also zero-dependency).
Comment on lines +9 to +11
| moduleNameMapper: { | ||
| "^ws$": "<rootDir>/node_modules/ws/index.js" | ||
| } |
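Review bot: the "^ws$" mapping on lines +9 to +11 pins ws to <rootDir>/node_modules/ws/index.js, which bypasses the package's own export resolution and only works when ws is installed directly under the root node_modules, so a hoisted or workspace install would break the tests. Please add a comment beside the mapper stating that it works around the browser.js export, and consider whether the test runner's resolution settings can select the Node entry point instead of a hard-coded file path.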
Owner
Added moduleNameMapper to resolve module resolution issues during testing. These stemmed from ws introducing a browser.js export in their package.json in 18.12.1.
Ah ok, but I wonder if there's another way to solve this.
Owner
Can you please fix the linting issues so we can merge?
This PR upgrades the ws dependency from version 8.12.0 to 8.17.1 to address the security vulnerability described in CVE-2024-37890.

Changes Made:
- ws version to 8.17.1.
- moduleNameMapper to resolve module resolution issues during testing. These stemmed from ws introducing a browser.js export in their package.json in 18.12.1.

Reason for Change:
- 8.12.0 of ws has a known vulnerability (GHSA-3h5v-q93c-6h6q).
- ^8.17.1 resolves this issue.

Testing Done:

References:

Please review and let me know if any further changes are needed.