From c2ccd45559d8f7f1ab172e7888e04d1bd032ab7e Mon Sep 17 00:00:00 2001 From: Sunny Sethi Date: Mon, 13 Jul 2026 14:00:59 +0530 Subject: [PATCH] chore(deps): bump ws to >=8.21.0 via overrides (AXE-3768) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix CVE-2026-48779 (GHSA-96hv-2xvq-fx4p) — ws memory exhaustion DoS via tiny WebSocket fragments. CVSS 7.5 (HIGH). ws is transitive (via engine.io, socket.io-adapter). Override collapses all copies (8.17.1, 8.18.3) to 8.21.0. Backward compatible — same major version, basic WebSocket API unchanged. --- package-lock.json | 78 ++++++----------------------------------------- package.json | 3 +- 2 files changed, 12 insertions(+), 69 deletions(-) diff --git a/package-lock.json b/package-lock.json index 860100cb1..21782ef28 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5477,27 +5477,6 @@ "undici-types": "~6.20.0" } }, - "node_modules/engine.io/node_modules/ws": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", - "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", - "dev": true, - "engines": { - "node": ">=10.0.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": ">=5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/ent": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/ent/-/ent-2.2.0.tgz", @@ -12380,27 +12359,6 @@ "ws": "~8.17.1" } }, - "node_modules/socket.io-adapter/node_modules/ws": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", - "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", - "dev": true, - "engines": { - "node": ">=10.0.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": ">=5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/socket.io-parser": { "version": "4.2.4", "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.4.tgz", @@ -13865,9 +13823,9 @@ "dev": true }, "node_modules/ws": { - "version": "8.18.3", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz", - "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "dev": true, "engines": { "node": ">=10.0.0" @@ -17797,7 +17755,7 @@ "cors": "~2.8.5", "debug": "~4.3.1", "engine.io-parser": "~5.2.1", - "ws": "~8.17.1" + "ws": ">=8.21.0" }, "dependencies": { "@types/node": { @@ -17808,13 +17766,6 @@ "requires": { "undici-types": "~6.20.0" } - }, - "ws": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", - "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", - "dev": true, - "requires": {} } } }, @@ -20091,7 +20042,7 @@ "whatwg-encoding": "^3.1.1", "whatwg-mimetype": "^4.0.0", "whatwg-url": "^15.0.0", - "ws": "^8.18.2", + "ws": ">=8.21.0", "xml-name-validator": "^5.0.0" }, "dependencies": { @@ -22664,7 +22615,7 @@ "@bazel/runfiles": "^6.3.1", "jszip": "^3.10.1", "tmp": "^0.2.3", - "ws": "^8.18.2" + "ws": ">=8.21.0" } }, "semver": { @@ -22915,16 +22866,7 @@ "dev": true, "requires": { "debug": "~4.3.4", - "ws": "~8.17.1" - }, - "dependencies": { - "ws": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", - "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", - "dev": true, - "requires": {} - } + "ws": ">=8.21.0" } }, "socket.io-parser": { @@ -24041,9 +23983,9 @@ "dev": true }, "ws": { - "version": "8.18.3", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz", - "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "dev": true, "requires": {} }, diff --git a/package.json b/package.json index b90d0a690..046ddad9c 100644 --- a/package.json +++ b/package.json @@ -202,6 +202,7 @@ ] }, "overrides": { - "lodash": "4.18.1" + "lodash": "4.18.1", + "ws": ">=8.21.0" } }