
Security vulnerability GHSA-6fc8-4gx4-v693 affecting "ws" package (nested dependency) #268

Closed
pedrosanta opened this issue Aug 21, 2021 · 2 comments

Comments

@pedrosanta

pedrosanta commented Aug 21, 2021

Hi,

As I've commented on 6289a8a, perhaps we should drop node-http2 in favor of node's own http2 interface, because the former has security vulnerabilities.

Actually, I've just now noticed that the reason to change to node-http2 from http2 node interface was a broken test. That's kinda weird: instead of updating the code/calls to match the updated API on node, one just moves all together to a totally different library? Kinda bold.

Anyway, node-http2 is currently plagued by a security vulnerability and I think one should simplify and resort to node's own http2 interface.

If I can I will throw a PR for that.

Edit:

@pedrosanta pedrosanta changed the title Drop node-http2 in favour Drop node-http2 in favor of node http2 interface (bonus: fix vulnerability)? Aug 21, 2021
@pedrosanta

pedrosanta commented Aug 22, 2021

Upon closer inspection, I've noticed that the Node.js http2 module only became stable from v10.10.0 onwards.

And since grunt-contrib-connect supports Node.js versions 10 or greater ("engines": { "node": ">=10" }), it supports all versions of the 10.x release, including earlier ones where the http2 module was still an experimental API.

So, from my POV, unless the supported node versions were updated (thus triggering a major version bump on grunt-contrib-connect to 4.0.0), we should not move/upgrade to the Node.js http2 module.

Which is kinda unfortunate because:

But again, from my POV:

  • Either the Node.js supported versions are updated (new major version), or
  • The next best chance to fix the vulnerability is to have websocket-stream upgrade their ws dependency.

PS: Meanwhile I'll update this issue to reference/track the security vulnerability in the first place, more so than moving to the http2 module, etc.

@pedrosanta pedrosanta changed the title Drop node-http2 in favor of node http2 interface (bonus: fix vulnerability)? Security vulnerability GHSA-6fc8-4gx4-v693 affecting "ws" package (nested dependency) Aug 22, 2021
@pedrosanta

Closing in favor of #270.
