
Security vulnerability GHSA-6fc8-4gx4-v693 on ws ^3.2.0 dependency #162

Open
pedrosanta opened this issue Aug 21, 2021 · 2 comments


pedrosanta commented Aug 21, 2021

Hello, dependabot just warned me on one of my repositories that "ws": "^3.2.0" has this security vulnerability: GHSA-6fc8-4gx4-v693

The closest fixed version is 5.2.3.

Any upgrade path planned for this?

I'm going to try to help as much as I can, though I'm not familiar with the codebase of the project (I just arrived here); if I can be of help, I will do so.

Any comment from maintainers on this?

pedrosanta changed the title from "ws vulnerability" to "ws ^3.2.0 vulnerability" on Aug 21, 2021
pedrosanta referenced this issue in gruntjs/grunt-contrib-connect on Aug 21, 2021
pedrosanta changed the title from "ws ^3.2.0 vulnerability" to "Security vulnerability GHSA-6fc8-4gx4-v693 on ws ^3.2.0 dependency" on Aug 22, 2021
@RangerMauve

@mafintosh @mcollina Would you like any help getting this fixed? Some of my modules are affected by it so I'd be happy to help with the upgrade.

It seems like this would make DoS really easy for anything using websocket-stream for servers which could be annoying.

mcollina (Collaborator) commented Sep 2, 2021

@RangerMauve this module needs a lot more maintenance than just this fix. ws ships with its own server implementation for the streams, so there is no need to use it at all.

Anyway, I can add you as an owner on npm. I would recommend pushing to your own repo because we do not have owner rights here.
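Since the fix requires a major-version bump past the `^3.2.0` range, a quick way to see which resolved copies of `ws` in a lockfile are still below the patched release is a small audit script. This is an added example, not code from the issue or the websocket-stream project; 5.2.3 is the patched version named in this thread, while 6.2.2 and 7.4.6 are taken from the GHSA-6fc8-4gx4-v693 advisory and are not stated on this page, and the sample lockfile is constructed.

```javascript
// Added example: report every resolved `ws` in a package-lock.json that is below the
// patched release of its major line. Handles lockfileVersion 1 (nested "dependencies")
// and 2/3 (flat "packages" map). 5.2.3 is from this issue; 6.2.2 and 7.4.6 are taken
// from the GHSA advisory (assumption, not stated in the thread).
const PATCHED = { 5: [5, 2, 3], 6: [6, 2, 2], 7: [7, 4, 6] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A version is vulnerable if it is below the patched release of its major line;
// majors with no patched release of their own (3.x, 4.x) are compared against 5.2.3.
function isVulnerableWs(version) {
  const v = parseVersion(version);
  return compare(v, PATCHED[v[0]] || PATCHED[5]) < 0;
}

function findWsEntries(lock) {
  const found = [];
  if (lock.packages) {                               // lockfileVersion 2 or 3
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/ws') && pkg.version) found.push({ path, version: pkg.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {                   // lockfileVersion 1 nested tree
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'ws' && dep.version) found.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditLock(lock) {
  return findWsEntries(lock).filter(e => isVulnerableWs(e.version));
}

// Constructed sample: a patched top-level ws next to a nested ws 3.x pulled in by websocket-stream.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  'node_modules/ws': { version: '7.4.6' },
  'node_modules/websocket-stream': { version: '5.5.2', dependencies: { ws: '^3.2.0' } },
  'node_modules/websocket-stream/node_modules/ws': { version: '3.3.3' } } };

for (const hit of auditLock(SAMPLE_LOCK)) console.log(`vulnerable ws ${hit.version} at ${hit.path}`);
```

Nested copies under another package's `node_modules` are the ones `npm audit` flags here, and a top-level patched `ws` does not fix them.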
