ws dependency package vulnerability: CVE-2024-37890

[pting-me]

Upgrading to [email protected] or later should work. The package is currently hard coded to 8.12.0.

More info: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

[enisdenjo]

A PR is very welcome! Not urgent though since ws is an optional peer dependency.

[sternma]

This is throwing off some warnings for us, I'll submit a PR shortly.

[sternma]

My PR will reference only the top-level ws dependency. Consider leaving this issue open if you are wanting to fix the rest in the tree. Some (like subscriptions-transport-ws) are not possible to fix via an upgrade as they are not actively maintained.

yarn why ws
├─ @fastify/websocket@npm:9.0.0
│  └─ ws@npm:8.16.0 [fdeca] (via npm:^8.0.0 [fdeca])
│
├─ fastify-websocket@npm:4.2.2
│  └─ ws@npm:8.16.0 [fdeca] (via npm:^8.0.0 [fdeca])
│
├─ graphql-ws@workspace:.
│  ├─ ws@npm:7.5.9 [1b8a6] (via npm:ws@^7.5.9 [1b8a6])
│  └─ ws@npm:8.17.1 [1b8a6] (via npm:8.17.1 [1b8a6])
│
├─ jsdom@npm:20.0.3
│  └─ ws@npm:8.16.0 (via npm:^8.11.0)
│
├─ jsdom@npm:20.0.3 [6fdb1]
│  └─ ws@npm:8.16.0 [fdeca] (via npm:^8.0.0 [fdeca])
│
├─ subscriptions-transport-ws@npm:0.11.0
│  └─ ws@npm:7.5.9 (via npm:^5.2.0 || ^6.0.0 || ^7.0.0)
│
├─ subscriptions-transport-ws@npm:0.11.0 [1b8a6]
│  └─ ws@npm:7.5.9 [c6eda] (via npm:^5.2.0 || ^6.0.0 || ^7.0.0 [c6eda])
│
└─ webpack-bundle-analyzer@npm:4.7.0
   └─ ws@npm:7.5.9 [c6eda] (via npm:^5.2.0 || ^6.0.0 || ^7.0.0 [c6eda])