posibility of a 2.1.2 release with less strict websocket-stream version dependency

Hi, @RangerMauve, I'd like to report a vulnerability introduced by package ws@3.3.3:

Issue Description

I noticed that a vulnerability is introduced in hyperswarm-web@2.1.1: Vulnerability CVE-2021-32640 affects package ws (versions:<5.2.3,>=6.0.0 <6.2.2,>=7.0.0 <7.4.6): https://snyk.io/vuln/SNYK-JS-WS-1296835 The above vulnerable package is referenced by hyperswarm-web@2.1.1 via: hyperswarm-web@2.1.1 ➔ websocket-stream@5.5.2 ➔ ws@3.3.3

Since hyperswarm-web@2.1.1 is referenced by 34 downstream projects (e.g., ssb-dht-invite 2.0.0 (latest version), multiserver-dht 5.0.0 (latest version), ssb-browser-core 11.1.0 (latest version), cabal 13.4.1 (latest version), dat-sdk 2.8.1 (latest version)), the vulnerability CVE-2021-32640 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths: (1)@telios/telios-sdk@0.12.1 ➔ dat-sdk@2.8.1 ➔ hyperswarm-web@2.1.1 ➔ websocket-stream@5.5.2 ➔ ws@3.3.3 (2)cabal@13.4.1 ➔ cabal-client@6.3.2 ➔ paperslip@3.1.0 ➔ hyperswarm-web@2.1.1 ➔ websocket-stream@5.5.2 ➔ ws@3.3.3 ......

If hyperswarm-web@2.1.* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.

Given the large number of downstream users, could you help update your package to remove the vulnerability from hyperswarm-web@2.1.1 ?

Fixing suggestions

In hyperswarm-web@2.1.2, maybe you can kindly try to perform the following upgrade : websocket-stream ^5.5.2 ➔ ~5.2.0;

Note: websocket-stream@5.2.0(>=5.2.0 <5.4.0) directly depends on ws@6.2.2 which has fixed the vulnerability CVE-2021-32640.

Thank you for your attention to this issue and welcome to share other ways to resolve the issue. ^_^

RangerMauve / hyperswarm-web

posibility of a 2.1.2 release with less strict websocket-stream version dependency #18

Issue Description

Fixing suggestions