SocketCluster / socketcluster-client

JavaScript client for SocketCluster
MIT License

Update ws to 3.3.3 (security vulnerability) #101

Closed. andersbv closed this issue 6 years ago.

andersbv commented 6 years ago

Node Security scan is showing warnings against ws 3.1.0 related to https://snyk.io/vuln/npm:ws:20171108

jondubois commented 6 years ago

Thanks. This is more a concern for the server than the client. I'll update the ws version number there as well. I couldn't reproduce the process crash issue with socketcluster-server; maybe it's an edge case of ws which doesn't affect SC. But worth updating anyway.

jondubois commented 6 years ago

I've published the patch to socketcluster-client 9.0.3 and socketcluster-server 9.1.3.

In case anyone is concerned, I wasn't able to reproduce the issue in SC (using the PoC steps from snyk.io) using either the ws or uws WebSocket engines. Also, uws is the default engine in SC and this issue affects ws.
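The thread is about a transitive dependency (ws) being flagged by a scanner and then bumped in the published packages. A practical follow-up check for a consumer is to confirm which copies of `ws` actually resolved in their own install, since npm can nest an older copy under one dependent while a newer copy sits at top level. The script below is an added example and is not socketcluster-client or socketcluster-server code; the `package-lock.json` structure it walks is constructed inline for the example (package names and version numbers in it are illustrative), and the minimum patched version `3.3.3` is taken from this issue's title.

```javascript
// Added example (not socketcluster-client code): walk a package-lock.json
// style dependency tree and report every resolved copy of a package that is
// below a minimum patched version. CONSTRUCTED_LOCK is made up for this
// example and does not describe any real project's install.
const CONSTRUCTED_LOCK = {
  name: "example-app",
  dependencies: {
    "socketcluster-client": {
      version: "9.0.2",
      dependencies: {
        ws: { version: "3.1.0" }   // nested (transitive) copy, still old
      }
    },
    "socketcluster-server": {
      version: "9.1.3",
      dependencies: {
        ws: { version: "3.3.3" }   // nested copy already patched
      }
    },
    ws: { version: "3.3.3" }       // top-level copy, patched
  }
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are
// ignored, which is sufficient for a minimum-version comparison.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Recursively collect every resolved copy of `name`, recording the path
// of dependents under which it was installed.
function findResolved(lock, name, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name) {
      out.push({ path: here.join(" > "), version: info.version });
    }
    findResolved(info, name, here, out);
  }
  return out;
}

// Every copy of `name` whose resolved version is below `minVersion`.
function vulnerableCopies(lock, name, minVersion) {
  return findResolved(lock, name).filter(
    (copy) => compareSemver(copy.version, minVersion) < 0
  );
}

// Usage: list the copies of ws still below the patched release.
const stillOld = vulnerableCopies(CONSTRUCTED_LOCK, "ws", "3.3.3");
for (const copy of stillOld) {
  console.log(`${copy.path} resolved ws@${copy.version} (< 3.3.3)`);
}
```

Run against a real lock file by replacing `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` (lockfile v1 layout, which nests `dependencies` the way the constructed object does). The point of reporting the install path rather than a single "ws version" is that a clean top-level copy does not prove the nested copy a dependent actually loads has been updated.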