aws / aws-iot-device-sdk-js

SDK for connecting to AWS IoT from a device using JavaScript/Node.js
Apache License 2.0

[2.2.14] npm audit reports high severity vulnerability in dependency 'websocket-stream' #431

Closed jmattsson closed 2 months ago

jmattsson commented 2 months ago

Describe the bug

Run npm audit
# npm audit report

ws  2.1.0 - 5.2.3
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install aws-iot-device-sdk@2.2.8, which is a breaking change
node_modules/websocket-stream/node_modules/ws
  websocket-stream  4.0.0 - 5.1.2 || >=5.4.0
  Depends on vulnerable versions of ws
  node_modules/websocket-stream
    aws-iot-device-sdk  >=2.2.9
    Depends on vulnerable versions of websocket-stream
    node_modules/aws-iot-device-sdk

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected Behavior

No known vulnerabilities present :)

Current Behavior

The suggested fix would force a downgrade from 2.2.14 back to 2.2.8, which would introduce other issues again and is not viable.

Reproduction Steps

Take a project that requires aws-iot-device-sdk v2.2.14 package, and run npm audit

Possible Solution

No response

Additional Information/Context

No response

SDK version used

2.2.14

Environment details (OS name and version, etc.)

Linux

bretambrose commented 2 months ago

We cannot do anything about websocket-stream's dependencies: https://github.com/max-mapper/websocket-stream/issues/162.

FWIW, the vulnerability is irrelevant to the SDK's functionality.

bretambrose commented 2 months ago

I take that back, it looks like we could switch dependencies to https://www.npmjs.com/package/@httptoolkit/websocket-stream

Given that we don't use server functionality, it may not end up being a high priority though.

bretambrose commented 2 months ago

2.2.15 addresses this issue and has been published to npm.

github-actions[bot] commented 2 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

jmattsson commented 2 months ago

Lovely, thank you for the quick turnaround!