coveo / ui-kit

Coveo UI kit repository, home of @coveo/headless, @coveo/atomic, and more.
Apache License 2.0

[Improvement]: @coveo/headless depends on an insecure version of ws #4209

Open bbellmyers opened 1 month ago

bbellmyers commented 1 month ago

Which product are you using?

Headless

Product version

2.73.0

Bug description

@coveo/headless version 2.73.0 depends on ws@6.2.3, which is flagged as insecure by GitHub (https://github.com/advisories/GHSA-3h5v-q93c-6h6q)

Steps to reproduce

While some versions have been back-patched, GitHub still flags if ws version is less than 8.17.1

Relevant log output

npm explain ws:

ws@6.2.3 peer
node_modules/react-native/node_modules/ws
  ws@"^6.2.2" from react-native@0.74.3
  node_modules/react-native
    peer react-native@"*" from @react-native/virtualized-lists@0.74.85
    node_modules/@react-native/virtualized-lists
      @react-native/virtualized-lists@"0.74.85" from react-native@0.74.3
    peer react-native@">=0.56" from react-native-get-random-values@1.11.0
    node_modules/react-native-get-random-values
      react-native-get-random-values@"^1.11.0" from coveo.analytics@2.30.6
      node_modules/coveo.analytics
        coveo.analytics@"2.30.6" from @coveo/headless@2.73.0
        node_modules/@coveo/headless
          @coveo/headless@"2.73.0" from the root project
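
An added example (not code from the ui-kit project or the reporter) that reproduces the `npm explain` walk shown above over a constructed package-lock.json fragment: it finds every installed copy of a package, traces each copy's requirers back to the root project, and filters the copies below a version floor. The lock contents, the extra hoisted ws copy and the `flaggedCopies` helper are assumptions made for illustration.

```javascript
// Constructed sample package-lock.json v3 "packages" map (not a real file):
// the chain from the issue plus a hoisted ws copy that the root uses directly.
const lock = { packages: {
  "": { dependencies: { "@coveo/headless": "2.73.0", ws: "^8.17.1" } },
  "node_modules/@coveo/headless": { version: "2.73.0", dependencies: { "coveo.analytics": "2.30.6" } },
  "node_modules/coveo.analytics": { version: "2.30.6", dependencies: { "react-native-get-random-values": "^1.11.0" } },
  "node_modules/react-native-get-random-values": { version: "1.11.0", peerDependencies: { "react-native": ">=0.56" } },
  "node_modules/react-native": { version: "0.74.3", dependencies: { ws: "^6.2.2" } },
  "node_modules/react-native/node_modules/ws": { version: "6.2.3" },
  "node_modules/ws": { version: "8.17.1" },
} };

// Node resolution as npm lays it out: the requirer's own node_modules first,
// then one nesting level up at a time until the root.
function resolve(lock, fromPath, name) {
  for (let cur = fromPath; ; ) {
    const cand = (cur ? cur + "/" : "") + "node_modules/" + name;
    if (lock.packages[cand]) return cand;
    if (cur === "") return null;
    cur = cur.includes("/node_modules/") ? cur.slice(0, cur.lastIndexOf("/node_modules/")) : "";
  }
}
// Packages whose dependency or peerDependency on this name resolves to exactly this copy.
function dependents(lock, target) {
  const name = target.slice(target.lastIndexOf("node_modules/") + "node_modules/".length);
  return Object.entries(lock.packages).flatMap(([p, meta]) => {
    const deps = { ...(meta.dependencies || {}), ...(meta.peerDependencies || {}) };
    return name in deps && resolve(lock, p, name) === target ? [{ path: p, range: deps[name] }] : [];
  });
}
// `npm explain` in miniature: one entry per installed copy, with the chain of
// requirers back to the root project; peer-dependency cycles are cut off via `seen`.
function explain(lock, name) {
  const out = [];
  const walk = (copy, p, trail, seen) => {
    const parents = p === "" ? [] : dependents(lock, p).filter(d => !seen.has(d.path));
    if (parents.length === 0) { out.push({ ...copy, chain: trail }); return; }
    for (const d of parents)
      walk(copy, d.path, [...trail, `${d.path || "the root project"} (${d.range})`], new Set(seen).add(d.path));
  };
  for (const [p, meta] of Object.entries(lock.packages))
    if (meta.version && p.endsWith("node_modules/" + name)) walk({ path: p, version: meta.version }, p, [], new Set([p]));
  return out;
}
// Copies below a version floor, e.g. the 8.17.1 threshold the report says GitHub applies.
function versionLt(a, b) {
  const [x, y] = [a, b].map(v => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}
const flaggedCopies = (lock, name, floor) => explain(lock, name).filter(c => versionLt(c.version, floor));
```

Whether a flagged copy is actually reachable at runtime (the point raised in the reply below) is a separate question that this walk does not answer; it only shows which requirer pulled the copy in.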

louis-bompart commented 1 month ago

Hi @bbellmyers, we do not automatically consider supply chain vulnerabilities as bugs: the vulnerable code needs to be used for the product to be vulnerable (and thus qualify as a bug).

In this specific case, ws is only used by react-native-get-random-values, which is used only when using coveo.analytics in a react-native context. Headless doesn't do so, nor does it support it.

So, while we'll try to 'plug' this hole in the future, we don't think this is a bug and will not prioritize it like one.