Security vulnerability GHSA-6fc8-4gx4-v693 affecting "ws" package (nested dependency)

[pedrosanta]

Hi,

As I've commented on https://github.com/gruntjs/grunt-contrib-connect/commit/6289a8abb9bc4b27c466481f84ef0b0b486148f9, perhaps we should drop node-http2 in favor of node own http2 interface because the former has security vulnerabilities.

Actually, I've just now noticed that the reason to change to node-http2 from http2 node interface was a broken test. That's kinda weird: instead of updating the code/calls to match the updated API on node, one just moves all together to a totally different library? Kinda bold.

Anyway node-http2 is currently plagued by a security vulnerability and I think one should simplify and resort to node own http2 interface.

If I can I will throw a PR for that.

Edit:

• Link to the security vulnerability: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
• Link to issue on websocket-stream: https://github.com/maxogden/websocket-stream/issues/162

[pedrosanta]

Upon closer inspection, I've noticed that Node.js http2 module only became stable from v10.10.0 onwards.

And since grunt-contrib-connect supports Node.js versions 10 or greater ("engines": { "node": ">=10" }) it supports all versions of 10.x release, including earlier ones where the http2 module was still experimental API.

So, from my POV, unless the supported node versions were updated (and thus triggering a major version bump on grunt-contrib-connect to 4.0.0) we should not move/upgrade to Node.js http2 module.

Which is kinda unfortunate because:

• node-http2 repository (which was itself a fork of https://github.com/molnarg/node-http2 / http2 npm package, which since went seemingly unpublished too) was deleted/is nowhere to be found (see here: https://www.npmjs.com/package/node-http2) so one can't submit Issues or PRs to fix the security vulnerability that the latest node-http2 release/version (4.0.1) has.
• node-http2 4.0.1 depends on "websocket-stream": "^5.0.1" which depends (even on latest version/release 5.4.0) on "ws": "^3.2.0", which has a security vulnerability: https://github.com/advisories/GHSA-6fc8-4gx4-v693 (I've created the https://github.com/maxogden/websocket-stream/issues/162 issue to track this).
• Lastly, I already had the update to http2 module ready to go at https://github.com/pedrosanta/grunt-contrib-connect/tree/http2-update.

But again, from my POV:

• Either the Node.js supported versions are updated (new major version), or
• The next best chance to fix the vulnerability is to have websocket-stream upgrade their ws dependency.

PS: Meanwhile I'll update this issue to reference/track the security vulnerability in the first place, moreso than moving to http2 module, etc.

[pedrosanta]

Closing in favor of #270.