izy521 / discord.io

A small, single-file library for creating DiscordApp clients from Node.js or the browser
https://discord.gg/0MvHMfHcTKVVmIGP
MIT License
535 stars, 155 forks

High-severity security alert in dependency: ws #323

Open soryy708 opened 4 years ago

soryy708 commented 4 years ago

The dependency ws is vulnerable in versions >= 0.2.6, < 3.3.1. Patched version: 3.3.1.

Affected versions of ws are vulnerable to: "a specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash."

Fixing commit: https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a

How to reproduce?

  1. Create a repository.
  2. npm install --save discord.io
  3. Upload to GitHub (including package-lock.json)
  4. See a "We found a potential security vulnerability in one of your dependencies." message on the GitHub page of the repository (powered by WhiteSource)