lightstep / lightstep-tracer-javascript

Lightstep distributed tracing library for Node.js and the browser
https://lightstep.com
MIT License

Included version of ws (transitive dependency) has a high severity security issue #136

Closed michael-booth closed 5 years ago

michael-booth commented 5 years ago

Our internal CI security scans have detected that the version of ws==0.4.32 which is pulled in as a transitive dependency of thrift==0.10.0 (lightstep dependency) exposes 2 high severity security threats.

DoS vulnerability: ws < 1.1.15 || >=2.0.0 <3.3.1

DoS vulnerability:

As it stands, these issues block our CI/CD pipeline.

The next minor version release of thrift (0.11.0) makes use of ws 5.x, which resolves the threats mentioned above.

Would it be possible to update the version of thrift required by the lightstep module to mitigate this threat?

We did note a bump to 0.11.0 had been attempted in the past and was rolled back (https://github.com/lightstep/lightstep-tracer-javascript/pull/126) due to incompatibilities with older versions of node.

austinlparker commented 5 years ago

Thanks for opening this issue - we are aware of the ws vulnerability and plan to update thrift in order to resolve it. As you noticed, there are incompatibilities with older node.js versions and thrift 0.11. We're working internally to ensure we can deprecate these versions in a new release, but let me see if I can get the ball rolling in the hopes of getting a release out sooner rather than later.

In the meantime, we analyzed the reported ws vulnerabilities and believe them to be low impact. If you require a write-up, please email me at austin@lightstep.com and I can share it with you.

austinlparker commented 5 years ago

Just a quick update - after some internal discussion, we're going to go ahead with dropping support for older node versions. I should be able to get to it early next week as I'm returning from KubeCon today. Thanks for your patience!

esarafianou commented 5 years ago

Thanks for the follow-up @austinlparker, I really appreciate it.