microsoft / accessibility-insights-action

Github Action to scan for accessibility issues in github pages
MIT License

chore: Added resolutions in package.json file to resolve CVE-2024-378… #2125

Closed v-rakeshsh closed 1 month ago

v-rakeshsh commented 2 months ago

…90 CG Issue

Details

WS (WebSocket)'s latest version is vulnerable and unmaintained. Our repo doesn't use it directly, but it is pulled in as a dependency of other packages like puppeteer-core. The fix is available in the latest WS version, which we have now added to our package.json under resolutions.

WS repo issue link: https://github.com/websockets/ws/issues/2230
WS version 8.18.0 release notes: https://github.com/websockets/ws/releases/tag/8.18.0

Motivation

This change will fix CVE-2024-37890

Context

Pull request checklist

madalynrose commented 2 months ago

Can we link to the security issue in the ws repo and the release notes for the version we're adding a resolution for in the PR details?

Also why are we bumping all the way up to 8.18.0 when 8.17.1 fixes the issue?

v-rakeshsh commented 2 months ago

Hi @madalynrose sure.

  1. Added the release notes in the PR.
  2. Updated to 8.18.0 instead of 8.17.1 as it was the latest version, so updated to 8.18.0; please let me know if I can keep it at 8.17.1?
  3. Unable to link the PR to the CG work item because of GitHub and work-item configurations.

madalynrose commented 2 months ago

> Hi @madalynrose sure.
>
>   1. Added the release notes in the PR.
>   2. Updated to 8.18.0 instead of 8.17.1 as it was the latest version, so updated to 8.18.0; please let me know if I can keep it at 8.17.1?
>   3. Unable to link the PR to the CG work item because of GitHub and work-item configurations.

Yes, 8.17.1 will fix the issue so should be the version mentioned in resolutions.

v-rakeshsh commented 1 month ago

Hi @madalynrose, I have updated the changes as per the review comments; please re-review. Thank you.