Closed v-rakeshsh closed 1 month ago
Can we link to the security issue in the ws repo and the release notes for the version we're adding a resolution for in the PR details?
Also why are we bumping all the way up to 8.18.0 when 8.17.1 fixes the issue?
Hi @madalynrose, sure.
- Added the release notes in the PR.
- Updated to 8.18.0 instead of 8.17.1 as it was the latest version; please let me know if I can keep it at 8.17.1?
- Unable to link the PR to the CG Work item because of GitHub and work item configurations.
Yes, 8.17.1 will fix the issue so should be the version mentioned in resolutions.
Hi @madalynrose, updated changes as per review comments, please re-review. Thank you.
…90 CG Issue
Details
WS (WebSocket)'s latest version is vulnerable and unmaintained. Our repo doesn't use it directly, but it is pulled in as a dependency by other packages like puppeteer-core. So the fix is available in the latest WS version, which we have now added in our package.json under resolutions.
WS repo issue link: https://github.com/websockets/ws/issues/2230
WS version 8.18.0 release notes: https://github.com/websockets/ws/releases/tag/8.18.0
Motivation
This change will fix CVE-2024-37890
Context
Pull request checklist
- yarn test
- yarn precheckin
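A `resolutions` pin only helps if the lockfile actually resolves every transitive `ws` entry to a fixed version. The following check, added here as an example and not part of the PR or the repository, scans a yarn v1 lockfile excerpt for `ws` entries and reports any resolved below 8.17.1, the version the review thread names as the fix for CVE-2024-37890. The lockfile excerpts and the pre-fix version 8.16.0 are constructed sample input, not the repository's actual lockfile.

```javascript
// Added example (not the PR's code): find lockfile entries for `ws` that
// resolve below the version the thread identifies as the fix for CVE-2024-37890.
const FIXED_WS_VERSION = '8.17.1'; // from the review thread

// Constructed yarn v1 lockfile excerpts: a transitive `ws` (e.g. via
// puppeteer-core) before and after a `resolutions` pin is applied.
const LOCKFILE_BEFORE = `
ws@^8.11.0:
  version "8.16.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.16.0.tgz"
`;
const LOCKFILE_AFTER = `
ws@8.18.0, ws@^8.11.0:
  version "8.18.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.0.tgz"
`;

// Compare two dotted numeric versions: -1, 0 or 1 (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect the resolved `version` of every lockfile entry whose header names
// the `ws` package (yarn v1 headers look like `ws@^8.11.0, ws@8.18.0:`,
// optionally quoted). `ws@` is required so packages like `wsdl` don't match.
function resolvedWsVersions(lockfile) {
  const versions = [];
  const lines = lockfile.split('\n');
  for (let i = 0; i < lines.length - 1; i++) {
    if (/^"?ws@.*:\s*$/.test(lines[i])) {
      const m = lines[i + 1].match(/^\s+version "([^"]+)"/);
      if (m) versions.push(m[1]);
    }
  }
  return versions;
}

// Entries still below the fixed version; an empty list means the pin took effect.
function vulnerableWsVersions(lockfile) {
  return resolvedWsVersions(lockfile)
    .filter(v => compareVersions(v, FIXED_WS_VERSION) < 0);
}
```

Run it against the real `yarn.lock` by replacing the constructed excerpts with the file contents; a non-empty result means a transitive `ws` escaped the resolution.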