KearseTrevor closed 1 week ago
Closing issue per the following:
Patches
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
This issue is meant to raise discussion/provide transparency for the current vulnerability with the ws package that @web/dev-server-core and @web/dev-server-hmr make use of. It seems the current recommended fix is to major rev the package to 8.17.1. Additional requirements of ws are made via a transitive dependency on puppeteer-core. Updating puppeteer-core to 22.11.2 will address these instances.
Convenience link to CVE-2024-37890
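
A lockfile check for the fix versions listed in this issue, as an added example that is not part of the original issue or of the ws or @web projects. It goes slightly beyond the issue by reporting every nested copy of ws and the package that pulls it in; `SAMPLE_LOCK`, `classifyWs` and `auditWs` are hypothetical names, the lockfile content is constructed, and treating majors above 8 as fixed is an assumption.

```javascript
// First fixed ws release per major line, from the Patches note in this issue.
const FIXED_WS = { 5: [5, 2, 4], 6: [6, 2, 3], 7: [7, 5, 10], 8: [8, 17, 1] };

// Constructed sample in package-lock.json "packages" layout (lockfileVersion 2/3).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/ws': { version: '8.17.1' },
    'node_modules/@web/dev-server-core/node_modules/ws': { version: '7.5.9' },
    'node_modules/puppeteer-core/node_modules/ws': { version: '8.16.0' },
    'node_modules/@types/ws': { version: '8.5.10' }, // not the ws package itself
  },
};

// Parse "x.y.z" into numbers, ignoring any prerelease or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

const lessThan = (a, b) =>
  a[0] !== b[0] ? a[0] < b[0] : a[1] !== b[1] ? a[1] < b[1] : a[2] < b[2];

// Classify one ws version as 'fixed', 'unpatched' or 'unknown'.
function classifyWs(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (v[0] > 8) return 'fixed'; // assumption: later majors carry the fix
  const fixed = FIXED_WS[v[0]];
  if (!fixed) return 'unknown'; // major line with no backport listed in this issue
  return lessThan(v, fixed) ? 'unpatched' : 'fixed';
}

// Report every installed copy of ws that is not on a fixed release.
function auditWs(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/ws$/.test(path)) continue;
    const status = classifyWs(meta.version);
    if (status === 'fixed') continue;
    // Nearest package that nests this copy, e.g. puppeteer-core.
    const parent = path.replace(/\/?node_modules\/ws$/, '').split('node_modules/').pop() || '(root)';
    findings.push({ path, version: meta.version, status, parent });
  }
  return findings;
}

console.log(auditWs(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `auditWs`; a non-empty result names the parent packages that still need updating.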