nasa / openmct-tutorial

A tutorial for OpenMCT that guides you through integrating historical and realtime telemetry.

High severity vulnerabilities found in 'npm audit' #30

Closed GeVic closed 5 years ago

GeVic commented 6 years ago

I tried cloning this repo and installing it locally; npm install indicated 2 high severity vulnerabilities found. Below is the output flashed on the terminal:

added 110 packages from 106 contributors and audited 329 packages in 850.806s
found 2 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

\open_mct_tutorials\openmct-tutorial>npm audit

                       === npm audit security report ===

# Run  npm install express-ws@4.0.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Denial of Service

  Package         ws

  Dependency of   express-ws

  Path            express-ws > ws

  More info       https://nodesecurity.io/advisories/550

# Run  npm install ws@5.2.2  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Denial of Service

  Package         ws

  Dependency of   ws

  Path            ws

  More info       https://nodesecurity.io/advisories/550

found 2 high severity vulnerabilities in 329 scanned packages
  2 vulnerabilities require semver-major dependency updates.

@akhenry can you please look into the same. Although I know it's because of the dependencies, it would be good to address it for beginners.

akhenry commented 5 years ago

@GeVic Thanks for reporting this!

These two vulnerabilities appear in fact to be the same vulnerability - a DOS attack vector in the ws dependency. As stated in our documentation, the tutorial server should not be used in a production environment, so the scope for any potential damage due to this vulnerability is zero.

That said, this is a timely reminder to keep our dependencies up to date, so I've gone ahead and created a PR to address this.

Thanks again!
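The point made above, that npm's "found 2 high severity vulnerabilities" counts vulnerable dependency paths rather than distinct advisories, is easy to check mechanically from `npm audit --json`. The following is an added example, not code from this issue thread or from the openmct-tutorial project: it groups an npm 6-style audit report by advisory id, lists every path and recommended fix per advisory, and offers a CI-style gate on distinct advisories. The JSON sample is constructed to mirror the audit output quoted in the issue (advisory 550, ws, paths `express-ws > ws` and `ws`); the field layout (`actions`, `resolves`, `advisories`, `metadata`) is assumed from the npm 6 JSON format and the sample is not real tool output.

```javascript
// Added example: summarise an npm 6-style `npm audit --json` report by
// distinct advisory rather than by vulnerable path.
// `sampleAuditJson` is a constructed sample modelled on the output quoted in
// this issue; it is not real npm output and the field layout is assumed.
const sampleAuditJson = JSON.stringify({
  actions: [
    {
      action: "install", module: "express-ws", target: "4.0.0", isMajor: true,
      resolves: [{ id: 550, path: "express-ws>ws", dev: false, optional: false, bundled: false }],
    },
    {
      action: "install", module: "ws", target: "5.2.2", isMajor: true,
      resolves: [{ id: 550, path: "ws", dev: false, optional: false, bundled: false }],
    },
  ],
  advisories: {
    "550": {
      id: 550, title: "Denial of Service", module_name: "ws", severity: "high",
      url: "https://nodesecurity.io/advisories/550",
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 2, critical: 0 } },
});

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk every action/resolves pair and key the result by advisory id, so one
// advisory reachable through several dependency paths is counted once.
function summarizeAudit(auditJson) {
  const report = JSON.parse(auditJson);
  const byAdvisory = new Map();
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      const adv = (report.advisories || {})[String(r.id)];
      if (!adv) continue; // resolves entry with no matching advisory record
      let entry = byAdvisory.get(adv.id);
      if (!entry) {
        entry = {
          id: adv.id, module: adv.module_name, title: adv.title,
          severity: adv.severity, url: adv.url,
          paths: [], fixes: [], semverMajor: false,
        };
        byAdvisory.set(adv.id, entry);
      }
      entry.paths.push(r.path);
      const fix = `${action.module}@${action.target}`;
      if (!entry.fixes.includes(fix)) entry.fixes.push(fix);
      // A single advisory may need a breaking upgrade on one path only.
      entry.semverMajor = entry.semverMajor || Boolean(action.isMajor);
    }
  }
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const reportedFindings = Object.values(counts).reduce((a, b) => a + b, 0);
  const advisories = [...byAdvisory.values()];
  return { reportedFindings, distinctAdvisories: advisories.length, advisories };
}

// CI-style gate: fail on any *distinct* advisory at or above the threshold.
function shouldFail(summary, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return summary.advisories.some((a) => {
    const rank = SEVERITY_RANK[a.severity];
    return rank !== undefined && rank >= min;
  });
}

// Human-readable rendering of the grouped result.
function formatSummary(summary) {
  const lines = [
    `npm reported ${summary.reportedFindings} finding(s) covering ` +
      `${summary.distinctAdvisories} distinct advisory(ies)`,
  ];
  for (const a of summary.advisories) {
    lines.push(`- [${a.severity}] ${a.module}: ${a.title} (advisory ${a.id})`);
    lines.push(`  paths: ${a.paths.join(", ")}`);
    lines.push(`  fixes: ${a.fixes.join(", ")}${a.semverMajor ? " (semver-major)" : ""}`);
  }
  return lines.join("\n");
}

const summary = summarizeAudit(sampleAuditJson);
console.log(formatSummary(summary));
console.log(`gate (>= high): ${shouldFail(summary) ? "FAIL" : "pass"}`);
```

To run it against a real tree, replace `sampleAuditJson` with the contents of `npm audit --json` captured from the project directory. Gating on distinct advisories rather than the raw count avoids a single transitive advisory being reported as several "vulnerabilities", while the `semverMajor` flag preserves the warning that the recommended fix is a breaking upgrade.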