Closed jessicaonly closed 12 months ago
There's a security vulnerability in the "ws" package that was fixed in version 7.4.6 of that library, here: https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
Here's some more documentation of the vulnerability and the fix on websockets' repo: https://github.com/websockets/ws/releases/tag/7.4.6
Thanks! 🙏
We do allow a secure version of ws to be used:
ws
https://github.com/webpack-contrib/webpack-bundle-analyzer/blob/f01056a51fa16f3274204b5b98bba1be3a3f496d/package.json#L48
This is a development-only tool so the security vulnerability does not apply to us. See https://overreacted.io/npm-audit-broken-by-design/ for more details.
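Whether a given install actually carries a pre-7.4.6 copy of ws depends on what the lockfile resolved, not on the range in package.json. The following is an added example, not code from this issue or from either project: it lists every resolved copy of ws in a parsed package-lock.json, compares each only against 7.4.6 (the fixed version the issue names), and reports the lockfile's `dev` flag. The function names and the sample lockfile are constructed for illustration.

```javascript
const FIXED = [7, 4, 6]; // fixed ws release named in the issue

// Parse "major.minor.patch"; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Every resolved copy of ws in a parsed package-lock.json: lockfileVersion 2/3
// keeps a flat "packages" map, lockfileVersion 1 a nested "dependencies" tree.
function findWs(lock) {
  const hits = [];
  const add = (path, pkg) => hits.push({ path, version: pkg.version, dev: Boolean(pkg.dev) });
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === "node_modules/ws" || path.endsWith("/node_modules/ws")) add(path, pkg);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "ws") add(path, pkg);
      walk(pkg.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// preFix is true for versions below 7.4.6 and for unparsable versions.
function auditWs(lock) {
  return findWs(lock).map((h) => {
    const v = parseVersion(h.version);
    return { ...h, preFix: v === null || isBelow(v, FIXED) };
  });
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app" },
    "node_modules/ws": { version: "7.4.5", dev: true },
    "node_modules/webpack-bundle-analyzer/node_modules/ws": { version: "7.4.6", dev: true },
  },
};
console.log(auditWs(sampleLock));
```

To check a real project, pass `auditWs` the result of `JSON.parse` on the contents of its package-lock.json.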