webpack-contrib / webpack-bundle-analyzer

Webpack plugin and CLI utility that represents bundle content as convenient interactive zoomable treemap
MIT License

Update "ws" package dependency to version 7.4.6 or greater #617

Closed jessicaonly closed 12 months ago

jessicaonly commented 1 year ago

Issue description

There's a security vulnerability in the "ws" package that was fixed in version 7.4.6 of that library, here: https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff

Technical info

Here's some more documentation of the vulnerability and the fix on websockets' repo: https://github.com/websockets/ws/releases/tag/7.4.6

Thanks! 🙏

valscion commented 12 months ago

We do allow a secure version of ws to be used:

https://github.com/webpack-contrib/webpack-bundle-analyzer/blob/f01056a51fa16f3274204b5b98bba1be3a3f496d/package.json#L48

This is a development-only tool so the security vulnerability does not apply to us. See https://overreacted.io/npm-audit-broken-by-design/ for more details.
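The maintainer's point above is that the range in package.json permits a fixed ws, but what actually ships is whatever the lockfile resolved, and a package can be installed more than once at different nesting levels. The script below is an added example (not part of this issue or of webpack-bundle-analyzer) that walks a package-lock.json and reports every resolved copy of a named package that is older than a minimum version, here the 7.4.6 named in the issue. The lockfile content, the `some-dev-tool` package and its versions are constructed sample data; the script handles both the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1.

```python
"""Report every resolved copy of a package in a package-lock.json that is below a minimum version."""
import json
import re

MIN_WS_VERSION = "7.4.6"  # fixed version named in the issue


def parse_version(version):
    """Return (major, minor, patch) ints; a leading 'v' and any prerelease/build suffix are ignored."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.groups())


def find_package_versions(lock, name):
    """Return {install_path: version} for every resolved copy of `name`, nested copies included."""
    found = {}

    # lockfileVersion 2/3: flat "packages" map keyed by install path
    for path, meta in lock.get("packages", {}).items():
        if path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"):
            found[path] = meta["version"]

    # lockfileVersion 1 (also present in v2 for compatibility): nested "dependencies" tree
    def walk(deps, prefix):
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name:
                found[path] = meta["version"]  # same key as above, so v2 files are not double-counted
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def vulnerable_copies(lock, name, minimum):
    """Subset of find_package_versions() whose version is strictly below `minimum`."""
    floor = parse_version(minimum)
    return {
        path: version
        for path, version in find_package_versions(lock, name).items()
        if parse_version(version) < floor
    }


# Constructed sample: lockfileVersion 2 with a fixed top-level ws and an older nested copy
SAMPLE_LOCK_V2 = json.loads("""
{
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "sample-app", "devDependencies": {"some-dev-tool": "^1.0.0", "ws": "^7.5.0"}},
    "node_modules/ws": {"version": "7.5.9", "dev": true},
    "node_modules/some-dev-tool": {"version": "1.0.0", "dev": true, "dependencies": {"ws": "~7.4.0"}},
    "node_modules/some-dev-tool/node_modules/ws": {"version": "7.4.5", "dev": true}
  }
}
""")

# Constructed sample: lockfileVersion 1 nesting style, everything already at or above the floor
SAMPLE_LOCK_V1 = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "ws": {"version": "7.4.6", "dev": true},
    "some-dev-tool": {"version": "1.0.0", "dev": true,
                      "dependencies": {"ws": {"version": "8.0.0", "dev": true}}}
  }
}
""")


def report(lock, name=" ws".strip(), minimum=MIN_WS_VERSION):
    """Human-readable summary; returns the number of copies below the floor."""
    bad = vulnerable_copies(lock, name, minimum)
    for path, version in sorted(find_package_versions(lock, name).items()):
        flag = "BELOW MINIMUM" if path in bad else "ok"
        print(f"{path}: {version} [{flag}]")
    return len(bad)


if __name__ == "__main__":
    # Real use: lock = json.load(open("package-lock.json"))
    report(SAMPLE_LOCK_V2)
    report(SAMPLE_LOCK_V1)
```

Run it against a real lockfile by loading `package-lock.json` instead of the sample; a non-zero return from `report()` means at least one nested copy still resolves below the floor even though the top-level range is fine, which is exactly the case an `npm audit` entry refers to and a version range alone does not rule out.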