Dependency update: ws (due to ReDOS)

Question

thernstig opened this issue 3 years ago · comments

Tobias Hernstig · Answer 1 · Wed Jun 02 2021 21:27:03 GMT+0800 (China Standard Time)

Jakesterwars · Answer 2 · Wed Jun 02 2021 22:41:27 GMT+0800 (China Standard Time)

Or maybe no update is needed, since https://github.com/socketio/engine.io-client/blob/master/package.json shows "ws": "~7.4.2"?

There is already a dependabot PR related to this here: #666

Tobias Hernstig · Answer 3 · Thu Jun 03 2021 01:50:04 GMT+0800 (China Standard Time)

Thanks @Jakesterwars, closing.

Damien Arrachequesne · Answer 4 · Thu Jun 03 2021 05:06:18 GMT+0800 (China Standard Time)

Or maybe no update is needed, since https://github.com/socketio/engine.io-client/blob/master/package.json shows "ws": "~7.4.2"?

@thernstig yes, running npm audit fix (or npm update --depth 9999 ws) should fix the issue, since we use the ~ operator.

@Jakesterwars please note that the PR only applies to the package-lock.json file of the project, which is not published.