Description
I've received a security alert from Github about ws in this package.
WS-2017-0421 More information
high severity
Vulnerable versions: >= 0.2.6, < 3.3.1
Patched version: 3.3.1
Affected version of ws (0.2.6--3.3.0) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Mori info:
https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
Solution
Upgrade ws to version 3.3.1 or later.
aevaldas
All 9 comments
Sounds good. We should do it.
CC: @Esemesek since you've been working on the debugger, you have the context already :)
grabbou
on 14 Nov 2019
thymikee
on 11 Mar 2020
Hey all! Any updates on this? 馃檪
tomtargosz
on 9 Apr 2021
No update. IIRC we're pretty much blocked by Metro, so it would be good to nudge them somehow :)
thymikee
on 9 Apr 2021
Is there an issue open on Metro?
brodybits
on 9 Apr 2021
Dunno :D
thymikee
on 9 Apr 2021
Yep! I attempted to give a nudge 馃槃 https://github.com/facebook/metro/issues/413
tomtargosz
on 9 Apr 2021
Thanks @tomtargosz!
brodybits
on 9 Apr 2021
There is another security vulnerability with this package that requires it to be bumped to 5.2.3 to fix it.
Please see here: https://github.com/advisories/GHSA-6fc8-4gx4-v693
Would we be able to fix this as part of this issue as well?
Flavyoo
on 9 Jun 2021
Related issues
jacargentina
路
4Comments
mauricioscotton
路
3Comments
patrickkempff
路
4Comments
lucasbento
路
3Comments
Steffi3rd
路
3Comments