https://nodesecurity.io/advisories/550
The ws module needs to be updated to >= 3.3.1
@slack/client version: 3.14.1
node version:
OS version(s): 6.9.1 (all)
[email protected] is not vulnerable. Also I guess ws is only used as a client here in which case it doesn't really matter as the vulnerability is on the server.
It would be nice to update ws to the latest version nonetheless.
Thanks for the analysis, folks. I agree, it would be great to upgrade ws. I'm hoping to attack this (and other dependency updates) after we ship v3.15.0. I don't think updating this package would break the module's API since this module isn't exposed directly, but if it's grouped with updating many other deps, the total effect is likely to change some behavior and I feel better about doing it in a major version bump.
How does that sound?
@aoberoi I agree on the major version bump. ws >= 2 only supports Node.js 4 or greater.
I've asked nsp to update the advisory regarding 1.1.15, just in case.
Not sure their format accepts such conditions (>=3.3.1 or >=1.1.5).
The correct range of vulnerable versions is >=0.6.0 <3.3.1 excluding 1.1.5
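As an added example that is not part of this thread or of the ws or @slack/client projects: a small range check that encodes the vulnerable range stated above so a dependency audit can answer whether an installed ws is affected. It assumes no `semver` package is available, so comparator parsing is a minimal reimplementation handling plain major.minor.patch versions only (no pre-release tags); the "excluding 1.1.5" caveat, which the advisory format could not express, becomes two disjoint comparator sets joined by `||`.

```javascript
// Parse "v1.2.3" / "1.2.3" into [1, 2, 3]; pre-release tags are not supported (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Return -1, 0 or 1 comparing two version strings component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Comparator operators, applied to the result of compareVersions(version, bound).
const OPS = {
  '>=': (c) => c >= 0,
  '>': (c) => c > 0,
  '<=': (c) => c <= 0,
  '<': (c) => c < 0,
  '=': (c) => c === 0,
};

// A range is an OR ("||") of comparator sets; each set is an AND of whitespace-separated
// comparators, the same shape a semver range string has.
function satisfies(version, range) {
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      return OPS[m[1] || '='](compareVersions(version, m[2]));
    })
  );
}

// Vulnerable range from the thread (>=0.6.0 <3.3.1 excluding 1.1.5), written as two sets.
const WS_VULNERABLE = '>=0.6.0 <1.1.5 || >1.1.5 <3.3.1';
// The patched versions named in the thread: the 1.1.5 backport and 3.3.1 onward.
const WS_PATCHED = '=1.1.5 || >=3.3.1';

function wsIsVulnerable(version) {
  return satisfies(version, WS_VULNERABLE);
}

function wsIsPatched(version) {
  return satisfies(version, WS_PATCHED);
}
```

Running `wsIsVulnerable` over the `ws` entries of a lockfile gives the same verdict the nsp check in the thread reaches once the advisory range was corrected.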
This is now passing the nsp check. Thanks!