Skip to content

fix(deps): bump ws to 8.21.0 (GHSA-96hv-2xvq-fx4p)#112

Merged
ClodoCapeo merged 1 commit into
mainfrom
keeper/ws-8.21.0-cve-fix
Jul 5, 2026
Merged

fix(deps): bump ws to 8.21.0 (GHSA-96hv-2xvq-fx4p)#112
ClodoCapeo merged 1 commit into
mainfrom
keeper/ws-8.21.0-cve-fix

Conversation

@ClodoCapeo

Copy link
Copy Markdown
Contributor

Contexte

deps-audit échoue sur main : npm audit --omit=dev --audit-level=high flagge ws (GHSA-96hv-2xvq-fx4p, DoS mémoire par petits fragments/chunks, affecte 8.0.0 - 8.20.1). Cela bloque le merge de PR #111.

Fix

Bump ws8.21.0 (patché). La plage déclarée dans les workspaces (pulsar-bundle-full, pulsar-bundle, pulsar-client) est déjà ^8.18.0, qui permet 8.21.0 : seul le pin du lockfile bouge, aucun package.json ni overrides requis.

Vérification locale

  • npm audit --omit=dev --audit-level=highfound 0 vulnerabilities
  • npm ci --dry-run → lockfile synchro, pas de drift
  • Compatible obs-websocket-js ^8.13.0, isomorphic-ws *, devDep ^8.18.0 (patch API-compatible)

Risque

Faible : usage transitif client loopback-only, jamais serveur ws exposé. Patch direct → pas de raison d'accepter le risque (verdict Bastion).

Une fois mergé, PR #111 peut rebaser et reverdir sa CI.

Memory-exhaustion DoS from tiny fragments/data chunks affects ws
8.0.0 - 8.20.1. The declared range (^8.18.0) already permits the
patched 8.21.0; only the lockfile pin moves. Usage is transitive
loopback-only client, never an exposed ws server, so real risk is
low, but the patch is direct and API-compatible.

Unblocks deps-audit on main.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ClodoCapeo ClodoCapeo force-pushed the keeper/ws-8.21.0-cve-fix branch from 236786f to 4fc73b1 Compare July 5, 2026 14:13
@ClodoCapeo ClodoCapeo merged commit 397a6d7 into main Jul 5, 2026
14 checks passed
@ClodoCapeo ClodoCapeo deleted the keeper/ws-8.21.0-cve-fix branch July 5, 2026 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant