
Deps: bumps ws version which patches a security vulnerability #45147

Conversation


@pranshuchittora pranshuchittora commented Jun 24, 2024

Summary:

Fixes #45108

https://github.com/websockets/ws/releases/tag/6.2.3

Changelog:

[INTERNAL] [SECURITY] - Fixes CVE-2024-37890

Test Plan:

NA


Thanks :)

@facebook-github-bot facebook-github-bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Jun 24, 2024

Warnings
⚠️ 🔒 package.json - Changes were made to package.json. This will require a manual import by a Facebook employee.

Generated by 🚫 dangerJS against a1e14a2

@facebook-github-bot facebook-github-bot added the Shared with Meta Applied via automation to indicate that an Issue or Pull Request has been shared with the team. label Jun 24, 2024
@analysis-bot

Platform Engine Arch Size (bytes) Diff
android hermes arm64-v8a 20,479,690 -1
android hermes armeabi-v7a n/a --
android hermes x86 n/a --
android hermes x86_64 n/a --
android jsc arm64-v8a 23,677,075 +9
android jsc armeabi-v7a n/a --
android jsc x86 n/a --
android jsc x86_64 n/a --

Base commit: 986cf18
Branch: main

@facebook-github-bot
Contributor

@arushikesarwani94 has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@NickGerleman
Contributor

The old version is still getting pulled into lock file?

@cortinico
Contributor

cortinico commented Jun 24, 2024

The old version is still getting pulled into lock file?

I believe that's because of @react-native-community/cli-server-api:

$ yarn why ws
=> Found "[email protected]"
info Has been hoisted to "ws"
info Reasons this module exists
   - "workspace-aggregator-28148ab4-8bd7-4548-888c-fe4b28e574f9" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#ws"
   - Hoisted from "_project_#@react-native#dev-middleware#ws"
   - Hoisted from "_project_#react-native#ws"
info Disk size without dependencies: "136KB"
info Disk size with unique dependencies: "240KB"
info Disk size with transitive dependencies: "240KB"
info Number of shared dependencies: 1
=> Found "@react-native-community/cli-server-api#[email protected]"
info This module exists because "_project_#@react-native#community-cli-plugin#@react-native-community#cli-server-api" depends on it.
info Disk size without dependencies: "136KB"
info Disk size with unique dependencies: "240KB"
info Disk size with transitive dependencies: "240KB"
info Number of shared dependencies: 1
=> Found "react-devtools-core#[email protected]"
info This module exists because "_project_#react-native#react-devtools-core" depends on it.
info Disk size without dependencies: "168KB"
info Disk size with unique dependencies: "168KB"
info Disk size with transitive dependencies: "168KB"
info Number of shared dependencies: 0
=> Found "metro#[email protected]"
info This module exists because "_project_#@react-native#community-cli-plugin#metro" depends on it.
info Disk size without dependencies: "168KB"
info Disk size with unique dependencies: "168KB"
info Disk size with transitive dependencies: "168KB"
info Number of shared dependencies: 0
=> Found "selenium-webdriver#[email protected]"
info This module exists because "_project_#@react-native#bots#firebase#@firebase#auth-compat#selenium-webdriver" depends on it.
info Disk size without dependencies: "180KB"
info Disk size with unique dependencies: "180KB"
info Disk size with transitive dependencies: "180KB"
info Number of shared dependencies: 0
✨  Done in 0.32s.
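The situation cortinico's `yarn why` output shows, a package.json bump that leaves older `ws` copies resolved in the lockfile through transitive dependents, can be checked straight from yarn.lock. The script below is an added example for this thread, not React Native's or ws's own tooling: it parses the classic yarn.lock v1 layout, lists every resolved `ws` entry, names the dependents that pull each one in, and flags versions inside the range affected by CVE-2024-37890. The affected ranges come from the upstream ws advisory (the thread itself only cites the 6.2.3 release); the lockfile excerpt is constructed to resemble the thread's situation and its versions and dependents are illustrative.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Affected ranges per the upstream ws advisory for CVE-2024-37890, as
# (first affected, first fixed) per release line. Everything below 5.2.4
# is affected, so the first tuple covers 1.x-5.x.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 2, 4)),
    ((6, 0, 0), (6, 2, 3)),
    ((7, 0, 0), (7, 5, 10)),
    ((8, 0, 0), (8, 17, 1)),
]


class LockEntry(NamedTuple):
    specifiers: List[str]         # e.g. ["ws@^6.2.2", "ws@^6.1.0"]
    version: str                  # resolved version
    dependencies: Dict[str, str]  # dependency name -> range string


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; pre-release/build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def parse_yarn_lock(text: str) -> List[LockEntry]:
    """Minimal yarn.lock v1 parser: keys at column 0, fields indented two
    spaces, dependency lines indented four spaces under `dependencies:`."""
    entries: List[LockEntry] = []
    specifiers: List[str] = []
    version, deps, in_deps = "", {}, False

    def flush() -> None:
        if specifiers:
            entries.append(LockEntry(specifiers, version, deps))

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):
            flush()  # new entry: `ws@^6.2.2, ws@^6.1.0:` (keys may be quoted)
            specifiers = [s.strip().strip('"') for s in raw.rstrip(":").split(",")]
            version, deps, in_deps = "", {}, False
            continue
        line = raw.strip()
        if raw.startswith("    ") and in_deps:
            name, _, rng = line.partition(" ")
            deps[name.strip('"')] = rng.strip('"')
        elif line in ("dependencies:", "optionalDependencies:"):
            in_deps = True
        else:
            in_deps = False
            if line.startswith("version "):
                version = line.split(" ", 1)[1].strip('"')
    flush()
    return entries


def spec_name(spec: str) -> str:
    """'@scope/pkg@^1.0.0' -> '@scope/pkg'; 'ws@^6.2.2' -> 'ws'."""
    at = spec.rfind("@")
    return spec[:at] if at > 0 else spec


def report(lock_text: str, package: str = "ws") -> List[dict]:
    """One row per resolved copy of `package`, with the dependents whose
    declared range resolves to it (empty list = only the root package.json)."""
    entries = parse_yarn_lock(lock_text)
    rows = []
    for entry in entries:
        if spec_name(entry.specifiers[0]) != package:
            continue
        dependents = sorted(
            spec_name(other.specifiers[0]) for other in entries
            if other is not entry and package in other.dependencies
            and f"{package}@{other.dependencies[package]}" in entry.specifiers
        )
        rows.append({"version": entry.version, "specifiers": entry.specifiers,
                     "vulnerable": is_vulnerable(entry.version),
                     "pulled_in_by": dependents})
    return rows


# Constructed excerpt (resolved/integrity fields omitted): package.json was
# bumped to ^6.2.3, but the old ^6.2.2 range from a transitive dependent is
# still resolved to 6.2.2. Versions and dependents are illustrative.
SAMPLE_LOCK = '''\
# yarn lockfile v1

"@react-native-community/cli-server-api@13.6.6":
  version "13.6.6"
  dependencies:
    ws "^6.2.2"

react-devtools-core@^5.3.1:
  version "5.3.1"
  dependencies:
    shell-quote "^1.6.1"
    ws "^7"

ws@^6.2.2:
  version "6.2.2"
  dependencies:
    async-limiter "~1.0.0"

ws@^6.2.3:
  version "6.2.3"
  dependencies:
    async-limiter "~1.0.0"

ws@^7:
  version "7.5.10"
'''

if __name__ == "__main__":
    for row in report(SAMPLE_LOCK):
        status = "VULNERABLE" if row["vulnerable"] else "ok"
        via = row["pulled_in_by"] or ["(root package.json)"]
        print(f"ws@{row['version']}: {status}; pulled in by {via}")
```

Run it against a real lockfile with `report(open("yarn.lock").read())`; a vulnerable row whose `pulled_in_by` names a third-party package is exactly the case in this thread, where the fix has to come from that dependent (or a resolution override) rather than from the root package.json alone.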

@arushikesarwani94
Contributor

FWIW, this is covered by #45130
Hence closing.


Successfully merging this pull request may close these issues.

ws affected by a DoS when handling a request with many HTTP headers
6 participants