
Update "ws" package to ^7.4.6 due to vulnerability (CVE-2021-32640)

Is your feature request related to a problem? Please describe.
ws >= 7.0.0 < 7.4.6 have a vulnerability that makes it possible to significantly slow down a ws server.

Describe the solution you’d like
Update dependencies in package.json to request "ws": "^7.4.6"

Additional context
Please find full details of the vulnerability at: https://github.com/advisories/GHSA-6fc8-4gx4-v693

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

2 reactions
TonyMasse commented, Sep 7, 2021

@darrachequesne , absolutely. But here, we have versions that are in the range, and that are dangerous. Thus it makes sense to actually avoid the range and specify that we want the version that has the fix, and any more recent versions.
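The point made above, as an added JavaScript example that is not code from the ws project or from this thread: a caret range such as ^7.0.0 has 7.0.0 as its lowest satisfying version and therefore still admits releases affected by CVE-2021-32640, while ^7.4.6 cannot resolve to one; the lockfile audit at the end runs over a constructed package-lock fragment whose dependency names are placeholders.

```javascript
// Added example, not code from the ws project or this thread. CVE-2021-32640
// affects ws >= 7.0.0 and < 7.4.6; 7.4.6 is the first fixed release.
const VULN_MIN = [7, 0, 0]; // first affected version (inclusive)
const FIXED = [7, 4, 6];    // first fixed version (exclusive upper bound)
// Parses "X.Y.Z" or "vX.Y.Z"; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when an installed ws version lies in the affected range [7.0.0, 7.4.6).
function isVulnerableWs(version) {
  const v = parseVersion(version);
  return compareVersions(v, VULN_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// A caret range "^X.Y.Z" with X >= 1 accepts every version in [X.Y.Z, (X+1).0.0),
// and X.Y.Z itself is the lowest version a resolver may pick. The range is safe
// only if that whole interval misses [VULN_MIN, FIXED). (0.x carets not handled.)
function caretRangeAllowsVulnerableWs(range) {
  const m = /^\^v?([1-9]\d*\.\d+\.\d+)$/.exec(String(range).trim());
  if (!m) throw new Error(`only plain caret ranges with major >= 1 are handled: ${range}`);
  const floor = parseVersion(m[1]);
  const nextMajor = [floor[0] + 1, 0, 0];
  return compareVersions(floor, FIXED) < 0 && compareVersions(nextMajor, VULN_MIN) > 0;
}

// Audits the "packages" map of a package-lock.json (lockfileVersion 2 or 3) for
// every installed copy of ws, including nested copies under other dependencies.
function findVulnerableWsInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/ws" && !path.endsWith("/node_modules/ws")) continue;
    if (entry.version && isVulnerableWs(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile ("some-dep"/"other-dep" are placeholder names).
const sampleLock = { lockfileVersion: 2, packages: {
  "node_modules/ws": { version: "7.4.5" },
  "node_modules/some-dep/node_modules/ws": { version: "7.4.6" },
  "node_modules/other-dep/node_modules/ws": { version: "8.2.3" },
} };
console.log(caretRangeAllowsVulnerableWs("^7.0.0"), findVulnerableWsInLock(sampleLock));
```

Running it prints `true` for ^7.0.0 and lists the top-level 7.4.5 copy as the only affected install; a transitive copy of ws pulled in by another dependency is reported the same way, which a package.json edit alone would not fix.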

1 reaction
TonyMasse commented, Jan 13, 2022

Closing this issue as the latest version requires “ws” version ~8.2.3. Thanks team.
