Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update ws to 8.17.1 to mitigate CVE-2024-37890 #3734

Closed
wants to merge 3 commits into from
Closed

Update ws to 8.17.1 to mitigate CVE-2024-37890 #3734

wants to merge 3 commits into from

Conversation

Plsr
Copy link

@Plsr Plsr commented Jun 18, 2024

We were notified by dependabot this morning about CVE-2024-37890 that was introduced to our project by a peer-dependency on ws by jsdom.

This issue was fixed in version 8.17.1 of ws, so this PR introduces this update.

This release of ws addresses only this fix (see release notes)

@gazpachu
Copy link

Merge please 🙏

@kevinschaul
Copy link

You'll want to update the ws version in package.json too, right? https://github.com/jsdom/jsdom/blob/main/package.json#L42

@Plsr
Copy link
Author

Plsr commented Jun 19, 2024

@kevinschaul good point, updated package.json as well

@ibakirov not sure if it's helpful to have two PRs open for this now

@ibakirov
Copy link

@Plsr ok, i canceled my request

@domenic
Copy link
Member

domenic commented Jun 20, 2024

Since jsdom uses ^8.17.0, 8.17.1 is automatically installed by all compliant package managers, so this is not necessary.

@domenic domenic closed this Jun 20, 2024
@Plsr
Copy link
Author

Plsr commented Jun 20, 2024
edited
Loading

@domenic True, I missed that tbh. Thought it would be nice to exclude the version with a known vulnerability explicitly anyways.

Thanks for taking the time to look at this and your work on jsdom, have a great day!

@ibakirov
Copy link

@domenic I would argue and propose ^8.17.1 to be clearly defined.

@am
Copy link

am commented Jun 20, 2024

Since jsdom uses ^8.17.0, 8.17.1 is automatically installed by all compliant package managers, so this is not necessary.

Isn't package-lock.json definition preventing that from happening?

@jhoermann
Copy link

With npm update it'll automatically update ws in your package lock file as mentioned in #3734 (comment).

@bendeutz
Copy link

I am a bit confused why now both PRs are closed (and not merged)? Sorry if i missed something.

@MarkBerube
Copy link

@bendeutz other PR was closed due to dup. PR. This one was closed because the dep definition in package.json includes 8.17.1 in the package.json already technically:

"ws": "^8.17.0",

The problem I still face though is that the lack of package lock updates makes many dependency/security managers like dependabot scream because jsdom's package lock is still set at 8.17.0. npm update will not fix that, only modding the lock will.

could this please be reopened @domenic ?

@domenic
Copy link
Member

domenic commented Jul 11, 2024

Nope, if there are tools that don't understand the ^ syntax, we're not going to work around them in jsdom.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@Plsr @gazpachu @kevinschaul @ibakirov @domenic @am @jhoermann @bendeutz @MarkBerube