UniversalDevicesInc/pgc-nodejs-interface

refresh lockfile to automatically remove the vulnerability introduced by ws@3.3.3

Opened this issue · 0 comments

Hi, @mkohanim, I have reported a vulnerability issue in package mqtt.

As far as I am aware, vulnerability CVE-2021-32640 detected in package ws (<5.2.3, >=6.0.0 <6.2.2, >=7.0.0 <7.4.6) is directly referenced by mqtt@2.18.8, on which your package pgc_interface@1.0.13 transitively depends. As such, this vulnerability can also affect pgc_interface@1.0.13 via the following path:
pgc_interface@1.0.13 ➔ mqtt@2.18.8 ➔ websocket-stream@5.5.2 ➔ ws@3.3.3(vulnerable version)

Since mqtt has released a new patched version mqtt@2.18.9 to resolve this issue (mqtt@2.18.9 ➔ websocket-stream@5.2.0 ➔ ws@6.2.2 (fix version)), this vulnerability patch can be automatically propagated into your project only if you update your lockfile. The following is your new dependency path:
pgc_interface@1.0.13 ➔ mqtt@2.18.9 ➔ websocket-stream@5.2.0 ➔ ws@6.2.2(vulnerability fix version).


A warm tip.^_^