pubkey/rxdb

Upgrading WS to 8.17.1

elribonazo opened this issue · 3 comments

Morning! This is the week of the medium and high severity vulns I guess!!!

This is happening in all RXDB versions.

# npm audit report

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install rxdb@12.7.16, which is a breaking change
node_modules/engine.io-client/node_modules/ws
node_modules/rxdb/node_modules/ws
node_modules/ws
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 6.0.0 - 6.5.3
  Depends on vulnerable versions of ws
  node_modules/engine.io-client
  rxdb  >=13.0.0-beta.1
  Depends on vulnerable versions of ws
  node_modules/rxdb

3 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

This got mitigated on our side by forcing 8.17.1 which has the fix for this in place, I can work on a PR later to get this approved in Main branch but is there a way to make an additional upgrade for <15?

Hi @elribonazo Thank for the investigation.
I am sorry, but there will be no more <15 releases.
PR is welcomed.

Cool, so will try to kickoff our collab later by this :) thanks!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed soon. Please update it or it may be closed to keep our repository organized. The best way is to add some more information or make a pull request with a test case. Also you might get help in fixing it at the RxDB Community Chat If you know you will continue working on this, just write any message to the issue (like "ping") to remove the stale tag.