[agent] chore(deps): bump ws to ^8.21.0 via overrides (GHSA-96hv-2xvq-fx4p)#792
Draft
github-actions[bot] wants to merge 1 commit into
Draft
[agent] chore(deps): bump ws to ^8.21.0 via overrides (GHSA-96hv-2xvq-fx4p)#792github-actions[bot] wants to merge 1 commit into
github-actions[bot] wants to merge 1 commit into
Conversation
Add npm overrides to force ws >= 8.21.0, resolving the memory exhaustion DoS vulnerability (CVE-2026-48779 / GHSA-96hv-2xvq-fx4p) in the transitive dependency pulled in by jsdom@^24.1.3. jsdom@24.1.3 declares ws@^8.18.0; no jsdom v24.x release has updated this range to require ws >= 8.21.0, so an npm override is used as the appropriate fallback. Fixes Dependabot alert #277. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds an npm
overridesentry to forcewsto^8.21.0, resolving a high-severity memory exhaustion DoS vulnerability in the transitivewsdependency.Vulnerability
ws >= 8.0.0, < 8.21.0ws@8.21.0Impact
A peer can send high volumes of tiny fragments/data chunks to force the remote peer into allocating structural wrappers consuming far more memory than the documented message-size limit, leading to OOM termination.
Changes
package.json: Added"overrides": { "ws": "^8.21.0" }package-lock.json: Updatedwsfrom8.18.0→8.21.0Why overrides?
wsis a transitive dependency pulled in byjsdom@^24.1.3(devDependency inpackages/mql-typescript).jsdom@24.1.3requiresws@^8.18.0— no release in thejsdom@24.xrange has updated this constraint to requirews >= 8.21.0. Upgradingjsdomto a version that dropswsentirely (v29+) would be a major breaking change. Therefore, an npmoverridesentry is the appropriate remediation to ensure the patchedwsversion is resolved.