10 changes: 5 additions & 5 deletions bun.lock
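Review bot: the bun.lock hunk (5 additions, 5 deletions) is collapsed on this page, so the resolved `ws` version and its integrity hash behind the new `^8.21.0` ranges cannot be checked here; expand the lockfile diff or quote the resolved `ws` entry in the PR description, since the lockfile, not the caret range, is what pins what `bun install` actually fetches for both packages.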


2 changes: 1 addition & 1 deletion packages/api/package.json
@@ -27,7 +27,7 @@
"@fedify/vocab": "^2.2.3",
"effect": "^3.21.2",
"node-pty": "^1.1.0",
"ws": "^8.20.1"
"ws": "^8.21.0"
⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

ws npm package version 8.21.0 release notes and changelog

💡 Result:

As of May 22, 2026, there is no version 8.21.0 of the ws npm package. The most recent version available is 8.20.1, which was published on May 12, 2026 [1][2]. The ws package maintains its changelog and release notes directly through GitHub Releases [1][3]. You can view the history of all releases, including the latest version 8.20.1, at the official repository: https://github.com/websockets/ws/releases [4].

Citations:


🌐 Web query:

ws npm package security vulnerabilities and advisories 2026

💡 Result:

As of today (2026-05-22), the key npm package security vulnerability/advisory I found for the ws package is:

1) ws (websockets/ws) uninitialized memory disclosure (CVE-2026-45736), advisory GitHub GHSA-58qx-3vcg-4xpx: a vulnerability in ws's websocket.close allows uninitialized memory disclosure when a TypedArray is passed as the reason argument; it affects ws versions >= 8.0.0 and < 8.20.1, and was patched in ws 8.20.1 [1].
   - CVE: the issue is tracked as CVE-2026-45736 and fixed in ws 8.20.1 [1].
   - Examples of the vulnerable behavior and fix guidance are reflected in the broader vulnerability writeups: upgrading ws to 8.20.1+ mitigates [2].
2) "Direct vulnerabilities" status for the latest ws version: the Snyk package page for ws (based on latest version 8.20.1) reports "No known security issues" affecting the latest version, and notes that although there are vulnerabilities in older versions, none affect 8.20.1 [3].
3) Additional (older) ws advisories you may still want to account for (if you run older ws versions):
   - DoS due to many HTTP headers (CVE-2024-37890 / GHSA-3h5v-q93c-6h6q): affects ws versions >= 2.1.0 < 5.2.4, >= 6.0.0 < 6.2.3, >= 7.0.0 < 7.5.10, and >= 8.0.0 < 8.17.1; patched in 5.2.4, 6.2.3, 7.5.10, 8.17.1 [4].
   - ReDoS in Sec-Websocket-Protocol header (CVE-2021-32640 / GHSA-6fc8-4gx4-v693): affects ws versions >= 5.0.0 < 5.2.3, >= 6.0.0 < 6.2.2, >= 7.0.0 < 7.4.6; patched in 5.2.3, 6.2.2, 7.4.6 [5].

Recommended remediation (practical):
   - Upgrade ws to at least 8.20.1 (to address CVE-2026-45736) [1].
   - If you cannot upgrade immediately, ensure you're not calling websocket.close with a TypedArray as the "reason" argument, since the disclosure occurs under that usage condition [1].

If you want, tell me which ws version(s) you use (and whether it's direct or transitive), and I can map the precise affected ranges to your dependency tree and suggest an upgrade target.

Citations:


🏁 Script executed:

#!/bin/bash
# Locate every import/require of ws in the api package to assess the impact of the bump
rg -n "from ['\"]ws['\"]|require\(['\"]ws['\"]" packages/api/src/ -A 2 -B 2

Repository: ProverCoderAI/docker-git

Length of output: 2221


The ws version must be corrected and the update justified

  • packages/api/package.json (line 30) sets "ws": "^8.21.0", but no 8.21.0 release of ws exists on npm/GitHub Releases as of today (the latest is 8.20.1). Clarify the goal/source (for example, whether this is a prerelease) or replace it with an existing version to avoid install failures.
  • The dependency update is not accompanied by a link to an issue/spec or a description of the changes/goals: add release notes/changelog and a rationale (including security, e.g. CVE-2026-45736 is fixed starting from 8.20.1).
  • Check and synchronize the ws versions in Docker/templates: either synchronize them or explain why the divergence is acceptable.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/api/package.json` at line 30, replace the non-existent dependency
version "ws": "^8.21.0" in packages/api/package.json with a real published
version (recommended "8.20.1"), or explicitly mark and document the reason for
using a prerelease/local target; add a link to the release notes/changelog and a
brief rationale for the update to the PR/commit (including a mention of the
security fix, e.g. CVE-2026-45736, if applicable); check and synchronize this
"ws" version across all Dockerfiles/templates/configurations in the project, or
document the permitted divergence and its reasons (files/places to search:
packages/api/package.json and the corresponding Docker/templates).

},
"repository": {
"type": "git",
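Review bot: raising the floor from `^8.20.1` to `^8.21.0` changes almost nothing in package.json itself, because a caret range on an 8.x version already admits every later 8.x release, so `^8.20.1` would have accepted 8.21.0 anyway; the only effect of this edit is to exclude 8.20.1, and if no 8.21.0 exists on the registry the range cannot be satisfied at all and `bun install` fails. If the intent is to force a specific release, pin it exactly (`"ws": "8.20.1"` today, or the exact 8.21.0 once it exists) and let bun.lock carry the resolution; otherwise leave the range at `^8.20.1`.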
2 changes: 1 addition & 1 deletion packages/app/package.json
@@ -121,6 +121,6 @@
"typescript-eslint": "^8.59.4",
"vite": "^8.0.14",
"vitest": "^4.1.7",
"ws": "^8.20.1"
"ws": "^8.21.0"
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Justification required for the dev-dependency update (duplicates the issue in the api package).

As with the production dependency in packages/api/package.json, the update of ws to ^8.21.0 in devDependencies lacks:

  1. A documented specification or rationale
  2. Information on which changes require this update in the dev environment
  3. Consistency with the version pinned in the Docker template (ws@8.18.3 in packages/app/src/lib/core/templates/playwright.ts:8)

Although this is a dev dependency with less runtime impact, it still represents a supply-chain risk and must have a rationale according to the coding guidelines.

It is recommended to add to the PR description or a linked issue information on:

  • The reason for the update (security fix, bug fix, required feature)
  • An assessment of breaking changes
  • A plan for synchronizing versions in the Docker templates
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/app/package.json` at line 124, The devDependency bump of "ws" to
"^8.21.0" in packages/app's package.json lacks justification and conflicts with
the pinned "ws@8.18.3" used in the project's Docker/playwright template and the
change in packages/api/package.json; update the PR or create an associated issue
that documents the reason for the upgrade (security/bug/feature), an assessment
of breaking changes, and a plan to reconcile/sync the version used in the
Docker/playwright template (or intentionally explain why they may differ), and
ensure the package.json change to "ws": "^8.21.0" is either aligned with the
template or accompanied by the documented rationale.

}
}
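Review bot: same caret observation as for packages/api/package.json: `^8.20.1` already covers 8.21.0, so this devDependency edit only removes 8.20.1 from the acceptable set and, if 8.21.0 is unpublished, leaves nothing installable. The version the review above says is pinned in the playwright template (ws@8.18.3) is the one that sits below the 8.20.1 fix for CVE-2026-45736, and this hunk does not touch it; either pin the same version in both places or state in the PR why the template intentionally stays behind.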
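Added example, not code from this PR or from the docker-git project: a dependency-free check that answers the questions both review comments above raise about a caret-range bump, namely whether the new range resolves to a published version at all, whether the previous range already admitted the intended version (so the edit is a no-op apart from excluding 8.20.1), whether the lockfile's resolved version is consistent with the range, and whether that version still falls inside the advisory ranges the bot's query quotes. The published-version list and the bun.lock value are constructed for the example; the advisory ranges are copied from the review text, not verified against the registry; the function names (`reviewBump`, `satisfiesCaret`, `maxSatisfying`) are the example's own.

```typescript
// Example code, not part of the PR or the project. Everything "published" below is
// constructed from the review text, not fetched from npm.

type Version = [number, number, number];

function parseVersion(s: string): Version {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(s.trim());
  if (!m) throw new Error(`not a semver version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: string, b: string): number {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics as npm/bun apply them: any change that does not modify the
// leftmost non-zero component of the base. ^8.20.1 => >=8.20.1 <9.0.0,
// ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4.
function satisfiesCaret(range: string, version: string): boolean {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [bM, bm, bp] = parseVersion(base);
  const [vM, vm, vp] = parseVersion(version);
  if (bM > 0) return vM === bM;
  if (bm > 0) return vM === 0 && vm === bm;
  return vM === 0 && vm === 0 && vp === bp;
}

// Highest published version that satisfies the range, or null when nothing does
// (which is exactly what "^8.21.0" yields if 8.21.0 has not shipped).
function maxSatisfying(range: string, published: readonly string[]): string | null {
  let best: string | null = null;
  for (const v of published) {
    if (satisfiesCaret(range, v) && (best === null || compareVersions(v, best) > 0)) best = v;
  }
  return best;
}

// Half-open advisory range: lower <= version < upperExclusive.
function inAdvisoryRange(version: string, lower: string, upperExclusive: string): boolean {
  return compareVersions(version, lower) >= 0 && compareVersions(version, upperExclusive) < 0;
}

// CONSTRUCTED: an illustrative list of 8.x releases consistent with the review
// (latest 8.20.1); it is not the real registry listing.
const PUBLISHED_WS: readonly string[] = ["8.17.1", "8.18.0", "8.18.3", "8.19.0", "8.20.0", "8.20.1"];

// Advisory ranges as quoted in the bot's query result, restricted to the 8.x branch.
const WS_ADVISORIES_8X: ReadonlyArray<{ id: string; lower: string; upperExclusive: string }> = [
  { id: "CVE-2026-45736", lower: "8.0.0", upperExclusive: "8.20.1" },
  { id: "CVE-2024-37890", lower: "8.0.0", upperExclusive: "8.17.1" },
];

interface BumpReport {
  resolved: string | null;          // what the new range picks from the published list
  oldRangeAlreadyAllowed: boolean;  // did the old range admit the new floor anyway?
  lockAgrees: boolean;              // is the lockfile's version published and inside the new range?
  openAdvisories: string[];         // advisories whose range still contains the lockfile's version
}

function reviewBump(
  oldRange: string,
  newRange: string,
  lockResolved: string,
  published: readonly string[] = PUBLISHED_WS,
): BumpReport {
  const newFloor = newRange.slice(1);
  return {
    resolved: maxSatisfying(newRange, published),
    oldRangeAlreadyAllowed: satisfiesCaret(oldRange, newFloor),
    lockAgrees: published.includes(lockResolved) && satisfiesCaret(newRange, lockResolved),
    openAdvisories: WS_ADVISORIES_8X
      .filter((a) => inAdvisoryRange(lockResolved, a.lower, a.upperExclusive))
      .map((a) => a.id),
  };
}

// Stand-alone run: the bump in this PR, with a hypothetical bun.lock entry of 8.21.0.
const report = reviewBump("^8.20.1", "^8.21.0", "8.21.0");
console.log(report);
```

Running it with the PR's ranges reports `resolved: null` (nothing published satisfies `^8.21.0`), `oldRangeAlreadyAllowed: true` (the old range already accepted 8.21.0) and `lockAgrees: false`; running it with the template's `8.18.3` as the lockfile value lists CVE-2026-45736 as still open, which is the point of reconciling the template with package.json.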