
Upgrade ws package to 5.2.3 #674

Closed
flvyu opened this issue Jun 9, 2021 · 3 comments

Comments


flvyu commented Jun 9, 2021

Do you want to request a feature or report a bug?
Bug
What is the current behavior?
There is a security vulnerability with the current version of ws that requires it to be upgraded to 5.2.3.
This is also an issue for any packages in metro that use a ws version before 5.2.3.

If the current behavior is a bug, please provide the steps to reproduce and a minimal repository on GitHub that we can yarn install and yarn test.

Please see: GHSA-6fc8-4gx4-v693

What is the expected behavior?

No security vulnerability

Please provide your exact Metro configuration and mention your Metro, node, yarn/npm version and operating system.

@jonthysell

We were in the process of updating our versions in react-native-windows of ws to clear the vulnerability alerts but trying to force this with a yarn resolution breaks web debugging.


motiz88 commented Jun 16, 2021

Looks like we need to go through 4 major versions' worth of breaking changes to get to ws v5.x.

https://github.com/websockets/ws/releases/tag/5.0.0
https://github.com/websockets/ws/releases/tag/4.0.0
https://github.com/websockets/ws/releases/tag/3.0.0
https://github.com/websockets/ws/releases/tag/2.0.0

At a glance, we're affected by at least websockets/ws#1099 in v3.x (here) and websockets/ws@63e275e in v4.x (here). Probably a few other changes as well.


kelset commented Jul 12, 2021

@motiz88 anything we can do to help bumping ws? As far as I can see the main react-native repo is already on 6.1.4 https://github.com/facebook/react-native/blob/ca440b91000530e0f9d7cbb4109f25cdd9d135a5/package.json#L121

(ps: maybe worth closing this issue and redirecting here? #413)

facebook-github-bot pushed a commit that referenced this issue Jul 26, 2021
Summary:
# Context

#674

>There is a security vulnerability with the current version of ws, that requires it to be upgraded to 5.2.3.

# In this diff

> At a glance, we're affected by at least websockets/ws#1099 in v3.x (here) and websockets/ws@63e275e in v4.x (here). Probably a few other changes as well.

Like motiz88 mentioned in the issue, there are only 2 API changes that needed to be fixed:
- `upgradeReq` was removed from the web socket object, the fix being to take the URL from the request param instead
- `onError` now correctly passes an `ErrorEvent` instead of an `Error` object

Those are the only usages of ws in metro that I've seen.

Reviewed By: GijsWeterings

Differential Revision: D29517185

fbshipit-source-id: bac12e7106f09b88877e2e138472a0d981d55200