Is your feature request related to a problem? Please describe.
Our static code analysis (Veracode) detects a potential DDoS attack with the ws web socket library v6.2.1 utilized by @microsoft/signalr. A malicious user is able to cause the process to crash by using the permessage-deflate extension.
Class: lib/permessage-deflate.js
Method: PerMessageDeflate#_decompress()
Details: https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-29608/summary
Describe the solution you'd like
The ws v7.4.4 (or higher) corrects this issue. I do not see anything (even in the preview) that suggests that Microsoft is upgrading to ws v7.4.4 or higher. Any potential upgrade planned?
We currently reference 7.4.3 in main; it looks like 7.4.4 just came out. We have no problem updating in main here. But we are unlikely to change major versions in other releases.
As a workaround, you can manually reference a newer version of "ws" in your project.json assuming there are no breaking changes that would affect the signalr library.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s).
If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.