bumping ws dependency to fix component vulnerability #57536
Conversation
ghost
added
the
dotnet-policy-service
bot
added
the
community-contribution
|
Thanks for doing this, I'm experiencing this issue at my org - much needed! |
|
Also experiencing this issue at my org - really appreciate the PR! |
|
Thanks for the change! |
|
When will this make it into a version of @microsoft/signalr on npm? Looks like the latest version available there contains the impacted version of ws: https://www.npmjs.com/package/@microsoft/signalr?activeTab=code Thanks! |
|
This change was made in our 10.0 branch, which we're not shipping until next year. I can backport it to 9.0 and 8.0 so that it makes it into our next monthly release - unfortunately the branches are closed right now, so the fix won't ship until December. |
|
/backport to release/9.0 |
|
/backport to release/8.0 |
|
Started backporting to release/9.0: https://github.com/dotnet/aspnetcore/actions/runs/11369683658 |
|
Started backporting to release/8.0: https://github.com/dotnet/aspnetcore/actions/runs/11369685243 |
|
Actually, I was able to get this merged in time for the 9.0.0 RTM release in November |
|
When will you publish this fix? For the latest |
Which package are you referring to? The 8.0 SignalR package has been using 7.5.10 for some time now: |
|
npm package still contain "ws": "^7.4.5" |
Bumping
wsdependency to fixComponent Vulnerabilityissuews package has a DoS attach vulnerability between v7.0.0 and v7.5.10
Details can be found here; https://security.snyk.io/package/npm/ws
GitHub Code Scanning feature shows a
High SeverityalertDescription
wsdependency in the package.json is pinned to v7.4.5, and it needs to be updated to at least v7.5.10Fixes #56723