aspnetcore
Bumping ws dependency to fix Component Vulnerability issue
ws package has a DoS attack vulnerability between v7.0.0 and v7.5.10
Details can be found here: https://security.snyk.io/package/npm/ws
GitHub Code Scanning feature shows a High Severity alert
Description
ws dependency in the package.json is pinned to v7.4.5, and it needs to be updated to at least v7.5.10
Fixes #56723
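The PR description gives the affected range (ws >= 7.0.0 and < 7.5.10, fixed in 7.5.10) and the pinned spec ("^7.4.5"). The following is an added example, not code from the dotnet/aspnetcore repository or from this PR: a small dependency-free Node script that audits a package.json spec and a package-lock.json for `ws` versions inside that range. The range constant is taken from the description above; the package.json and lockfile objects are constructed sample inputs, not the real @microsoft/signalr files, and only the three numeric version components are compared (prerelease tags are ignored).

```javascript
// Added example (not part of the dotnet/aspnetcore PR). Flags `ws` versions
// inside the range quoted in the PR description: >= 7.0.0 and < 7.5.10.
const AFFECTED_RANGE = { min: "7.0.0", fixed: "7.5.10" }; // from the PR description

// Parse "7.4.5" (optionally "v7.4.5") into [7, 4, 5]; null if not a plain x.y.z.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of major.minor.patch: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is inside [min, fixed).
function isAffected(version, range = AFFECTED_RANGE) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.fixed) < 0;
}

// A package.json spec such as "^7.4.5" is only a floor: the lowest version that
// satisfies it is what a fresh install without a lockfile may select. Returns the
// raw spec, that floor, and whether the floor itself is in the affected range.
function auditManifest(pkg, name = "ws") {
  const spec = (pkg.dependencies && pkg.dependencies[name]) ||
               (pkg.devDependencies && pkg.devDependencies[name]);
  if (!spec) return null;
  const floor = spec.replace(/^[\^~>=v\s]+/, "");
  const parsed = parseVersion(floor);
  return {
    spec,
    floor: parsed ? floor : null,
    floorAffected: parsed ? isAffected(floor) : false,
  };
}

// package-lock.json records what was actually installed. Handles the
// lockfileVersion 2/3 "packages" map (keys like "node_modules/ws" or nested
// "node_modules/lib/node_modules/ws") and the lockfileVersion 1 "dependencies" tree.
function auditLockfile(lock, name = "ws") {
  const findings = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) {
          findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample inputs (not the real @microsoft/signalr manifest or lockfile).
const SAMPLE_PACKAGE_JSON = { name: "sample-app", dependencies: { ws: "^7.4.5" } };

// lockfileVersion 3 shape: a top-level ws plus a nested copy under another library.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/ws": { version: "7.4.5" },
    "node_modules/some-lib/node_modules/ws": { version: "7.5.9" },
  },
};

// lockfileVersion 1 shape, after bumping both copies to the fixed release.
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 1,
  dependencies: {
    ws: { version: "7.5.10" },
    "some-lib": { version: "1.0.0", dependencies: { ws: { version: "7.5.10" } } },
  },
};

console.log("manifest:", auditManifest(SAMPLE_PACKAGE_JSON));
console.log("before bump:", auditLockfile(SAMPLE_LOCK_BEFORE));
console.log("after bump:", auditLockfile(SAMPLE_LOCK_AFTER));
```

The two audits answer different questions: the manifest check tells you whether a spec such as "^7.4.5" still admits an affected version as its floor, while the lockfile check reports the versions actually installed, including nested copies that a top-level bump alone does not change. For a real audit, pair this with `npm audit`, since advisory ranges may cover other release lines than the one quoted here.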
Thanks for doing this, I'm experiencing this issue at my org - much needed!
Also experiencing this issue at my org - really appreciate the PR!
Thanks for the change!
When will this make it into a version of @microsoft/signalr on npm? Looks like the latest version available there contains the impacted version of ws: https://www.npmjs.com/package/@microsoft/signalr?activeTab=code
Thanks!
This change was made in our 10.0 branch, which we're not shipping until next year. I can backport it to 9.0 and 8.0 so that it makes it into our next monthly release - unfortunately the branches are closed right now, so the fix won't ship until December.
/backport to release/9.0
/backport to release/8.0
Started backporting to release/9.0: https://github.com/dotnet/aspnetcore/actions/runs/11369683658
Started backporting to release/8.0: https://github.com/dotnet/aspnetcore/actions/runs/11369685243
Actually, I was able to get this merged in time for the 9.0.0 RTM release in November
When will you publish this fix? For the latest 8.0.7, it still uses "ws": "^7.4.5"
Which package are you referring to? The 8.0 SignalR package has been using 7.5.10 for some time now:
https://github.com/dotnet/aspnetcore/blob/db9f8d7a5aa19a582dcec04c7ae6f5d4bd2df422/src/SignalR/clients/ts/signalr/package.json#L58
npm package still contains "ws": "^7.4.5" https://www.npmjs.com/package/@microsoft/signalr?activeTab=code