
Consider removing dependency on simple-websocket

Open yeikel opened this issue 7 months ago • 0 comments

The simple-websocket package does not seem to be actively maintained, as the last commit is from 5 years ago.

This is a challenge because it impacts redocly-cli indirectly via transitive dependencies. For example, CVE-2024-37890 is a recent example.

npm ls ws
└─┬ @redocly/[email protected]
  └─┬ [email protected]
    └── [email protected].

Although users can manually override ws to address this, it does not provide a great experience.

Additional context: https://github.com/feross/simple-websocket/issues/67

yeikel, May 30 '25 16:05
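Added example, not part of the original issue and not redocly-cli code: a lockfile check that finds every installed copy of a transitive package such as `ws`, shows where npm placed it, and builds the `overrides` fragment for the manual workaround mentioned above. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the function names are hypothetical and every version number is a constructed placeholder, so take the real minimum versions from the advisory for CVE-2024-37890.

```javascript
// Compare two plain x.y.z versions numerically; returns <0, 0 or >0.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "node_modules/a/node_modules/b" -> ["a", "b"]. This is where npm placed the
// copy on disk; a hoisted copy has one element even if it is transitive.
function installChain(lockPath) {
  return lockPath.split('node_modules/').slice(1).map(s => s.replace(/\/$/, ''));
}

// Scan a lockfileVersion 2/3 "packages" map for every copy of `name`.
// minByMajor maps a major version to its first fixed release (from the advisory).
function findCopies(lock, name, minByMajor) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const chain = installChain(path);
    if (chain[chain.length - 1] !== name || !meta.version) continue;
    const min = minByMajor[meta.version.split('.')[0]];
    // A major missing from the map is reported as unknown, never as ok.
    const status = !min ? 'unknown'
      : cmpVersion(meta.version, min) < 0 ? 'outdated' : 'ok';
    hits.push({ chain, version: meta.version, status, min });
  }
  return hits;
}

// package.json fragment using npm's "overrides" field for one outdated copy.
function overrideFor(hit, name) {
  return { overrides: { [name]: hit.min } };
}

// Constructed sample data: placeholder versions, not real ws releases.
const SAMPLE_MIN = { '90': '90.1.5', '91': '91.1.0' };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@redocly/cli': { version: '1.0.0' },
  'node_modules/simple-websocket': { version: '1.0.0' },
  'node_modules/simple-websocket/node_modules/ws': { version: '90.1.0' },
  'node_modules/ws': { version: '91.2.0' },
} };

for (const h of findCopies(SAMPLE_LOCK, 'ws', SAMPLE_MIN)) {
  console.log(h.chain.join(' > '), h.version, h.status);
}
```

Run against a real `package-lock.json` by passing the parsed file as `lock`; a nested copy left at `outdated` after an update means the parent package still pins the old range and an override is needed.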