npm audit alert being triggered - alchemy-sdk tied to 3-year-old @ethersproject/providers 5.7.2 - with ws 7.x
Sorry if this has been addressed or if I'm missing something obvious.
[REQUIRED] Environment
Win10
- Browser version: none
- Alchemy SDK version: 3.4.7
[REQUIRED] Describe the problem
npm audit shows:

```
ws  7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
No fix available
node_modules/@ethersproject/providers/node_modules/ws
  @ethersproject/providers  <=5.7.2
  Depends on vulnerable versions of ws
  node_modules/@ethersproject/providers
    alchemy-sdk  *
    Depends on vulnerable versions of @ethersproject/providers
    node_modules/alchemy-sdk
```
How to reproduce:
npm audit
Relevant code or sample repro:
all my Alchemy code works fine (thanks)
This has been an ongoing issue. We previously fixed this by manually updating the package-lock to the proper versions of ws and elliptic, but with the 3.5.0 release it seems like the problem has returned and we have not been able to find the correct versions to override with yet.
This was supposedly fixed in 3.4.3 but we still had to do the manual override. You can see a closed issue here where we raised the problem.
https://github.com/alchemyplatform/alchemy-sdk-js/issues/457
Sharing in case it's useful to anyone — instead of a manual update, you can also use the overrides field in your package.json, as we do in OISY (here).
```json
"overrides": {
  "ws": "^7.5.10",
  "elliptic": "^6.6.1"
}
```
This tells npm to override the specific dependency versions, making it less likely they'll be unintentionally updated by other dependency updates.
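One way to confirm that an override actually took effect, as an added example that is not part of this thread or the alchemy-sdk project: a dependency-free Node script that walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3, an assumption) and reports every nested copy of ws still inside the 7.0.0 - 7.5.9 range from the audit output above. The embedded lockfile and the ws 7.4.6 version in it are constructed for the demo; `loadLock` reads a real one.

```javascript
// Added example, not alchemy-sdk code: find nested package copies that still sit
// in a vulnerable version range after an "overrides" entry or lockfile edit.
// Vulnerable ws range taken from the npm audit output in this issue (GHSA-3h5v-q93c-6h6q).
const WS_DOS_RANGE = ['7.0.0', '7.5.9'];

// Minimal semver comparison for plain x.y.z versions (no prerelease tags);
// returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Inclusive range check, matching how npm audit prints "7.0.0 - 7.5.9".
function inRange(version, [lo, hi]) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Keys in lock.packages are install paths such as
// "node_modules/@ethersproject/providers/node_modules/ws"; the installed
// package name is everything after the last "node_modules/".
function findVulnerable(lock, name, range) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const installedName = p.split('node_modules/').pop();
    if (installedName === name && meta.version && inRange(meta.version, range)) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// Reads a real lockfile; only called when you pass a path, so the sample runs offline.
function loadLock(path) {
  return JSON.parse(require('fs').readFileSync(path, 'utf8'));
}

// Constructed sample lockfile mirroring the tree npm audit reported above:
// a nested ws under @ethersproject/providers plus a non-vulnerable top-level ws.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/ws': { version: '8.18.0' },
    'node_modules/@ethersproject/providers': { version: '5.7.2' },
    'node_modules/@ethersproject/providers/node_modules/ws': { version: '7.4.6' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK, 'ws', WS_DOS_RANGE)) {
  console.log(`vulnerable ws ${h.version} at ${h.path}`);
}
```

Run it against your own tree with `findVulnerable(loadLock('package-lock.json'), 'ws', WS_DOS_RANGE)`; an empty result means no copy of ws in the lockfile is still in the advisory's range.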