fix(deps): bump ws to 8.21.0 and diff to 8.0.3 (clears remaining audit findings)#127

Merged
anoncam merged 1 commit into
mainfrom
fix/deps-ws-diff
Jun 2, 2026
Conversation

@anoncam (Owner) commented Jun 2, 2026

Summary

Patches the final two transitive vulnerabilities via overrides. npm audit now reports 0 vulnerabilities (down from 8 at the start of this security pass).

| Package | From | To | Sonatype severity | Pulled by |
|---|---|---|---|---|
| ws | 8.18.0 | 8.21.0 | CVE-2026-48779 8.7 + sonatype-2026-003100 (7.5) | miniflare (hard-pins 8.18.0) |
| diff | 7.0.0 | 8.0.3 | sonatype-2026-000159 8.7 (DoS in parsePatch) | mocha@^7.0.0 |

Notes

  • Severity correction: npm audit rated these moderate/low, but Sonatype scores both as 8.7 high. Targets are the highest-trust clean versions per Sonatype (ws 8.21.0 → trust 94; diff 8.0.3 → trust 98).
  • Both required overrides: miniflare hard-pins ws@8.18.0, and diff 8.0.3 is a major bump beyond mocha's ^7 range.
  • Dev-only blast radius: ws backs miniflare's local dev WebSocket; diff backs mocha's assertion-diff rendering. Neither ships in the deployed Worker.

Verification

  • npm run build ✅ passes
  • npm audit: 0 vulnerabilities
  • npm test: mocha runs and renders assertion diffs correctly under the diff 8 major (verified via the existing failures' diff output). No regression — the 2 failures are the pre-existing flaky friend-encryption / PGP tests, identical to main (21 passing / 2 failing).

Clears the last two audit findings (npm audit now reports 0).
- ws: CVE-2026-48779 (8.7) + sonatype-2026-003100 (7.5); miniflare pins 8.18.0
- diff: sonatype-2026-000159 (8.7) DoS in parsePatch; mocha pins ^7.0.0
Both dev-only (local dev server / test reporter). Sonatype-verified targets.
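A check that goes with a PR like this one, added here as an example and not code from the PR or from the project it belongs to: an `overrides` entry in package.json only helps if every installed copy of the package, including nested ones such as `node_modules/miniflare/node_modules/ws`, was actually re-resolved into package-lock.json. The script below walks a lockfile (v2/v3 `packages` layout is assumed) and reports each copy whose version does not satisfy its override. The version matching is a deliberately small subset of semver (exact, `^x.y.z`, `>=x.y.z`), and the package.json / lockfile content at the bottom is constructed sample data, not this repository's files.

```javascript
// Added example (not from the PR or the project): verify that package.json
// "overrides" took effect in package-lock.json, nested copies included.
// Assumes lockfile v2/v3 ("packages" keyed by install path). All sample data
// below is constructed for illustration.

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release tags are ignored (simplification, not full semver).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal subset of the range syntax seen in "overrides": exact, ">=x.y.z", "^x.y.z".
function satisfies(installed, spec) {
  if (spec.startsWith('>=')) return compareVersions(installed, spec.slice(2)) >= 0;
  if (spec.startsWith('^')) {
    const base = spec.slice(1);
    return installed.split('.')[0] === base.split('.')[0] &&
      compareVersions(installed, base) >= 0;
  }
  return installed === spec;
}

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// One finding per installed copy that does not satisfy its override.
function checkOverrides(lock, overrides) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const spec = overrides[packageNameFromKey(key)];
    if (spec === undefined || !entry.version) continue;
    if (!satisfies(entry.version, spec)) {
      findings.push({ path: key, installed: entry.version, expected: spec });
    }
  }
  return findings;
}

// For a real checkout: pass the raw text of package.json and package-lock.json.
function checkFromJsonText(packageJsonText, lockJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = JSON.parse(lockJsonText);
  return checkOverrides(lock, pkg.overrides || {});
}

// Constructed sample: the two overrides this PR describes, and two lockfile states.
const OVERRIDES = { ws: '8.21.0', diff: '8.0.3' };

const LOCK_AFTER_REINSTALL = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-worker' },
    'node_modules/miniflare': { version: '0.0.0-sample' },
    'node_modules/miniflare/node_modules/ws': { version: '8.21.0' },
    'node_modules/mocha': { version: '0.0.0-sample' },
    'node_modules/mocha/node_modules/diff': { version: '8.0.3' },
  },
};

// Same tree, but the nested diff copy was never re-resolved (stale lockfile).
const LOCK_STALE = {
  lockfileVersion: 3,
  packages: {
    ...LOCK_AFTER_REINSTALL.packages,
    'node_modules/mocha/node_modules/diff': { version: '7.0.0' },
  },
};

for (const [label, lock] of [['after reinstall', LOCK_AFTER_REINSTALL], ['stale', LOCK_STALE]]) {
  const findings = checkOverrides(lock, OVERRIDES);
  console.log(`${label}: ${findings.length} override(s) not applied`);
  for (const f of findings) console.log(`  ${f.path}: ${f.installed} (expected ${f.expected})`);
}
```

On a real checkout, read the two files with `fs.readFileSync` and pass their text to `checkFromJsonText`; a non-empty result means `npm install` has not yet rewritten the lockfile for the new override, which is the state in which `npm audit` can still report the old version.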
@anoncam anoncam merged commit 76b4cc6 into main Jun 2, 2026
2 checks passed
@anoncam anoncam deleted the fix/deps-ws-diff branch June 2, 2026 15:51
github-actions Bot added a commit that referenced this pull request Jun 2, 2026
Version bump type: patch
PR: #127
Title: fix(deps): bump ws to 8.21.0 and diff to 8.0.3 (clears remaining audit findings)