
Websocket-extension security vulnerability warning from GitHub #2913

Closed
AdamBebko opened this issue Jun 10, 2020 · 2 comments
Labels
bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers

Comments

@AdamBebko

🐛 Bug Report

I'm using docusaurus for an open-source project, and suddenly github is telling me that I need to upgrade to websocket-extensions from v0.1.3 to v0.1.4 because of a security issue.

I read that I should not edit package-lock.json myself.

Searching online, it sounds like the correct answer is to bug the developer about outdated dependencies, so here is my formal bug :)

Have you read the Contributing Guidelines on issues?

yes

To Reproduce

(Write your steps here:)

Github security notice complaining about websocket-extensions dependency in docusaurus

Expected behavior

Github doesn't complain about docusaurus.

(Write what you thought would happen.)

Actual Behavior

I tried

npm outdated docusaurus

which gave nothing back. (I'm using Docusaurus 1.)

I tried

npm outdated websocket

which also gave nothing.

Your Environment

$ npm list websocket-extensions
D:\PATHTOREPOSITORY\doc_projects\website
`-- docusaurus@1.14.4
  `-- tiny-lr@1.1.1
    `-- faye-websocket@0.10.0
      `-- websocket-driver@0.7.3
        `-- websocket-extensions@0.1.3
  • Docusaurus version used: 1.14.4
  • Environment name and version (e.g. Chrome 78.0.3904.108, Node.js 10.17.0): ?
  • Operating system and version (desktop or mobile): Windows 10 desktop

Not sure how to do that given it's a dependency within docusaurus.

@AdamBebko AdamBebko added bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers labels Jun 10, 2020
@slorber
Collaborator

slorber commented Jun 10, 2020

Hi,

Normally the dependency on websocket-extensions is a semver range. It is locked at a specific version when the lockfile is created.

If you run npm update websocket-extensions it should update to the 0.1.4 version in your lockfile.

If it does not work maybe try deleting the lockfile and do npm install, you should have all the deps upgraded. (I'm more used to yarn, don't know all the npm commands)

@slorber slorber closed this as completed Jun 10, 2020
@AdamBebko
Author

AdamBebko commented Jun 11, 2020

Doing npm update websocket-extensions while inside the website folder from a git terminal did not update anything; it’s still v1.3. npm list showed the same result as above.

Deleting the lock file and running npm install resulted in the same version 1.3.

I also tried updating tiny-lr, faye-websocket, and websocket-driver with the same result.

Update: I found some forum posts that led me to try installing websocket-extensions rather than updating. That appears to have worked.

npm install websocket-extensions

Which yielded

D:\PATHTOREPOSITORY\doc_projects\website
`-- docusaurus@1.14.4
  `-- tiny-lr@1.1.1
    `-- faye-websocket@0.10.0
      `-- websocket-driver@0.7.3
        `-- websocket-extensions@0.1.4   deduped
`-- websocket-extensions@0.1.4
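The thread turns on a point worth being able to check mechanically: the semver range that docusaurus ultimately declares for websocket-extensions is pinned to one concrete version in package-lock.json, and `npm update` / `npm install` only help once that pinned entry actually changes. The script below is an added example, not code from this thread or from Docusaurus: it walks a lockfile and reports every resolved copy of a package, flagging those below the minimum fixed version, so you can confirm (as the final `npm list` output above does by hand) that no 0.1.3 copy remains. Both lockfiles embedded here are constructed samples shaped like the trees shown in the issue; the function names and the crude numeric version comparison are this example's own assumptions. `npm audit` and `npm ls <pkg>` remain the usual tools; this just shows what they are looking at.

```python
"""Find every resolved version of a package inside an npm package-lock.json.

Handles the lockfileVersion 1 layout (nested "dependencies" tree, as produced by
the npm 6 era that the thread's docusaurus@1.14.4 install used) and the
lockfileVersion 2/3 layout (flat "packages" map keyed by node_modules path).
"""
import json
import re
from typing import Iterator, List, Tuple

# Constructed lockfileVersion 1 sample mirroring the vulnerable tree from the
# issue: websocket-extensions@0.1.3 nested five levels under docusaurus.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "website",
    "lockfileVersion": 1,
    "dependencies": {
        "docusaurus": {
            "version": "1.14.4",
            "dependencies": {
                "tiny-lr": {
                    "version": "1.1.1",
                    "dependencies": {
                        "faye-websocket": {
                            "version": "0.10.0",
                            "dependencies": {
                                "websocket-driver": {
                                    "version": "0.7.3",
                                    "dependencies": {
                                        "websocket-extensions": {"version": "0.1.3"}
                                    },
                                }
                            },
                        }
                    },
                }
            },
        }
    },
})

# Constructed lockfileVersion 2 sample mirroring the post-fix state from the
# issue: a single hoisted websocket-extensions@0.1.4 that everything dedupes to.
SAMPLE_LOCK_V2 = json.dumps({
    "name": "website",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "website"},
        "node_modules/docusaurus": {"version": "1.14.4"},
        "node_modules/websocket-extensions": {"version": "0.1.4"},
    },
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Crude comparison key: the dotted numeric core of a version string.

    Pre-release and build suffixes are ignored; good enough to order the plain
    x.y.z versions npm records in a lockfile.
    """
    core = re.match(r"\d+(\.\d+)*", version)
    return tuple(int(part) for part in core.group(0).split(".")) if core else ()


def _iter_v1(deps: dict, path: List[str]) -> Iterator[Tuple[str, str, str]]:
    # Depth-first walk of the nested "dependencies" tree; the path records the
    # chain of parents, which is what you need when deciding what to bump.
    for name, info in deps.items():
        here = path + [name]
        yield name, info.get("version", ""), "/".join(here)
        yield from _iter_v1(info.get("dependencies", {}), here)


def _iter_v2(packages: dict) -> Iterator[Tuple[str, str, str]]:
    # Keys are node_modules paths; the package name is the last path component
    # after the final "node_modules/". The empty key is the root project.
    for key, info in packages.items():
        if not key:
            continue
        name = key.rsplit("node_modules/", 1)[-1]
        yield name, info.get("version", ""), key


def find_package(lock_text: str, package: str) -> List[Tuple[str, str]]:
    """Return (version, location) for every resolved copy of `package`."""
    lock = json.loads(lock_text)
    if "packages" in lock:
        entries = _iter_v2(lock["packages"])
    else:
        entries = _iter_v1(lock.get("dependencies", {}), [])
    return [(version, location) for name, version, location in entries if name == package]


def vulnerable_installs(lock_text: str, package: str, min_fixed: str) -> List[Tuple[str, str]]:
    """Copies of `package` whose resolved version is below `min_fixed`."""
    return [
        (version, location)
        for version, location in find_package(lock_text, package)
        if parse_version(version) < parse_version(min_fixed)
    ]


if __name__ == "__main__":
    for label, lock in (("before", SAMPLE_LOCK_V1), ("after", SAMPLE_LOCK_V2)):
        bad = vulnerable_installs(lock, "websocket-extensions", "0.1.4")
        print(label, "->", bad or "no copies below 0.1.4")
```

Run it against a real lockfile by reading the file into `lock_text`; an empty list from `vulnerable_installs` is the condition the reporter was trying to reach, and a non-empty one tells you which parent chain still pins the old version.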
