Backport Security Fix to 6.2.1 #1895
Comments
I guess this https://github.com/webpack/webpack-dev-server/blob/v3.11.2/package.json#L14 is the blocker.
I've released
Will the npm advisory be updated too? https://www.npmjs.com/advisories/1748/versions
@dacevedo12 it should do eventually, yes. Sending a ticket to npm support advising them about the advisory update can help expedite matters. @lpinca I don't mind doing this, but I think it could have more weight if you send it as a maintainer of the package :)
@G-Rath I am not sure if this is the right place to ask, but do you know the process of updating the npm advisory db and how it works?
@danishsatkut The advisory database is managed by npm (it's not something that's stored locally like So the process on the side of us devs is to contact their support if we have new information about an advisory, as I said in my previous comment :) I believe there is an actual security channel somewhere for submitting actual security advisories, but I'm not well versed in that side of the security world so don't know what that actually is 🤷
I'm sure you're even less excited by this request, but: any chance of a backport to (Context: I am a maintainer of Apollo Server. We are in the process of a big major release that entirely removes our core dependency on
@glasser the 6.x release line had only small breaking changes from 5.x. See https://github.com/websockets/ws/releases/tag/6.0.0. Are there any blockers?
Mostly just not wanting to deal with pushing any breaking changes to users when we're trying to reduce our investment in this part of our system. For example, maybe the new default maxPayload limit of 100MB is a breaking change for some users, so we would have to give a way to thread that option through our API? It looks like the patch would apply directly to version-5. Would it help if I file a PR?
Yes, but it's trivial, no? Just add the const ws = new WebSocket(url, { maxPayload: Infinity }); I prefer to help you upgrade to
@glasser I've released
Thank you! I did also cut a new patch version of
And I contacted npm support.
Description
Any chances the security fix patch 00c425e could be backported to 6.2.1 to release a 6.2.2 with the fix?
Webpack-dev-server currently uses 6.2.1, which has caused a flagged security issue in a lot of repos that can't be fixed until people can upgrade to the not yet stable webpack-dev-server 4. webpack/webpack-dev-server#3360 (Incidentally, we are using webpack-dev-server as a dependency of react-scripts, so it will probably be a long time before react-scripts updates to webpack-dev-server v4.)
Admittedly, being a dev server, this is (hopefully) only local, but it would be nice not to have a security alert stuck on our GitHub repository.
Reproducible in:
Steps to reproduce:
Expected result:
No security issue
Actual result:
Flagged security issues