Upgraded ws to 8.17.1 and solved some issues #2415

Merged
merged 2 commits into from
Jun 24, 2024

ChiaMineJP
Contributor

@ChiaMineJP ChiaMineJP commented Jun 20, 2024

This PR replaces #2413

Why does it need replacing? Because:

  1. with the above dependabot PR, the version of packages/gui/node_modules/ws remains 8.14.1 in package-lock.json and the vulnerability remains open.
  2. ws@8.17.1 doesn't work with packages/gui since it added conditional exports to its own package.json, as shown below.

```jsonc
// See https://www.npmjs.com/package/ws/v/8.17.1?activeTab=code
"exports": {
  ".": {
    ...,
    "browser": "./browser.js"
  }
}
```

When building the code, webpack treats electron-renderer code (mostly React components) as browser code because of the above exports entry.
This is the problem, since the content of ws/browser.js is:

```js
'use strict';

module.exports = function () {
  throw new Error(
    'ws does not work in the browser. Browser clients must use the native ' +
      'WebSocket object'
  );
};
```

So when you try to instantiate WebSocket, it immediately throws.

Solutions to the above issues

  1. Remove ws from packages/gui with `npm un ws -w @chia-network/gui`, then re-add ws with `npm i ws -w @chia-network/gui`. After the re-installation, run `npm audit fix` to upgrade ws to a vuln-free version.
  2. Add the entry below to packages/gui/webpack.react.babel.ts:

```ts
exports.module = {
  ...,
  resolve: {
    alias: {
      ws: require.resolve('ws'), // This will be `.../node_modules/ws/index.js`
    },
  },
  ...
};
```

@ChiaMineJP ChiaMineJP added the dependencies Pull requests that update a dependency file label Jun 20, 2024
@ChiaMineJP ChiaMineJP self-assigned this Jun 20, 2024
@ChiaMineJP ChiaMineJP requested a review from a team as a code owner June 20, 2024 16:44
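
A check for the first issue in the comment above, where a workspace's nested copy of ws stays on an old version after the top-level one is upgraded. This is an added example, not code from the PR or the project: the lockfile is a constructed sample in the npm v2/v3 `packages` layout, the function names are hypothetical, and 8.17.1 is used as the minimum only because it is the version this PR targets.

```javascript
'use strict';

// Constructed sample lockfile (not the project's real package-lock.json).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-monorepo' },
    'node_modules/ws': { version: '8.17.1' },
    'packages/gui/node_modules/ws': { version: '8.14.1' }, // nested workspace copy
    'node_modules/@scope/ws': { version: '1.0.0' },        // different package, must not match
    'node_modules/wsx': { version: '1.0.0' },              // similar name, must not match
  },
};

// Parse the numeric major.minor.patch prefix; prerelease tags are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 8.4.2 sorts below 8.14.1 (a string compare would not).
function isOlder(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return every installed copy of `name`, at any nesting depth, older than `minVersion`.
function findStaleCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    // Workspace link entries carry no version field; skip them.
    .filter(([, meta]) => meta.version && isOlder(meta.version, minVersion))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

console.log(findStaleCopies(sampleLock, 'ws', '8.17.1'));
```

To run it against a real lockfile, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument.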

socket-security bot commented Jun 20, 2024

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher

🚮 Removed packages: npm/ws@8.4.2

View full report↗︎

@cmmarslender cmmarslender merged commit c9f4e15 into main Jun 24, 2024
9 checks passed
@cmmarslender cmmarslender deleted the cmj.upgrade-ws-to-8-17-1 branch June 24, 2024 16:52