This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

security: kurento-client depends on vulnerable version of ws package #634

Closed
2 tasks done
koendhondt opened this issue Oct 7, 2022 · 2 comments

Prerequisites

These are MANDATORY, otherwise the issue will be automatically closed.

Issue description

Running an npm audit on any typescript application which includes kurento-client results in the following vulnerability being reported:

ws  <=1.1.0
Severity: high
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes. - 
https://gist.github.com/c0nrad/e92005446c480707a74a,https://github.com/websockets/ws/releases/tag/1.0.1,https://nodesecurity.io/advisories/67
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
https://github.com/nodejs/node/issues/7388,https://nodesecurity.io/advisories/120
No fix available
node_modules/websocket-stream/node_modules/ws
  websocket-stream  0.3.2 - 2.3.0
  Depends on vulnerable versions of ws
  node_modules/websocket-stream
    reconnect-ws  *
    Depends on vulnerable versions of websocket-stream
    node_modules/reconnect-ws
      kurento-client  *
      Depends on vulnerable versions of reconnect-ws
      node_modules/kurento-client

Context

We are using Kurento-client in our application to facilitate audio broadcast to a selected group of users. Our internal security policy requires us to address this issue.

This issue is also reported as #373, but this is IMHO incorrectly labelled as an Enhancement while it is a Security risk for any use of kurento-client.

This issue appears to continue to exist as the reconnect-ws package referenced by kurento-client hasn't seen any updates in a number of years.

How to reproduce?

npm install kurento-client

added 28 packages, and audited 29 packages in 9s

4 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Expected & current behavior

Expected: 0 vulnerabilities

Current: 4 high severity vulnerabilities:

About your Application Server

  • Programming Language: typescript
  • Kurento Client version: 6.18.0

About end-user clients

  • Device(s): PC, Mac
  • OS(es): Windows 11, macOS Monterey
  • Browser(s): Firefox, Chrome, Edge, Safari
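The ws -> websocket-stream -> reconnect-ws -> kurento-client chain above is what `npm audit` prints as text; the following is an added example (not code from the issue or from the kurento-client project) that recovers the same chain mechanically from `npm audit --json` output, so a CI check can flag a transitive vulnerability that has no fix available. SAMPLE_AUDIT is a constructed fragment modelled on the audit text quoted in the issue; the field names follow npm's auditReportVersion 2 format.

```javascript
// Added example, not code from the issue or from kurento-client. Walks the
// `effects` edges of an `npm audit --json` report (auditReportVersion 2) from a
// root-cause package up to the direct dependencies that pull it in.
// SAMPLE_AUDIT is a constructed fragment modelled on the audit output in the issue.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: {
      severity: "high", isDirect: false, range: "<=1.1.0", fixAvailable: false,
      via: [{ title: "DoS in the ws module", severity: "high", range: "<=1.1.0" }],
      effects: ["websocket-stream"],
    },
    "websocket-stream": {
      severity: "high", isDirect: false, range: "0.3.2 - 2.3.0", fixAvailable: false,
      via: ["ws"], effects: ["reconnect-ws"],
    },
    "reconnect-ws": {
      severity: "high", isDirect: false, range: "*", fixAvailable: false,
      via: ["websocket-stream"], effects: ["kurento-client"],
    },
    "kurento-client": {
      severity: "high", isDirect: true, range: "*", fixAvailable: false,
      via: ["reconnect-ws"], effects: [],
    },
  },
};

// Root causes carry advisory objects in `via`; packages that merely depend on a
// vulnerable package list package names (strings) there instead.
function rootCauses(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, v]) => v.via.some((x) => typeof x === "object"))
    .map(([name]) => name);
}

// Every path from `pkg` along `effects` edges to a direct dependency (or a dead
// end), root cause first. `seen` guards against cycles in the effects graph.
function traceEffects(report, pkg, path = [], seen = new Set()) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return [];
  const here = [...path, pkg];
  if (entry.isDirect || entry.effects.length === 0) return [here];
  const next = new Set(seen).add(pkg);
  return entry.effects.flatMap((e) => traceEffects(report, e, here, next));
}

// One record per chain: the packages involved, the root cause's severity and
// whether npm reported any fix (fixAvailable is false, true or an upgrade object).
function vulnerableChains(report) {
  return rootCauses(report).flatMap((root) => traceEffects(report, root).map((chain) => ({
    chain, severity: report.vulnerabilities[root].severity,
    fixAvailable: report.vulnerabilities[root].fixAvailable !== false,
  })));
}
```

On the sample report this yields a single chain, ws -> websocket-stream -> reconnect-ws -> kurento-client, marked high severity with no fix available, which is the condition a pipeline would fail on.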

github-actions bot commented Oct 7, 2022

Hello @koendhondt! 👋 we're sorry you found a bug... so first of all, thank you very much for reporting it.

To know about progress, check in Triage. All issues are considered Backlog Candidates until work priorities align and the issue is selected for development. It will then become part of our official Backlog.

@j1elo j1elo added this to Backlog Candidates in Triage Oct 7, 2022

j1elo commented Jan 18, 2023

Using #439 to track this.

@j1elo j1elo closed this as completed Jan 18, 2023
Triage automation moved this from Backlog Candidates to Closed Jan 18, 2023