
Vulnerability found in ws #130

Closed
fiskgrodan opened this issue Jun 5, 2019 · 8 comments

Comments

@fiskgrodan

What version of Livereload are you using?

^0.7.0

Installed as a dependency of rollup-plugin-livereload
https://github.com/thgh/rollup-plugin-livereload/blob/master/package.json

What OS are you using?

macOS / GitHub

What web browser are you using? (Browser name and specific version please)

Expected result

To not get a vulnerability warning

Actual result

Getting vulnerability warnings in the terminal and in the GitHub GUI.

This is the warning I get when installing:

+ rollup-plugin-livereload@1.0.0
added 241 packages from 138 contributors and audited 1219 packages in 5.31s
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

I get these warnings in the GitHub GUI:
[Three screenshots of the GitHub security alerts, taken 2019-06-05]

Steps to reproduce issue

I installed it from this repo:
https://github.com/sveltejs/template

With these steps:

  1. npx degit sveltejs/template svelte-app
  2. npm install

Why is this important?

Vulnerability warnings give a bad impression and might scare off possible users. Maybe upgrading the ws module could fix the issue?

@napcs
Owner

napcs commented Jun 5, 2019

@fiskgrodan LiveReload v0.8.0 was released last week.

Running npm audit on Master currently shows no vulns:

                       === npm audit security report ===

found 0 vulnerabilities
 in 2233 scanned packages

I'll continue to monitor this.

@oliverxchen

The commit linked to in the GitHub security report is: websockets/ws@c4fe466

After creating the PR, I read down further into the comments and found this: websockets/ws@c4fe466#commitcomment-28951427, which reports that 1.1.5 is not vulnerable. So maybe GitHub has it wrong?

@larafale

larafale commented Sep 9, 2019

Same here. Came from rollup-plugin-livereload@1.0.1, which uses livereload@0.8.0, and pushing my repo to GitHub gave me a security alert (high), which can be resolved by upgrading ws to 3.3.1.

Bummer, because running npm audit on both livereload@master and rollup-plugin-livereload@1.0.1, and also on my project, returns "found 0 vulnerabilities".

the joy of programming :)
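The discrepancy above comes from a transitive pin: npm audit and the GitHub alert disagree about the nested copy of ws that rollup-plugin-livereload pulls in through livereload. As an added example, not code from this thread or from the livereload project, the script below walks a package-lock.json v1 dependency tree and reports every nested copy of ws older than 3.3.1, the fix version named in the thread. The lockfile fragment, the ws@1.1.5 nested version and the top-level ws@7.1.0 are constructed for illustration.

```javascript
// Added example (not from the thread): walk a package-lock.json v1 tree and
// report every nested copy of "ws" older than the version the thread names
// as fixed (3.3.1). The lockfile below is constructed for illustration; the
// dependency chain mirrors the one described in the issue.
const MIN_WS = "3.3.1"; // fix version cited in the thread

// Constructed lockfile fragment (package-lock v1 "dependencies" shape).
const lockfile = {
  name: "svelte-app",
  dependencies: {
    "rollup-plugin-livereload": {
      version: "1.0.1",
      dependencies: {
        livereload: {
          version: "0.8.0",
          dependencies: { ws: { version: "1.1.5" } }, // constructed nested pin
        },
      },
    },
    ws: { version: "7.1.0" }, // hypothetical top-level copy, already new enough
  },
};

// Compare two dotted versions numerically; returns <0, 0 or >0.
// Prerelease suffixes are ignored (parseInt stops at the first non-digit).
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10));
  const pb = b.split(".").map((x) => parseInt(x, 10));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `pkg` below `minVersion`, with the
// dependency path that pins it, so the alert can be traced to its source.
function findOutdated(node, pkg, minVersion, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkg && compareVersions(info.version, minVersion) < 0) {
      hits.push({ path: here.join(" > "), version: info.version });
    }
    hits.push(...findOutdated(info, pkg, minVersion, here));
  }
  return hits;
}

// Example run: only the nested 1.1.5 copy is reported.
const outdated = findOutdated(lockfile, "ws", MIN_WS);
console.log(outdated);
```

To run it against a real project, replace the constructed `lockfile` object with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.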

@napcs
Owner

napcs commented Sep 9, 2019

Ok. I'll take everyone's word for it. Lemme make sure #131 resolves this properly and I'll package up a new release this week.

@larafale

That would be awesome, thanks!

@larafale

Hello again @napcs, just a little reminder about that one ^^
I'll buy you a beer anytime :)
Thanks, take care!

@napcs
Owner

napcs commented Sep 17, 2019

Closed by #131. 0.8.1 released.

@napcs napcs closed this as completed Sep 17, 2019
@larafale

You've made my day :) Thanks a lot.
