
Vulnerability in ws@5.2.3 #1590

Closed

gamboaa opened this issue Feb 21, 2023 · 2 comments

Labels
pkg:rtm-api applies to `@slack/rtm-api`

gamboaa commented Feb 21, 2023


Packages:

Select all that apply:

  • [ ] @slack/web-api
  • [x] @slack/rtm-api
  • [ ] @slack/webhooks
  • [ ] @slack/oauth
  • [ ] @slack/socket-mode
  • [ ] @slack/types
  • [ ] I don't know

Requirements

The direct dependency on ws@5.2.3 introduces a vulnerability

CVE-2021-32640

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

@hello-ashleyintech hello-ashleyintech added pkg:rtm-api applies to `@slack/rtm-api` and removed untriaged labels Feb 22, 2023
@hello-ashleyintech hello-ashleyintech self-assigned this Feb 22, 2023
hello-ashleyintech (Contributor) commented:

Hi, @gamboaa! Thanks so much for submitting this notice! 😄

It looks like we had a PR from a while ago to update the ws base version to ws@7.5.3 in the @slack/rtm-api package, but it looks like it was never released. I am going to re-verify with my team to make sure this is good to release, and if so, I'll release a version with the updated ws base version! 🙌

hello-ashleyintech (Contributor) commented:

@gamboaa thanks again for flagging this! A new @slack/rtm-api version, v6.1.0, has been released that addresses this security update. You can view the release notes here!

Since this is resolved, I will be closing this issue out, but if anything else comes up then please feel free to file another issue! 🎉
