This repository has been archived by the owner on Feb 15, 2023. It is now read-only.

Vulnerability found in ws dependency #52

Closed
mgmarlow opened this issue Jul 4, 2019 · 1 comment

mgmarlow commented Jul 4, 2019

Just bootstrapped a new svelte project using this template and pushed it to GitHub. GitHub now notifies me with a vulnerability warning for the dependency ws. The dependency belongs to rollup-plugin-livereload#livereload, as shown with yarn why ws.

There's an open ticket in livereload to address this vulnerability: napcs/node-livereload#130. Yet I still opened this ticket to bring visibility.

yarn why ws
=> Found "ws@1.1.5"
info Reasons this module exists
   - "rollup-plugin-livereload#livereload" depends on it
   - Hoisted from "rollup-plugin-livereload#livereload#ws"

Member

mrkishi commented Jul 4, 2019

Thanks for the heads up!

It seems this specific GitHub security alert is being erroneously reported for ws@1.1.5, according to npm's advisory and a conversation on the fix confirming the advisory's versions.

I don't think there's anything to be done here other than leaving this open for visibility until livereload upgrades the ws dependency. Since livereload is only used during development, production builds wouldn't be affected anyway.
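
Added example, not part of the issue thread or the project's code: the triage question raised in the reply above (does the flagged package enter only through a development dependency?) can be checked mechanically. The manifest and dependency graph below are constructed sample data, and `findChain` and `triage` are hypothetical helper names.

```javascript
// Constructed sample data (not the template's real manifest or lockfile).
// `graph` maps each installed package to its direct dependencies, as could
// be derived from a lockfile. "example-*" packages are made up.
const rootManifest = {
  dependencies: { 'example-static-server': '*' },
  devDependencies: { 'rollup-plugin-livereload': '*', svelte: '*' },
};
const graph = {
  'example-static-server': ['example-mime'],
  'example-mime': [],
  'rollup-plugin-livereload': ['livereload'],
  livereload: ['ws'],
  ws: [],
  svelte: [],
};

// Breadth-first search from a set of direct dependencies to `target`.
// Returns the shortest dependency chain as an array, or null if unreachable.
function findChain(directDeps, depGraph, target) {
  const queue = directDeps.map((name) => [name]);
  const seen = new Set(directDeps);
  while (queue.length > 0) {
    const chain = queue.shift();
    const current = chain[chain.length - 1];
    if (current === target) return chain;
    for (const next of depGraph[current] || []) {
      if (!seen.has(next)) {
        seen.add(next);
        queue.push([...chain, next]);
      }
    }
  }
  return null;
}

// Classify where a flagged package enters the tree: through a production
// dependency, only through devDependencies, or not at all.
function triage(manifest, depGraph, target) {
  const prodChain = findChain(Object.keys(manifest.dependencies || {}), depGraph, target);
  const devChain = findChain(Object.keys(manifest.devDependencies || {}), depGraph, target);
  const scope = prodChain ? 'production' : devChain ? 'development-only' : 'not-installed';
  return { scope, prodChain, devChain };
}

console.log(triage(rootManifest, graph, 'ws'));
```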
