Consider forking or moving off `sockjs` to resolve GHSA-w5hq-g745-h8pq

[G-Rath]

sockjs is pulling in an old version of uuid which is considered vulnerable to GHSA-w5hq-g745-h8pq.

While in practice this is not actually exploitable given how prevalent webpack is, this is going to be very noisy - the dependency itself is being pulled in by sockjs which has not had a release in 5 years, and the last change was landed 8 months ago.

I'm hoping it is still maintained so I've opened sockjs/sockjs-node#315 but in the case it isn't then the library will need to be forked or replaced

[alexander-akait]

Already was dropped in the next branch, so the next major release will be without sockjs

[rafael-nogueras]

@alexander-akait Will there be a version of webpack-dev-server that removes sockjs also for those of us with a dependency on webpack-dev-server@^4.6.0 (i.e. still using react-scripts@5.0.1)? Thanks!

[alexander-akait]

No, you will need to update webpack-dev-server to the latest version (when we will do the next release, soon - next week), anyway sockjs is not used by default, so your code is not infected

[rafael-nogueras]

@alexander-akait Thanks for the quick response! So, no back-port to the 4.x version, is that right? Just so you know, such a back-port would be helpful for everyone still using react-scripts which, even though it's unsupported, still has a lot of usage.

It's good to know the code is not infected, but unfortunately the static vulnerability analyzers are not that discriminating, so our code is still being marked as having a vulnerability. :-)

[alexander-akait]

Thanks for the quick response! So, no back-port to the 4.x version, is that right?

No backport, I highly recommend upgrading to version 5, version 4 is very outdated.