@coveo/headless version 2.73.0 depends on ws@6.2.3, which is flagged as insecure by GitHub (GHSA-3h5v-q93c-6h6q).

Steps to reproduce
While some versions have been back-patched, GitHub still flags it if the ws version is less than 8.17.1.

Relevant log output
npm explain ws:

```
ws@6.2.3 peer
node_modules/react-native/node_modules/ws
  ws@"^6.2.2" from react-native@0.74.3
  node_modules/react-native
    peer react-native@"*" from @react-native/virtualized-lists@0.74.85
    node_modules/@react-native/virtualized-lists
      @react-native/virtualized-lists@"0.74.85" from react-native@0.74.3
    peer react-native@">=0.56" from react-native-get-random-values@1.11.0
    node_modules/react-native-get-random-values
      react-native-get-random-values@"^1.11.0" from coveo.analytics@2.30.6
      node_modules/coveo.analytics
        coveo.analytics@"2.30.6" from @coveo/headless@2.73.0
        node_modules/@coveo/headless
          @coveo/headless@"2.73.0" from the root project
```
Hi @bbellmyers, we do not automatically consider supply chain vulnerabilities as bugs: the vulnerable code needs to be used for the product to be vulnerable (and thus qualify as a bug).
In this specific case, ws is only used by react-native-get-random-values, which is used only when using coveo.analytics in a react-native context.
Headless doesn't do so, nor does it support it.
So, while we'll try to 'plug' this hole in the future, we don't think this is a bug and will not prioritize it like one.
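The maintainer's argument above is a reachability question: does every path from the root project down to ws run through a package that Headless never loads? The script below is an added example, not code from the issue or from the Coveo project; it walks the dependents tree in the shape that `npm explain ws --json` prints (an assumption about that format) and reports which chains remain once the react-native branch is discounted. The input is constructed by hand to mirror the `npm explain ws` output quoted in the issue.

```javascript
// Constructed sample mirroring the issue's `npm explain ws` tree. Each node has
// name/version/dependents, and each dependent entry has the edge type and the
// node it comes `from` (the field names are assumed from npm's JSON output).
const root = { name: 'the root project', version: '', dependents: [] };
const headless = { name: '@coveo/headless', version: '2.73.0',
  dependents: [{ type: 'prod', from: root }] };
const analytics = { name: 'coveo.analytics', version: '2.30.6',
  dependents: [{ type: 'prod', from: headless }] };
const grv = { name: 'react-native-get-random-values', version: '1.11.0',
  dependents: [{ type: 'prod', from: analytics }] };
const reactNative = { name: 'react-native', version: '0.74.3', dependents: [] };
const virtualizedLists = { name: '@react-native/virtualized-lists', version: '0.74.85',
  dependents: [{ type: 'prod', from: reactNative }] };
// react-native and virtualized-lists depend on each other: a real cycle that
// the walker below must not loop on.
reactNative.dependents.push({ type: 'peer', from: virtualizedLists },
                            { type: 'peer', from: grv });
const explainWs = [{ name: 'ws', version: '6.2.3', peer: true,
  dependents: [{ type: 'prod', from: reactNative }] }];

// Enumerate every chain from the explained package up to a node with no
// dependents (the root project). `seen` holds node objects already on the
// current path so cyclic peer edges terminate instead of recursing forever.
function chainsToRoot(node, seen = new Set()) {
  if (seen.has(node)) return [];
  const step = { name: node.name, version: node.version };
  if (!node.dependents || node.dependents.length === 0) return [[step]];
  const next = new Set(seen).add(node);
  return node.dependents.flatMap(d =>
    chainsToRoot(d.from, next).map(chain => [step, ...chain]));
}

function formatChain(chain) {
  return chain.map(s => (s.version ? `${s.name}@${s.version}` : s.name)).join(' -> ');
}

function allChains(explanation) {
  return explanation.flatMap(n => chainsToRoot(n)).map(formatChain);
}

// Keep only chains that reach the root WITHOUT passing through any package in
// `unusedPkgs`; those are the chains along which the flagged code could
// actually be loaded. An empty result supports the maintainer's position.
function reachableChains(explanation, unusedPkgs) {
  const unused = new Set(unusedPkgs);
  return explanation.flatMap(n => chainsToRoot(n))
    .filter(chain => !chain.some(s => unused.has(s.name)))
    .map(formatChain);
}

console.log('all chains:\n' + allChains(explainWs).join('\n'));
console.log('chains not via react-native:', reachableChains(explainWs, ['react-native']));
```

To run it against a real project, replace `explainWs` with the parsed output of `npm explain ws --json` and list in `unusedPkgs` the packages you have verified are never imported in your build.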
louis-bompart changed the title from "[Bug]: @coveo/headless depends on an insecure version of ws" to "[Improvement]: @coveo/headless depends on an insecure version of ws" on Jul 24, 2024