
[Improvement]: @coveo/headless depends on an insecure version of ws #4209

Open
bbellmyers opened this issue Jul 19, 2024 · 1 comment
Labels: dependencies (Pull requests that update a dependency file), enhancement (New feature or request)

Comments


Which product are you using?

Headless

product version

2.73.0

bug description

@coveo/headless version 2.73.0 depends on ws@6.2.3, which is flagged as insecure by GitHub (GHSA-3h5v-q93c-6h6q)

Steps to reproduce

While some versions have been back-patched, GitHub still flags if ws version is less than 8.17.1

Relevant log output

npm explain ws: 

ws@6.2.3 peer
node_modules/react-native/node_modules/ws
  ws@"^6.2.2" from react-native@0.74.3
  node_modules/react-native
    peer react-native@"*" from @react-native/virtualized-lists@0.74.85
    node_modules/@react-native/virtualized-lists
      @react-native/virtualized-lists@"0.74.85" from react-native@0.74.3
    peer react-native@">=0.56" from react-native-get-random-values@1.11.0
    node_modules/react-native-get-random-values
      react-native-get-random-values@"^1.11.0" from coveo.analytics@2.30.6
      node_modules/coveo.analytics
        coveo.analytics@"2.30.6" from @coveo/headless@2.73.0
        node_modules/@coveo/headless
          @coveo/headless@"2.73.0" from the root project
bbellmyers added the bug (Something isn't working) label Jul 19, 2024
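The chain above as a scriptable check, an added example that is not part of the original issue or of the Coveo project: it walks an `npm ls --all --json`-shaped dependency tree (the tree below is constructed to mirror the `npm explain ws` output, plus a second, direct copy of ws for contrast), reports which root dependency owns each copy of ws, and applies two checks: the reporter's stated rule (anything below 8.17.1 is flagged) and a per-major patched-version list. The per-major values (5.2.4, 6.2.3, 7.5.10, 8.17.1) are what GHSA-3h5v-q93c-6h6q lists as fixed releases to my knowledge; treat them as an assumption to verify against the advisory page. `compareVersions` handles plain MAJOR.MINOR.PATCH only, and `overridesFor` is a hypothetical helper that emits a package.json `overrides` entry.

```javascript
// Added example (not the issue's or the Coveo project's code): locate every
// copy of a package in an `npm ls --all --json`-shaped tree and classify it.
// Node.js, no dependencies.

// Constructed sample tree modelled on the `npm explain ws` chain in the issue,
// plus a direct ws@8.17.0 at the root for contrast (also constructed).
// A real tree comes from: JSON.parse(execSync('npm ls --all --json'))
const sampleTree = {
  name: 'root-project',
  version: '1.0.0',
  dependencies: {
    '@coveo/headless': {
      version: '2.73.0',
      dependencies: {
        'coveo.analytics': {
          version: '2.30.6',
          dependencies: {
            'react-native-get-random-values': {
              version: '1.11.0',
              dependencies: {
                'react-native': {
                  version: '0.74.3',
                  dependencies: { ws: { version: '6.2.3' } },
                },
              },
            },
          },
        },
      },
    },
    ws: { version: '8.17.0' },
  },
};

// Minimal numeric semver compare for "MAJOR.MINOR.PATCH" (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The reporter's rule as stated in the issue: anything below 8.17.1 is flagged.
function flaggedByThreshold(version, threshold = '8.17.1') {
  return compareVersions(version, threshold) < 0;
}

// Per-major fixed releases. ASSUMED values: verify against GHSA-3h5v-q93c-6h6q.
const PATCHED_BY_MAJOR = { 5: '5.2.4', 6: '6.2.3', 7: '7.5.10', 8: '8.17.1' };

function fixedPerAdvisory(version, patched = PATCHED_BY_MAJOR) {
  const major = Number(version.split('.')[0]);
  if (major > 8) return true;   // newer major lines post-date the fix
  const fix = patched[major];
  if (!fix) return false;       // no fixed release on this line: treat as vulnerable
  return compareVersions(version, fix) >= 0;
}

// Depth-first walk collecting every occurrence of `pkg` with its install path.
function findPackage(tree, pkg, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) out.push({ version: node.version, path: here });
    findPackage(node, pkg, here, out);
  }
  return out;
}

// One report row per copy: owning root dependency, chain, and both checks.
function auditPackage(tree, pkg) {
  return findPackage(tree, pkg).map(({ version, path }) => ({
    version,
    // strip the "@version" suffix; scoped names keep their leading "@"
    rootDependency: path[0].split('@').slice(0, -1).join('@'),
    chain: path.join(' > '),
    flaggedByThreshold: flaggedByThreshold(version),
    fixedPerAdvisory: fixedPerAdvisory(version),
  }));
}

// Hypothetical helper: a package.json `overrides` entry pinning every copy
// to at least the fixed release (npm 8.3+ honours `overrides`).
function overridesFor(pkg, version) {
  return { overrides: { [pkg]: `>=${version}` } };
}

console.log(JSON.stringify(auditPackage(sampleTree, 'ws'), null, 2));
console.log(JSON.stringify(overridesFor('ws', '8.17.1')));
```

Run it with `node`. If the per-major list is right, the ws@6.2.3 copy under @coveo/headless is flagged by the "< 8.17.1" rule but already fixed per the advisory, while the direct ws@8.17.0 fails both; that is the distinction worth settling before touching anything. An `overrides` entry forcing ws to >=8.17.1 only resolves cleanly if react-native@0.74.3 actually works with ws 8, which the tree walk cannot tell you.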
louis-bompart (Collaborator) commented Jul 24, 2024

Hi @bbellmyers, we do not automatically consider supply chain vulnerabilities as bugs: the vulnerable code needs to be used for the product to be vulnerable (and thus qualify as a bug).

In this specific case, ws is only used by react-native-get-random-values, which is used only when using coveo.analytics in a react-native context.
Headless doesn't do so, nor does it support it.

So, while we'll try to 'plug' this hole in the future, we don't think this is a bug and will not prioritize it like one.

louis-bompart added the enhancement (New feature or request) and dependencies (Pull requests that update a dependency file) labels and removed the bug (Something isn't working) label Jul 24, 2024
louis-bompart changed the title from "[Bug]: @coveo/headless depends on an insecure version of ws" to "[Improvement]: @coveo/headless depends on an insecure version of ws" Jul 24, 2024