Page MenuHomePhorge
Differential D25967

Aphlict: Bump NodeJS package ws from 7.5.0 to 7.5.10
AcceptedPublic
Actions

Authored by aklapper on Wed, Apr 16, 17:15.
Tags
None
Referenced Files
F3772077: D25967.1745853688.diff
Sun, Apr 27, 15:21
F3720823: D25967.1745716311.diff
Sat, Apr 26, 01:11
F3705499: D25967.1745634277.diff
Fri, Apr 25, 02:24
F3682253: D25967.1745569770.diff
Thu, Apr 24, 08:29
F3677987: D25967.1745548497.diff
Thu, Apr 24, 02:34
F3675789: D25967.1745523628.diff
Wed, Apr 23, 19:40
F3668917: D25967.1745467178.diff
Wed, Apr 23, 03:59
F3645296: D25967.1745368330.diff
Tue, Apr 22, 00:32
View All 22 Files
Subscribers
avivey
Cigaryno
Matthew
tobiaswiese
valerio.bozzolan

Details

Reviewers
valerio.bozzolan
Group Reviewers
O1: Blessed Committers
Maniphest Tasks
T16037: Bump ws npm package for Aphlict
Summary

Avoid "1 high severity vulnerability" warnings after following https://we.phorge.it/book/phorge/article/notifications/#installing-node-and-modules.

Official NPM security advisor:

ws affected by a DoS when handling a request with many HTTP headers

https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Closes T16037

Test Plan

Run Aphlict, still see real time notifications.

Diff Detail

Repository
rP Phorge
Branch
aphlictNpm (branched from master)
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 1908
Build 1908: arc lint + arc unit

Event Timeline

aklapper created this revision.Wed, Apr 16, 17:15
Owners added a reviewer: O1: Blessed Committers.Wed, Apr 16, 17:15
Herald added subscribers: Cigaryno, Matthew, valerio.bozzolan, tobiaswiese. · View Herald TranscriptWed, Apr 16, 17:15

Thanks for this patch! Kind reminder: if you touched CSS or JavaScript, please remember to also run this:

./bin/celerity map

⚙️ Thanks! Bip bop I'm a bot - helping for T15209

aklapper requested review of this revision.Wed, Apr 16, 17:15
Harbormaster completed remote builds in B1876: Diff 2889.Wed, Apr 16, 17:15
valerio.bozzolan edited the summary of this revision. (Show Details)Mon, Apr 28, 07:59
valerio.bozzolan accepted this revision.Mon, Apr 28, 08:02
valerio.bozzolan edited the summary of this revision. (Show Details)

notmyfault

This revision is now accepted and ready to land.Mon, Apr 28, 08:03
aklapper mentioned this in Z1: Phorge.Tue, Apr 29, 20:06
avivey subscribed.Wed, Apr 30, 09:01
  1. Can we specify the .10 in packages.json itself?
  2. Do installs need upgrade instructions to complete the upgrade?
aklapper added a comment.Wed, Apr 30, 10:49

Both are good questions. I only put here the diff which npm created. First question: Very likely Yes.
(Note that I have no knowledge in this area and don't even know why both package-lock.json and package.json are needed.)

aklapper updated this revision to Diff 2950.Wed, Apr 30, 10:50

also manually bump version in package.json; then running npm install results in another bump in package-lock.json

Harbormaster completed remote builds in B1908: Diff 2950.Wed, Apr 30, 10:50

Revision Contents
Changeset List

Diff 2950

View Options

support/aphlict/server/package-lock.json

Loading...
View Options

support/aphlict/server/package.json

Loading...
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0