
Bump ws npm package for Aphlict
Closed, Resolved (Public)

Description

[acko@meouw server (aphlictNpm $%|u=)]$ pwd
/var/www/html/phorge/phorge/support/aphlict/server

[acko@meouw server (aphlictNpm $%|u=)]$ npm install
npm warn old lockfile
npm warn old lockfile The package-lock.json file was created with an old version of npm,
npm warn old lockfile so supplemental metadata must be fetched from the registry.
npm warn old lockfile
npm warn old lockfile This is a one-time fix-up, please be patient...
npm warn old lockfile

changed 1 package, and audited 2 packages in 759ms

1 high severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

[acko@meouw server (aphlictNpm *$%|u=)]$ npm audit fix

changed 1 package, and audited 2 packages in 1s

found 0 vulnerabilities

[acko@fedora server (aphlictNpm *$%|u=)]$ git diff
diff --git a/support/aphlict/server/package-lock.json b/support/aphlict/server/package-lock.json
index 8af62ae233..c81c2e235d 100644
--- a/support/aphlict/server/package-lock.json
+++ b/support/aphlict/server/package-lock.json
@@ -1,12 +1,35 @@
 {
   "name": "aphlict-server",
+  "lockfileVersion": 3,
   "requires": true,
-  "lockfileVersion": 1,
-  "dependencies": {
-    "ws": {
-      "version": "7.5.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.0.tgz",
-      "integrity": "sha512-6ezXvzOZupqKj4jUqbQ9tXuJNo+BR2gU8fFRk3XCP3e0G6WT414u5ELe6Y0vtp7kmSJ3F7YWObSNr1ESsgi4vw=="
+  "packages": {
+    "": {
+      "name": "aphlict-server",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "ws": "^7.5.0"
+      }
+    },
+    "node_modules/ws": {
+      "version": "7.5.10",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz",
+      "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.3.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": "^5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
     }
   }
 }
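
Review bot: besides the ws bump, this hunk rewrites the lockfile from `"lockfileVersion": 1` to `"lockfileVersion": 3` (the v1 `dependencies` section is dropped in favour of `packages`), which npm older than 7 cannot read; either state the new minimum npm for Aphlict in the commit message and setup docs, or regenerate the lockfile as v2, which npm 6 still parses, if older Node/npm installs must keep working. The pin itself is sound: package.json's range stays `"ws": "^7.5.0"`, so the lockfile's `"version": "7.5.10"` plus the new `integrity` hash are what hold the fixed version, and the added `"engines": {"node": ">=8.3.0"}` shows the bump raises no Node floor.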

[acko@fedora server (aphlictNpm *$%|u=)]$ rpm -qf /usr/bin/npm
nodejs-npm-10.9.2-1.22.14.0.2.fc41.x86_64

Node.js 8.3.0 was released in August 2017.

ws 7.5.10 was released in June 2024.

Event Timeline

avivey triaged this task as High priority. Thu, May 1, 07:49
avivey subscribed.

Possible ways to reduce risk for future issues:

  • add a Setup Check that runs npm audit
  • remove node, use php-based websocket implementation