Aphlict: Bump NodeJS package ws from 7.5.0 to 7.5.10
Accepted, Public

Authored by aklapper on Wed, Apr 16, 17:15.

Details

Summary

Avoid "1 high severity vulnerability" warnings after following https://we.phorge.it/book/phorge/article/notifications/#installing-node-and-modules.

Official NPM security advisory:

ws affected by a DoS when handling a request with many HTTP headers

https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Closes T16037

Test Plan

Run Aphlict, still see real time notifications.

Diff Detail

Repository
rP Phorge
Branch
aphlictNpm (branched from master)
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 1908
Build 1908: arc lint + arc unit

Event Timeline

Thanks for this patch! Kind reminder: if you touched CSS or JavaScript, please remember to also run this:

./bin/celerity map

⚙️ Thanks! Bip bop I'm a bot - helping for T15209

This revision is now accepted and ready to land. (Mon, Apr 28, 08:03)
  1. Can we specify the .10 in packages.json itself?
  2. Do installs need upgrade instructions to complete the upgrade?

Both are good questions. I only put here the diff which npm created. First question: Very likely Yes.
(Note that I have no knowledge in this area and don't even know why both package-lock.json and package.json are needed.)

also manually bump version in package.json; then running npm install results in another bump in package-lock.json
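
As an added example (not part of this revision or of Phorge's code): `package.json` only declares an accepted range, while `package-lock.json` pins the exact copy that gets installed, so the lockfile is the place to confirm that no `ws` copy below 7.5.10 remains. The sample lockfiles and the `example-dep` package name are constructed for illustration; the 7.5.10 floor is the version from this revision's title.

```javascript
'use strict';

// Parse "7.5.10" into [7, 5, 10]; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1).map(Number);
}

// Numeric compare: 7.5.10 must sort above 7.5.9, which a string compare gets wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// List every locked copy of `name`, including copies nested under other packages.
function findLocked(lock, name) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      const hit = path === 'node_modules/' + name || path.endsWith('/node_modules/' + name);
      if (hit && typeof entry.version === 'string') found.push({ path, version: entry.version });
    }
    return found;
  }
  (function walk(deps, prefix) { // lockfileVersion 1: nested "dependencies" tree
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + dep;
      if (dep === name) found.push({ path, version: entry.version });
      walk(entry.dependencies, path + '/');
    }
  })(lock.dependencies, '');
  return found;
}

// Copies still below the fixed release.
function staleCopies(lock, name, minVersion) {
  return findLocked(lock, name).filter((e) => compareVersions(e.version, minVersion) < 0);
}

// Constructed sample lockfiles (not Phorge's real files); "example-dep" is hypothetical.
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: { ws: { version: '7.5.0' } } };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { dependencies: { ws: '^7.5.0' } },
  'node_modules/ws': { version: '7.5.10' },
  'node_modules/example-dep/node_modules/ws': { version: '7.5.9' },
} };

console.log(staleCopies(SAMPLE_V1, 'ws', '7.5.10'), staleCopies(SAMPLE_V3, 'ws', '7.5.10'));
```

To check a real install, pass the parsed contents of its `package-lock.json` to `staleCopies` in place of the samples; an empty result means every locked `ws` copy is at or above the floor.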