Page MenuHomePhorge
Differential D25967

Aphlict: Bump NodeJS package ws from 7.5.0 to 7.5.10
ClosedPublic
Actions

Authored by aklapper on Apr 16 2025, 17:15.

Details

Reviewers
valerio.bozzolan
Group Reviewers
O1: Blessed Committers
Maniphest Tasks
T16037: Bump ws npm package for Aphlict
Commits
rPde2b53638299: Aphlict: Bump NodeJS package ws from 7.5.0 to 7.5.10
Summary

Avoid "1 high severity vulnerability" warnings after following https://we.phorge.it/book/phorge/article/notifications/#installing-node-and-modules.

Official NPM security advisor:

ws affected by a DoS when handling a request with many HTTP headers

https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Closes T16037

Test Plan

Run Aphlict, still see real time notifications.

Diff Detail

Repository
rP Phorge
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

aklapper created this revision.Apr 16 2025, 17:15
Owners added a reviewer: O1: Blessed Committers.Apr 16 2025, 17:15
Herald added subscribers: Cigaryno, Matthew, valerio.bozzolan, tobiaswiese. · View Herald TranscriptApr 16 2025, 17:15

Thanks for this patch! Kind reminder: if you touched CSS or JavaScript, please remember to also run this:

./bin/celerity map

⚙️ Thanks! Bip bop I'm a bot - helping for T15209

aklapper requested review of this revision.Apr 16 2025, 17:15
Harbormaster completed remote builds in B1876: Diff 2889.Apr 16 2025, 17:15
valerio.bozzolan edited the summary of this revision. (Show Details)Mon, Apr 28, 07:59
valerio.bozzolan accepted this revision.Mon, Apr 28, 08:02
valerio.bozzolan edited the summary of this revision. (Show Details)

notmyfault

This revision is now accepted and ready to land.Mon, Apr 28, 08:03
aklapper mentioned this in Z1: Phorge.Tue, Apr 29, 20:06
avivey subscribed.Wed, Apr 30, 09:01
  1. Can we specify the .10 in packages.json itself?
  2. Do installs need upgrade instructions to complete the upgrade?
aklapper added a comment.Wed, Apr 30, 10:49

Both are good questions. I only put here the diff which npm created. First question: Very likely Yes.
(Note that I have no knowledge in this area and don't even know why both package-lock.json and package.json are needed.)

aklapper updated this revision to Diff 2950.Wed, Apr 30, 10:50

also manually bump version in package.json; then running npm install results in another bump in package-lock.json

Harbormaster completed remote builds in B1908: Diff 2950.Wed, Apr 30, 10:50
avivey added a comment.Thu, May 1, 07:20

@aklapper want to land this?
I figure users need to just run npm audit fix to be safe, and then fix the mess it did on the git diff.

I'm also publishing this in our Security blog.

avivey mentioned this in Blog Post: DoS attack against Aphlict.Thu, May 1, 08:04
aklapper added a comment.Thu, May 1, 10:38
In D25967#26245, @avivey wrote:

@aklapper want to land this?

Will do. I just wasn't sure about any related implications so I guess I was implicitly waiting for another review (which you provided).

Closed by commit rPde2b53638299: Aphlict: Bump NodeJS package ws from 7.5.0 to 7.5.10. · Explain WhyThu, May 1, 10:38
This revision was automatically updated to reflect the committed changes.
aklapper added a commit: rPde2b53638299: Aphlict: Bump NodeJS package ws from 7.5.0 to 7.5.10.
aklapper mentioned this in Next Up.Thu, May 1, 10:42
avivey mentioned this in 2025.18.Fri, May 2, 11:35

Revision Contents
Changeset List

Diff 2952

View Options

support/aphlict/server/package-lock.json

Loading...
View Options

support/aphlict/server/package.json

Loading...
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0