feat(root): address ws vulnerability #6265

Draft: zahin-mohammad wants to merge 1 commit into base: master

Conversation

zahin-mohammad (Contributor)

The ws vulnerability does not affect bitgojs, however it
is a cause of alarm when viewing the audit report for this repo.

Unfortunately the vulnerability comes from a deep nested dependency with celo,
where even upgrading to the latest celo deps will not fix the issue.

This PR creates a resolution for "ws" to address the audit.

@zahin-mohammad zahin-mohammad requested review from a team as code owners June 9, 2025 20:31
@zahin-mohammad (Contributor Author)

The ws vulnerability does not affect bitgojs, however it
is a cause of alarm when viewing the audit report for this repo.

It's primarily a concern for backend services, however bitgo express does not directly use the ws package.

resolved "https://registry.npmjs.org/ws/-/ws-7.4.6.tgz#5654ca8ecdeee47c33a9a4bf6d28e2be2980377c"
integrity sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A==
[email protected], [email protected], ws@^3.0.0, ws@^5.2.4:
version "5.2.4"
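Review bot: the merged key on the last two lines collapses the ws@^3.0.0, ws@^5.2.4 and ws@7.x specifiers onto a single `version "5.2.4"`, which is a major-version downgrade for the 7.x consumers (their previous `resolved` line above pointed at the 7.4.6 tarball) and a major upgrade for the ^3.0.0 one. A `resolutions` entry keyed as bare `"ws"` applies to every path in the tree, not just the celo subtree that pulls the vulnerable copy. Suggest scoping the override with a selective resolution key such as `"<celo-package>/**/ws"` (placeholder for the celo dependency found to carry it) and pinning each affected major to its own patched release, then re-running the audit to confirm the finding clears without changing what the other consumers receive.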
Contributor

Are we locking the ws version to 5.2.4? Some dependent packages require [email protected], but this change forces them to use 5.2.4, which might not support features introduced in the newer versions. Could this lead to runtime issues or missing functionality?

Contributor Author

Good point, we probably shouldn't force the resolution for higher versions. I'll investigate what nested dep caused this.
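As an added check for the concern raised in this thread (example code, not part of this PR or the BitGoJS project): parse a yarn v1 lockfile and report every specifier whose resolved version no longer satisfies the range the consumer asked for, which is what a blanket `ws` resolution does to the `^7` consumers. The lockfile excerpt is constructed and modelled on the one quoted in the review; range handling covers `*`, exact, `~` and `^` only, with other operators treated as exact pins.

```javascript
// Added example, not BitGoJS code: flag yarn.lock entries whose resolved version
// falls outside the requested range. SAMPLE_LOCK is a constructed excerpt.
const SAMPLE_LOCK = `
"ws@^7.4.6", ws@^7.0.0, ws@^3.0.0, ws@^5.2.4:
  version "5.2.4"
lodash@^4.17.21:
  version "4.17.21"
`;

// Parse a yarn v1 lockfile into { name, range, version }, one record per specifier.
function parseYarnLock(text) {
  const records = [];
  let specifiers = [];
  for (const line of text.split('\n')) {
    if (/^[^\s#]/.test(line) && line.endsWith(':')) {
      specifiers = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
    } else if (specifiers.length) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (!m) continue;
      for (const spec of specifiers) {
        const at = spec.lastIndexOf('@'); // lastIndexOf so @scope/pkg@range splits correctly
        records.push({ name: spec.slice(0, at), range: spec.slice(at + 1), version: m[1] });
      }
      specifiers = [];
    }
  }
  return records;
}
const nums = v => v.replace(/^[^\d]*/, '').split('.').map(Number);
// Minimal semver check: *, exact, ~x.y.z and ^x.y.z (with 0.x caret rules);
// any other operator is stripped and treated as an exact pin.
function satisfies(version, range) {
  if (range === '*' || range === 'latest') return true;
  const [vMaj, vMin, vPat] = nums(version);
  const [rMaj, rMin = 0, rPat = 0] = nums(range);
  const cmp = [vMaj - rMaj, vMin - rMin, vPat - rPat].find(d => d !== 0) || 0;
  if (cmp < 0) return false;                                 // below the lower bound
  if (range.startsWith('^')) {
    if (rMaj > 0) return vMaj === rMaj;                      // ^7.4.6 allows 7.x only
    return rMin > 0 ? vMaj === 0 && vMin === rMin : cmp === 0; // ^0.2.x / ^0.0.x
  }
  if (range.startsWith('~')) return vMaj === rMaj && vMin === rMin;
  return cmp === 0;                                          // exact pin
}
// Every specifier that the resolved version no longer satisfies.
function findForcedMismatches(lockText) {
  return parseYarnLock(lockText)
    .filter(r => !satisfies(r.version, r.range))
    .map(r => `${r.name}@${r.range} resolved to ${r.version}`);
}
```

Run it against the real lockfile with `findForcedMismatches(require('fs').readFileSync('yarn.lock', 'utf8'))`; every line it prints is a consumer that the resolution has silently moved across a major boundary.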

@zahin-mohammad zahin-mohammad marked this pull request as draft June 10, 2025 15:51