
build: Bump ws to 6.2.2 due to ReDoS vulnerability #34759

Closed

Conversation

gabrieldonadel
Collaborator

Summary

A moderate vulnerability was found in all versions of ws below 7.4.6 in June of last year. React Native currently uses v6.1.4, which is susceptible to it; fortunately this security fix has been backported to v6.X.X, and we don't need to upgrade any major versions or worry about breaking changes. This PR bumps ws to 6.2.2 (CHANGELOG) due to this ReDoS vulnerability.

More information about this vulnerability can be found here -> GHSA-6fc8-4gx4-v693

Closes #31646

Changelog

[Internal] [Security] - Bump ws to 6.2.2 due to ReDoS vulnerability

Test Plan

Ensure WebSocket tests are working as expected
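As an added example (not code from this PR or from React Native), here is a check a dependency audit could run over a v1 yarn.lock to flag resolved ws versions in the affected ranges. It encodes only the two fixed versions the PR text states (the 6.2.2 backport on the 6.x line and 7.4.6) and treats every other version below 7.4.6 as vulnerable; the sample lockfile is constructed.

```javascript
// Added example, not code from the PR: flag ws versions in a yarn.lock that
// fall in the ranges the PR describes as affected by GHSA-6fc8-4gx4-v693.
// Fixed versions taken from the PR text: 7.4.6, and the 6.2.2 backport on 6.x;
// assumption: any other version below 7.4.6 is treated as vulnerable.

function parseSemver(version) {
  // Prerelease/build suffixes are ignored; only the numeric core is compared.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isWsVulnerable(version) {
  const v = parseSemver(version);
  if (compareVersions(v, [7, 4, 6]) >= 0) return false;               // 7.4.6 and later
  if (v[0] === 6 && compareVersions(v, [6, 2, 2]) >= 0) return false; // 6.2.2 backport
  return true;
}

// Scan a v1 yarn.lock and return every resolved ws version that is vulnerable.
// Entry headers are unindented (`ws@^6.1.4:` or `"ws@^6.1.4", "ws@^6.2.0":`);
// the indented `version "x.y.z"` line that follows is the resolved version.
function findVulnerableWs(lockfileText) {
  const hits = [];
  let inWsEntry = false;
  for (const line of lockfileText.split('\n')) {
    if (/^\S/.test(line)) {              // unindented line: new entry header
      inWsEntry = /^"?ws@/.test(line);   // exact package name, so wsl-utils@ is skipped
      continue;
    }
    const m = inWsEntry ? /^\s+version\s+"([^"]+)"/.exec(line) : null;
    if (m && isWsVulnerable(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample lockfile, not React Native's real yarn.lock.
const SAMPLE_LOCK = `
ws@^6.1.4:
  version "6.1.4"
  resolved "https://registry.yarnpkg.com/ws/-/ws-6.1.4.tgz"
ws@^7.0.0:
  version "7.4.6"
  resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz"
`;
```

Running `findVulnerableWs` over the real lockfile before this PR would report 6.1.4 and nothing after the bump.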

@facebook-github-bot added the CLA Signed label Sep 21, 2022
@github-actions

github-actions bot commented Sep 21, 2022

Warnings
⚠️ 🔒 package.json - Changes were made to package.json. This will require a manual import by a Facebook employee.

Generated by 🚫 dangerJS against 388b1f1

@facebook-github-bot added the Shared with Meta label Sep 21, 2022
@analysis-bot

analysis-bot commented Sep 22, 2022

| Platform | Engine | Arch | Size (bytes) | Diff |
|---|---|---|---|---|
| android | hermes | arm64-v8a | 7,739,379 | +0 |
| android | hermes | armeabi-v7a | 7,142,055 | +0 |
| android | hermes | x86 | 8,050,464 | +0 |
| android | hermes | x86_64 | 8,022,326 | +0 |
| android | jsc | arm64-v8a | 9,607,492 | +0 |
| android | jsc | armeabi-v7a | 8,373,001 | +0 |
| android | jsc | x86 | 9,555,154 | +0 |
| android | jsc | x86_64 | 10,147,760 | +0 |

Base commit: 108c876
Branch: main

@analysis-bot

analysis-bot commented Sep 22, 2022

| Platform | Engine | Arch | Size (bytes) | Diff |
|---|---|---|---|---|
| ios | - | universal | n/a | -- |

Base commit: 108c876
Branch: main

@facebook-github-bot
Contributor

@cortinico has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@cortinico
Contributor

Hey @gabrieldonadel, can I ask you to rebase? The CI should be green then.
I'm also handing this over to @jacdebug for merging, as ws is quite a tricky dependency of ours.

@gabrieldonadel
Collaborator Author

> Hey @gabrieldonadel, can I ask you to rebase? The CI should be green then. I'm also handing this over to @jacdebug for merging, as ws is quite a tricky dependency of ours.

Sounds good, I've just pushed a commit rebasing it.

@facebook-github-bot
Contributor

@jacdebug has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@react-native-bot
Collaborator

This pull request was successfully merged by @gabrieldonadel in fa22a6e.

When will my fix make it into a release? | Upcoming Releases

@react-native-bot added the Merged label Oct 10, 2022
@gabrieldonadel gabrieldonadel deleted the feat/bump-ws branch October 10, 2022 12:00
OlimpiaZurek pushed a commit to OlimpiaZurek/react-native that referenced this pull request May 22, 2023
Summary:
A moderate vulnerability was found in all versions of `ws` below 7.4.6 in June of last year. React Native currently uses v6.1.4, which is susceptible to it; fortunately this security fix has been backported to v6.X.X, and we don't need to upgrade any major versions or worry about breaking changes. This PR bumps `ws` to 6.2.2 ([CHANGELOG](https://github.com/websockets/ws/releases/tag/6.2.2)) due to this ReDoS vulnerability.

More information about this vulnerability can be found here -> GHSA-6fc8-4gx4-v693

Closes facebook#31646

## Changelog

[Internal] [Security] - Bump ws to 6.2.2 due to ReDoS vulnerability

Pull Request resolved: facebook#34759

Test Plan:
Ensure WebSocket tests are working as expected

Tested HMR working on Twilight

| iOS | Android |
|---|---|
| https://pxl.cl/2g70M | https://pxl.cl/2g70V |

Reviewed By: hramos, cortinico

Differential Revision: D39722905

fbshipit-source-id: 12088ab5ea26d904675de484e2014949d6696465
Labels

- CLA Signed
- Merged
- Shared with Meta
- Type: Security

Development

Successfully merging this pull request may close these issues.

Regular Expression Denial of Service vulnerability in "ws" package (#31646)