
Security alert on install from ethers, ws #920

@jacque006

Description


Describe the bug
When installing the latest @semaphore-protocol/core (v4.7.2) & running npm audit, the following alert appears:

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
No fix available
node_modules/ws
  ethers  6.0.0-beta.1 - 6.13.0
  Depends on vulnerable versions of ws
  node_modules/ethers
    @semaphore-protocol/proof  >=4.0.0-alpha
    Depends on vulnerable versions of ethers
    node_modules/@semaphore-protocol/proof
      @semaphore-protocol/core  *
      Depends on vulnerable versions of @semaphore-protocol/proof
      node_modules/@semaphore-protocol/core

To Reproduce

  1. npm install @semaphore-protocol/core (Note some older versions may have this alert as well)
  2. npm audit

Expected behavior
No security alert is present. This has been fixed in ethers >= v6.13.1 https://github.com/ethers-io/ethers.js/releases/tag/v6.13.1.

Note that since this is a server-side ws issue, it is unlikely to have an impact barring some exceptional use cases (using Semaphore's ethers' ws version on a server).

Technologies (please complete the following information):

  • Node.js v20.18.1
  • NPM 10.8.2

Additional context
I will open PR to address by updating ethers version. Feel free to assign this issue to me.
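The audit output above is a chain of transitive dependencies ending in a vulnerable ws. The following added example, which is not part of this issue, of Semaphore, or of ethers, walks a lockfile in the `packages` layout of package-lock.json (lockfile v2/v3) and reports every chain from the root to a ws version inside the advisory range 8.0.0 - 8.17.0. The lockfile object, every version in it, and the `app` root are constructed by hand to mirror the tree npm printed, with one deliberate addition: a nested `node_modules/ethers/node_modules/ws` copy next to a top-level ws outside the range, to show that the walk resolves dependencies the way Node does rather than only looking at the top level.

```javascript
// Added example, not project code. Constructed lockfile excerpt: a real
// package-lock.json carries more fields per entry, but the "packages" map with
// "version" and "dependencies" is all that is needed to rebuild the chain.
const LOCKFILE = {
  packages: {
    "": { name: "app", dependencies: { "@semaphore-protocol/core": "^4.7.2", ws: "^8.18.0" } },
    "node_modules/@semaphore-protocol/core": {
      version: "4.7.2", dependencies: { "@semaphore-protocol/proof": "4.7.2" },
    },
    "node_modules/@semaphore-protocol/proof": {
      version: "4.7.2", dependencies: { ethers: "^6.13.0" },
    },
    "node_modules/ethers": { version: "6.13.0", dependencies: { ws: "8.17.0" } },
    // nested copy: ethers pins a ws that is inside the advisory range
    "node_modules/ethers/node_modules/ws": { version: "8.17.0" },
    // top-level copy: assumed to be outside the range (constructed value)
    "node_modules/ws": { version: "8.18.0" },
  },
};

// Advisory range exactly as npm audit reported it for GHSA-3h5v-q93c-6h6q.
const ADVISORY = { name: "ws", min: "8.0.0", max: "8.17.0" };

// Numeric comparison of dotted versions; prerelease tags are ignored, which is
// sufficient for the released ws versions covered by the range above.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Inclusive range check, matching the "8.0.0 - 8.17.0" notation in the audit.
function isVulnerable(pkgName, version, adv) {
  return pkgName === adv.name &&
    cmpVersion(version, adv.min) >= 0 && cmpVersion(version, adv.max) <= 0;
}

// Node resolution against the lockfile: a dependency requested from location
// `from` resolves to the nearest enclosing node_modules/<dep> entry.
function resolveDep(packages, from, dep) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from a lockfile location, keeping scoped names intact.
function nameOf(location) {
  const marker = "node_modules/";
  return location.slice(location.lastIndexOf(marker) + marker.length);
}

// Depth-first walk from the root; returns every chain that ends in a vulnerable
// package as an array of "name@version" labels (root omitted).
function vulnerableChains(lockfile, adv) {
  const packages = lockfile.packages;
  const chains = [];
  const visit = (loc, path, onStack) => {
    const entry = packages[loc];
    const here = loc === "" ? path : path.concat(nameOf(loc) + "@" + entry.version);
    if (loc !== "" && isVulnerable(nameOf(loc), entry.version, adv)) {
      chains.push(here);
      return;
    }
    onStack.add(loc); // guards against dependency cycles
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, loc, dep);
      if (target && !onStack.has(target)) visit(target, here, onStack);
    }
    onStack.delete(loc);
  };
  visit("", [], new Set());
  return chains;
}

for (const chain of vulnerableChains(LOCKFILE, ADVISORY)) {
  console.log(chain.join(" > "));
}
```

The printed chain matches the shape of the `npm audit` tree above; `npm ls ws` gives the same answer for an installed tree. On a real lockfile, the same check run after bumping the ethers entry (the fix this issue proposes) or after pinning ws through the `overrides` field of package.json should return no chains; the test below simulates that by raising the nested ws version.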

Labels: bug (Something isn't working)