Skip to content

fix(deps): patch critical websocket-driver vulnerability (Dependabot blind spot)#39

Merged
idapixl merged 1 commit into
masterfrom
fix/websocket-driver-dependabot-blindspot
Jul 16, 2026
Merged

fix(deps): patch critical websocket-driver vulnerability (Dependabot blind spot)#39
idapixl merged 1 commit into
masterfrom
fix/websocket-driver-dependabot-blindspot

Conversation

@idapixl

@idapixl idapixl commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • npm audit flags a critical severity issue in websocket-driver@<=0.7.4 (pulled in transitively via firebase-admin -> @firebase/database-compat -> @firebase/database -> faye-websocket): resource-limit bypass (GHSA-mp7j-qc5w-4988) and message corruption (GHSA-xv26-6w52-cph6).
  • Dependabot has never generated an alert for this — same dependency-graph blind spot as the hono issue found in tools-content/evolution/social/reasoning on 2026-07-09.
  • Fix is lockfile-only (npm audit fix -> websocket-driver 0.7.4 -> 0.7.5), no package.json version bump needed for this repo's own version.

Test plan

  • npm ci && npm run build — 0 errors
  • npm audit — 0 vulnerabilities after fix (was 1 critical)

Found during scheduled ecosystem health check (2026-07-16), running unattended — opened as a PR rather than merged directly so a human can review before it lands on master.

🤖 Generated with Claude Code

…bilities

firebase-admin -> @firebase/database-compat -> @firebase/database ->
faye-websocket pins websocket-driver@0.7.4, which has two critical
advisories (GHSA-mp7j-qc5w-4988 resource-limit bypass, GHSA-xv26-6w52-cph6
message corruption). Dependabot never alerted on this — same
dependency-graph blind spot found in tools-content/evolution/social/reasoning
on 2026-07-09. npm audit fix resolves it to 0.7.5, lockfile-only, no
package.json version bump needed.

Co-Authored-By: Claude <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 16, 2026 16:21

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@idapixl
idapixl merged commit 83ac30f into master Jul 16, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants