From 4de534716985a474657c2a0d88b97bc05da4cade Mon Sep 17 00:00:00 2001 From: idapixl Date: Thu, 16 Jul 2026 09:20:33 -0700 Subject: [PATCH] fix(deps): bump transitive websocket-driver to patch critical vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit firebase-admin -> @firebase/database-compat -> @firebase/database -> faye-websocket pins websocket-driver@0.7.4, which has two critical advisories (GHSA-mp7j-qc5w-4988 resource-limit bypass, GHSA-xv26-6w52-cph6 message corruption). Dependabot never alerted on this — same dependency-graph blind spot found in tools-content/evolution/social/reasoning on 2026-07-09. npm audit fix resolves it to 0.7.5, lockfile-only, no package.json version bump needed. Co-Authored-By: Claude --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 8616932..6eea5fe 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5146,9 +5146,9 @@ "license": "BSD-2-Clause" }, "node_modules/websocket-driver": { - "version": "0.7.4", - "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.4.tgz", - "integrity": "sha512-b17KeDIQVjvb0ssuSDF2cYXSg2iztliJ4B9WdsuB6J952qCPKmnVq4DyW5motImXHDC1cBT/1UezrJVsKw5zjg==", + "version": "0.7.5", + "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.5.tgz", + "integrity": "sha512-ZL2+3c7kMBdIRCMz6l8jQMHyGVxj+UL+xVk74Ombiciboca8rHa15L86B19E5oh1pL9Ii/uj54gtsIrZGMo6zA==", "dev": true, "license": "Apache-2.0", "dependencies": {