chore: upgrade ws to ^8.20.1 to address CVE-2026-45736#1286

Merged
brendan-kellam merged 1 commit into
mainfrom
cursor/cve/ws
Jun 9, 2026

Conversation

@brendan-kellam

@brendan-kellam brendan-kellam commented Jun 5, 2026

Contributor

Fixes SOU-1171

Resolves CVE-2026-45736 (ws uninitialized memory disclosure) by refreshing the stale socket.io subtree rather than forcing a resolutions override.

The vulnerable ws@~8.17.1 was pinned by two transitive packages whose parents' existing ranges already admitted patched versions:

  • engine.io 6.6.4 → 6.6.8 (ws ~8.20.1), within socket.io's ~6.6.0
  • socket.io-adapter 2.5.5 → 2.5.7 (ws ~8.20.1), within socket.io's ~2.5.2

After yarn up -R engine.io socket.io-adapter, every ws instance consolidates at 8.20.1 (the fixed version). Lockfile-only change — no package.json / resolutions override, per the CVE-fix playbook's preference for a refresh over a forced override.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated a dependency to the latest stable version.
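
The check a reviewer would run to confirm the claim in the description above, as an added example that is not part of the PR or the project: a small Node script that parses a Yarn Berry lockfile and reports (a) any `ws` entry still resolving below 8.20.1 and (b) which packages declare `ws` as a dependency and with what range. The two lockfile excerpts embedded in it are constructed to mirror the before/after state the PR describes (they are not the repository's real yarn.lock), and the parser is a minimal hand-written one that reads only the `version:` and `dependencies:` fields, not a Yarn API.

```javascript
// Added example, not code from the PR or the project. It checks a Yarn Berry
// (v2+) yarn.lock the way a reviewer would verify this PR's claim: no `ws`
// descriptor may still resolve below the fixed release, and the parents that
// pinned the old range should now require the patched one. Both lockfile
// excerpts are CONSTRUCTED to mirror the situation the PR describes.

const FIXED_WS = '8.20.1'; // fixed ws version named in the PR

const LOCK_BEFORE = `__metadata:
  version: 8

"engine.io@npm:~6.6.0":
  version: 6.6.4
  dependencies:
    ws: "npm:~8.17.1"

"socket.io-adapter@npm:~2.5.2":
  version: 2.5.5
  dependencies:
    ws: "npm:~8.17.1"

"ws@npm:~8.17.1":
  version: 8.17.1

"ws@npm:^8.18.0":
  version: 8.18.3
`;

const LOCK_AFTER = `"engine.io@npm:~6.6.0":
  version: 6.6.8
  dependencies:
    ws: "npm:~8.20.1"

"socket.io-adapter@npm:~2.5.2":
  version: 2.5.7
  dependencies:
    ws: "npm:~8.20.1"

"ws@npm:^8.18.0, ws@npm:~8.20.1":
  version: 8.20.1
`;

// Minimal parser for the Berry layout: an unindented, colon-terminated key lists
// one or more descriptors ("name@npm:range"); the indented fields below carry
// `version:` and an optional `dependencies:` map. `__metadata:` has no '@' and is skipped.
function parseLockfile(lockText) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const line of lockText.split('\n')) {
    if (line && !line.startsWith(' ') && line.endsWith(':')) {
      const descriptors = line.slice(0, -1).replace(/^"|"$/g, '').split(',').map((d) => d.trim());
      const at = descriptors[0].lastIndexOf('@'); // name/range split; keeps "@scope/name" intact
      current = at > 0 ? { name: descriptors[0].slice(0, at), descriptors, version: null, deps: {} } : null;
      if (current) entries.push(current);
      inDeps = false;
    } else if (!current) {
      continue;
    } else if (/^  version:/.test(line)) {
      current.version = line.split(':')[1].trim().replace(/"/g, '');
      inDeps = false;
    } else if (/^  dependencies:\s*$/.test(line)) {
      inDeps = true;
    } else if (inDeps) {
      const dep = line.match(/^    "?([^":]+)"?:\s*"?([^"\s]+)"?\s*$/);
      if (dep) current.deps[dep[1]] = dep[2];
      else inDeps = false; // left the dependencies block
    }
  }
  return entries;
}

// Numeric compare of dotted versions (prerelease tag ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Entries of `pkg` still resolving below `fixed`, with the descriptors that pull them in.
function vulnerableInstances(lockText, pkg, fixed) {
  return parseLockfile(lockText)
    .filter((e) => e.name === pkg && e.version && compareVersions(e.version, fixed) < 0)
    .map((e) => ({ version: e.version, descriptors: e.descriptors }));
}

// Packages that declare `pkg` as a dependency, and the range each declares:
// these are the transitive parents a refresh (yarn up -R) has to move.
function pinningParents(lockText, pkg) {
  return parseLockfile(lockText)
    .filter((e) => pkg in e.deps)
    .map((e) => ({ parent: `${e.name}@${e.version}`, range: e.deps[pkg] }));
}

// Usage: swap in fs.readFileSync('yarn.lock', 'utf8') to check a real lockfile.
for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  console.log(label, 'vulnerable ws:', vulnerableInstances(lock, 'ws', FIXED_WS));
  console.log(label, 'ws pinned by:', pinningParents(lock, 'ws'));
}
```

On a real checkout, read yarn.lock from disk and run both functions: an empty vulnerable list plus every parent's range at `~8.20.1` is the evidence the "every ws instance consolidates at 8.20.1" statement rests on. The comparison is a plain numeric one with no range semantics, so it confirms what the lockfile actually resolved, not what the declared ranges would admit on the next refresh.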

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f9d41eb9-fa1d-4649-8d5a-700fb8f7ef99

📥 Commits

Reviewing files that changed from the base of the PR and between 33bb66c and b365987.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • CHANGELOG.md
✅ Files skipped from review due to trivial changes (1)
  • CHANGELOG.md

Walkthrough

This PR adds a single changelog entry documenting an upgrade of the ws dependency to ^8.20.1 under the Unreleased / Fixed section with a link to PR #1286.

Changes

ws Dependency Upgrade Changelog Entry

Layer / File(s) Summary
Changelog entry for ws upgrade
CHANGELOG.md
CHANGELOG.md Unreleased Fixed section is updated with a bullet documenting the ws dependency upgrade to ^8.20.1 with PR reference #1286.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: upgrading the ws dependency to address a specific CVE vulnerability, which aligns with the CHANGELOG.md update and PR objectives.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@github-actions

github-actions Bot commented Jun 5, 2026

Contributor

License Audit

Status: FAIL

Metric Count
Total packages 2132
Resolved (non-standard) 10
Unresolved 2
Strong copyleft 0
Weak copyleft 38

Fail Reasons

  • 2 package(s) have unresolvable licenses: @react-grab/mcp, element-source

Unresolved Packages

Package Version License Reason
@react-grab/mcp 0.1.29 UNKNOWN No license field in any published npm version; package has no repository or homepage metadata and is not present in the related aidenybai/react-grab monorepo (only cli, grab, react-grab packages exist there). No LICENSE file could be located.
element-source 0.0.3 UNKNOWN No license field on npm (package-level or version-level); no repository, homepage, or author metadata, and the README contains no license statement. No source could be located to determine the license.

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (10)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo LICENSE file (aidenybai/react-grab monorepo root is MIT; packages/cli confirmed)
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo LICENSE file (aidenybai/react-grab monorepo root is MIT; packages/cli confirmed)
@tanstack/react-query 5.69.0 UNKNOWN MIT npm registry (original UNKNOWN was a transient HTTP 502 at generation time)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 npm registry (package + neighboring version 4.0.1 declare Apache-2.0)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 npm registry (package declares Apache-2.0)
map-stream 0.1.0 UNKNOWN MIT npm registry (package declares MIT)
memorystream 0.3.1 UNKNOWN MIT extracted from object (npm licenses field: [{type:MIT}])
pause-stream 0.0.11 ["MIT","Apache2"] (MIT OR Apache-2.0) extracted from object (license array ["MIT","Apache2"])
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo LICENSE file (PostHog/posthog-js LICENSE is Apache License 2.0)
valid-url 1.0.9 UNKNOWN MIT GitHub repo LICENSE file (ogt/valid-url LICENSE + package.json declare MIT)

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 17: Move the CHANGELOG entry for PR `#1286` ("Upgraded `ws` to `^8.21.0`.
[`#1286`]") to the bottom of the "Fixed" section by relocating that single line so
it appears immediately after the entry for PR `#1149`; ensure the entry remains
unchanged except for its position and that the "Fixed" section ordering follows
the guideline of appending new entries at the bottom.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 61ad8a5e-c078-40ab-9185-2fc037f2ae9e

📥 Commits

Reviewing files that changed from the base of the PR and between 539938e and 8d6ab2d.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json

@brendan-kellam brendan-kellam force-pushed the cursor/cve/ws branch 2 times, most recently from a5096dd to 33bb66c Compare June 9, 2026 00:03
@brendan-kellam brendan-kellam changed the title chore: upgrade ws to ^8.21.0 to address CVE-2026-45736 chore: upgrade ws to ^8.20.1 to address CVE-2026-45736 Jun 9, 2026
Refresh engine.io (6.6.4 -> 6.6.8) and socket.io-adapter (2.5.5 -> 2.5.7),
whose existing socket.io ranges (~6.6.0, ~2.5.2) already admit versions that
require a patched ws (~8.20.1). Consolidates every ws instance at 8.20.1 via a
lockfile refresh only -- no resolutions override or package.json change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@brendan-kellam brendan-kellam merged commit 0c1324a into main Jun 9, 2026
8 of 9 checks passed
@brendan-kellam brendan-kellam deleted the cursor/cve/ws branch June 9, 2026 00:08