What would be the impact of upgrading ws 1.1.5, a dependency of node-red? (ws has a known high vulnerability)

#1

Hello,
In a project I am working on we're using node-red in order to extend project's capabilities.
The final docker image is scanned with different tools to identify security vulnerabilities, and one of reported high vulnerabilities is related to ws 1.1.5 library (a dependency of node-red).
Deatils can be found here: https://www.npmjs.com/advisories/550

What would be the impact of upgrading ws from 1.1.5 to a non-vulnerable version ( minimum 3.3.1, latest version is 6.2.0 ) ?

#2

Hi @pkorecki

there were very significant changes to the ws library from version 1.x up to its latest 6.x stream. It requires a lot of changes in the node-red code base to support.

The good news is 0.20 has had those changes applied and will be available in the next couple of days (all being well...).

3 Likes
#3

Thanks for quick answer!