Skip to content

Patch ws vulnerability via dependency overrides#514

Merged
joetannenbaum merged 1 commit into
2.xfrom
ws-fix
Jun 3, 2026
Merged

Patch ws vulnerability via dependency overrides#514
joetannenbaum merged 1 commit into
2.xfrom
ws-fix

Conversation

@joetannenbaum

Copy link
Copy Markdown
Contributor

socket.io-client brings in engine.io-client@6.6.3 which pins ws to ~8.17.1, a version affected by GHSA-58qx-3vcg-4xpx. This bumps the socket.io-client dev dependency to ^4.8.3 (which resolves engine.io-client@6.6.5 using ws@~8.20.1) and adds a ws>=8.20.1 override to ensure the patched version is always used in this repo.

Also migrates pnpm overrides from package.json to pnpm-workspace.yaml, since pnpm v11 no longer reads them from package.json.

@joetannenbaum joetannenbaum merged commit 5401704 into 2.x Jun 3, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant