fix(deps): bump transitive ws to 8.20.1 (GHSA-58qx-3vcg-4xpx) #59
Merged
The wasmJs target's JS dev/test toolchain (webpack-dev-server / karma) pulls in the npm `ws` package transitively. Kotlin resolved it to 8.18.3, which is vulnerable to uninitialized-memory disclosure (GHSA-58qx-3vcg-4xpx, medium; affects >= 8.0.0, < 8.20.1).

Pin `ws` to 8.20.1 via a Yarn resolution on the Wasm Yarn root extension (the wasmJs target uses its own store, kotlin-js-store/wasm/yarn.lock, so the override targets WasmYarnPlugin, not the JS YarnPlugin) and regenerate the lockfile with `kotlinWasmUpgradeYarnLock`. No new direct dependencies — purely a transitive lockfile/resolution pin.

Verified with `./gradlew wasmJsTest` (browser toolchain still passes). Resolves Dependabot alert #1 (GHSA-58qx-3vcg-4xpx).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## What

Pins the transitive npm `ws` dependency to 8.20.1 and regenerates the wasm Yarn lockfile.

## Why

Dependabot alert #1 flags GHSA-58qx-3vcg-4xpx — ws: uninitialized memory disclosure (medium). The vulnerable range is `>= 8.0.0, < 8.20.1`; the first patched version is 8.20.1. `ws` is pulled in transitively by the wasmJs target's JS dev/test toolchain (webpack-dev-server / karma) and locked in the Kotlin-managed lockfile `kotlin-js-store/wasm/yarn.lock`, which previously resolved `ws@8.18.3`. There is no direct `package.json` to edit — Kotlin generates the dependency graph.

## Changes

- `build.gradle.kts` — add a Yarn `resolution("ws", "8.20.1")` on the Wasm Yarn root extension. Kotlin 2.3.21 splits the Yarn plugin per web target, and the wasmJs target uses its own store (`kotlin-js-store/wasm/yarn.lock`), so the override targets `WasmYarnPlugin`/`WasmYarnRootExtension` — not the JS `YarnPlugin`.
- `kotlin-js-store/wasm/yarn.lock` — regenerated via `./gradlew kotlinWasmUpgradeYarnLock`; `ws` now resolves to `8.20.1`.

No new direct dependencies — purely a transitive lockfile/resolution pin.

## Verification

- `./gradlew kotlinWasmUpgradeYarnLock` → lockfile resolves `ws@8.20.1`
- `./gradlew wasmJsTest` → ✅ (browser toolchain that uses `ws` still passes)
- `./gradlew spotlessCheck detekt` → ✅

Resolves Dependabot alert #1 (GHSA-58qx-3vcg-4xpx) — auto-closes once the default branch no longer resolves the vulnerable range.
🤖 Generated with Claude Code
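As an added illustration (not the PR's own diff), this is the `build.gradle.kts` shape the Changes section describes, with the JS-target override written out beside the wasm one so the distinction the PR draws is concrete: only the `WasmYarnRootExtension` resolution reaches `kotlin-js-store/wasm/yarn.lock`. The class names `WasmYarnPlugin`/`WasmYarnRootExtension` and the `resolution("ws", "8.20.1")` call come from the PR description; the package paths for the plugin and extension classes are assumed from the Kotlin Gradle plugin's layout and should be checked against the Kotlin version in use.

```kotlin
// build.gradle.kts (root project). Added example, not the PR's own change.
// Package paths below are assumed; the class names come from the PR text.
import org.jetbrains.kotlin.gradle.targets.js.yarn.YarnPlugin
import org.jetbrains.kotlin.gradle.targets.js.yarn.YarnRootExtension
import org.jetbrains.kotlin.gradle.targets.wasm.yarn.WasmYarnPlugin
import org.jetbrains.kotlin.gradle.targets.wasm.yarn.WasmYarnRootExtension

// First patched version from GHSA-58qx-3vcg-4xpx.
val wsPatched = "8.20.1"

// Pins ws only in kotlin-js-store/yarn.lock, i.e. for a js() target.
// With a wasmJs-only project this block is a no-op and the wasm lockfile
// keeps resolving the vulnerable ws@8.18.3: the alert would not close.
rootProject.plugins.withType<YarnPlugin> {
    rootProject.the<YarnRootExtension>().resolution("ws", wsPatched)
}

// The override that actually covers the wasmJs toolchain: it pins ws in
// kotlin-js-store/wasm/yarn.lock. Run ./gradlew kotlinWasmUpgradeYarnLock
// afterwards so the committed lockfile matches the resolution.
rootProject.plugins.withType<WasmYarnPlugin> {
    rootProject.the<WasmYarnRootExtension>().resolution("ws", wsPatched)
}
```

Because the Kotlin plugin owns the dependency graph, a resolution entry is the only supported place to force a transitive npm version; editing the generated lockfile by hand is overwritten on the next `kotlinWasmUpgradeYarnLock`. After regenerating, confirming that `ws@` in `kotlin-js-store/wasm/yarn.lock` resolves to 8.20.1 is the check that tells Dependabot the vulnerable range is gone.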