diff --git a/build.gradle.kts b/build.gradle.kts
index 821bae8..2c355cb 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -1,3 +1,6 @@
+import org.jetbrains.kotlin.gradle.targets.wasm.yarn.WasmYarnPlugin
+import org.jetbrains.kotlin.gradle.targets.wasm.yarn.WasmYarnRootExtension
+
 plugins {
     alias(libs.plugins.android.kotlin.multiplatform.library) apply false
     alias(libs.plugins.androidApplication) apply false
@@ -41,3 +44,17 @@ val resolvedVersion: String =
 allprojects {
     version = resolvedVersion
 }
+
+// ---------------------------------------------------------------------------
+// Security: pin the transitive npm `ws` dependency to a patched version.
+// The wasmJs target's JS dev/test toolchain (webpack-dev-server / karma) pulls
+// in `ws`, which Kotlin otherwise resolves to a version vulnerable to
+// uninitialized-memory disclosure (GHSA-58qx-3vcg-4xpx; fixed in 8.20.1).
+// The wasmJs target uses its own Yarn store (kotlin-js-store/wasm/yarn.lock),
+// so the override targets the Wasm Yarn plugin/extension — not the JS one.
+// After changing this pin, regenerate the lockfile with:
+//     ./gradlew kotlinWasmUpgradeYarnLock
+// ---------------------------------------------------------------------------
+plugins.withType {
+    the().resolution("ws", "8.20.1")
+}
diff --git a/kotlin-js-store/wasm/yarn.lock b/kotlin-js-store/wasm/yarn.lock
index fd812f3..3e1c851 100644
--- a/kotlin-js-store/wasm/yarn.lock
+++ b/kotlin-js-store/wasm/yarn.lock
@@ -2,7 +2,7 @@
 # yarn lockfile v1
 
-ws@8.18.3:
-  version "8.18.3"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.3.tgz#b56b88abffde62791c639170400c93dcb0c95472"
-  integrity sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==
+ws@8.18.3, ws@8.20.1:
+  version "8.20.1"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-8.20.1.tgz#91a9ae2b312ccf98e0a85ec499b48cef45ab0ddb"
+  integrity sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==
 
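Review bot: The `plugins.withType { the().resolution("ws", "8.20.1") }` block at the end of the second build.gradle.kts hunk carries no type arguments, so as rendered it neither names the plugin it reacts to nor the extension it looks up; the two imports added in the first hunk suggest the intended form is `plugins.withType<WasmYarnPlugin> { the<WasmYarnRootExtension>().resolution("ws", "8.20.1") }`. If the angle brackets were merely lost in rendering this is fine, but if the source really omits them the script will not compile, so please confirm against the checked-in file. The pin is an exact version rather than a minimum, which means it will also hold `ws` back once the Kotlin Gradle plugin's own toolchain moves past 8.20.1; a line in the comment such as `// Remove this override once the Kotlin-managed toolchain resolves ws >= 8.20.1 on its own.` gives the next maintainer the condition for deleting it. The comment states the override is Wasm-only; if the build also has a plain js target with its own kotlin-js-store lockfile, that store is not covered by this change and would need the equivalent pin through the JS Yarn extension.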