Skip to content

chore: upgrade ws to ^8.21.0 to address CVE-2026-45736#1286

Open
brendan-kellam wants to merge 1 commit into
mainfrom
cursor/cve/ws
Open

chore: upgrade ws to ^8.21.0 to address CVE-2026-45736#1286
brendan-kellam wants to merge 1 commit into
mainfrom
cursor/cve/ws

Conversation

@brendan-kellam
Copy link
Copy Markdown
Contributor

@brendan-kellam brendan-kellam commented Jun 5, 2026

Fixes SOU-1171

Addresses CVE-2026-45736 (ws uninitialized memory disclosure via TypedArray reason). Refreshed the lockfile for the ws@npm:^8.18.0 requester and added a qualified resolution ws@npm:~8.17.1 -> ^8.20.1 for the socket.io/engine.io tilde-locked requester, which could not reach a patched version via a plain refresh. Both requester trees now resolve to ws@8.21.0.

🤖 Generated with Claude Code

@brendan-kellam @claude
chore: upgrade ws to ^8.21.0 to address CVE-2026-45736
e9641a2 
Refresh the lockfile for the `ws@npm:^8.18.0` requester and add a
qualified resolution `ws@npm:~8.17.1` -> `^8.20.1` for the
socket.io/engine.io tilde-locked requester. Both trees now resolve to
ws 8.21.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Jun 5, 2026
edited
Loading

Review Change Stack

Warning

Review limit reached

@brendan-kellam, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5e82dc7f-7d9e-429e-ab80-ad73e2fda039

📥 Commits

Reviewing files that changed from the base of the PR and between 4c9dfe0 and e9641a2.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/cve/ws

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026
edited
Loading

License Audit

⚠️ Status: PASS

Metric Count
Total packages 2132
Resolved (non-standard) 20
Unresolved 0
Strong copyleft 0
Weak copyleft 39

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.0 (MPL-2.0 OR Apache-2.0)
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (20)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo (github.com/aidenybai/react-grab LICENSE)
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo (github.com/aidenybai/react-grab LICENSE)
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo (github.com/aidenybai/react-grab LICENSE)
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry metadata (Functional Source License 1.1, MIT future grant; verified @sentry/cli@2.58.5)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 npm registry metadata
element-source 0.0.3 UNKNOWN MIT GitHub repo (github.com/aidenybai/element-source LICENSE)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 npm registry metadata (top-level license)
map-stream 0.1.0 UNKNOWN MIT npm registry metadata (top-level license)
memorystream 0.3.1 UNKNOWN MIT extracted from object (npm registry licenses: [{type:MIT}])
pause-stream 0.0.11 ["MIT","Apache2"] MIT OR Apache-2.0 extracted from object (license array ["MIT","Apache2"])
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo (github.com/PostHog/posthog-js LICENSE)
valid-url 1.0.9 UNKNOWN MIT GitHub repo (github.com/ogt/valid-url LICENSE)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@brendan-kellam