fix(deps): update dependency ws to ^8.21.0 (#345)
📝 Walkthrough
Summary by CodeRabbit: Updates
Walkthrough: the WebSocket library version was updated. Changes: ws dependency bumps.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
Important: Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 2 warnings)
✅ Passed checks (4 passed)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/api/package.json`:
- Line 30: Replace the non-existent dependency version "ws": "^8.21.0" in
packages/api/package.json with a real published version (I recommend
"8.20.1"), or explicitly mark and document the reason for using a
prerelease/local target; add to the PR/commit a link to the release
notes/changelog and a short rationale for the update (including mention of the
security fix, e.g. CVE-2026-45736, if applicable); check and synchronize this
"ws" version across all Dockerfiles/templates/configurations in the project, or
document the permitted divergence and its reasons (files/places to look:
packages/api/package.json and the corresponding Docker/templates).
In `@packages/app/package.json`:
- Line 124: The devDependency bump of "ws" to "^8.21.0" in packages/app's
package.json lacks justification and conflicts with the pinned "[email protected]" used
in the project's Docker/playwright template and the change in
packages/api/package.json; update the PR or create an associated issue that
documents the reason for the upgrade (security/bug/feature), an assessment of
breaking changes, and a plan to reconcile/sync the version used in the
Docker/playwright template (or intentionally explain why they may differ), and
ensure the package.json change to "ws": "^8.21.0" is either aligned with the
template or accompanied by the documented rationale.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: db564067-e098-4461-ad9b-4ce80b3b51f1
⛔ Files ignored due to path filters (1)
bun.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
packages/api/package.json, packages/app/package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
- GitHub Check: E2E (Clone auto-open SSH)
- GitHub Check: E2E (Login context)
- GitHub Check: E2E (Runtime volumes + SSH)
- GitHub Check: E2E (Browser command)
- GitHub Check: E2E (OpenCode)
- GitHub Check: E2E (Clone cache)
- GitHub Check: Build
- GitHub Check: E2E (Local package CLI)
- GitHub Check: Test
- GitHub Check: Lint
- GitHub Check: Final build (windows-latest)
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{js,ts,jsx,tsx,py,java,go,rb,php,sh,bash,yml,yaml,json,env*,toml,cfg,config,dockerfile,dockerignore}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files expose credentials, tokens, private-keys, or PII in source, generated config, logs, or CI output
Files:
packages/app/package.json, packages/api/package.json
**/{package*.json,requirements*.txt,setup.py,setup.cfg,Pipfile,Pipfile.lock,pyproject.toml,pom.xml,build.gradle,Gemfile,Gemfile.lock,go.mod,go.sum,composer.json,Cargo.toml,Cargo.lock}
📄 CodeRabbit inference engine (Custom checks)
Fail if dependency or package-manager changes materially increase supply-chain risk without justification
Files:
packages/app/package.json, packages/api/package.json
**/*
⚙️ CodeRabbit configuration file
**/*: You are a strict reviewer for SPEC DRIVEN DEVELOPMENT. Before drawing conclusions, study README.md, the other *.md files, linked issues,
the PR description, PR comments/discussion and the relevant code base. Check the changes against the original requirements/spec and the discussion. Flag any departure
from the spec, any undocumented behaviour change, missing tests
for the stated behaviour, and any security risk. If the spec is not visible,
ask the author to add it to the issue or PR description. Examine the solution from a formal-verification standpoint: which invariants,
preconditions and postconditions can be proven mathematically, and where provability
is weak. Evaluate the solution from a game-theory standpoint: are the incentives stable,
is there a profitable way around the rules, and what solution would be stronger.
Files:
packages/app/package.json, packages/api/package.json
| "effect": "^3.21.2", | ||
| "node-pty": "^1.1.0", | ||
| "ws": "^8.20.1" | ||
| "ws": "^8.21.0" |
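Review bot: the new range "ws": "^8.21.0" is only installable if 8.21.0 is actually published; the web query recorded in this thread reports 8.20.1 as the latest ws release, so confirm the tag exists on npm before merging, because a caret range whose floor version is unpublished matches nothing and the install fails. The matching bun.lock change was excluded from review by the !**/*.lock path filter, so the lockfile's resolved ws version also needs a manual check.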
🧩 Analysis chain
🌐 Web query:
ws npm package version 8.21.0 release notes and changelog
💡 Result:
As of May 22, 2026, there is no version 8.21.0 of the ws npm package. The most recent version available is 8.20.1, which was published on May 12, 2026 [1][2]. The ws package maintains its changelog and release notes directly through GitHub Releases [1][3]. You can view the history of all releases, including the latest version 8.20.1, at the official repository: https://github.com/websockets/ws/releases [4].
Citations:
- 1: https://www.npmjs.com/package/ws
- 2: https://github.com/websockets/ws/releases/tag/8.20.1
- 3: https://github.com/websockets/ws?adobe_mc=MCMID%3D68100076860616526616487674078326858807%7CMCORGID%3DA8833BC75245AF9E0A490D4D%40AdobeOrg%7CTS%3D1773792000
- 4: https://github.com/websockets/ws/releases
🌐 Web query:
ws npm package security vulnerabilities and advisories 2026
💡 Result:
As of today (2026-05-22), the key npm package security vulnerability/advisory I found for the ws package is:

1) ws (websockets/ws) uninitialized memory disclosure (CVE-2026-45736)
- Advisory (GitHub/ GHSA-58qx-3vcg-4xpx): A vulnerability in ws's websocket.close allows uninitialized memory disclosure when a TypedArray is passed as the reason argument; it affects ws versions >= 8.0.0 and < 8.20.1, and was patched in ws 8.20.1 [1].
- CVE: The issue is tracked as CVE-2026-45736 and fixed in ws 8.20.1 [1].
- Examples of the vulnerable behavior and fix guidance are reflected in the broader vulnerability writeups: upgrading ws to 8.20.1+ mitigates [2].

2) "Direct vulnerabilities" status for the latest ws version
- The Snyk package page for ws (based on latest version 8.20.1) reports "No known security issues" affecting the latest version, and notes that although there are vulnerabilities in older versions, none affect 8.20.1 [3].

3) Additional (older) ws advisories you may still want to account for (if you run older ws versions)
- DoS due to many HTTP headers (CVE-2024-37890 / GHSA-3h5v-q93c-6h6q): affects ws versions >= 2.1.0 < 5.2.4, >= 6.0.0 < 6.2.3, >= 7.0.0 < 7.5.10, and >= 8.0.0 < 8.17.1; patched in 5.2.4, 6.2.3, 7.5.10, 8.17.1 [4].
- ReDoS in Sec-Websocket-Protocol header (CVE-2021-32640 / GHSA-6fc8-4gx4-v693): affects ws versions >= 5.0.0 < 5.2.3, >= 6.0.0 < 6.2.2, >= 7.0.0 < 7.4.6; patched in 5.2.3, 6.2.2, 7.4.6 [5].

Recommended remediation (practical)
- Upgrade ws to at least 8.20.1 (to address CVE-2026-45736) [1].
- If you cannot upgrade immediately, ensure you're not calling websocket.close with a TypedArray as the "reason" argument, since the disclosure occurs under that usage condition [1].

If you want, tell me which ws version(s) you use (and whether it's direct or transitive), and I can map the precise affected ranges to your dependency tree and suggest an upgrade target.
Citations:
- 1: GHSA-58qx-3vcg-4xpx
- 2: https://security.snyk.io/vuln/SNYK-JS-WS-16722635
- 3: https://security.snyk.io/package/npm/ws
- 4: GHSA-3h5v-q93c-6h6q
- 5: GHSA-6fc8-4gx4-v693
🏁 Script executed:
#!/bin/bash
# Check where ws is used in the api package to assess the impact of the bump
rg -n "from ['\"]ws['\"]|require\(['\"]ws['\"]" packages/api/src/ -A 2 -B 2
Repository: ProverCoderAI/docker-git
Length of output: 2221
The ws version must be corrected and the update justified
- In packages/api/package.json (line 30) the range "ws": "^8.21.0" is specified, but version 8.21.0 of ws does not exist on npm/GitHub Releases as of today (the latest is 8.20.1). Clarify the goal/source (for example, whether this is a prerelease) or replace it with an existing version to avoid installation problems.
- The dependency update is not accompanied by a link to an issue/spec or a description of the changes/goals: add release notes/changelog and a rationale (including on the security side, e.g. CVE-2026-45736 is closed starting from 8.20.1).
- Check and synchronize the ws versions in Docker/templates: either synchronize them or explain why a divergence is permitted.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/api/package.json` at line 30, replace the non-existent dependency
version "ws": "^8.21.0" in packages/api/package.json with a real published
version (I recommend "8.20.1"), or explicitly mark and document the reason for
using a prerelease/local target; add to the PR/commit a link to the release
notes/changelog and a short rationale for the update (including mention of the
security fix, e.g. CVE-2026-45736, if applicable); check and synchronize this
"ws" version across all Dockerfiles/templates/configurations in the project, or
document the permitted divergence and its reasons (files/places to look:
packages/api/package.json and the corresponding Docker/templates).
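The advisory quoted in the web query above ties the disclosure to calling websocket.close with a TypedArray as the reason. The following defensive wrapper is an added example, not code from the ws project or from this PR: it hands ws only a string reason (decoding exactly the bytes a view covers, never its whole backing buffer) and keeps it within the 123-byte limit RFC 6455 puts on a close frame's reason. The `socket` argument is assumed to be any object with a `close(code, reason)` method, such as a ws WebSocket.

```javascript
// Added example (not from ws or this PR): only ever pass a string `reason`
// to socket.close(), and keep it within the RFC 6455 close-frame limit.
const MAX_REASON_BYTES = 123; // 125-byte control payload minus the 2-byte status code
const decoder = new TextDecoder("utf-8"); // non-fatal: invalid bytes become U+FFFD

function normalizeCloseReason(reason) {
  if (reason === undefined || reason === null) return "";
  let text;
  if (typeof reason === "string") {
    text = reason;
  } else if (ArrayBuffer.isView(reason)) {
    // Decode exactly the bytes the view covers, never its whole backing buffer.
    text = decoder.decode(new Uint8Array(reason.buffer, reason.byteOffset, reason.byteLength));
  } else if (reason instanceof ArrayBuffer) {
    text = decoder.decode(new Uint8Array(reason));
  } else {
    throw new TypeError("close reason must be a string or a byte view");
  }
  return truncateUtf8(text, MAX_REASON_BYTES);
}

// Shorten text so its UTF-8 encoding fits in maxBytes without splitting a code point.
function truncateUtf8(text, maxBytes) {
  if (Buffer.byteLength(text, "utf8") <= maxBytes) return text;
  let out = "";
  for (const ch of text) {
    if (Buffer.byteLength(out + ch, "utf8") > maxBytes) break;
    out += ch;
  }
  return out;
}

// socket: any object with close(code, reason), e.g. a ws WebSocket (assumed interface).
function closeSafely(socket, code = 1000, reason = "") {
  const text = normalizeCloseReason(reason);
  socket.close(code, text);
  return text;
}
```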
| "vite": "^8.0.14", | ||
| "vitest": "^4.1.7", | ||
| "ws": "^8.20.1" | ||
| "ws": "^8.21.0" |
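Review bot: this devDependency bump leaves packages/app on a different ws version than the pin in the playwright template (packages/app/src/lib/core/templates/playwright.ts:8) that the review comment points to; either bump the template in the same PR or state in the description why the browser-test image may run a different ws than the app, so the two versions do not drift silently.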
Justification required for the dev-dependency update (duplicates the issue in the api package).
As with the production dependency in packages/api/package.json, the update of ws to ^8.21.0 in devDependencies lacks:
- A documented specification or rationale
- Information on which changes require this update in the dev environment
- Consistency with the version pinned in the Docker template ([email protected] in packages/app/src/lib/core/templates/playwright.ts:8)
Although this is a dev dependency with less runtime impact, it still represents a supply-chain risk and must be justified according to the coding guidelines.
It is recommended to add to the PR description or a linked issue information on:
- The reason for the update (security fix, bug fix, required feature)
- An assessment of breaking changes
- A plan for synchronizing the versions in the Docker templates
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/app/package.json` at line 124, The devDependency bump of "ws" to
"^8.21.0" in packages/app's package.json lacks justification and conflicts with
the pinned "[email protected]" used in the project's Docker/playwright template and the
change in packages/api/package.json; update the PR or create an associated issue
that documents the reason for the upgrade (security/bug/feature), an assessment
of breaking changes, and a plan to reconcile/sync the version used in the
Docker/playwright template (or intentionally explain why they may differ), and
ensure the package.json change to "ws": "^8.21.0" is either aligned with the
template or accompanied by the documented rationale.
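Both review comments raise the same two checks: whether "^8.21.0" resolves to a published ws release at all, and whether packages/api, packages/app and the playwright template agree. The following is an added example, not code from the repository under review: it implements npm's caret range semantics against a list of published versions and reports unresolvable ranges and divergent resolutions. The published version list and the manifest map are constructed sample data; the template's pin value is a constructed placeholder, not the value from the repository.

```javascript
// Added example (not from the repository under review). Audit every "ws" range
// in the monorepo: does it resolve against published versions, and do all
// manifests agree? Both inputs below are constructed sample data.
const PUBLISHED_WS = ["8.17.1", "8.18.0", "8.20.0", "8.20.1"]; // constructed, not a live registry query

const MANIFESTS = { // constructed; the template pin is a placeholder value
  "packages/api/package.json": "^8.21.0",
  "packages/app/package.json": "^8.21.0",
  "packages/app/src/lib/core/templates/playwright.ts": "8.20.1",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm caret semantics: ^X.Y.Z keeps the leftmost non-zero component fixed.
function satisfiesCaret(v, floor) {
  if (compareVersions(v, floor) < 0) return false;
  if (floor[0] > 0) return v[0] === floor[0];
  if (floor[1] > 0) return v[0] === 0 && v[1] === floor[1];
  return v[0] === 0 && v[1] === 0 && v[2] === floor[2];
}

// Highest published version satisfying a "^X.Y.Z" or exact "X.Y.Z" range, or null if none.
function resolveRange(range, published) {
  const caret = range.startsWith("^");
  const floor = parseVersion(caret ? range.slice(1) : range);
  const hits = published.map(parseVersion)
    .filter((v) => (caret ? satisfiesCaret(v, floor) : compareVersions(v, floor) === 0))
    .sort(compareVersions);
  return hits.length ? hits[hits.length - 1].join(".") : null;
}

// Returns a list of findings; an empty list means every range resolves and all agree.
function auditWsRanges(manifests, published) {
  const findings = [];
  const resolved = {};
  for (const [file, range] of Object.entries(manifests)) {
    resolved[file] = resolveRange(range, published);
    if (resolved[file] === null) findings.push(`${file}: ${range} matches no published ws version`);
  }
  const distinct = new Set(Object.values(resolved).filter((v) => v !== null));
  if (distinct.size > 1) findings.push(`manifests resolve to different ws versions: ${[...distinct].join(", ")}`);
  return findings;
}
```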
This PR contains the following updates:
^8.20.1 → ^8.21.0
cc @skulidropek
Release Notes
websockets/ws (ws)
v8.21.0 (Compare Source)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.