Security: Outdated puppeteer and ws versions [High Severity]

[MaxHamscher]

Outdated puppeteer and ws versions

Reproducing steps

Dependencies in package.json on npm install:

  "dependencies": {
    "react": "^18.3.1",
    "@atlaskit/pragmatic-drag-and-drop": "^1.5.0",
    "@atlaskit/pragmatic-drag-and-drop-react-accessibility": "^1.3.1",
    "@atlaskit/pragmatic-drag-and-drop-react-drop-indicator": "^1.2.0",
}

Terminal Output:

# npm audit report

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/@atlaskit/icon/node_modules/ws
  puppeteer  11.0.0 - 18.1.0
  Depends on vulnerable versions of ws
  node_modules/@atlaskit/icon/node_modules/puppeteer
    @atlaskit/icon  >=23.7.1
    Depends on vulnerable versions of puppeteer
    node_modules/@atlaskit/icon

3 high severity vulnerabilities

Desired fixes

• Update the peer dependencies puppeteer and ws
• By the way: Add React 18.3 support

Current workaround

Add the following overrides to the package.json.

  "overrides": {
    "ws": "^8.18.0",
    "puppeteer": "^22.13.1",
    "@atlaskit/icon": "^23.7.0"
  }

[declan-warn]

Hey @MaxHamscher thanks for raising this.

The affected dependency appears to be coming in transitively from @atlaskit/icon where, as far as I can see, it's only used for some dev-time scripts. I've asked about it internally.

Using NPM overrides or Yarn resolutions is a reasonable workaround until this is resolved 👍