Skip to content

UID2-7491: bump websocket-driver to 0.7.5 (CVE-2026-54466)#1046

Merged
sunnywu merged 1 commit into
mainfrom
syw-UID2-7491-websocket-driver-cve
Jul 17, 2026
Merged

UID2-7491: bump websocket-driver to 0.7.5 (CVE-2026-54466)#1046
sunnywu merged 1 commit into
mainfrom
syw-UID2-7491-websocket-driver-cve

Conversation

@sunnywu

@sunnywu sunnywu commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

Remediates CVE-2026-54466 (CRITICAL) in websocket-driver 0.7.4 → 0.7.5, flagged by the scheduled Trivy vulnerability scan.

Fix

Adds an npm overrides entry "websocket-driver": "^0.7.5" and regenerates package-lock.json. This matches the existing convention in this repo of pinning transitive security fixes in the overrides block (ws, shell-quote, minimatch, …).

Impact assessment

websocket-driver is a dev-only transitive dependency:

@docusaurus/core → webpack-dev-server → sockjs / faye-websocket → websocket-driver

webpack-dev-server only runs during local npm start; the deployed site is a static docusaurus build, so the "message corruption via protocol abuse" attack (which needs a live WS server) is not reachable in production. A clean patch-level fix is available, so we upgrade rather than suppress — this permanently clears the CRITICAL alarm instead of a time-limited .trivyignore.

Jira: UID2-7491

🤖 Generated with Claude Code

Add npm override forcing websocket-driver ^0.7.5 to remediate
CVE-2026-54466 (CRITICAL) flagged by Trivy. websocket-driver is a
dev-only transitive dependency (webpack-dev-server -> sockjs/
faye-websocket) and is not reachable in the static production build,
but a clean patch-level fix is available so we upgrade rather than
suppress.

UID2-7491

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Ticket: UID2-7491
Branch: syw-UID2-7491-websocket-driver-cve
@sunnywu
sunnywu merged commit 0a204c9 into main Jul 17, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants