Skip to content

security: vulnerability remediation#291

Open
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation
Open

security: vulnerability remediation#291
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation

Conversation

@kernel-internal

@kernel-internal kernel-internal Bot commented Jun 17, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown
Contributor

Vulnerability Remediation

This PR was generated by the Socket-centric vulnerability remediation workflow. Review the planned dependency changes and confirmation evidence before merging.

Fixed

CVE/GHSA Package Ecosystem Old Version New Version Manifest Confirmation
GHSA-96hv-2xvq-fx4p ws None 8.20.1 8.21.0 confirmed

Not Included

  • Deferred by batch limit: 7 advisories. They will be considered by future runs.
  • Other deferred scanner findings: 2.
  • Unconfirmed attempted fixes: 0.
Deferred details
CVE/GHSA Package Reason
Unavailable from detector google.golang.org/grpc Non-CVE alert is not handled by dependency remediation.
Unavailable from detector puppeteer-core Non-CVE alert is not handled by dependency remediation.

Note

Low Risk
Dependency-only patch in an e2e test package with no runtime or auth logic changes.

Overview
Bumps the direct ws dependency in server/e2e/bidi from 8.20.1 to 8.21.0 in package.json and package-lock.json, addressing GHSA-96hv-2xvq-fx4p. No application or test source changes—only the BiDi e2e npm manifest and lockfile.

Reviewed by Cursor Bugbot for commit 9a2e72c. Bugbot is set up for automated code reviews on this repo. Configure here.

@socket-security

socket-security Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​ws@​8.20.1 ⏵ 8.21.099 +1100 +1610094100

View full report

@firetiger-agent

firetiger-agent Bot commented Jun 17, 2026

Copy link
Copy Markdown

Created a monitoring plan for this PR.

What this PR does: Patches a security vulnerability (GHSA-96hv-2xvq-fx4p) in the ws WebSocket library used only by the BiDi end-to-end test harness (server/e2e/bidi/). No production code or deployed images are changed.

Intended effect: This is a CI-only dependency bump with no production deployment. There are no production telemetry signals to measure — confirmation is a passing CI run for the server/e2e/bidi test suite after merge.

Risks:

  • e2e test regression — CI server/e2e/bidi suite, alert if tests fail to pass on the merged commit (ws 8.21.0 introduces an API incompatibility with the BiDi test scripts)

View monitor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ulziibay-kernel ulziibay-kernel Awaiting requested review from ulziibay-kernel

At least 1 approving review is required to merge this pull request.

Assignees

@ulziibay-kernel ulziibay-kernel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ulziibay-kernel