Bump ws to 8.20.1 to address GHSA-58qx-3vcg-4xpx#13978
🦋 Changeset detected. Latest commit: e338bee. The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages.
Codeowners approval required for this PR:
Pull request overview
This PR bumps the workspace catalog version of ws to pick up the patched 8.20.1 release for GHSA-58qx-3vcg-4xpx across workspace packages that consume ws via the catalog.
Changes:
- Updates `ws` in `pnpm-workspace.yaml` from `8.18.0` to `8.20.1`.
- Regenerates `pnpm-lock.yaml` for the updated catalog dependency.
- Adds a patch changeset for `miniflare`, `wrangler`, and `@cloudflare/vite-plugin`.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Updates the catalog entry for ws. |
| pnpm-lock.yaml | Updates lockfile resolutions for the catalog ws bump. |
| .changeset/bump-ws-8-20-1.md | Adds release notes for affected packages. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
The workspace catalog pinned ws@8.18.0, which is vulnerable to an uninitialized memory disclosure when a TypedArray is passed as the reason argument to WebSocket.close() (GHSA-58qx-3vcg-4xpx / CVE-2026-45736, fixed upstream in ws@8.20.1). This bump propagates the patched release to miniflare, wrangler, and @cloudflare/vite-plugin, all of which consume `ws` via catalog:default. Two transitive consumers (@cloudflare/puppeteer@1.0.4 and an older miniflare@4.20260317.1 snapshot pulled in elsewhere in the lockfile) still pin 8.18.0 directly — those are outside the scope of a catalog bump and need their own upstream fixes.
Branch force-pushed from e5b89e0 to e338bee.
petebacondarwin
left a comment
I cleaned up the lockfile for you. LGTM - thanks
workers-devprod
left a comment
Codeowners reviews satisfied
Rework the prod/staging npm-audit check to classify by advisory (GHSA) rather than by package, and add an AUDIT_EXCEPTIONS allowlist. Exempt GHSA-96hv-2xvq-fx4p (ws memory-exhaustion DoS): it reaches us only via wrangler -> miniflare, the local dev/test simulator, which never runs in production (the deployed Worker uses Cloudflare's runtime, not miniflare). miniflare pins ws@8.20.1 exactly; the fix is ws@8.21.0, awaiting an upstream bump (follow-up to cloudflare/workers-sdk#13978). Allowlisted advisories surface as a non-blocking WARN, never hidden. Any other high/critical -- including a different future ws advisory, since a new advisory carries a new id -- still fails the gate. Remove the entry once wrangler/miniflare ships the ws bump.
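As an added example of the gate the commit message above describes (written for this page, not the downstream project's own CI script): advisories are keyed by GHSA id rather than by package, allowlisted high/critical ids surface as a non-blocking WARN, and any other high/critical id fails. It assumes the `npm audit --json` shape from npm 7+, where `vulnerabilities[pkg].via` holds advisory objects for the root package and plain package-name strings for packages affected only transitively. The `SAMPLE_AUDIT` report is constructed; the second ws advisory id (`GHSA-0000-0000-0000`) and the `example-dep` entry are placeholders, included to show that a package-level allowlist would have hidden a second advisory on `ws` while an id-level one does not.

```javascript
// Added example of the GHSA-keyed gate the commit message describes; it is not the
// project's own script. ASSUMPTION: input is `npm audit --json` from npm 7+, where
// vulnerabilities[pkg].via holds advisory objects for the root package and plain
// package-name strings for packages that are only affected transitively.
const AUDIT_EXCEPTIONS = {
  // Reason taken from the commit message; drop the entry once miniflare ships ws >= 8.21.0.
  'GHSA-96hv-2xvq-fx4p':
    'ws memory-exhaustion DoS; reached only via wrangler -> miniflare (local dev/test simulator), never in production',
};
const BLOCKING_SEVERITIES = new Set(['high', 'critical']);

function ghsaFromUrl(url) {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i.exec(url || '');
  return m ? m[0] : null;
}

// Walk the audit report and collect one record per advisory id, however many packages
// it reaches through; packages whose `via` holds only strings inherit the root id.
function collectAdvisories(audit) {
  const byId = new Map();
  for (const [pkg, entry] of Object.entries(audit.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via !== 'object' || via === null) continue; // transitive pointer to another package
      const ghsa = ghsaFromUrl(via.url) || (via.source != null ? `npm-${via.source}` : null);
      if (!ghsa || byId.has(ghsa)) continue;
      byId.set(ghsa, { ghsa, pkg, severity: via.severity, title: via.title, range: via.range });
    }
  }
  return [...byId.values()];
}

// Classify by advisory id: allowlisted high/critical -> warn (surfaced, non-blocking),
// any other high/critical -> fail. A new advisory has a new id, so it fails even when
// it lands in a package that already carries an exception.
function classifyAudit(audit, exceptions = AUDIT_EXCEPTIONS) {
  const fail = [];
  const warn = [];
  for (const adv of collectAdvisories(audit)) {
    if (!BLOCKING_SEVERITIES.has(adv.severity)) continue;
    if (Object.prototype.hasOwnProperty.call(exceptions, adv.ghsa)) {
      warn.push({ ...adv, reason: exceptions[adv.ghsa] });
    } else {
      fail.push(adv);
    }
  }
  return { fail, warn };
}

// Constructed sample, not real npm output: the real allowlisted ws advisory, a
// placeholder second ws advisory (id made up), and a moderate one that never blocks.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    ws: {
      name: 'ws', severity: 'high',
      via: [
        { source: 1, name: 'ws', title: 'ws memory exhaustion (constructed summary)', url: 'https://github.com/advisories/GHSA-96hv-2xvq-fx4p', severity: 'high', range: '<8.21.0' },
        { source: 2, name: 'ws', title: 'placeholder future ws advisory (constructed)', url: 'https://github.com/advisories/GHSA-0000-0000-0000', severity: 'high', range: '<9.0.0' },
      ],
      effects: ['miniflare'], range: '<8.21.0', nodes: ['node_modules/ws'], fixAvailable: true,
    },
    miniflare: { name: 'miniflare', severity: 'high', via: ['ws'], effects: ['wrangler'], range: '*', nodes: ['node_modules/miniflare'], fixAvailable: true },
    wrangler: { name: 'wrangler', severity: 'high', via: ['miniflare'], effects: [], range: '*', nodes: ['node_modules/wrangler'], fixAvailable: true },
    'example-dep': {
      name: 'example-dep', severity: 'moderate',
      via: [{ source: 3, name: 'example-dep', title: 'placeholder moderate advisory (constructed)', url: 'https://github.com/advisories/GHSA-1111-1111-1111', severity: 'moderate', range: '<2.0.0' }],
      effects: [], range: '<2.0.0', nodes: ['node_modules/example-dep'], fixAvailable: true,
    },
  },
};

// Usage: `npm audit --json --omit=dev > audit.json && node audit-gate.js audit.json`;
// with no argument the constructed sample is classified instead.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const audit = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_AUDIT;
  const { fail, warn } = classifyAudit(audit);
  for (const a of warn) console.log(`WARN ${a.ghsa} (${a.severity}, ${a.pkg}): allowlisted: ${a.reason}`);
  for (const a of fail) console.log(`FAIL ${a.ghsa} (${a.severity}, ${a.pkg}): ${a.title}`);
  if (file && fail.length > 0) process.exitCode = 1; // only a real report can fail the build
}
```

The exception map carries a reason string next to each id on purpose: the WARN line prints it, so a reviewer reading CI output sees why the advisory is tolerated and what condition (here, miniflare picking up ws 8.21.0) retires the entry.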
Describe your change...

Bumps the workspace catalog entry for `ws` from `8.18.0` to `8.20.1` so that `miniflare`, `wrangler`, and `@cloudflare/vite-plugin` (the three workspace packages that consume `ws` via `catalog:default`) pick up the patched release for GHSA-58qx-3vcg-4xpx / CVE-2026-45736.

The vulnerability is an uninitialized-memory disclosure in `WebSocket.close()` when a `TypedArray` is passed as the `reason` argument. The fix shipped upstream in `ws@8.20.1` (commit `c0327ec`) on 2026-05-12; this PR is the downstream propagation.

Diff summary

- `pnpm-workspace.yaml`: catalog `ws: 8.18.0` → `8.20.1` (one line).
- `pnpm-lock.yaml`: regenerated via `pnpm install`.
- `.changeset/bump-ws-8-20-1.md`: patch changeset for `miniflare`, `wrangler`, `@cloudflare/vite-plugin`.

Out of scope (separate upstreams)

The lockfile still resolves `ws@8.18.0` from two transitive paths that pin it directly rather than via the catalog:

- `@cloudflare/puppeteer@1.0.4` declares `ws@8.18.0` in its own published `package.json`.
- `miniflare@4.20260317.1` is pulled in via `node_modules/.pnpm/...` for some dev-dep path.

Both would need their own bumps in their respective repositories to fully clear the audit warning, and are outside the scope of a catalog change.

Verification

- `pnpm install --filter "miniflare..."` produces a clean lockfile diff (only `ws` entries change).
- `pnpm run build --filter miniflare` succeeds (6/6 tasks, types bundled with 0 errors / 0 warnings).
- `pnpm test:ci --filter miniflare`: 787 tests pass; 20 failures all in `test/plugins/browser/index.spec.ts` (an `undici` JSON-parse failure in browser-rendering tests) — confirmed pre-existing on `main` at the same commit without this change, so unrelated to the bump.
- `ws@8.20.1` release notes confirm the change is security-only with no breaking changes or behavior differences.

`ws@8.18.0` → `8.20.1`); the patched release's notes confirm security-fix only with no API or behavior change, and the existing miniflare test suite (787 unrelated passes) covers the WebSocket surface.

A picture of a cute animal (not mandatory, but encouraged)
🦊
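As an added illustration of the bug class named in the commit message and the description above (written for this page; it is not ws's source and not part of this PR): a close-frame builder that sizes its buffer from `Buffer.byteLength(reason)` but copies with `buf.set(reason, 2)` writes one byte per element, so a `TypedArray` with elements wider than a byte leaves part of an unsafe allocation unwritten and sends it on the wire as the close reason. That this is the precise shape of the ws defect is my assumption from the advisory wording, not something the page confirms. `staleAlloc` is a constructed stand-in for pool memory so the effect is deterministic; `buildCloseFrameFixed` is the hardened counterpart, normalising the reason to a byte `Buffer` first so one length drives both allocation and copy.

```javascript
// Added illustration of the bug class behind GHSA-58qx-3vcg-4xpx, written for this
// page; it is not ws's code. ASSUMPTION: the vulnerable shape sizes the frame with
// Buffer.byteLength(reason) but copies with buf.set(reason, 2), which disagree when
// `reason` is a TypedArray whose elements are wider than one byte.
const MAX_CLOSE_REASON = 123; // RFC 6455 5.5: control payload <= 125 bytes, 2 of them the status code

// Stand-in for Buffer.allocUnsafe that makes stale memory visible: a real pool slab
// holds whatever its previous user left there; here it is a constructed 0xaa fill.
function staleAlloc(size) {
  return Buffer.alloc(size, 0xaa);
}

// Vulnerable shape: the length comes from the byte view, the copy from the element view.
function buildCloseFrameVulnerable(code, reason, alloc = Buffer.allocUnsafe) {
  const length = Buffer.byteLength(reason); // Float64Array(1) -> 8
  if (length > MAX_CLOSE_REASON) throw new RangeError('close reason must be <= 123 bytes');
  const buf = alloc(2 + length);
  buf.writeUInt16BE(code, 0);
  if (typeof reason === 'string') buf.write(reason, 2);
  else buf.set(reason, 2); // copies reason.length ELEMENTS, one byte each, not reason.byteLength bytes
  return buf;
}

// Hardened shape: normalise the reason to a byte Buffer first so one length drives both
// the allocation and the copy, and allocate zeroed memory so nothing stale can leak.
function buildCloseFrameFixed(code, reason) {
  const bytes = typeof reason === 'string'
    ? Buffer.from(reason, 'utf8')
    : Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength);
  if (bytes.length > MAX_CLOSE_REASON) throw new RangeError('close reason must be <= 123 bytes');
  const buf = Buffer.alloc(2 + bytes.length);
  buf.writeUInt16BE(code, 0);
  bytes.copy(buf, 2);
  return buf;
}

// Count payload bytes that still hold the allocator's fill: bytes the sender never
// wrote and that would go on the wire as part of the close reason.
function staleBytes(frame, fill = 0xaa) {
  let n = 0;
  for (let i = 2; i < frame.length; i++) if (frame[i] === fill) n++;
  return n;
}

// Demonstration on a constructed reason: a single 8-byte float element.
function demo() {
  const reason = new Float64Array([1.5]);
  const vuln = buildCloseFrameVulnerable(1000, reason, staleAlloc);
  const fixed = buildCloseFrameFixed(1000, reason);
  const reasonBytes = Buffer.from(reason.buffer, reason.byteOffset, reason.byteLength);
  return {
    vulnerableLeaked: staleBytes(vuln), // 7: one element copied, seven bytes of stale memory sent
    fixedLeaked: staleBytes(fixed), // 0
    fixedPayloadMatchesReason: fixed.subarray(2).equals(reasonBytes),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

A `Buffer` or `Uint8Array` reason does not trigger the vulnerable path (element count and byte length agree), which is why ordinary string and byte-buffer callers never noticed it. To see which lockfile paths still resolve the old version after a catalog bump, `pnpm why -r ws` prints each dependent chain, which is how the two out-of-scope pins in the description surface.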