
Bump ws to 8.20.1 to address GHSA-58qx-3vcg-4xpx #13978

Merged
petebacondarwin merged 1 commit into cloudflare:main from sassyconsultingllc:bump-miniflare-ws-8.20.1 on May 20, 2026

Conversation

sassyconsultingllc (Contributor) commented May 19, 2026

Describe your change...

Bumps the workspace catalog entry for ws from 8.18.0 to 8.20.1 so that miniflare, wrangler, and @cloudflare/vite-plugin (the three workspace packages that consume ws via catalog:default) pick up the patched release for GHSA-58qx-3vcg-4xpx / CVE-2026-45736.

The vulnerability is an uninitialized-memory disclosure in WebSocket.close() when a TypedArray is passed as the reason argument. The fix shipped upstream in ws@8.20.1 (commit c0327ec) on 2026-05-12; this PR is the downstream propagation.

Diff summary

  • pnpm-workspace.yaml: catalog ws: 8.18.0 → 8.20.1 (one line).
  • pnpm-lock.yaml: regenerated via pnpm install.
  • .changeset/bump-ws-8-20-1.md: patch changeset for miniflare, wrangler, @cloudflare/vite-plugin.

Out of scope (separate upstreams)

The lockfile still resolves ws@8.18.0 from two transitive paths that pin it directly rather than via the catalog:

  • @cloudflare/puppeteer@1.0.4 declares ws@8.18.0 in its own published package.json.
  • An older miniflare@4.20260317.1 is pulled in via node_modules/.pnpm/... for some dev-dep path.

Both would need their own bumps in their respective repositories to fully clear the audit warning, and are outside the scope of a catalog change.

Verification

  • pnpm install --filter "miniflare..." produces a clean lockfile diff (only ws entries change).
  • pnpm run build --filter miniflare succeeds (6/6 tasks, types bundled with 0 errors / 0 warnings).
  • pnpm test:ci --filter miniflare: 787 tests pass; 20 failures all in test/plugins/browser/index.spec.ts (an undici JSON-parse failure in browser-rendering tests) — confirmed pre-existing on main at the same commit without this change, so unrelated to the bump.
  • ws@8.20.1 release notes confirm the change is security-only with no breaking changes or behavior differences.

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because: this is a dependency-only patch bump (ws@8.18.0 → 8.20.1); the patched release's notes confirm security-fix only with no API or behavior change, and the existing miniflare test suite (787 unrelated passes) covers the WebSocket surface.
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: no user-facing behavior change; bump is transparent to consumers.

A picture of a cute animal (not mandatory, but encouraged)

🦊



Copilot AI review requested due to automatic review settings May 19, 2026 22:54
changeset-bot (Bot) commented May 19, 2026

🦋 Changeset detected

Latest commit: e338bee

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name                              Type
miniflare                         Patch
wrangler                          Patch
@cloudflare/vite-plugin           Patch
@cloudflare/pages-shared          Patch
@cloudflare/vitest-pool-workers   Patch


@workers-devprod workers-devprod requested review from a team and edmundhung and removed request for a team May 19, 2026 22:55
workers-devprod (Contributor) commented May 19, 2026

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler

Copilot AI (Contributor) left a comment

Pull request overview

This PR bumps the workspace catalog version of ws to pick up the patched 8.20.1 release for GHSA-58qx-3vcg-4xpx across workspace packages that consume ws via the catalog.

Changes:

  • Updates ws in pnpm-workspace.yaml from 8.18.0 to 8.20.1.
  • Regenerates pnpm-lock.yaml for the updated catalog dependency.
  • Adds a patch changeset for miniflare, wrangler, and @cloudflare/vite-plugin.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File Description
pnpm-workspace.yaml Updates the catalog entry for ws.
pnpm-lock.yaml Updates lockfile resolutions for the catalog ws bump.
.changeset/bump-ws-8-20-1.md Adds release notes for affected packages.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Comment thread on pnpm-lock.yaml (outdated)

devin-ai-integration (Bot) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


pkg-pr-new (Bot) commented May 20, 2026
  • create-cloudflare: npm i https://pkg.pr.new/create-cloudflare@13978
  • @cloudflare/kv-asset-handler: npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13978
  • miniflare: npm i https://pkg.pr.new/miniflare@13978
  • @cloudflare/pages-shared: npm i https://pkg.pr.new/@cloudflare/pages-shared@13978
  • @cloudflare/unenv-preset: npm i https://pkg.pr.new/@cloudflare/unenv-preset@13978
  • @cloudflare/vite-plugin: npm i https://pkg.pr.new/@cloudflare/vite-plugin@13978
  • @cloudflare/vitest-pool-workers: npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13978
  • @cloudflare/workers-editor-shared: npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13978
  • @cloudflare/workers-utils: npm i https://pkg.pr.new/@cloudflare/workers-utils@13978
  • wrangler: npm i https://pkg.pr.new/wrangler@13978

commit: e338bee

The workspace catalog pinned ws@8.18.0, which is vulnerable to an
uninitialized memory disclosure when a TypedArray is passed as the
reason argument to WebSocket.close() (GHSA-58qx-3vcg-4xpx /
CVE-2026-45736, fixed upstream in ws@8.20.1).

This bump propagates the patched release to miniflare, wrangler, and
@cloudflare/vite-plugin, all of which consume `ws` via catalog:default.

Two transitive consumers (@cloudflare/puppeteer@1.0.4 and an older
miniflare@4.20260317.1 snapshot pulled in elsewhere in the lockfile)
still pin 8.18.0 directly — those are outside the scope of a catalog
bump and need their own upstream fixes.
petebacondarwin force-pushed the bump-miniflare-ws-8.20.1 branch from e5b89e0 to e338bee on May 20, 2026 12:44

petebacondarwin (Contributor) left a comment

I cleaned up the lockfile for you. LGTM - thanks

workers-devprod (Contributor) left a comment

Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 20, 2026
@petebacondarwin petebacondarwin merged commit fa1f61f into cloudflare:main May 20, 2026
71 of 73 checks passed
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk May 20, 2026
becked pushed a commit to becked/per-ankh that referenced this pull request Jun 17, 2026
Rework the prod/staging npm-audit check to classify by advisory (GHSA)
rather than by package, and add an AUDIT_EXCEPTIONS allowlist. Exempt
GHSA-96hv-2xvq-fx4p (ws memory-exhaustion DoS): it reaches us only via
wrangler -> miniflare, the local dev/test simulator, which never runs in
production (the deployed Worker uses Cloudflare's runtime, not miniflare).
miniflare pins ws@8.20.1 exactly; the fix is ws@8.21.0, awaiting an
upstream bump (follow-up to cloudflare/workers-sdk#13978).

Allowlisted advisories surface as a non-blocking WARN, never hidden. Any
other high/critical -- including a different future ws advisory, since a
new advisory carries a new id -- still fails the gate. Remove the entry
once wrangler/miniflare ships the ws bump.
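An added example, not code from the workers-sdk or per-ankh repositories, of the audit gate the referencing commit above describes: findings from `npm audit --json` are grouped by advisory id (GHSA) rather than by package, an AUDIT_EXCEPTIONS allowlist turns a named advisory into a non-blocking WARN that is still printed, and any other high/critical advisory fails the gate. It assumes the npm audit v2 report shape (`vulnerabilities[pkg].via[]`, where objects carry an advisory and strings name another vulnerable package the exposure runs through); the sample report, the `example-lib`/`other-lib` packages and the ids GHSA-0000-0000-0000 and GHSA-1111-1111-1111 are constructed placeholders, and only GHSA-96hv-2xvq-fx4p comes from the commit.

```javascript
// Added example: an npm-audit gate keyed by advisory id (GHSA) with an
// allowlist, in the spirit of the per-ankh commit above. Not code from
// workers-sdk or per-ankh. Assumes the npm audit v2 JSON report shape
// (vulnerabilities[pkg].via[]: objects for advisories, strings for
// transitive exposure through another vulnerable package).

// Advisory id -> reason it is accepted. Keyed by id, not package, so a new
// advisory against ws (which gets a new id) is not covered by this entry.
const AUDIT_EXCEPTIONS = {
  "GHSA-96hv-2xvq-fx4p":
    "ws memory-exhaustion DoS reached only via wrangler -> miniflare (local dev/test), not the deployed Worker",
};

const BLOCKING_SEVERITIES = new Set(["high", "critical"]);

// Normalise an advisory URL (https://github.com/advisories/GHSA-...) to a
// canonical lowercase id; returns null for non-GHSA sources.
function ghsaIdFromUrl(url) {
  const m = /GHSA-([0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})/i.exec(url || "");
  return m ? `GHSA-${m[1].toLowerCase()}` : null;
}

// Advisory ids a package is exposed to: its own advisory objects plus those
// reached by following string `via` entries (transitive exposure). `path`
// guards against cycles without pruning sibling paths.
function advisoriesFor(pkg, vulns, path = new Set()) {
  const ids = new Set();
  if (path.has(pkg) || !vulns[pkg]) return ids;
  const next = new Set(path).add(pkg);
  for (const via of vulns[pkg].via || []) {
    if (typeof via === "string") {
      for (const id of advisoriesFor(via, vulns, next)) ids.add(id);
    } else {
      const id = ghsaIdFromUrl(via.url);
      if (id) ids.add(id);
    }
  }
  return ids;
}

// Classify every advisory in the report: WARN if allowlisted (reported, never
// hidden), FAIL if high/critical and not allowlisted, INFO otherwise.
function classifyAudit(report, exceptions = AUDIT_EXCEPTIONS) {
  const vulns = report.vulnerabilities || {};
  const byId = new Map();
  for (const v of Object.values(vulns)) {
    for (const via of v.via || []) {
      if (typeof via !== "object") continue;
      const id = ghsaIdFromUrl(via.url);
      if (id && !byId.has(id)) {
        byId.set(id, { id, severity: via.severity, title: via.title, packages: [] });
      }
    }
  }
  // Attribute each package, directly vulnerable or merely depending on one, to
  // the advisories it reaches, so the report shows the full exposure path.
  for (const pkg of Object.keys(vulns)) {
    for (const id of advisoriesFor(pkg, vulns)) byId.get(id).packages.push(pkg);
  }
  const findings = [...byId.values()].map((f) => {
    f.packages.sort();
    if (exceptions[f.id]) return { ...f, status: "WARN", reason: exceptions[f.id] };
    if (BLOCKING_SEVERITIES.has(f.severity)) return { ...f, status: "FAIL", reason: "" };
    return { ...f, status: "INFO", reason: "" };
  });
  findings.sort((a, b) => a.id.localeCompare(b.id));
  return { findings, passed: findings.every((f) => f.status !== "FAIL") };
}

// One line per advisory plus the gate verdict; allowlisted entries stay visible.
function formatReport(result) {
  const lines = result.findings.map((f) =>
    `${f.status} ${f.id} [${f.severity}] ${f.title} -> ${f.packages.join(", ")}` +
    (f.reason ? ` (allowlisted: ${f.reason})` : ""));
  lines.push(result.passed ? "audit gate: PASS" : "audit gate: FAIL");
  return lines.join("\n");
}

// Constructed sample report. example-lib, other-lib, GHSA-0000-0000-0000 and
// GHSA-1111-1111-1111 are placeholders; only GHSA-96hv-2xvq-fx4p is from the commit.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: { severity: "high", via: [{ name: "ws", title: "ws memory-exhaustion DoS",
      url: "https://github.com/advisories/GHSA-96hv-2xvq-fx4p", severity: "high" }] },
    miniflare: { severity: "high", via: ["ws"] },
    wrangler: { severity: "high", via: ["miniflare"] },
    "example-lib": { severity: "critical", via: [{ name: "example-lib", title: "constructed critical advisory",
      url: "https://github.com/advisories/GHSA-0000-0000-0000", severity: "critical" }] },
    "other-lib": { severity: "moderate", via: [{ name: "other-lib", title: "constructed moderate advisory",
      url: "https://github.com/advisories/GHSA-1111-1111-1111", severity: "moderate" }] },
  },
};

console.log(formatReport(classifyAudit(SAMPLE_REPORT)));
```

In CI the sample report would be replaced by the parsed output of `npm audit --json` (read from stdin or a file) and the process exit code set from `passed`; `pnpm audit --json` emits a differently shaped report, so the grouping step would need adapting for a pnpm workspace like this one. Keying the allowlist by GHSA id is what keeps the exemption narrow: the entry for GHSA-96hv-2xvq-fx4p says nothing about any other ws advisory, so a later one against the same package still blocks until it is reviewed.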

Labels

None yet

Projects

Status: Done


4 participants