From 9ee5372404e6943e51876518f8a1ed7bdf48a08c Mon Sep 17 00:00:00 2001
From: le king fu
Date: Sat, 30 May 2026 15:05:10 -0400
Subject: [PATCH] fix(security): override @expo/cli ws to ^8.20.1 (GHSA-58qx-3vcg-4xpx) (#92)

npm audit flagged ws 8.0.0-8.20.0 (moderate, uninitialized memory disclosure) pulled in via expo > @expo/cli > ws@8.20.0. Scope the override to @expo/cli so only the vulnerable 8.x instance is bumped (resolved to 8.21.0); metro's ws@7.5.10 and react-native's ws@6.2.3 stay on their majors to avoid breaking the Metro dev server. All ws here is dev/build tooling (Expo CLI, Metro, react-devtools), absent from the shipped APK, so this was not exploitable in production - but the override clears npm audit and stops the Defenseur re-flagging. npm audit: 0 vulnerabilities. Root smoke green.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 package-lock.json | 10 +++++-----
 package.json | 5 ++++-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 44ba083..098334d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "simpl-liste",
- "version": "1.6.3",
+ "version": "1.6.4",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "simpl-liste",
- "version": "1.6.3",
+ "version": "1.6.4",
 "dependencies": {
 "@expo-google-fonts/inter": "^0.4.2",
 "@expo/ngrok": "^4.1.3",
@@ -6464,9 +6464,9 @@
 }
 },
 "node_modules/expo/node_modules/ws": {
- "version": "8.20.0",
- "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
- "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+ "version": "8.21.0",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+ "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
 "license": "MIT",
 "engines": {
 "node": ">=10.0.0"
diff --git a/package.json b/package.json
index b910cd8..4eecdca 100644
--- a/package.json
+++ b/package.json
@@ -68,7 +68,10 @@
 "esbuild": "^0.25.0",
 "@xmldom/xmldom": "^0.8.13",
 "uuid": "^11.1.1",
- "postcss": "^8.5.10"
+ "postcss": "^8.5.10",
+ "@expo/cli": {
+ "ws": "^8.20.1"
+ }
 },
 "private": true
 }
-- 
2.45.2
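Review bot: The new nested key `"@expo/cli": { "ws": "^8.20.1" }` has no version qualifier on `ws`, so as I read npm's overrides semantics it rewrites any `ws` reached through @expo/cli's dependency tree, not only the 8.x instance the commit targets; the package-lock hunk shows only `node_modules/expo/node_modules/ws` moving to 8.21.0, which supports the scoping today, but a later `npm install` that resolves a 7.x `ws` beneath @expo/cli would be forced onto 8.x, which is exactly the Metro breakage the description says it wants to avoid. A qualified key such as `"ws@8": "^8.20.1"` states the intent explicitly and leaves the 6.x/7.x instances untouched regardless of how the tree is hoisted; please confirm the qualifier form against the npm overrides documentation for the npm version in use. Since package.json cannot carry a comment, the advisory id and the removal condition (drop the override once expo itself ships ws ≥ 8.20.1) are only in git history; a short entry in the project's README or a `// overrides` note in whatever dependency doc the repo keeps would stop the override outliving its reason. The object enclosing this hunk (presumably `overrides`) begins before the hunk.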