fix(security): override @expo/cli ws to ^8.20.1 (GHSA-58qx-3vcg-4xpx) (#92) #94

Merged

maximus merged 1 commit from issue-92-ws-override into master

2026-05-31 19:21:23 +00:00

Author	SHA1	Message	Date
le king fu	9ee5372404	fix(security): override @expo/cli ws to ^8.20.1 (GHSA-58qx-3vcg-4xpx) (#92 ) npm audit flagged ws 8.0.0-8.20.0 (moderate, uninitialized memory disclosure) pulled in via expo > @expo/cli > ws@8.20.0. Scope the override to @expo/cli so only the vulnerable 8.x instance is bumped (resolved to 8.21.0); metro's ws@7.5.10 and react-native's ws@6.2.3 stay on their majors to avoid breaking the Metro dev server. All ws here is dev/build tooling (Expo CLI, Metro, react-devtools), absent from the shipped APK, so this was not exploitable in production - but the override clears npm audit and stops the Defenseur re-flagging. npm audit: 0 vulnerabilities. Root smoke green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 15:05:10 -04:00

Author

SHA1

Message

Date

le king fu

9ee5372404

fix(security): override @expo/cli ws to ^8.20.1 (GHSA-58qx-3vcg-4xpx) (#92 )

npm audit flagged ws 8.0.0-8.20.0 (moderate, uninitialized memory
disclosure) pulled in via expo > @expo/cli > ws@8.20.0. Scope the
override to @expo/cli so only the vulnerable 8.x instance is bumped
(resolved to 8.21.0); metro's ws@7.5.10 and react-native's ws@6.2.3
stay on their majors to avoid breaking the Metro dev server.

All ws here is dev/build tooling (Expo CLI, Metro, react-devtools),
absent from the shipped APK, so this was not exploitable in production
- but the override clears npm audit and stops the Defenseur re-flagging.

npm audit: 0 vulnerabilities. Root smoke green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-30 15:05:10 -04:00