From a64982f226f0be6e44e8de27a5db0b40bff278f4 Mon Sep 17 00:00:00 2001 From: Marc Codina Date: Tue, 16 Jun 2026 10:21:39 +0200 Subject: [PATCH 1/2] fix(vercel/sandbox): bump ws package to v8.21.0 --- packages/sandbox/package.json | 2 +- pnpm-lock.yaml | 170 ++-------------------------------- 2 files changed, 7 insertions(+), 165 deletions(-) diff --git a/packages/sandbox/package.json b/packages/sandbox/package.json index 36e27c0..88dd5ba 100644 --- a/packages/sandbox/package.json +++ b/packages/sandbox/package.json @@ -41,7 +41,7 @@ "@vercel/sandbox": "workspace:*", "async-retry": "1.3.3", "debug": "^4.4.1", - "ws": "^8.18.3", + "ws": "^8.21.0", "zod": "^4.1.1" }, "devDependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index e647078..2989473 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -291,8 +291,8 @@ importers: specifier: ^4.4.1 version: 4.4.3(supports-color@8.1.1) ws: - specifier: ^8.18.3 - version: 8.18.3 + specifier: ^8.21.0 + version: 8.21.0 zod: specifier: ^4.1.1 version: 4.1.5 @@ -2947,14 +2947,6 @@ packages: b4a@1.6.7: resolution: {integrity: sha512-OnAYlL5b7LEkALw87fUVafQw5rVR9RjwGd4KUwNQ6DrrNmaVaUCgLipfVlzrPQ4tWOR9P0IXGNOx50jYCCdSJg==} - b4a@1.8.1: - resolution: {integrity: sha512-aiqre1Nr0B/6DgE2N5vwTc+2/oQZ4Wh1t4NznYY4E00y8LCt6NqdRv81so00oo27D8MVKTpUa/MwUUtBLXCoDw==} - peerDependencies: - react-native-b4a: '*' - peerDependenciesMeta: - react-native-b4a: - optional: true - bail@2.0.2: resolution: {integrity: sha512-0xO6mYd7JB2YesxDKplafRpsiOzPt9V02ddPCLbY1xYGPOX24NTyN50qnUxgCPcSoYMhKpAuBTjQoRZCAkUDRw==} @@ -2968,47 +2960,6 @@ packages: bare-events@2.6.1: resolution: {integrity: sha512-AuTJkq9XmE6Vk0FJVNq5QxETrSA/vKHarWVBG5l/JbdCL1prJemiyJqUS0jrlXO0MftuPq4m3YVYhoNc5+aE/g==} - bare-events@2.9.1: - resolution: {integrity: sha512-Z0oHEHAFDZkffN8Qc39zNZjQlMDkPJRyyyZieU1VH7u8c5S+qHZ2S8ixdKIAxEjfHO7FJxXmJWgteOghVanIsg==} - peerDependencies: - bare-abort-controller: '*' - peerDependenciesMeta: - bare-abort-controller: - optional: true - - bare-fs@4.7.2: - resolution: {integrity: sha512-aTvMFUWkBmjzKtEQMDGGDNF8bkfpD5N1b/FCwt7A3wrU4t1o/e/85Wzkluh6JlODCjqVESYCkQCdTXqZ9G7VFg==} - engines: {bare: '>=1.16.0'} - peerDependencies: - bare-buffer: '*' - peerDependenciesMeta: - bare-buffer: - optional: true - - bare-os@3.9.1: - resolution: {integrity: sha512-6M5XjcnsygQNPMCMPXSK379xrJFiZ/AEMNBmFEmQW8d/789VQATvriyi5r0HYTL9TkQ26rn3kgdTG3aisbrXkQ==} - engines: {bare: '>=1.14.0'} - - bare-path@3.0.1: - resolution: {integrity: sha512-ghj2DSK/2e99a1anTVPCV4m4YIYtrbXhfM7V3D7XZLOTsybnYyaJloymGqssQc8l/or0UoDyRtNQkmkEF/ysgQ==} - - bare-stream@2.13.1: - resolution: {integrity: sha512-Vp0cnjYyrEC4whYTymQ+YZi6pBpfiICZO3cfRG8sy67ZNWe951urv1x4eW1BKNngw3U+3fPYb5JQvHbCtxH7Ow==} - peerDependencies: - bare-abort-controller: '*' - bare-buffer: '*' - bare-events: '*' - peerDependenciesMeta: - bare-abort-controller: - optional: true - bare-buffer: - optional: true - bare-events: - optional: true - - bare-url@2.4.3: - resolution: {integrity: sha512-Kccpc7ACfXaxfeInfqKcZtW4pT5YBn1mesc4sCsun6sRwtbJ4h+sNOaksUpYEJUKfN65YWC6Bw2OJEFiKxq8nQ==} - base64-js@1.5.1: resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==} @@ -3622,9 +3573,6 @@ packages: eventemitter3@5.0.1: resolution: {integrity: sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==} - events-universal@1.0.1: - resolution: {integrity: sha512-LUd5euvbMLpwOF8m6ivPCbhQeSiYVNb8Vs0fQ8QjXo0JTkEHpz8pxdQf0gStltaPpw0Cca8b39KxvK9cfKRiAw==} - eventsource-parser@3.0.6: resolution: {integrity: sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==} engines: {node: '>=18.0.0'} @@ -5435,9 +5383,6 @@ packages: streamx@2.22.1: resolution: {integrity: sha512-znKXEBxfatz2GBNK02kRnCXjV+AA4kjZIUxeWSr3UGirZMJfTE9uiwKHobnbgxWyL/JWro8tTq+vOqAK1/qbSA==} - streamx@2.26.0: - resolution: {integrity: sha512-VvNG1K72Po/xwJzxZFnZ++Tbrv4lwSptsbkFuzXCJAYZvCK5nnxsvXU6ajqkv7chyiI1Y0YXq2Jh8Iy8Y7NF/A==} - string-argv@0.3.2: resolution: {integrity: sha512-aqD2Q0144Z+/RqG52NeHEkZauTAUWJO8c6yTftGJKO3Tja5tUgIfmIl6kExvhtxSDP7fXB6DvzkfMpCd/F3G+Q==} engines: {node: '>=0.6.19'} @@ -5576,16 +5521,10 @@ packages: tar-stream@3.1.7: resolution: {integrity: sha512-qJj60CXt7IU1Ffyc3NJMjh6EkuCFej46zUqJ4J7pqYlThyd9bO0XBTmcOIhSzZJVWfsLks0+nle/j538YAW9RQ==} - tar-stream@3.2.0: - resolution: {integrity: sha512-ojzvCvVaNp6aOTFmG7jaRD0meowIAuPc3cMMhSgKiVWws1GyHbGd/xvnyuRKcKlMpt3qvxx6r0hreCNITP9hIg==} - tar@7.4.3: resolution: {integrity: sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==} engines: {node: '>=18'} - teex@1.0.1: - resolution: {integrity: sha512-eYE6iEI62Ni1H8oIa7KlDU6uQBtqr4Eajni3wX7rpfXD8ysFx8z0+dri+KWEPWpBsxXfxu58x/0jvTVT1ekOSg==} - term-size@2.2.1: resolution: {integrity: sha512-wK0Ri4fOGjv/XPy8SBHZChl8CM7uMc5VML7SqiQ0zG7+J5Vr+RMQDoHa2CNT6KHUnTGIXH34UDMkPzAUyapBZg==} engines: {node: '>=8'} @@ -5597,9 +5536,6 @@ packages: text-decoder@1.2.3: resolution: {integrity: sha512-3/o9z3X0X0fTupwsYvR03pJ/DjWuqqrfwBgTQzdWDiQSm9KitAyz/9WqsT2JQW7KV2m+bC2ol/zqpW37NHxLaA==} - text-decoder@1.2.7: - resolution: {integrity: sha512-vlLytXkeP4xvEq2otHeJfSQIRyWxo/oZGEbXrtEEF9Hnmrdly59sUbzZ/QgyWuLYHctCHxFF4tRQZNQ9k60ExQ==} - throttleit@2.1.0: resolution: {integrity: sha512-nt6AMGKW1p/70DF/hGBdJB57B8Tspmbp5gfJ8ilhLnt7kkr2ye7hzD6NVG8GGErk2HWF34igrL2CXmNIkzKqKw==} engines: {node: '>=18'} @@ -6063,8 +5999,8 @@ packages: wrappy@1.0.2: resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==} - ws@8.18.3: - resolution: {integrity: sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==} + ws@8.21.0: + resolution: {integrity: sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -7781,9 +7717,6 @@ snapshots: optionalDependencies: chokidar: 5.0.0 transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - supports-color '@swc/core-darwin-arm64@1.15.3': @@ -8631,20 +8564,14 @@ snapshots: '@xhmikosr/os-filter-obj': 3.0.0 bin-version-check: 5.1.0 transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - supports-color '@xhmikosr/decompress-tar@8.1.0': dependencies: file-type: 20.5.0 is-stream: 2.0.1 - tar-stream: 3.2.0 + tar-stream: 3.1.7 transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - supports-color '@xhmikosr/decompress-tarbz2@8.1.0': @@ -8655,9 +8582,6 @@ snapshots: seek-bzip: 2.0.0 unbzip2-stream: 1.4.3 transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - supports-color '@xhmikosr/decompress-targz@8.1.0': @@ -8666,9 +8590,6 @@ snapshots: file-type: 20.5.0 is-stream: 2.0.1 transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - supports-color '@xhmikosr/decompress-unzip@7.1.0': @@ -8688,9 +8609,6 @@ snapshots: graceful-fs: 4.2.11 strip-dirs: 3.0.0 transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - supports-color '@xhmikosr/downloader@15.2.0': @@ -8705,9 +8623,6 @@ snapshots: get-stream: 6.0.1 got: 13.0.0 transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - supports-color '@xhmikosr/os-filter-obj@3.0.0': @@ -8835,8 +8750,6 @@ snapshots: b4a@1.6.7: {} - b4a@1.8.1: {} - bail@2.0.2: {} balanced-match@1.0.2: {} @@ -8846,38 +8759,6 @@ snapshots: bare-events@2.6.1: optional: true - bare-events@2.9.1: {} - - bare-fs@4.7.2: - dependencies: - bare-events: 2.9.1 - bare-path: 3.0.1 - bare-stream: 2.13.1(bare-events@2.9.1) - bare-url: 2.4.3 - fast-fifo: 1.3.2 - transitivePeerDependencies: - - bare-abort-controller - - react-native-b4a - - bare-os@3.9.1: {} - - bare-path@3.0.1: - dependencies: - bare-os: 3.9.1 - - bare-stream@2.13.1(bare-events@2.9.1): - dependencies: - streamx: 2.26.0 - teex: 1.0.1 - optionalDependencies: - bare-events: 2.9.1 - transitivePeerDependencies: - - react-native-b4a - - bare-url@2.4.3: - dependencies: - bare-path: 3.0.1 - base64-js@1.5.1: {} better-path-resolve@1.0.0: @@ -9486,12 +9367,6 @@ snapshots: eventemitter3@5.0.1: {} - events-universal@1.0.1: - dependencies: - bare-events: 2.9.1 - transitivePeerDependencies: - - bare-abort-controller - eventsource-parser@3.0.6: {} execa@1.0.0: @@ -11656,15 +11531,6 @@ snapshots: optionalDependencies: bare-events: 2.6.1 - streamx@2.26.0: - dependencies: - events-universal: 1.0.1 - fast-fifo: 1.3.2 - text-decoder: 1.2.7 - transitivePeerDependencies: - - bare-abort-controller - - react-native-b4a - string-argv@0.3.2: {} string-width@1.0.2: @@ -11797,17 +11663,6 @@ snapshots: fast-fifo: 1.3.2 streamx: 2.22.1 - tar-stream@3.2.0: - dependencies: - b4a: 1.8.1 - bare-fs: 4.7.2 - fast-fifo: 1.3.2 - streamx: 2.26.0 - transitivePeerDependencies: - - bare-abort-controller - - bare-buffer - - react-native-b4a - tar@7.4.3: dependencies: '@isaacs/fs-minipass': 4.0.1 @@ -11817,13 +11672,6 @@ snapshots: mkdirp: 3.0.1 yallist: 5.0.0 - teex@1.0.1: - dependencies: - streamx: 2.26.0 - transitivePeerDependencies: - - bare-abort-controller - - react-native-b4a - term-size@2.2.1: {} terminal-link@5.0.0: @@ -11835,12 +11683,6 @@ snapshots: dependencies: b4a: 1.6.7 - text-decoder@1.2.7: - dependencies: - b4a: 1.8.1 - transitivePeerDependencies: - - react-native-b4a - throttleit@2.1.0: {} through@2.3.8: {} @@ -12338,7 +12180,7 @@ snapshots: wrappy@1.0.2: {} - ws@8.18.3: {} + ws@8.21.0: {} wsl-utils@0.1.0: dependencies: From 113036dc5fbc9ceebf008c80a140afadb4934905 Mon Sep 17 00:00:00 2001 From: Marc Codina Date: Tue, 16 Jun 2026 10:23:42 +0200 Subject: [PATCH 2/2] add changeset --- .changeset/bump-ws-cve-2026-48779.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/bump-ws-cve-2026-48779.md diff --git a/.changeset/bump-ws-cve-2026-48779.md b/.changeset/bump-ws-cve-2026-48779.md new file mode 100644 index 0000000..ec81e4d --- /dev/null +++ b/.changeset/bump-ws-cve-2026-48779.md @@ -0,0 +1,5 @@ +--- +"sandbox": patch +--- + +Bump `ws` from `^8.18.3` to `^8.21.0` to address CVE-2026-48779, a high-severity memory exhaustion DoS triggered by a high volume of tiny fragments and data chunks.