Security vulnerability GHSA-6fc8-4gx4-v693 on ws ^3.2.0 dependency

[pedrosanta]

Hello, dependabot just warned me on one of my repositories that "ws": "^3.2.0" has this security vulnerability: GHSA-6fc8-4gx4-v693

The closest fixed version is 5.2.3.

Any upgrade path planned for this?

I'm going to try to help as much as I can, but I'm not familiar with the codebase of the project (just arrived here), but if I can be of help, I will do so.

Any comment from maintainers on this?

[RangerMauve]

@mafintosh @mcollina Would you like any help getting this fixed? Some of my modules are affected by it so I'd be happy to help with the upgrade.

It seems like this would make DoS really easy for anything using websocket-stream for servers which could be annoying.

[mcollina]

@RangerMauve this module needs a lot more maintenance than just this fix. ws ships with its own server implementation for the streams, so there is no need to use it all.

Anyway, if I can add you as an owner on npm. I would recommend pushing to your own repo because we do not have owner rights here.