From 0d0fecad22ee36445cb4ac9ec28276350ab8e1f4 Mon Sep 17 00:00:00 2001 From: Sunny Wu Date: Fri, 17 Jul 2026 12:20:37 +1000 Subject: [PATCH] UID2-7491: bump websocket-driver to 0.7.5 (CVE-2026-54466) Add an npm overrides entry ("websocket-driver": "^0.7.5") to the two affected React example projects and regenerate their package-lock.json, upgrading websocket-driver 0.7.4 -> 0.7.5 to resolve CVE-2026-54466 (CRITICAL). websocket-driver is a dev-only transitive dependency (webpack-dev-server hot reload); the deployed examples are static builds, so the attack vector is not reachable in production. Co-Authored-By: Claude Opus 4.8 Ticket: UID2-7491 Branch: syw-UID2-7491-websocket-driver --- .../react-client-side/package-lock.json | 6 +++--- .../google-secure-signals/react-client-side/package.json | 3 ++- .../javascript-sdk/react-client-side/package-lock.json | 6 +++--- .../javascript-sdk/react-client-side/package.json | 3 ++- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/web-integrations/google-secure-signals/react-client-side/package-lock.json b/web-integrations/google-secure-signals/react-client-side/package-lock.json index 2a52790..1d27259 100644 --- a/web-integrations/google-secure-signals/react-client-side/package-lock.json +++ b/web-integrations/google-secure-signals/react-client-side/package-lock.json @@ -16308,9 +16308,9 @@ } }, "node_modules/websocket-driver": { - "version": "0.7.4", - "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.4.tgz", - "integrity": "sha512-b17KeDIQVjvb0ssuSDF2cYXSg2iztliJ4B9WdsuB6J952qCPKmnVq4DyW5motImXHDC1cBT/1UezrJVsKw5zjg==", + "version": "0.7.5", + "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.5.tgz", + "integrity": "sha512-ZL2+3c7kMBdIRCMz6l8jQMHyGVxj+UL+xVk74Ombiciboca8rHa15L86B19E5oh1pL9Ii/uj54gtsIrZGMo6zA==", "dependencies": { "http-parser-js": ">=0.5.1", "safe-buffer": ">=5.1.0", diff --git a/web-integrations/google-secure-signals/react-client-side/package.json b/web-integrations/google-secure-signals/react-client-side/package.json index c8e97ac..85961e3 100644 --- a/web-integrations/google-secure-signals/react-client-side/package.json +++ b/web-integrations/google-secure-signals/react-client-side/package.json @@ -41,7 +41,8 @@ "@babel/plugin-transform-modules-systemjs": ">=7.29.4", "fast-uri": ">=3.1.2", "shell-quote": "^1.8.4", - "ws": ">=7.5.11" + "ws": ">=7.5.11", + "websocket-driver": "^0.7.5" }, "scripts": { "start": "node server.js", diff --git a/web-integrations/javascript-sdk/react-client-side/package-lock.json b/web-integrations/javascript-sdk/react-client-side/package-lock.json index 1c4583e..36fa71b 100644 --- a/web-integrations/javascript-sdk/react-client-side/package-lock.json +++ b/web-integrations/javascript-sdk/react-client-side/package-lock.json @@ -16284,9 +16284,9 @@ } }, "node_modules/websocket-driver": { - "version": "0.7.4", - "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.4.tgz", - "integrity": "sha512-b17KeDIQVjvb0ssuSDF2cYXSg2iztliJ4B9WdsuB6J952qCPKmnVq4DyW5motImXHDC1cBT/1UezrJVsKw5zjg==", + "version": "0.7.5", + "resolved": "https://registry.npmjs.org/websocket-driver/-/websocket-driver-0.7.5.tgz", + "integrity": "sha512-ZL2+3c7kMBdIRCMz6l8jQMHyGVxj+UL+xVk74Ombiciboca8rHa15L86B19E5oh1pL9Ii/uj54gtsIrZGMo6zA==", "dependencies": { "http-parser-js": ">=0.5.1", "safe-buffer": ">=5.1.0", diff --git a/web-integrations/javascript-sdk/react-client-side/package.json b/web-integrations/javascript-sdk/react-client-side/package.json index 662395b..35f1d38 100644 --- a/web-integrations/javascript-sdk/react-client-side/package.json +++ b/web-integrations/javascript-sdk/react-client-side/package.json @@ -41,7 +41,8 @@ "@babel/plugin-transform-modules-systemjs": ">=7.29.4", "fast-uri": ">=3.1.2", "shell-quote": "^1.8.4", - "ws": ">=7.5.11" + "ws": ">=7.5.11", + "websocket-driver": "^0.7.5" }, "scripts": { "start": "node server.js",