upgrade ws package to to 7.5.1

Jimmy Lai · facebook-github-bot · commit 4c4127772e37 · 2021-07-26T08:41:14.000-07:00
Summary: # Context #674 >There is a security vulnerability with the current version of ws, that requires it to be upgraded to 5.2.3. # In this diff > At a glance, we're affected by at least websockets/ws#1099 in v3.x (here) and websockets/ws@63e275e in v4.x (here). Probably a few other changes as well. Like motiz88 mentioned in the issue, there's only 2 API changes that needed to be fixed: - `upgradeReq` was removed from the web socket object, the fix being to take the URL from the request param instead - `onError` now correctly passes an `ErrorEvent` instead of an `Error` object Those are the only usages of ws in metro that i've seen Reviewed By: GijsWeterings Differential Revision: D29517185 fbshipit-source-id: bac12e7106f09b88877e2e138472a0d981d55200
diff --git a/packages/metro/package.json b/packages/metro/package.json
@@ -63,7 +63,7 @@
     "strip-ansi": "^6.0.0",
     "temp": "0.8.3",
     "throat": "^5.0.0",
-    "ws": "^1.1.5",
+    "ws": "^7.5.1",
     "yargs": "^15.3.1"
   },
   "devDependencies": {
diff --git a/packages/metro/src/HmrServer.js b/packages/metro/src/HmrServer.js
@@ -226,10 +226,10 @@ class HmrServer<TClient: Client> {
     return Promise.resolve();
   }
 
-  onClientError(client: TClient, e: Error): void {
+  onClientError(client: TClient, e: ErrorEvent): void {
     this._config.reporter.update({
       type: 'hmr_client_error',
-      error: e,
+      error: e.error,
     });
     this.onClientDisconnect(client);
   }
diff --git a/packages/metro/src/lib/attachWebsocketServer.js b/packages/metro/src/lib/attachWebsocketServer.js
@@ -19,7 +19,7 @@ type WebsocketServiceInterface<T> = interface {
     sendFn: (data: string) => void,
   ) => Promise<?T>,
   +onClientDisconnect?: (client: T) => mixed,
-  +onClientError?: (client: T, e: Error) => mixed,
+  +onClientError?: (client: T, e: ErrorEvent) => mixed,
   +onClientMessage?: (
     client: T,
     message: string,
@@ -56,9 +56,9 @@ module.exports = function attachWebsocketServer<TClient: Object>({
     path,
   });
 
-  wss.on('connection', async ws => {
+  wss.on('connection', async (ws, req) => {
     let connected = true;
-    const url = ws.upgradeReq.url;
+    const url = req.url;
 
     const sendFn = (...args) => {
       if (connected) {
diff --git a/yarn.lock b/yarn.lock
@@ -7070,6 +7070,11 @@ ws@^7.2.3:
   resolved "https://registry.yarnpkg.com/ws/-/ws-7.2.5.tgz#abb1370d4626a5a9cd79d8de404aa18b3465d10d"
   integrity sha512-C34cIU4+DB2vMyAbmEKossWq2ZQDr6QEyuuCzWrM9zfw1sGc0mYiJ0UnG9zzNykt49C2Fi34hvr2vssFQRS6EA==
 
+ws@^7.5.1:
+  version "7.5.1"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.1.tgz#44fc000d87edb1d9c53e51fbc69a0ac1f6871d66"
+  integrity sha512-2c6faOUH/nhoQN6abwMloF7Iyl0ZS2E9HGtsiLrWn0zOOMWlhtDmdf/uihDt6jnuCxgtwGBNy6Onsoy2s2O2Ow==
+
 xml-name-validator@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-3.0.0.tgz#6ae73e06de4d8c6e47f9fb181f78d648ad457c6a"

Original file line number	Diff line number	Diff line change
`@@ -226,10 +226,10 @@ class HmrServer<TClient: Client> {`
`226`	`226`	`return Promise.resolve();`
`227`	`227`	`}`
`228`	`228`
`229`		`- onClientError(client: TClient, e: Error): void {`
	`229`	`+ onClientError(client: TClient, e: ErrorEvent): void {`
`230`	`230`	`this._config.reporter.update({`
`231`	`231`	`type: 'hmr_client_error',`
`232`		`- error: e,`
	`232`	`+ error: e.error,`
`233`	`233`	`});`
`234`	`234`	`this.onClientDisconnect(client);`
`235`	`235`	`}`