From ab18e77de0ea2496e8d55ea090551f52d2d0983b Mon Sep 17 00:00:00 2001
From: Ian Clanton-Thuon
Date: Sat, 20 Jun 2026 12:32:53 -0700
Subject: [PATCH 1/2] Bump 'ws' to mitigate CVE-2026-48779.
---
 apps/playwright-browser-tunnel/package.json | 4 +-
 .../rush/bump-ws_2026-06-20-19-32-28.json | 10 ++++
 .../bump-ws_2026-06-20-19-32-28.json | 10 ++++
 .../config/subspaces/default/pnpm-lock.yaml | 49 ++++++++-----------
 .../config/subspaces/default/repo-state.json | 2 +-
 rush-plugins/rush-serve-plugin/package.json | 4 +-
 6 files changed, 46 insertions(+), 33 deletions(-)
 create mode 100644 common/changes/@microsoft/rush/bump-ws_2026-06-20-19-32-28.json
 create mode 100644 common/changes/@rushstack/playwright-browser-tunnel/bump-ws_2026-06-20-19-32-28.json
diff --git a/apps/playwright-browser-tunnel/package.json b/apps/playwright-browser-tunnel/package.json
index c2b956d536..b329c9df48 100644
--- a/apps/playwright-browser-tunnel/package.json
+++ b/apps/playwright-browser-tunnel/package.json
@@ -48,7 +48,7 @@
 "@rushstack/terminal": "workspace:*",
 "@rushstack/ts-command-line": "workspace:*",
 "string-argv": "~0.3.1",
- "ws": "~8.20.0",
+ "ws": "~8.21.0",
 "playwright": "1.56.1"
 },
 "devDependencies": {
@@ -56,7 +56,7 @@
 "eslint": "~9.37.0",
 "local-node-rig": "workspace:*",
 "@types/semver": "7.7.1",
- "@types/ws": "8.5.5",
+ "@types/ws": "8.18.1",
 "playwright-core": "~1.56.1",
 "@playwright/test": "~1.56.1",
 "@types/node": "20.17.19"
diff --git a/common/changes/@microsoft/rush/bump-ws_2026-06-20-19-32-28.json b/common/changes/@microsoft/rush/bump-ws_2026-06-20-19-32-28.json
new file mode 100644
index 0000000000..6dad7d39d8
--- /dev/null
+++ b/common/changes/@microsoft/rush/bump-ws_2026-06-20-19-32-28.json
@@ -0,0 +1,10 @@
+{
+ "changes": [
+ {
+ "packageName": "@microsoft/rush",
+ "comment": "Bump `ws` in `rush-serve-plugin` to mitigate CVE-2026-48779.",
+ "type": "none"
+ }
+ ],
+ "packageName": "@microsoft/rush"
+}
\ No newline at end of file
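Review bot: Raising `ws` to `~8.21.0` in the `dependencies` hunk of `apps/playwright-browser-tunnel/package.json` (and in the matching hunk of `rush-plugins/rush-serve-plugin/package.json`) only moves the consumers that resolve the 8.x line. The lockfile context later in this patch still shows a `ws@7.5.10` snapshot that the commit leaves in place. If the advisory's affected range includes 7.x, those transitive consumers need their own upgrade or a pnpm override. If it does not, a sentence in the commit description stating the affected range and the fixed version would settle the question for anyone auditing this fix later; as shown here the description carries only the subject line.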
diff --git a/common/changes/@rushstack/playwright-browser-tunnel/bump-ws_2026-06-20-19-32-28.json b/common/changes/@rushstack/playwright-browser-tunnel/bump-ws_2026-06-20-19-32-28.json
new file mode 100644
index 0000000000..e57c626eee
--- /dev/null
+++ b/common/changes/@rushstack/playwright-browser-tunnel/bump-ws_2026-06-20-19-32-28.json
@@ -0,0 +1,10 @@
+{
+ "changes": [
+ {
+ "packageName": "@rushstack/playwright-browser-tunnel",
+ "comment": "Bump `ws` in `rush-serve-plugin` to mitigate CVE-2026-48779.",
+ "type": "patch"
+ }
+ ],
+ "packageName": "@rushstack/playwright-browser-tunnel"
+}
\ No newline at end of file
diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml
index ffc1682b24..c7f7ad8771 100644
--- a/common/config/subspaces/default/pnpm-lock.yaml
+++ b/common/config/subspaces/default/pnpm-lock.yaml
@@ -326,8 +326,8 @@ importers: specifier: ~0.3.1 version: 0.3.2 ws: - specifier: ~8.20.0 - version: 8.20.0 + specifier: ~8.21.0 + version: 8.21.0 devDependencies: '@playwright/test': specifier: ~1.56.1 @@ -342,8 +342,8 @@ importers: specifier: 7.7.1 version: 7.7.1 '@types/ws': - specifier: 8.5.5 - version: 8.5.5 + specifier: 8.18.1 + version: 8.18.1 eslint: specifier: ~9.37.0 version: 9.37.0 @@ -5162,8 +5162,8 @@ importers: specifier: ~1.0.7 version: 1.0.7(@types/express@4.17.21) ws: - specifier: ~8.20.0 - version: 8.20.0 + specifier: ~8.21.0 + version: 8.21.0 devDependencies: '@rushstack/heft': specifier: workspace:* @@ -5181,8 +5181,8 @@ importers: specifier: 4.17.21 version: 4.17.21 '@types/ws': - specifier: 8.5.5 - version: 8.5.5 + specifier: 8.18.1 + version: 8.18.1 eslint: specifier: ~9.37.0 version: 9.37.0
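Review bot: The `comment` in the new change file for `@rushstack/playwright-browser-tunnel` says the bump is in `rush-serve-plugin`, but the dependency that changed for this package is its own `ws` entry in `apps/playwright-browser-tunnel/package.json`; the text looks copied from the `@microsoft/rush` change file. Because this entry is `"type": "patch"`, it is presumably the line a consumer of this package reads when checking whether their installed version carries the CVE-2026-48779 fix. I would drop the words "in `rush-serve-plugin`" from this comment so that it describes a bump of the package's own `ws` dependency.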
@@ -10433,9 +10433,6 @@ packages: '@types/ws@8.18.1': resolution: {integrity: sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg==} - '@types/ws@8.5.5': - resolution: {integrity: sha512-lwhs8hktwxSjf9UaZ9tG5M03PGogvFaH8gUgLNbN9HKIg0dvv6q+gkSuJ8HN4/VbyxkuLzCjlN7GquQ0gUJfIg==} - '@types/xmldoc@1.1.4': resolution: {integrity: sha512-a/ONNCf9itbmzEz1ohx0Fv5TLJzXIPQTapxFu+DlYlDtn9UcAa1OhnrOOMwbU8125hFjrkJKL3qllD7vO5Bivw==} @@ -18924,8 +18921,8 @@ packages: utf-8-validate: optional: true - ws@8.20.0: - resolution: {integrity: sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==} + ws@8.21.0: + resolution: {integrity: sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -24320,7 +24317,7 @@ snapshots: sockjs: 0.3.24 spdy: 4.0.2 webpack-dev-middleware: 7.4.5(@types/webpack@4.41.32)(webpack@5.105.4) - ws: 8.20.0 + ws: 8.21.0 transitivePeerDependencies: - '@types/webpack' - bufferutil @@ -24903,7 +24900,7 @@ snapshots: fs-extra: 9.1.0 remeda: 0.0.32 source-map-support: 0.5.21 - ws: 8.20.0 + ws: 8.21.0 yargs: 15.4.1 transitivePeerDependencies: - aws-crt @@ -24949,7 +24946,7 @@ snapshots: semver: 7.7.4 typescript: 4.9.5 uuid: 8.3.2 - ws: 8.20.0 + ws: 8.21.0 xstate: 4.26.1 zip-local: 0.3.5 optionalDependencies: @@ -26048,7 +26045,7 @@ snapshots: util-deprecate: 1.0.2 watchpack: 2.4.0 webpack: 4.47.0 - ws: 8.20.0 + ws: 8.21.0 optionalDependencies: typescript: 5.8.2 transitivePeerDependencies: @@ -26975,10 +26972,6 @@ snapshots: dependencies: '@types/node': 22.9.3 - '@types/ws@8.5.5': - dependencies: - '@types/node': 22.9.3 - '@types/xmldoc@1.1.4': {} '@types/yargs-parser@21.0.3': {} @@ -33572,7 +33565,7 @@ snapshots: whatwg-encoding: 3.1.1 whatwg-mimetype: 4.0.0 whatwg-url: 14.2.0 - ws: 8.20.0 + ws: 8.21.0 xml-name-validator: 5.0.0 transitivePeerDependencies: - bufferutil 
@@ -36752,7 +36745,7 @@ snapshots: esbuild-register: 3.6.0(esbuild@0.25.12) recast: 0.23.11 semver: 7.7.4 - ws: 8.20.0 + ws: 8.21.0 optionalDependencies: prettier: 3.8.1 transitivePeerDependencies: @@ -37944,7 +37937,7 @@ snapshots: '@types/serve-index': 1.9.4 '@types/serve-static': 1.15.10 '@types/sockjs': 0.3.36 - '@types/ws': 8.5.5 + '@types/ws': 8.18.1 ansi-html-community: 0.0.8 anymatch: 3.1.3 bonjour-service: 1.3.0 @@ -37968,7 +37961,7 @@ snapshots: spdy: 4.0.2 webpack: 4.47.0 webpack-dev-middleware: 5.3.4(@types/webpack@4.41.32)(webpack@4.47.0) - ws: 8.20.0 + ws: 8.21.0 optionalDependencies: '@types/webpack': 4.41.32 transitivePeerDependencies: @@ -38007,7 +38000,7 @@ snapshots: sockjs: 0.3.24 spdy: 4.0.2 webpack-dev-middleware: 7.4.5(@types/webpack@4.41.32)(webpack@4.47.0) - ws: 8.20.0 + ws: 8.21.0 optionalDependencies: '@types/webpack': 4.41.32 webpack: 4.47.0 @@ -38048,7 +38041,7 @@ snapshots: sockjs: 0.3.24 spdy: 4.0.2 webpack-dev-middleware: 7.4.5(@types/webpack@4.41.32)(webpack@5.105.4) - ws: 8.20.0 + ws: 8.21.0 optionalDependencies: '@types/webpack': 4.41.32 webpack: 5.105.4 @@ -38308,7 +38301,7 @@ snapshots: ws@7.5.10: {} - ws@8.20.0: {} + ws@8.21.0: {} wsl-utils@0.1.0: dependencies: diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index 38def97e85..4479a8d416 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "c5b2dfbe3a23108c497986663aea20fa32e5b27c", + "pnpmShrinkwrapHash": "265008d6cb4e700aad22dea81810ed1f363cbf31", "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c" } diff --git a/rush-plugins/rush-serve-plugin/package.json b/rush-plugins/rush-serve-plugin/package.json index 746c2f1f3a..f09b4ae39e 100644 --- a/rush-plugins/rush-serve-plugin/package.json 
+++ b/rush-plugins/rush-serve-plugin/package.json
@@ -27,7 +27,7 @@
 "cors": "~2.8.5",
 "express": "4.21.1",
 "http2-express-bridge": "~1.0.7",
- "ws": "~8.20.0"
+ "ws": "~8.21.0"
 },
 "devDependencies": {
 "@rushstack/heft": "workspace:*",
@@ -37,7 +37,7 @@
 "@types/compression": "~1.7.2",
 "@types/cors": "~2.8.12",
 "@types/express": "4.17.21",
- "@types/ws": "8.5.5"
+ "@types/ws": "8.18.1"
 },
 "exports": {
 ".": {
From 82c3b2eaf1c11f884ee519325c674f536ef99f7a Mon Sep 17 00:00:00 2001
From: Ian Clanton-Thuon
Date: Sat, 20 Jun 2026 12:33:36 -0700
Subject: [PATCH 2/2] Make the next release of Rush a patch bump.
---
 common/config/rush/version-policies.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/config/rush/version-policies.json b/common/config/rush/version-policies.json
index c045348b81..18bdeaaf7f 100644
--- a/common/config/rush/version-policies.json
+++ b/common/config/rush/version-policies.json
@@ -103,7 +103,7 @@
 "policyName": "rush",
 "definitionName": "lockStepVersion",
 "version": "5.177.0",
- "nextBump": "minor",
+ "nextBump": "patch",
 "mainProject": "@microsoft/rush"
 }
 ]