
fix: bump ws to 8.21.0 via override (CVE-2026-48779) (#326) #327

Merged: DevanshuNEU merged 1 commit into OpenCodeIntel:main from DevanshuNEU:fix/bump-ws-cve-2026-48779 on Jun 17, 2026

Conversation


@DevanshuNEU DevanshuNEU commented Jun 17, 2026

Collaborator

Summary

Forces ws to 8.21.0 across the dependency tree via a package.json overrides, clearing CVE-2026-48779 (HIGH, memory-exhaustion DoS) that was failing the required Trivy Security Scan on every PR.

Closes / implements

What changed

Frontend (frontend/...):

  • package.json - add overrides: { "ws": "^8.21.0" } to force the patched version across the whole tree.
  • bun.lock - ws resolves 8.19.0 -> 8.21.0; no nested 8.19.0 remains.

Why the override (not bun update ws)

ws is transitive only (@supabase/realtime-js -> ws@^8.18.2, happy-dom -> ws@^8.18.3). bun update ws added ws as a direct dep at 8.21.0 but left both transitive consumers pinned at the vulnerable 8.19.0. An overrides entry is the correct mechanism: it rewrites every ws resolution in the tree. Verified: grep ws@8.19.0 bun.lock returns nothing after the change.

How to test

  1. cd frontend && bun install
  2. grep -E 'ws@8\.' bun.lock - expect only ws@8.21.0 (and @types/ws, type defs, unrelated)
  3. bun run typecheck && bun run test && bun run build

Expected: no ws@8.19.0 anywhere; typecheck clean, 13 tests pass, build succeeds. Trivy Security Scan goes green.

Deployment notes

  • No new env vars
  • No DB migration
  • No off-limits files modified (this is bun.lock, not the off-limits bun.lockb)
  • No runtime API change (patch-level WebSocket lib bump, same 8.x major)

Risk and rollback

  • Symptom: if a ws 8.21.0 behavior change regressed the Supabase realtime WebSocket (indexing-progress events), clients would see WS reconnect issues.
  • Blast radius: Supabase realtime channel (indexing progress) + happy-dom test env. Low: same 8.x major, patch+minor bump only.
  • Rollback: revert this PR. Lockfile-only, no migration.
  • Time-to-rollback: < 5 min.

Summary by CodeRabbit

  • Chores
    • Updated package dependency configuration to enforce a specific version resolution for the ws library.

ws@8.19.0 (HIGH, memory-exhaustion DoS) is pulled transitively by
@supabase/realtime-js and happy-dom, failing the required Trivy Security
Scan on every PR. Both parents allow 8.21.0 in-range, so an overrides
entry forces all ws to the patched version.

bun update ws was rejected: it added ws as a direct dep while leaving the
transitive consumers pinned at 8.19.0 (still vulnerable). The override
covers the whole tree.

Frontend typecheck/test/build green; no runtime API change.
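The "bun update ws leaves nested copies" failure mode and the grep-based verification step above can be turned into a mechanical check. The following is an added example, not code from this PR or from the OpenCodeIntel project. It assumes Bun's text lockfile is JSON-like with trailing commas, that its "packages" map is keyed by install path (a nested copy appearing as "happy-dom/ws") and that each entry's first element is "name@version"; the two lockfile fragments are constructed, and every version in them other than ws's is a placeholder.

```javascript
// Added example (not from the PR or the project): audit every resolution of a
// package in a Bun text lockfile against the floor that a package.json
// overrides entry enforces. Lockfile layout is an assumption (see lead-in).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison; negative when a < b.
// (A plain string compare would rank "8.9.0" above "8.21.0".)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Bun's text lockfile permits trailing commas, which JSON.parse rejects.
function parseBunLock(text) {
  return JSON.parse(text.replace(/,(\s*[}\]])/g, "$1"));
}

// Every resolution of `pkg` below `minVersion`, with its install path.
// The name is matched exactly, so "@types/ws" is skipped when pkg is "ws".
function findVulnerableResolutions(lockText, pkg, minVersion) {
  const lock = parseBunLock(lockText);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const spec = entry[0];
    const at = spec.lastIndexOf("@"); // scoped names start with "@"; use the last one
    const name = spec.slice(0, at);
    const version = spec.slice(at + 1);
    if (name !== pkg) continue;
    if (compareVersions(version, minVersion) < 0) hits.push({ path, version });
  }
  return hits;
}

// The floor an override range such as "^8.21.0" enforces; null if no override.
function overrideFloor(packageJson, pkg) {
  const range = packageJson.overrides?.[pkg];
  if (!range) return null;
  return range.replace(/^[\^~>=\s]+/, "");
}

// Gate a CI step can run instead of eyeballing grep output: an override must
// exist for the package, and no resolution may sit below its floor.
function lockfileIsClean(lockText, packageJson, pkg) {
  const floor = overrideFloor(packageJson, pkg);
  if (floor === null) return false;
  return findVulnerableResolutions(lockText, pkg, floor).length === 0;
}

// Constructed state after `bun update ws`: a direct ws@8.21.0 was added, but the
// two transitive consumers still carry their own nested 8.19.0 copies.
const LOCK_AFTER_BUN_UPDATE = `{
  "lockfileVersion": 1,
  "packages": {
    "@supabase/realtime-js": ["@supabase/realtime-js@0.0.0", "", { "dependencies": { "ws": "^8.18.2" } }, "sha512-placeholder"],
    "@supabase/realtime-js/ws": ["ws@8.19.0", "", {}, "sha512-placeholder"],
    "@types/ws": ["@types/ws@0.0.0", "", {}, "sha512-placeholder"],
    "happy-dom": ["happy-dom@0.0.0", "", { "dependencies": { "ws": "^8.18.3" } }, "sha512-placeholder"],
    "happy-dom/ws": ["ws@8.19.0", "", {}, "sha512-placeholder"],
    "ws": ["ws@8.21.0", "", {}, "sha512-placeholder"],
  },
}`;

// Constructed state after the overrides entry: every consumer resolves to the
// single hoisted ws@8.21.0, so no nested copy remains.
const LOCK_WITH_OVERRIDE = `{
  "lockfileVersion": 1,
  "packages": {
    "@supabase/realtime-js": ["@supabase/realtime-js@0.0.0", "", { "dependencies": { "ws": "^8.18.2" } }, "sha512-placeholder"],
    "@types/ws": ["@types/ws@0.0.0", "", {}, "sha512-placeholder"],
    "happy-dom": ["happy-dom@0.0.0", "", { "dependencies": { "ws": "^8.18.3" } }, "sha512-placeholder"],
    "ws": ["ws@8.21.0", "", {}, "sha512-placeholder"],
  },
}`;

// The override the PR adds to frontend/package.json.
const PACKAGE_JSON = { overrides: { ws: "^8.21.0" } };

console.log(findVulnerableResolutions(LOCK_AFTER_BUN_UPDATE, "ws", "8.21.0"));
console.log(lockfileIsClean(LOCK_WITH_OVERRIDE, PACKAGE_JSON, "ws"));
```

The exact-name match is what keeps @types/ws out of the result, which the PR's grep had to exclude by eye; the numeric compare matters because a Trivy-style floor check on a string sort would misorder 8.9.x against 8.21.x.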

vercel Bot commented Jun 17, 2026


@DevanshuNEU is attempting to deploy a commit to the Dev's projects Team on Vercel.

A member of the Team first needs to authorize it.


coderabbitai Bot commented Jun 17, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 292fb6b8-330a-40fa-9a10-ed60614d039b

📥 Commits

Reviewing files that changed from the base of the PR and between 42d6b1c and e831183.

⛔ Files ignored due to path filters (1)
  • frontend/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • frontend/package.json

📝 Walkthrough

Walkthrough

A top-level overrides section is added to frontend/package.json to force the transitive ws dependency to resolve to ^8.21.0, overriding the versions pulled in by @supabase/realtime-js and happy-dom.

Changes

ws Dependency Override

Layer / File(s): frontend/package.json (Pin ws to ^8.21.0 via overrides)
Summary: Adds a top-level overrides block setting ws to ^8.21.0, forcing all transitive dependents to resolve to this version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A tiny ws lurked, exhausted and slow,
So the rabbit patched up package.json just so.
With ^8.21.0 pinned in place,
No more DoS danger, no memory race.
🐇 One override block, the vuln gate goes green!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: bumping ws to 8.21.0 via package.json override to fix CVE-2026-48779.
Linked Issues check ✅ Passed The PR successfully addresses issue #326 by adding an override entry to force ws@^8.21.0 resolution, resolving CVE-2026-48779 per the requirement.
Out of Scope Changes check ✅ Passed All changes are directly scoped to resolving CVE-2026-48779; the override addition to frontend/package.json is the focused, necessary fix with no extraneous modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



vercel Bot commented Jun 17, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: opencodeintel | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 17, 2026 7:12pm

@DevanshuNEU DevanshuNEU merged commit 24b1cca into OpenCodeIntel:main Jun 17, 2026
8 checks passed

Development

Successfully merging this pull request may close these issues.

fix(deps): bump ws to 8.21.0 (CVE-2026-48779, HIGH, DoS)

1 participant