From e831183d38970213376443758dd9343c7cc9e510 Mon Sep 17 00:00:00 2001
From: Devanshu Rajesh Chicholikar
Date: Wed, 17 Jun 2026 15:09:37 -0400
Subject: [PATCH] fix: bump ws to 8.21.0 via override (CVE-2026-48779) (#326)

ws@8.19.0 (HIGH, memory-exhaustion DoS) is pulled transitively by @supabase/realtime-js and happy-dom, failing the required Trivy Security Scan on every PR. Both parents allow 8.21.0 in-range, so an overrides entry forces all ws to the patched version. bun update ws was rejected: it added ws as a direct dep while leaving the transitive consumers pinned at 8.19.0 (still vulnerable). The override covers the whole tree. Frontend typecheck/test/build green; no runtime API change.
---
 frontend/bun.lock | 5 ++++-
 frontend/package.json | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/frontend/bun.lock b/frontend/bun.lock
index d8abc9b..34bb312 100644
--- a/frontend/bun.lock
+++ b/frontend/bun.lock
@@ -67,6 +67,9 @@
 },
 },
 },
+ "overrides": {
+ "ws": "^8.21.0",
+ },
 "packages": {
 "@acemir/cssom": ["@acemir/cssom@0.9.31", "", {}, "sha512-ZnR3GSaH+/vJ0YlHau21FjfLYjMpYVIzTD8M8vIEQvIGxeOXyXdzCI140rrCY862p/C/BbzWsjc1dgnM9mkoTA=="],
@@ -1024,7 +1027,7 @@
 "word-wrap": ["word-wrap@1.2.5", "", {}, "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA=="],
- "ws": ["ws@8.19.0", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg=="],
+ "ws": ["ws@8.21.0", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g=="],
 "xml-name-validator": ["xml-name-validator@5.0.0", "", {}, "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg=="],
diff --git a/frontend/package.json b/frontend/package.json
index 6e83a24..309d04f 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -73,5 +73,8 @@
 "eslint-plugin-react-hooks": "^5.0.0",
 "eslint-plugin-react-refresh": "^0.4.0",
 "typescript-eslint": "^8.0.0"
+ },
+ "overrides": {
+ "ws": "^8.21.0"
 }
 }
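Review bot: The `"overrides": { "ws": "^8.21.0" }` entry added to frontend/package.json carries no removal condition, and since package.json cannot hold a comment the rationale (CVE-2026-48779, the Trivy gate) lives only in this commit message. An override is applied to the whole tree regardless of the ranges @supabase/realtime-js and happy-dom declare, so if either parent later moves to a ws range outside `^8.21.0` the override would silently force the older line back instead of surfacing a conflict. Consider recording the CVE reference and the condition for dropping the entry (both parents requiring >=8.21.0 on their own) in a tracking issue or the frontend's dependency notes, and re-checking the override whenever either parent is bumped.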