
fix: remove bogus ncc dependency that introduces ws vulnerabilities #275

Open
GJaubert wants to merge 1 commit into machulav:main from GJaubert:fix/remove-bogus-ncc-dependency

Conversation

GJaubert commented Apr 20, 2026

Summary

  • Remove ncc (node-chrome-canvas) from dependencies — it was accidentally added in PR #230 ("added the code from pull #224") and is unrelated to @vercel/ncc (the actual build tool, already in devDependencies)
  • This bogus dependency pulls in ws@2.3.1, which has multiple known high-severity vulnerabilities:
    • GHSA-3648-7jhf-9vrq — DoS when handling a request with many HTTP headers
    • CVE-2024-37890 — Denial of Service in ws
  • Regenerate package-lock.json to remove all transitive dependencies from the bogus package

Closes #273

PR machulav#230 accidentally added `ncc` (node-chrome-canvas) to dependencies.
This is unrelated to `@vercel/ncc` (already in devDependencies) and
pulls in ws@2.3.1 which has multiple known vulnerabilities:

- GHSA-3648-7jhf-9vrq (DoS via many HTTP headers — high)
- CVE-2024-37890 (Denial of Service in ws — high)

Remove the bogus dependency and regenerate the lock file.

Closes machulav#273
GJaubert force-pushed the fix/remove-bogus-ncc-dependency branch from b3296c9 to 4ae2523 on April 20, 2026 09:29
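The PR's claim is that one stray entry (`ncc`) is the only thing pulling `ws@2.3.1` into the tree, so deleting it and regenerating the lock file removes the vulnerable package entirely. That is worth verifying from the lockfile rather than assuming. The script below is an added example, not code from this PR or the ec2-github-runner repository: it walks the `packages` map of an npm lockfileVersion 2/3 file, applying npm's nearest-`node_modules` resolution rule, and reports which direct dependency introduces a given package and through which chain. The embedded lockfile is constructed for the example and only mirrors the shape described above (all versions other than `ws@2.3.1` are placeholders); `resolveDep`, `findIntroducers` and `soleIntroducer` are names chosen here.

```javascript
// Added example, not code from the PR or the repository: a lockfile audit that
// answers "which direct dependency pulls in package X, and at what version?"
// so a maintainer can confirm that dropping one entry (here the stray "ncc")
// removes a vulnerable transitive package (here ws@2.3.1) entirely.
// Works on the "packages" map of an npm lockfileVersion 2 or 3 file.

const NM = "node_modules/";

// Package name from a lockfile path; handles scoped names like "@vercel/ncc".
function nameOf(pkgPath) {
  return pkgPath.slice(pkgPath.lastIndexOf(NM) + NM.length);
}

// npm's hoisting rule: a dependency of the package installed at `fromPath`
// resolves to the nearest enclosing node_modules directory that contains it.
// Returns the lockfile path of the resolved package, or null if absent.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + NM + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf(NM);
    base = idx <= 0 ? "" : base.slice(0, idx - 1); // drop trailing "/node_modules/<name>"
  }
}

// For every direct dependency of the root, walk its dependency tree and record
// each path that reaches `target`. Returns [{ direct, section, version, chain }].
function findIntroducers(lock, target) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const results = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const direct of Object.keys(root[section] || {})) {
      const start = resolveDep(packages, "", direct);
      if (!start) continue;
      const seen = new Set();
      const stack = [[start, []]];
      while (stack.length) {
        const [pkgPath, chain] = stack.pop();
        if (seen.has(pkgPath)) continue;
        seen.add(pkgPath);
        const node = packages[pkgPath];
        const nextChain = chain.concat(`${nameOf(pkgPath)}@${node.version}`);
        if (nameOf(pkgPath) === target) {
          results.push({ direct, section, version: node.version, chain: nextChain });
          continue; // no need to descend below the target itself
        }
        for (const dep of Object.keys(node.dependencies || {})) {
          const resolved = resolveDep(packages, pkgPath, dep);
          if (resolved) stack.push([resolved, nextChain]);
        }
      }
    }
  }
  return results;
}

// Name of the single direct dependency that introduces `target`, or null if
// zero or several do. A single name means removing that one entry and
// regenerating the lockfile drops `target` from the tree.
function soleIntroducer(lock, target) {
  const directs = new Set(findIntroducers(lock, target).map((r) => r.direct));
  return directs.size === 1 ? [...directs][0] : null;
}

// Constructed lockfile mirroring the shape the PR describes: a stray "ncc"
// entry in dependencies that brings in ws@2.3.1, next to the real build tool
// @vercel/ncc in devDependencies. All versions except ws@2.3.1 are placeholders.
const SAMPLE_LOCK = {
  name: "sample-action",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { ncc: "*", "@actions/core": "*" },
      devDependencies: { "@vercel/ncc": "*" },
    },
    "node_modules/ncc": { version: "0.0.0", dependencies: { ws: "~2.3.1" } },
    "node_modules/ws": { version: "2.3.1" },
    "node_modules/@actions/core": { version: "0.0.0", dependencies: { "@actions/http-client": "*" } },
    "node_modules/@actions/http-client": { version: "0.0.0", dependencies: { tunnel: "*" } },
    // nested copy shadows the hoisted one for @actions/http-client only
    "node_modules/@actions/http-client/node_modules/tunnel": { version: "0.0.1" },
    "node_modules/tunnel": { version: "0.0.2" },
    "node_modules/@vercel/ncc": { version: "0.0.0" },
  },
};

for (const hit of findIntroducers(SAMPLE_LOCK, "ws")) {
  console.log(`${hit.section}: ${hit.chain.join(" -> ")}`);
}
console.log("sole introducer of ws:", soleIntroducer(SAMPLE_LOCK, "ws"));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. If `soleIntroducer(lock, "ws")` returns the stray entry's name, the PR's removal is sufficient; if it returns null because another direct dependency also reaches `ws`, the regenerated lockfile will still contain it and the fix needs a second look.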


Development

Successfully merging this pull request may close the linked issue: Incorrect ncc package in dependencies introduces ws security vulnerabilities