kurento-client ws package vulnerability

[agonza1]

KMS Version:

Kurento Media Server version: 6.10.0
Found modules:
        'core' version 6.10.0
        'elements' version 6.10.0
        'filters' version 6.10.0

Ubuntu Version

Ubuntu 16.04

Client libraries

• Repo: https://github.com/Kurento/kurento-client-js
• Language: Node.js
• Version: 6.10.0 (latest)

What steps will reproduce the problem?

1. npm install kurento-client
2. npm audit
3. Result: found 3 vulnerabilities (1 low, 2 high)

What is the expected result?
0 vulnerabilities

What happens instead?
found 3 vulnerabilities (1 low, 2 high)

Level	Vulnerability
High	Denial of Service
High	DoS due to excessively large websocket message
Low	Remote Memory Disclosure

Package: ws
Patched in: >= 1.0.1

Does it happen with one of the tutorials?
Yes, all

[agonza1]

Seems to work fine with the following changes. It needs to merge:
Kurento/kurento-jsonrpc-js#1
and
progre/reconnect-ws#1

So we might need to additionally update the reconnect-ws and kurento-jsonrpc-js modules in the package.json

[RobotnickIsrael]

There us another problem with the way it's packed.

Since reconnect-ws, qunit-cli and qunit-reporter-junit are going to github,
it makes kurento-client not installable on computers connected to an idependent artifactory and not to the internet (and therfore no connection to github).
Can you please not use forks as these?

[N-Olbert]

@j1elo Are there any updates on this? I haven't investigated the vulnerabilities, but since two are marked as "high", the current situation does not seem ideal.

[koendhondt]

Hi @j1elo, any idea on when this issue will be picked up? This issue appears to be open for more than 3.5 years now and keeps showing up in our security scans.

[j1elo]

Using #439 to track this.