[Improvement]: @coveo/headless depends on an insecure version of ws

[bbellmyers]

Which product are you using?

Headless

product version

2.73.0

bug description

@coveo/headless version 2.73.0 depends on [email protected], which is flagged as insecure by GitHub (GHSA-3h5v-q93c-6h6q)

Steps to reproduce

While some versions have been back-patched, GitHub still flags if ws version is less than 8.17.1

Relevant log output

npm explain ws: 

[email protected] peer
node_modules/react-native/node_modules/ws
  ws@"^6.2.2" from [email protected]
  node_modules/react-native
    peer react-native@"*" from @react-native/[email protected]
    node_modules/@react-native/virtualized-lists
      @react-native/virtualized-lists@"0.74.85" from [email protected]
    peer react-native@">=0.56" from [email protected]
    node_modules/react-native-get-random-values
      react-native-get-random-values@"^1.11.0" from [email protected]
      node_modules/coveo.analytics
        coveo.analytics@"2.30.6" from @coveo/[email protected]
        node_modules/@coveo/headless
          @coveo/headless@"2.73.0" from the root project

[louis-bompart]

Hi @bbellmyers, We do not automatically consider supply chain vulnerability as bugs: the vulnerable code needs to be used for the product to be vulnerable (and thus qualify as a bug).

In this specific case, ws is only used by react-native-get-random-values, which is used only when using coveo.analytics in a react-native context.
Headless doesn't do so, nor does it support it.

So, while we'll try to 'plug' this hole in the future, we don't think this a bug and will not prioritize it like one.