Fix CVE-2026-45736: Bump ws to ^8.20.1

xuhdev · meta-codesync[bot] · commit a63c99b3fc47 · 2026-05-22T00:00:35.000-07:00
Summary: Bump the `ws` direct dependency in `fbandroid/native/redex/website/package.json` from `^8.18.0` to `^8.20.1` and regenerate `yarn.lock` to fix GHSA-58qx-3vcg-4xpx / CVE-2026-45736, which affects `ws` versions >= 8.0.0 and < 8.20.1 (the project was resolving to 8.18.3). After the bump, the only `ws@8.x` entry in `yarn.lock` resolves to 8.20.1, which includes the security patch. The unrelated `ws@^7.3.1` entry (resolves to 7.5.10, pulled in by `webpack-bundle-analyzer`) is outside the affected range and left untouched. Reviewed By: wsanville Differential Revision: D105980457 fbshipit-source-id: ee6c3a1be8282eba329728a8fc7b3e1e87ed97d1
diff --git a/website/package.json b/website/package.json
@@ -27,7 +27,7 @@
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-router": "7.12.0",
-    "ws": "^8.18.0"
+    "ws": "^8.20.1"
   },
   "resolutions": {
     "on-headers": "^1.1.0",
diff --git a/website/yarn.lock b/website/yarn.lock
@@ -11641,13 +11641,13 @@ write-file-atomic@^3.0.3:
 
 ws@^7.3.1:
   version "7.5.10"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.10.tgz#58b5c20dc281633f6c19113f39b349bd8bd558d9"
+  resolved "https://registry.facebook.net/ws/-/ws-7.5.10.tgz#58b5c20dc281633f6c19113f39b349bd8bd558d9"
   integrity sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==
 
-ws@^8.18.0:
-  version "8.18.3"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.3.tgz#b56b88abffde62791c639170400c93dcb0c95472"
-  integrity sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==
+ws@^8.18.0, ws@^8.20.1:
+  version "8.20.1"
+  resolved "https://registry.facebook.net/ws/-/ws-8.20.1.tgz#91a9ae2b312ccf98e0a85ec499b48cef45ab0ddb"
+  integrity sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==
 
 wsl-utils@^0.1.0:
   version "0.1.0"
