Address App Dependencies Currently Requiring Vulnerable Versions of ws (Bump ws from v8.11.0 to v8.17.1) #840

Closed
aaronskiba opened this issue Aug 2, 2024 · 1 comment

Comments

@aaronskiba (Collaborator) wrote:

Please complete the following fields as applicable:

What version of the DMPRoadmap code are you running? (e.g. v2.2.0)
4.1.1+portage-4.1.2

Expected behaviour:

Actual behaviour:

  • The PR fails to generate due to the following:
    • karma@6.4.1 requires ws@~8.11.0 via a transitive dependency on socket.io-adapter@2.5.2
@aaronskiba (Collaborator, Author) commented:

yarn upgrade karma should solve the issue.

$ yarn why ws
yarn why v1.22.22
[1/4] Why do we have the module "ws"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "ws@8.11.0"
info Reasons this module exists
   - "karma#socket.io#socket.io-adapter" depends on it
   - Hoisted from "karma#socket.io#socket.io-adapter#ws"
info Disk size without dependencies: "180KB"
info Disk size with unique dependencies: "180KB"
info Disk size with transitive dependencies: "180KB"
info Number of shared dependencies: 0
=> Found "engine.io#ws@8.17.1"
info This module exists because "karma#socket.io#engine.io" depends on it.
Done in 0.20s.
// yarn.lock
ws@~8.11.0:
  version "8.11.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.11.0.tgz#6a0d36b8edfd9f96d8b25683db2f8d7de6e8e143"
  integrity sha512-HPG3wQd9sNQoT9xHyNCXoDUa+Xw/VevmY9FoHyQ+g+rrMn4j6FB4np7Z0OhdTgjx6MgQLK7jwSy1YecU1+4Asg==

ws@~8.17.1:
  version "8.17.1"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b"
  integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==
$ yarn upgrade karma
yarn upgrade v1.22.22
warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json.
[1/4] Resolving packages...
warning eslint > file-entry-cache > flat-cache > rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
warning eslint > file-entry-cache > flat-cache > rimraf > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning eslint > file-entry-cache > flat-cache > rimraf > glob > inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
warning karma-webpack > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning karma > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning karma > rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Rebuilding all packages...
success Saved lockfile.
success Saved 88 new dependencies.
info Direct dependencies
└─ karma@6.4.4
info All dependencies
├─ @colors/colors@1.5.0
├─ @socket.io/component-emitter@3.1.2
├─ @types/cookie@0.4.1
├─ @types/cors@2.8.17
├─ ansi-regex@5.0.1
├─ balanced-match@1.0.2
├─ base64id@2.0.0
├─ binary-extensions@2.3.0
├─ body-parser@1.20.2
├─ brace-expansion@1.1.11
├─ cliui@7.0.4
├─ color-convert@2.0.1
├─ color-name@1.1.4
├─ concat-map@0.0.1
├─ connect@3.7.0
├─ content-type@1.0.5
├─ cookie@0.4.2
├─ custom-event@1.0.1
├─ define-data-property@1.1.4
├─ destroy@1.2.0
├─ di@0.0.1
├─ dom-serialize@2.2.1
├─ emoji-regex@8.0.0
├─ encodeurl@1.0.2
├─ engine.io-parser@5.2.3
├─ engine.io@6.5.5
├─ ent@2.2.1
├─ escape-html@1.0.3
├─ eventemitter3@4.0.7
├─ extend@3.0.2
├─ fill-range@7.1.1
├─ finalhandler@1.1.2
├─ flatted@3.3.1
├─ follow-redirects@1.15.6
├─ fs-extra@8.1.0
├─ fs.realpath@1.0.0
├─ get-caller-file@2.0.5
├─ glob@7.2.3
├─ hasown@2.0.2
├─ http-proxy@1.18.1
├─ inflight@1.0.6
├─ inherits@2.0.4
├─ is-extglob@2.1.1
├─ is-fullwidth-code-point@3.0.0
├─ is-number@7.0.0
├─ isbinaryfile@4.0.10
├─ jsonfile@4.0.0
├─ karma@6.4.4
├─ log4js@6.9.1
├─ media-typer@0.3.0
├─ mime-db@1.52.0
├─ mime@2.6.0
├─ mkdirp@0.5.6
├─ negotiator@0.6.3
├─ object-assign@4.1.1
├─ on-finished@2.4.1
├─ path-is-absolute@1.0.1
├─ qjobs@1.2.0
├─ qs@6.11.0
├─ range-parser@1.2.1
├─ raw-body@2.5.2
├─ require-directory@2.1.1
├─ requires-port@1.0.0
├─ rfdc@1.4.1
├─ safer-buffer@2.1.2
├─ set-function-length@1.2.2
├─ setprototypeof@1.2.0
├─ socket.io-adapter@2.5.5
├─ socket.io-parser@4.2.4
├─ socket.io@4.7.5
├─ statuses@2.0.1
├─ streamroller@3.1.5
├─ string-width@4.2.3
├─ tmp@0.2.3
├─ to-regex-range@5.0.1
├─ toidentifier@1.0.1
├─ type-is@1.6.18
├─ ua-parser-js@0.7.38
├─ undici-types@6.13.0
├─ universalify@0.1.2
├─ unpipe@1.0.0
├─ utils-merge@1.0.1
├─ vary@1.1.2
├─ void-elements@2.0.1
├─ wrap-ansi@7.0.0
├─ y18n@5.0.8
├─ yargs-parser@20.2.9
└─ yargs@16.2.0
Done in 4.15s.
aaron@ubuntu:~/Documents/GitHub/roadmap
$ yarn why ws
yarn why v1.22.22
[1/4] Why do we have the module "ws"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "ws@8.17.1"
info Reasons this module exists
   - "karma#socket.io#engine.io" depends on it
   - Hoisted from "karma#socket.io#engine.io#ws"
   - Hoisted from "karma#socket.io#socket.io-adapter#ws"
info Disk size without dependencies: "180KB"
info Disk size with unique dependencies: "180KB"
info Disk size with transitive dependencies: "180KB"
info Number of shared dependencies: 0
Done in 0.18s.

(ws@~8.11.0 is removed from yarn.lock)
(Screenshot attached: "Screenshot from 2024-08-02 11-03-54")

@aaronskiba changed the title from "Address App Dependencies Currently Requiring Vulnerable Versions of ws (Bump from ws@8.11.0 to ws@8.17.1)" to "Address App Dependencies Currently Requiring Vulnerable Versions of ws (Bump ws from v8.11.0 to v8.17.1)" on Aug 2, 2024
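The comment above shows why the fix is "upgrade karma" rather than "upgrade ws": the selector ws@~8.11.0 recorded in yarn.lock can only ever resolve to 8.11.x, so the dependent that declares that range has to move before ws can. The script below is an added example written for this page; it is not code from the DMPRoadmap project or from the commenter. It parses a yarn v1 lockfile (the sample text is constructed from the yarn.lock fragment quoted above), lists every resolved version of a named package below a given fixed version, and reports whether the recorded range could accept the fix at all. The package name and fixed version are inputs chosen here as an assumption; the range check deliberately supports only exact, tilde and caret selectors, with no prerelease handling, and returns null for anything else rather than guessing.

```javascript
// Added example (not DMPRoadmap project code): audit a yarn v1 lockfile for
// resolved versions of a package below a known-fixed version, and say whether
// the range that pulled each one in could even accept the fixed version.
// SAMPLE_LOCK is constructed from the yarn.lock fragment quoted in the issue.
const SAMPLE_LOCK = `
# yarn lockfile v1

ws@~8.11.0:
  version "8.11.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.11.0.tgz#6a0d36b8edfd9f96d8b25683db2f8d7de6e8e143"
  integrity sha512-HPG3wQd9sNQoT9xHyNCXoDUa+Xw/VevmY9FoHyQ+g+rrMn4j6FB4np7Z0OhdTgjx6MgQLK7jwSy1YecU1+4Asg==

ws@~8.17.1:
  version "8.17.1"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b"
  integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==
`;

// Parse yarn v1 lockfile text into entries { selectors, version, resolved, integrity }.
// One header may list several selectors ("ws@^8.0.0, ws@~8.11.0:") resolving to one version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      // Header line: strip trailing ":" and surrounding quotes from each selector.
      const selectors = line.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { selectors, version: null, resolved: null, integrity: null };
      entries.push(current);
      continue;
    }
    // Indented field lines; nested "dependencies:" blocks do not match and are skipped.
    const m = current && line.trim().match(/^(version|resolved|integrity)\s+"?([^"\s]+)"?$/);
    if (m) current[m[1]] = m[2];
  }
  return entries;
}

// Split "name@range" at the last "@" so scoped names ("@scope/pkg@^1.0.0") work.
function splitSelector(selector) {
  const at = selector.lastIndexOf("@");
  return at > 0 ? [selector.slice(0, at), selector.slice(at + 1)] : [selector, "*"];
}

// Compare dotted numeric versions: -1, 0 or 1. Prerelease tags are not handled
// (an assumption of this example, fine for the ws versions on the page).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check for exact, "~x.y.z" and "^x.y.z" selectors.
// Returns null for any other syntax so the caller does not guess.
function satisfiesSimpleRange(version, range) {
  const m = range.match(/^([~^]?)(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return null;
  const [, op, maj, min, pat] = m;
  const base = `${maj}.${min}.${pat}`;
  if (compareVersions(version, base) < 0) return false;
  const [vMaj, vMin, vPat] = version.split(".").map(Number);
  if (op === "~") return vMaj === +maj && vMin === +min;       // >=x.y.z <x.(y+1).0
  if (op === "^") {
    if (+maj > 0) return vMaj === +maj;                         // >=x.y.z <(x+1).0.0
    if (+min > 0) return vMaj === 0 && vMin === +min;           // >=0.y.z <0.(y+1).0
    return vMaj === 0 && vMin === 0 && vPat === +pat;           // ^0.0.z is an exact pin
  }
  return compareVersions(version, base) === 0;                  // exact pin
}

// Every lockfile entry for `name` resolved below `minFixed`, plus a verdict on whether
// re-resolving under the recorded range(s) could reach the fix without touching dependents.
function auditLock(lockText, name, minFixed) {
  return parseYarnLock(lockText)
    .map((e) => ({
      ...e,
      ranges: e.selectors.map(splitSelector).filter(([n]) => n === name).map(([, r]) => r),
    }))
    .filter((e) => e.ranges.length > 0 && e.version && compareVersions(e.version, minFixed) < 0)
    .map((e) => ({
      version: e.version,
      ranges: e.ranges,
      fixReachableInPlace: e.ranges.some((r) => satisfiesSimpleRange(minFixed, r) === true),
    }));
}

for (const hit of auditLock(SAMPLE_LOCK, "ws", "8.17.1")) {
  const advice = hit.fixReachableInPlace
    ? "re-resolving ws under this range can reach the fix"
    : "range excludes the fix; upgrade the dependent that declares it (here karma)";
  console.log(`ws@${hit.version} via ${hit.ranges.join(", ")}: ${advice}`);
}
```

Run against a real yarn.lock by replacing SAMPLE_LOCK with the file contents; a hit whose fixReachableInPlace is false is the situation in this issue, where the only remedy is a newer release of the dependent (socket.io-adapter, pulled in through karma), and the lockfile can be confirmed clean afterwards by re-running the audit and checking that no entry below the fixed version remains.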