2 changes: 1 addition & 1 deletion plugins/assemblyai/package.json
Expand Up @@ -44,7 +44,7 @@
"typescript": "^5.0.0"
},
"dependencies": {
"ws": "^8.16.0"
"ws": "^8.21.0"

🟡 assemblyai plugin uses hardcoded ws version instead of catalog: like all other plugins

Every other plugin in the repository (anam, baseten, cartesia, deepgram, elevenlabs, fishaudio, inworld, liveavatar, minimax, neuphonic, openai, resemble, rime, sarvam, silero, soniox, xai) specifies "ws": "catalog:" which resolves to ^8.18.0 from pnpm-workspace.yaml. The assemblyai plugin instead uses a hardcoded version (^8.21.0), which means it won't benefit from centralized version management. If the catalog ws version is updated in the future, assemblyai will be missed. The PR should have switched this to "ws": "catalog:" and, if needed, bumped the catalog version in pnpm-workspace.yaml to ^8.21.0.

Prompt for agents
The assemblyai plugin hardcodes its ws dependency version as "^8.21.0" rather than using "catalog:" like all other plugins. To fix this consistently:

1. In plugins/assemblyai/package.json, change `"ws": "^8.21.0"` to `"ws": "catalog:"`
2. In pnpm-workspace.yaml, update the catalog entry for ws from `^8.18.0` to `^8.21.0` so all plugins get the security fix

This ensures centralized version management and that the security bump applies consistently across all plugins.

🚩 Security bump scope may be incomplete across the monorepo

The pnpm-workspace.yaml catalog defines ws: ^8.18.0, which all plugins except assemblyai reference via catalog:. Since ^8.18.0 already satisfies >=8.21.0 in semver resolution, the actual installed version in the lockfile may already be 8.21.x for all plugins depending on when pnpm install was last run. However, the catalog minimum floor remains at ^8.18.0, meaning a fresh install could theoretically resolve to 8.18.0–8.20.x for the other plugins if those versions are still available. If this bump is motivated by a security fix in ws 8.21.0, the catalog version in pnpm-workspace.yaml:24 should also be bumped to ensure all plugins enforce the minimum safe version.

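The floor problem raised in the two review comments above can be checked mechanically. The following is an added example, not code from this PR or repository: it resolves `catalog:` through the default catalog and reports every manifest whose `ws` range admits a version below a required minimum or bypasses the catalog. The function names, the two extra manifest paths and the use of 8.21.0 as the required minimum are assumptions for illustration.

```javascript
// Added example. Constructed sample data: the catalog value and the assemblyai range
// are the ones quoted on this page; the other two manifests are illustrative.
const catalog = { ws: "^8.18.0" }; // default `catalog:` section of pnpm-workspace.yaml
const manifests = {
  "plugins/assemblyai/package.json": { dependencies: { ws: "^8.21.0" } },
  "plugins/deepgram/package.json": { dependencies: { ws: "catalog:" } },
  "plugins/openai/package.json": { dependencies: { ws: "catalog:" } },
};

// Parse "8.18.0" into [8, 18, 0]; anything else is rejected rather than guessed at.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// -1, 0 or 1 for a < b, a == b, a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Lowest version a range admits. Only exact "x.y.z" and caret "^x.y.z" are handled;
// for both, the floor is the version written in the range.
function rangeFloor(range) {
  return parseVersion(range.startsWith("^") ? range.slice(1) : range);
}

// Report every manifest whose range for `dep` either admits a version below
// `minVersion` or bypasses the default catalog (so a catalog bump would miss it).
function auditDependency(dep, minVersion, catalog, manifests) {
  const wanted = parseVersion(minVersion);
  const findings = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    const spec = (pkg.dependencies || {})[dep];
    if (spec === undefined) continue;
    const viaCatalog = spec === "catalog:";
    if (viaCatalog && !(dep in catalog)) throw new Error(`no catalog entry for ${dep}`);
    const range = viaCatalog ? catalog[dep] : spec;
    const belowFloor = compareVersions(rangeFloor(range), wanted) < 0;
    if (belowFloor || !viaCatalog) findings.push({ path, range, viaCatalog, belowFloor });
  }
  return findings;
}

console.log(auditDependency("ws", "8.21.0", catalog, manifests));
```

With the sample data, the hardcoded assemblyai range is reported for bypassing the catalog and the two catalog-based manifests are reported for a floor below the minimum; the list is empty once the catalog entry is raised and assemblyai uses `catalog:`.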

},
"peerDependencies": {
"@livekit/agents": "workspace:*",
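Review bot: the `"ws": "^8.21.0"` line under `dependencies` raises the declared floor, but the hunk gives no reason why 8.21.0 is the required minimum, and the lockfile entry has to move with the manifest for the installed version to be guaranteed. Please name the advisory or changelog entry that motivates the bump in the PR description, commit the regenerated pnpm-lock.yaml in the same PR, and confirm the resolved version for this package with `pnpm why ws`.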