npm audit alert being triggered - alchemy-sdk tied to 3-year-old @ethersproject/providers 5.7.2 - with ws 7.x

[respectabiggle]

Sorry if this has been addressed or if I'm missing something obvious.

[REQUIRED] Environment

Win10

• Browser version: none
• Alchemy SDK version: 3.4.7

[REQUIRED] Describe the problem

npm audit shows

ws 7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - GHSA-3h5v-q93c-6h6q
No fix available
node_modules/@ethersproject/providers/node_modules/ws
@ethersproject/providers <=5.7.2
Depends on vulnerable versions of ws
node_modules/@ethersproject/providers
alchemy-sdk *
Depends on vulnerable versions of @ethersproject/providers
node_modules/alchemy-sdk

How to reproduce:

npm audit

Relevant code or sample repro:

all my Alchemy code works fine (thanks)

[doctorloaf]

This has been an ongoing issue. We previously fixed by manually updating the package-lock to the proper versions of ws and elliptic but with the 3.5.0 release it seems like the problem has returned and we have not been able to find the correct versions to override with yet.

This was supposedly fixed in 3.4.3 but we still had to do the manual override. You can see a closed issue here where we raised the problem.

#457

[peterpeterparker]

Sharing in case it's useful to anyone — instead of a manual update, you can also use the overrides field in your package.json, as we do in OISY (here).

"overrides": {
  "ws": "^7.5.10",
  "elliptic": "^6.6.1",
},

This tells npm to override the specific dependency versions, making it less likely they'll be unintentionally updated by other dependency updates.