chore: upgrade ws to ^8.21.0 to address CVE-2026-48779

[brendan-kellam]

Fixes SOU-1342

Addresses CVE-2026-48779, a memory exhaustion DoS in ws where a malicious client can send many tiny WebSocket fragments to cause unbounded memory accumulation before a message is processed. Fixed in ws@8.21.0.

ws is pulled in transitively (via @google/genai, jsdom, and socket.io/engine.io). Refreshing the lockfile bumped most consumers to 8.21.0, but engine.io and socket.io-adapter request ~8.20.1, which cannot reach 8.21.0. Since the only top-level path is react-email → socket.io (a breaking upgrade), a qualified resolutions override keyed to the ~8.20.1 range pins those requesters to ^8.21.0.

Verified with yarn why ws --recursive that all instances now resolve to 8.21.0.

[coderabbitai]

Warning

Review limit reached

@brendan-kellam, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 minute and 59 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 526756bb-673e-45fb-98d9-b294585d38fc

📥 Commits

Reviewing files that changed from the base of the PR and between a6d1d6c and 5f9576f.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• CHANGELOG.md
• package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch linear/sou-1342-sourcebot-devsourcebot-cve-2026-48779-ws-memory-3590

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	2139
Resolved (non-standard)	20
Unresolved	0
Strong copyleft	0
Weak copyleft	39

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
dompurify	3.4.11	(MPL-2.0 OR Apache-2.0)
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (20)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.23	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab) LICENSE file
@react-grab/cli	0.1.29	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab) LICENSE file
@react-grab/mcp	0.1.29	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab) LICENSE file
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	GitHub repo (livebook-dev/codemirror-lang-elixir) LICENSE file
element-source	0.0.3	UNKNOWN	MIT	GitHub repo (aidenybai/element-source) LICENSE file
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	GitHub repo (livebook-dev/lezer-elixir) LICENSE file
map-stream	0.1.0	UNKNOWN	MIT	GitHub repo (dominictarr/map-stream) package.json
memorystream	0.3.1	UNKNOWN	MIT	npm registry 'licenses' object (type field = MIT)
valid-url	1.0.9	UNKNOWN	MIT	GitHub repo (ogt/valid-url) LICENSE file
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0	GitHub repo (PostHog/posthog-js) LICENSE file (own code Apache-2.0; bundles MIT third-party code)
pause-stream	0.0.11	MIT,Apache2	MIT OR Apache-2.0	extracted from license array in npm registry
@sentry/cli	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-darwin	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-linux-arm	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-linux-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-linux-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-linux-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-win32-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-win32-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)
@sentry/cli-win32-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	npm registry (Functional Source License 1.1, MIT future grant; source-available, non-copyleft)