ws@<8.20.1 as a moderate-severity runtime vulnerability
(GHSA-58qx-3vcg-4xpx).
It enters our tree transitively through @remotion/renderer and jsdom.
npm audit fix --force wasn't the right call

```
$ npm audit fix --force
Will install @remotion/renderer@3.0.23, which is a breaking change
```

Forcing the fix downgrades @remotion/renderer from 4.0.457 to 3.0.23 — a
major-version regression. Our demo videos rely on Remotion 4 APIs.
overrides

```jsonc
// orchestkit-demos/package.json
"overrides": {
  "webpack": "^5.104.1",
  "ajv": "^8.17.1",
  "yauzl": "^3.2.1",
  "ws": "^8.20.1"  // ← new
}
```
`overrides` forces transitive deps to a chosen version without
touching direct dependency declarations. @remotion stays at 4.0.457; its
nested `ws` dep gets resolved to the patched 8.20.1.
```
$ npm install
added 496 packages, audited 497 packages in 5s
found 0 vulnerabilities

$ npm ls ws
orchestkit-demos@1.0.0
├─┬ @remotion/renderer@4.0.457
│ └── ws@8.20.1
└─┬ jsdom@27.4.0
  └── ws@8.20.1 deduped
```
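An `npm ls` tree is easy to eyeball once, but an override can silently stop applying after the next lockfile churn. As an added example (not code from the original post or the project), the check below reads the `packages` map of a lockfileVersion 3 `package-lock.json`, finds every installed copy of a package, nested ones included, and reports any below the minimum version the override is meant to enforce. Both lockfiles are constructed inline to mirror the tree above; the pre-override `ws` version is a placeholder.

```javascript
// Added example: verify that an "overrides" entry actually took effect for
// every nested copy of a package in package-lock.json (lockfileVersion 3).
// Both lockfiles below are CONSTRUCTED; they are not the project's real files.
const LOCK_AFTER_OVERRIDE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "orchestkit-demos", version: "1.0.0" },
    "node_modules/@remotion/renderer": { version: "4.0.457" },
    "node_modules/@remotion/renderer/node_modules/ws": { version: "8.20.1" },
    "node_modules/jsdom": { version: "27.4.0" },
    "node_modules/ws": { version: "8.20.1" },
  },
};
// Same tree before the override; the nested ws version is a placeholder.
const LOCK_BEFORE_OVERRIDE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "orchestkit-demos", version: "1.0.0" },
    "node_modules/@remotion/renderer": { version: "4.0.457" },
    "node_modules/@remotion/renderer/node_modules/ws": { version: "8.18.0" },
    "node_modules/jsdom": { version: "27.4.0" },
    "node_modules/ws": { version: "8.20.1" },
  },
};

// Numeric compare of "major.minor.patch" strings; pre-release tags ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lockfile path whose last "node_modules/<name>" segment is `name`
// (top-level or nested), with the version installed there.
function installedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Copies of `name` older than `minVersion`; an empty list means the override held.
function findOutdated(lock, name, minVersion) {
  return installedCopies(lock, name)
    .filter((c) => compareVersions(c.version, minVersion) < 0);
}
```

Wired into CI as `findOutdated(JSON.parse(fs.readFileSync("package-lock.json")), "ws", "8.20.1")`, a non-empty result fails the build even when `npm audit` is quiet.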