Skip to content

Add Deno WebSocket fixed release reference#8593

Draft
cookesan wants to merge 2 commits into
github:cookesan/advisory-improvement-8593from
cookesan:deno-55517-nvd-reference
Draft

Add Deno WebSocket fixed release reference#8593
cookesan wants to merge 2 commits into
github:cookesan/advisory-improvement-8593from
cookesan:deno-55517-nvd-reference

Conversation

@cookesan

@cookesan cookesan commented Jul 7, 2026

Copy link
Copy Markdown

Summary

  • Add the NVD advisory reference for CVE-2026-55517 to GHSA-x2qc-cmh9-f4hf.
  • Add the upstream Deno WebSocket fix PR and v2.7.5 fixed release references.
  • Set the NVD published timestamp to match the NVD record.
  • Keep the affected range, severity, summary, and review metadata otherwise unchanged.

Validation

  • Confirmed the advisory ID is GHSA-x2qc-cmh9-f4hf and its alias is CVE-2026-55517.
  • Confirmed GitHub Advisory metadata maps the advisory to crates.io package deno, fixed in 2.7.5, with vulnerable range <= 2.7.4.
  • Confirmed upstream PR denoland/deno#32594 is merged as commit 0ee75392669d26bc1e051ecd5bdc90b1997ad963 and appears in the v2.7.4...v2.7.5 compare.
  • Confirmed the v2.7.5 release notes include the WebSocket non-ASCII response header fix and reference PR 32594.
  • Confirmed the v2.7.4 source tag has the WebSocket response header to_str().unwrap() markers and lacks the non-ASCII regression test, while v2.7.5 replaces those unwraps with fallible header handling and includes the non-ASCII WebSocket regression test.
  • Confirmed crates.io publishes non-yanked deno versions 2.7.4 and 2.7.5; downloaded artifacts match crates.io SHA-256 checksums 853c7758280f48dd5455dbea0cb6af353e04c9159d2d4ce2624feda5d600aefe and 711d420c34f9d79b4683662c99af12062751722dbddedfce194166b357499faa.
  • Confirmed the NVD API returns exactly one record for CVE-2026-55517, with status Analyzed, source identifier security-advisories@github.com, and published timestamp 2026-06-23T18:18:09.787.
  • Confirmed NVD references the upstream security advisory.
  • Confirmed all advisory reference URLs, including the upstream advisory, NVD detail URL, PR 32594, v2.7.5 release, and package URL, return HTTP 200 with a standard browser user agent.
  • Confirmed there are no duplicate advisory reference URLs.
  • Ran jq empty and git diff --check.

@github-actions github-actions Bot changed the base branch from main to cookesan/advisory-improvement-8593 July 7, 2026 11:23
@cookesan cookesan force-pushed the deno-55517-nvd-reference branch from 2a73f05 to 26c1822 Compare July 7, 2026 12:26
@cookesan cookesan changed the title Add Deno CVE-2026-55517 NVD reference Add Deno WebSocket fixed release reference Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant