upgrade ws to 8.17.1 & jsdom to 24.1.0

[rschnekenbu]

What it does

Fixes #13848

This is a simple update on dependent library, known to have a risk of DoS. I tested the tool, no changes in behavior, and I also di not notice any changes in the logs.

How to test

Since this updates websocket lib, build and open the tool. Observe the logs to make sure we don't get any new entries.

Follow-ups

Review checklist

• As an author, I have thoroughly tested my changes and carefully followed the review guidelines

Reminder for reviewers

• As a reviewer, I agree to behave in accordance with the review guidelines

[msujew]

Question: Is the dependency to 8.16.0 a runtime dependency? As far as I can tell, it is pulled from jsdom. We should probably update that as well.

[rschnekenbu]

@msujew, thanks for having a look to this PR!
Yes, the ^8.13.0 dependency comes from jsdom 21.1.1. The latest version of jsdom 24.1.0) depends on ws as ^8.17.0.

Shall I update jdom to this latest version?
I could also change ws reexported dependency from package/core/package.json to ^8.17.1 instead of ^8.18.0. Not sure what has been the best practice in the project in the past. 8.18.0 is the latest available, 8.17.1 is the first being know without DoS vulnerabiltity.

[msujew]

Looks good to me 👍

[martin-fleck-at]

@rschnekenbu @msujew All CI jobs are now failing because of the minimum Node 18 version in jsdom, i.e.,

error jsdom@24.1.0: The engine "node" is incompatible with this module. Expected version ">=18". Got "16.20.1"
error Found incompatible module.

See for instance: https://github.com/eclipse-theia/theia/actions/runs/9992821246

[rschnekenbu]

Thanks for noticing, @martin-fleck-at! The latest version to support minimum node 16 is the 22.1.0 release. I will create a task and push a fix for it.