We've been getting Dependabot alerts for ws and traced this back to our use of https://www.npmjs.com/package/pm2-metrics. https://github.com/saikatharryc/pm2-prometheus-exporter/blob/master/package.json specifies "pm2": "^4.4.0", which pulls in the old pm2/agent 1.0.8 that pulls in ws ~7.2.0, which is affected by GHSA-6fc8-4gx4-v693. I've seen that pm2@5.1.2's dependencies ultimately pull in an updated ws, so perhaps this could address the Dependabot alerts for consumers of pm2-metrics.
Thanks!
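The dependency chain described in the issue above can be traced mechanically from a lockfile. The following is an added example, not part of the original post or of the pm2-metrics project: it walks a constructed lockfile excerpt to the affected ws and reports whether the declaring range could ever resolve to a fixed release. The function names are hypothetical, and the fixed version 7.4.6 passed in is an assumption to confirm against GHSA-6fc8-4gx4-v693.

```javascript
// Constructed lockfile excerpt (package-lock v2/v3 "packages" layout). Ranges and
// versions the issue does not quote are sample values.
const lock = { packages: {
  "": { dependencies: { "pm2-metrics": "*" } },
  "node_modules/pm2-metrics": { version: "1.0.0", dependencies: { pm2: "^4.4.0" } },
  "node_modules/pm2": { version: "4.4.0", dependencies: { "@pm2/agent": "1.0.8" } },
  "node_modules/@pm2/agent": { version: "1.0.8", dependencies: { ws: "~7.2.0" } },
  "node_modules/ws": { version: "7.2.0" },
} };

// Compare plain x.y.z versions (no pre-release tags).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Can an exact or "~x.y.z" range ever admit a version >= fixedIn? null = not analysed.
function rangeCanReach(range, fixedIn) {
  const m = /^(~?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) return null;
  const upper = m[1] ? `${m[2]}.${Number(m[3]) + 1}.0` : null; // ~7.2.0 -> <7.3.0
  return upper ? cmp(fixedIn, upper) < 0 : cmp(fixedIn, range) <= 0;
}

// Node-style resolution: nearest node_modules/<name>, walking up towards the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("node_modules/");
    base = cut <= 0 ? "" : base.slice(0, cut - 1);
  }
}

// Depth-first walk from the root project; records every chain ending at an unfixed target.
function findVulnerableChains(lockfile, target, fixedIn) {
  const pkgs = lockfile.packages, chains = [];
  const walk = (path, trail, seen) => {
    for (const [name, range] of Object.entries(pkgs[path].dependencies || {})) {
      const dep = resolveDep(pkgs, path, name);
      if (!dep || seen.has(dep)) continue;
      const step = trail.concat(`${name}@${pkgs[dep].version} (${range})`);
      if (name === target && cmp(pkgs[dep].version, fixedIn) < 0)
        chains.push({ chain: step, fixableInRange: rangeCanReach(range, fixedIn) });
      walk(dep, step, new Set(seen).add(dep));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(JSON.stringify(findVulnerableChains(lock, "ws", "7.4.6"), null, 2));
```

A `fixableInRange` of `false` means a lockfile refresh in the consuming project cannot clear the alert; the range has to change upstream, which is what the pm2 bump proposed above would do.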