search

admc / wd

A node.js client for webdriver/selenium 2.
Other
1.53k stars 404 forks source link

Two vulnerabilities are introduced in the package #628

Open paimon0715 opened 3 years ago

paimon0715 commented 3 years ago

Hi @admc ,I’d like to report two vulnerabilities

Issue

There are two vulnerabilities (1 high and 1 low severity) introduced in wd.The details are as follows: In wd@0.3.*:Vulnerability npmjs-advisories-1464 (high severity) is detected in package cryptiles(versions:>=0.0.1 <4.1.2):https://www.npmjs.com/advisories/1464 In wd@0.2.*: One is vulnerability npmjs-advisories-1464,the other is vulnerability CVE-2017-16137 (low severity),which is detected in package debug(versions:>=1.0.0 <2.6.9,>=3.0.0 <3.1.0):https://snyk.io/vuln/npm:debug:20170905 The above vulnerable packages are referenced by wd via: 1.wd@0.3.12 ➔ request@2.55.0 ➔ hawk@2.3.1 ➔ cryptiles@2.0.5 2.wd@0.2.27 ➔ request@2.36.0 ➔ hawk@1.0.0 ➔ cryptiles@0.2.2 wd@0.2.27 ➔ archiver@0.10.1 ➔ zip-stream@0.3.7 ➔ debug@1.0.5

Solution

Since *_wd@0.3._ is transitively referenced by 83** downstream projects (e.g., gulp-metal 2.2.3 (latest version),duo 0.15.7 (latest version), duo-test 0.4.1 (latest version), grunt-mocha-webdriver 1.2.2 (latest version), skatejs-build 12.2.0(latest version)),

*_wd@0.2._ is referenced by 47** downstream projects (e.g., yiewd 0.6.0 (latest version), yeti 0.2.29 (latest version), yogi 0.1.13 (latest version), wd-sync 1.2.5 (latest version), awesome 0.0.7 (latest version)),

If wd removes the vulnerable package from the above versions, then its fixed versions can help downstream users decrease their pain.It’s kind of you to update packages in these versions.

Fixing suggestions

(1)In *_wd@0.3._**, you can kindly try to perform the following upgrade (not crossing its major versions): request ~2.55.0 ➔ 2.84.0;

Note: request 2.84.0 transitively depends on cryptiles@4.1.3(a vulnerability npmjs-advisories-1464 patched version)

(2)In *_wd@0.2._**, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. request ~2.36.0 ➔ 2.84.0;

Note: request 2.84.0 transitively depends on cryptiles@4.1.3(a vulnerability npmjs-advisories-1464 patched version)

  1. archiver ~0.10.0 ➔ ~0.6.1;

Note: archiver@0.6.1,(>=0.6.1 <0.8.0) transitively depends on debug@0.7.4(a version without vulnerability CVE-2017-16137)

Thank you for your attention to this issue!

Sincerely yours, Paimon

paimon0715 commented 3 years ago

Many active downstream users transitively use the lower versions of wd (@0.3. and @0.2. ) (introduced vulnerablities) via unmaintained packages (cannot update their dependencies).If wd@0.3. ,@0.2. can fix the issues, the vulnerable patches can be automatically propagated into the active downstream projects.

jlipps commented 2 years ago

Hi @paimon0715 unfortunately this project isn't maintained. If you want to make the appropriate vuln fixes and submit as a PR, I'm happy to merge and publish a new version.

timstallmann commented 4 months ago

Opened #641 to address this