SymbioticKilla opened this issue 3 years ago (status: Open)
Good question for the maintainers. @IgorMinar @dgp1130 @mgechev Do you have information about the next steps for maintaining this package?
The issue here is about a regex DDoS vulnerability. This is pretty low risk as Protractor is not intended for production use or running on untrusted inputs.
The fix seems pretty easy, as our usage of chalk is quite minimal and an update should be straightforward. The trickier part is that the repository is not currently in a releasable state. I'm hoping to spend some time soon to clean things up, fix CI, and get things back into a good state. Once that happens, this should be an easy and uncontroversial fix.
@dgp1130 Thanks for the update! Do you also have plans to consider https://github.com/angular/protractor/pull/5516 and release a Protractor with W3C-compliant Selenium? I hope we won't go back to v7 with the deprecated control flow...
I am facing a high security issue and the affected component is ansi-regex@2.1.1.

protractor@5.4.4
`-- chalk@1.1.3
  `-- has-ansi@2.0.0
    `-- ansi-regex@2.1.1
How can I resolve this? @dgp1130
@shubham0827 I suggest making your own fork of Protractor and maintaining it yourself. Due to the lack of responses and activity from the Angular team, it is a very high risk for a business to rely on official Angular solutions. There have been 2 years of no activity on the repo and no plan/roadmap.
> There have been 2 years of no activity on the repo and no plan/roadmap.
@StanislavKharchenko, see https://github.com/angular/protractor/issues/5502
@alan-agius4 In regards to #5502 there was a final decision and agreement to continue Protractor in the form of v6. But the repository is still abandoned.
@StanislavKharchenko, there wasn't a final decision about that; in fact the following is stated in the linked comment.
> For point (3), we are exploring the possibility of a shared ownership of the project with other enterprise partners. This effort will keep Protractor going in the form of version 6
To my knowledge, there wasn't much interest from enterprise partners about shared ownership. Although probably @dgp1130 and @mgechev will know more about it.
Back to the original issue, the mentioned CVE doesn't seem to affect ansi-regex@2.1.1, at least according to the CVE report https://nvd.nist.gov/vuln/detail/CVE-2021-3807. In fact the affected versions are 3.0.0 up to 5.0.1 and 6.0.0 up to 6.0.1.
I also tried this out locally and npm didn't report any vulnerability.
npm i protractor@7
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
+ protractor@7.0.0
added 151 packages from 190 contributors and audited 151 packages in 6.785s
4 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
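Added example, not code from the Protractor project or from any participant in this thread: a small Node script that walks a nested dependency tree (the shape of an `npm ls` / package-lock v1 "dependencies" object) and flags every ansi-regex version that falls inside the CVE-2021-3807 ranges quoted above (3.0.0 to 5.0.1 and 6.0.0 to 6.0.1). The sample tree is constructed to mirror the protractor > chalk > has-ansi > ansi-regex@2.1.1 chain from this thread; the `hypothetical-tool` package and its ansi-regex@5.0.0 path are invented for contrast and are not real Protractor dependencies.

```javascript
// Added example (not Protractor project code). Checks a dependency tree for
// ansi-regex versions inside the CVE-2021-3807 affected ranges as quoted in
// the thread (3.0.0..5.0.1 and 6.0.0..6.0.1). Runs offline on a constructed tree.

// Inclusive [low, high] ranges from the CVE report cited in the thread.
const AFFECTED_RANGES = [
  ['3.0.0', '5.0.1'],
  ['6.0.0', '6.0.1'],
];

// Minimal semver parsing: major.minor.patch only (prerelease/build ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing numerically per component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside any affected range (bounds inclusive).
function isAffected(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0,
  );
}

// Recursively walk { name: { version, dependencies: {...} } } and collect
// every path ending at `pkg`, with the resolved version and a verdict.
function findPackage(tree, pkg, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) {
      hits.push({ path: here.join(' > '), version: node.version, affected: isAffected(node.version) });
    }
    if (node.dependencies) {
      hits.push(...findPackage(node.dependencies, pkg, here));
    }
  }
  return hits;
}

// Constructed tree: the real chain from this thread plus a hypothetical
// second path (hypothetical-tool is NOT a Protractor dependency).
const SAMPLE_TREE = {
  protractor: {
    version: '7.0.0',
    dependencies: {
      chalk: {
        version: '1.1.3',
        dependencies: {
          'has-ansi': {
            version: '2.0.0',
            dependencies: { 'ansi-regex': { version: '2.1.1' } },
          },
        },
      },
      'hypothetical-tool': {
        version: '1.0.0',
        dependencies: { 'ansi-regex': { version: '5.0.0' } },
      },
    },
  },
};

// Entry point used by the test and by the CLI run below.
function report(tree) {
  return findPackage(tree, 'ansi-regex');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of report(SAMPLE_TREE)) {
    console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} ${hit.path}`);
  }
}
```

To run this against a real project, replace `SAMPLE_TREE` with `JSON.parse(fs.readFileSync('package-lock.json')).dependencies` (lockfile v1 layout) or build the same shape from `npm ls --json`. The point the thread makes is visible in the output: the 2.1.1 copy reached through chalk@1.1.3 is outside both ranges, so `npm audit` reporting 0 vulnerabilities for it is consistent with the CVE record, whereas a 5.0.0 copy on another path would be flagged.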
> To my knowledge, there wasn't much interest from enterprise partners about shared ownership. Although probably @dgp1130 and @mgechev will know more about it.
@alan-agius4 This is also not true. I, and not only I, contacted Keen at first, then Angular devrel, and the last thing I heard was that the possibility of Protractor shared ownership is under consideration (we talked about this in the summer of 2021). I personally offered to help with upgrading and maintaining Protractor (https://github.com/angular/protractor/pull/5516 was the first attempt). I don't know what happened with the Angular team in general, but all proposals for Protractor's continuation were rejected one by one. Finally, I decided to fix Protractor v6-ish in a forked repo and use my own solution. And I advise the same approach for everyone whose e2e business has suffered from indecision and your (Angular team) inaction.
protractor@7.0.0
`-- chalk@1.1.3
  `-- has-ansi@2.0.0
    `-- ansi-regex@2.1.1

Hi,
is there any chance to update to chalk v2+? They dropped the has-ansi dependency.
Thank you!