search

angular / webdriver-manager

A binary manager for E2E testing
MIT License
224 stars 116 forks source link

Vulnerability introduced by package adm-zip #499

Open paimon0715 opened 3 years ago

paimon0715 commented 3 years ago

Hi @cnishina ,a high severity vulnerability is introduced in your package

Issue

1 vulnerability (high severity) is introduced in webdriver-manager: Vulnerability SNYK-JS-ADMZIP-1065796 (high severity) is detected in package adm-zip(versions:<0.5.2):https://snyk.io/vuln/SNYK-JS-ADMZIP-1065796 The above vulnerable package is referenced by webdriver-manager via: webdriver-manager@12.1.8 ➔ adm-zip@0.4.16

Solution

Since *_webdriver-manager@12.1._ is transitively referenced by 248** downstream projects (e.g., protractor 7.0.0 (latest version), grunt-protractor-runner 5.0.0 (latest version), gulp-protractor 4.1.1 (latest version), protractor-flake 4.0.0 (latest version), @types/protractor 4.0.0(latest version)),

*_webdriver-manager@10.3._ is referenced by 26** downstream projects (e.g., protractor-perf 0.2.3 (latest version), sabium-framework 3.10.1030 (latest version), elementor 2.1.0 (latest version), wix-node-build 1.1.220 (latest version), gulp-binarta-template 0.0.68 (latest version)),

*_webdriver-manager@12.0._ is referenced by 4** downstream projects (opal-setup 0.4.6 (latest version), @torpadev/orpa-setup 0.2.11 (latest version), @torpadev/orpa-setup-dev 0.1.3 (latest version), @telligro/opal-setup 0.3.1 (latest version)),

If webdriver-manager removes the vulnerable package from the above versions, then its fixed versions can help downstream users decrease their pain.

Could you help update packages in these versions?

Fixing suggestions

(1)In *_webdriver-manager@12.1._**, you can kindly perform the following upgrades (not crossing their major versions): adm-zip ^0.4.9 ➔ ^0.5.2;

Note: adm-zip@0.5.2(>=0.5.2) has fixed the vulnerability SNYK-JS-ADMZIP-1065796

(2)In *_webdriver-manager@10.3._**, you can kindly perform the following upgrades (not crossing their major versions): adm-zip ^0.4.7 ➔ ^0.5.2;

Note: adm-zip@0.5.2(>=0.5.2) has fixed the vulnerability SNYK-JS-ADMZIP-1065796

(3)In *_webdriver-manager@12.0._**, you can kindly perform the following upgrades (not crossing their major versions): adm-zip ^0.4.7 ➔ ^0.5.2;

Note: adm-zip@0.5.2(>=0.5.2) has fixed the vulnerability SNYK-JS-ADMZIP-1065796

Thank you for your contribution!

Best regards, Paimon

paimon0715 commented 3 years ago

Lots of active downstream users transitively use the lower versions of webdriver-manager(@10.3. and @12.0. ) (introduced vulnerablities) via unmaintained packages (cannot update their dependencies).If webdriver-manager@10.3. and @12.0. can fix the issues, the vulnerable patches can be automatically propagated into the active downstream projects.

StanislavKharchenko commented 3 years ago

adm-zip was set as non-strict version as web driver-manager dependency. With "^" it means (as far as I know) that during install you will get latest minor version of selected package.

StanislavKharchenko commented 3 years ago

Hmm, I just saw that in my case was installed adm-zip 0.4.16. I'm using webdriver-manager 13.0 where adm-zip set to 0.4.13.

StanislavKharchenko commented 3 years ago

@paimon0715 maybe you can submit a PR and @angular team will merge it?

paimon0715 commented 3 years ago

@StanislavKharchenko Thanks for your feedback. It would be better if webdriver-manager can fix this issue in versions 12.1. , 12.0. , 10.3.*, and release them to npm. Then this vulnerbility patch can be automatically propagated into a large amount of downstream projects :) I have submitted a PR https://github.com/angular/webdriver-manager/pull/500, please check it. Thanks again.

StanislavKharchenko commented 3 years ago

@paimon0715 Thanks for your PR. It should be approved by @angular team before merge. @kyliau @Splaktar could you please check? This related to security vulnerabilities.

paimon0715 commented 3 years ago

@StanislavKharchenko @kyliau @Splaktar Thanks for your help.