angular / webdriver-manager

A binary manager for E2E testing
MIT License

CVE-2023-28155 webdriver-manager depends on vulnerable version of protractor #519

Open tambor81 opened 1 year ago

tambor81 commented 1 year ago

Currently the following CVE is affecting our daily build because of this CVE-2023-28155:

$ npm audit
# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install protractor@3.3.0, which is a breaking change
node_modules/request
  webdriver-manager  *
  Depends on vulnerable versions of request
  node_modules/webdriver-manager
    protractor  >=4.0.0
    Depends on vulnerable versions of webdriver-manager
    node_modules/protractor
      @angular-devkit/build-angular  >=0.1100.0-next.0
      Depends on vulnerable versions of protractor
      node_modules/@angular-devkit/build-angular

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Can someone update this and remove this vulnerable dependency?
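An added example, not code from the webdriver-manager project or from the commenters: a small script that walks an `npm ls --json --all`-style dependency tree (assumed shape: nested `dependencies` objects, each with a `version` field) and lists every path leading to a package flagged by `npm audit`, so the top-level dependency that drags it in is obvious. The sample tree and its version numbers are constructed to mirror the chain in the audit output above.

```javascript
// Constructed sample tree mirroring the reported chain:
// @angular-devkit/build-angular > protractor > webdriver-manager > request
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@angular-devkit/build-angular": {
      version: "15.2.0", // constructed version, not from the issue
      dependencies: {
        protractor: {
          version: "7.0.0",
          dependencies: {
            "webdriver-manager": {
              version: "12.1.9",
              dependencies: { request: { version: "2.88.2" } },
            },
          },
        },
      },
    },
    "some-other-lib": { version: "1.0.0", dependencies: {} },
  },
};

// Depth-first walk over the nested `dependencies` objects.
// Returns every path (array of {name, version}) whose last node is `target`.
// A package may be nested at several depths, so keep descending after a hit.
function findDependencyPaths(tree, target, trail = []) {
  const paths = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...trail, { name, version: node.version || "?" }];
    if (name === target) paths.push(here);
    paths.push(...findDependencyPaths(node, target, here));
  }
  return paths;
}

// Render a path the way npm prints it: "a@1 > b@2 > c@3".
function formatPath(path) {
  return path.map((d) => `${d.name}@${d.version}`).join(" > ");
}

// The first hop of each path is the only thing package.json controls directly;
// that is the dependency to replace, upgrade or pin via an override.
function topLevelOffenders(tree, target) {
  return [...new Set(findDependencyPaths(tree, target).map((p) => p[0].name))];
}

for (const p of findDependencyPaths(SAMPLE_TREE, "request")) console.log(formatPath(p));
console.log("top-level offenders:", topLevelOffenders(SAMPLE_TREE, "request"));
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --json --all`.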

DavidViillanueva commented 1 year ago

I'm having the same problem.

tambor81 commented 1 year ago

I made a PR for fixing the xml2js issue (patched in version 0.5.0). How do I get it approved?

CQL111 commented 1 year ago

Is there a solution to this?

bmo-at commented 1 year ago

Seems like this has been abandoned. Protractor is end-of-life as of August 2023, so this seems unlikely to be fixed.