john-doherty / selenium-cucumber-js

Browser automation framework written in pure JavaScript using official selenium-webdriver and cucumber-js
ISC License
120 stars 89 forks

a high severity vulnerability introduced in selenium-cucumber-js #112

Open ayaka-kms opened 3 years ago

ayaka-kms commented 3 years ago

Hi, a vulnerability https://www.npmjs.com/advisories/1464 is introduced in selenium-cucumber-js via: ● selenium-cucumber-js@1.8.1 ➔ phantomjs-prebuilt@2.1.12 ➔ request@2.74.0 ➔ hawk@3.1.3 ➔ cryptiles@2.0.5

phantomjs-prebuilt is a legacy package. It has not been maintained for about 3 years, and is not likely to be updated. Is it possible to migrate phantomjs-prebuilt to other package to remediate this vulnerability?

I noticed several migration records for phantomjs-prebuilt in other js repos, such as

  1. in backstopjs, version 3.8.9 ➔ 3.9.0, remove phantomjs-prebuilt via commit
  2. in aegir, version 8.1.2 ➔ 9.0.0, remove phantomjs-prebuilt via commit

Are there any efforts planned that would remediate this vulnerability or migrate phantomjs-prebuilt?

Thanks ; )
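The chain quoted in the report is the useful part of such an advisory: the vulnerable package is four levels deep, so the fix is either to drop the direct dependency that pulls it in or to pin the deep package. The script below is an added example, not code from selenium-cucumber-js or from anyone in this thread. It walks a constructed tree shaped like the `dependencies` object of a package-lock.json v1 (mirroring the chain above; the version ranges, the hoisted `cryptiles@4.1.2`, the list of direct dependencies and the affected range `< 4.1.2` are all assumptions for illustration), reports every path that reaches an affected version using Node's nearest-`node_modules` resolution rule, and then confirms that pinning the package everywhere, which is what an npm `overrides` or yarn `resolutions` entry does, actually removes those paths.

```javascript
// Added example (not code from selenium-cucumber-js or the issue): trace every
// path through a lockfile-style dependency tree that reaches a vulnerable
// package, then confirm that pinning that package removes those paths.

// Constructed tree shaped like package-lock.json v1 "dependencies", mirroring
// the chain quoted in the issue. Ranges and nesting are assumptions.
const lockDependencies = {
  "phantomjs-prebuilt": {
    version: "2.1.12",
    requires: { request: "^2.74.0" },
    dependencies: {
      request: {
        version: "2.74.0",
        requires: { hawk: "~3.1.3" },
        dependencies: {
          hawk: {
            version: "3.1.3",
            requires: { cryptiles: "2.x.x" },
            dependencies: { cryptiles: { version: "2.0.5" } },
          },
        },
      },
    },
  },
  // Hoisted copy outside the affected range: must not be reported.
  cryptiles: { version: "4.1.2" },
  cucumber: { version: "1.3.3" },
};

// Direct dependencies of the project (constructed; the real package.json lists more).
const directDependencies = ["phantomjs-prebuilt", "cucumber"];

// Compare dotted numeric versions: -1, 0 or 1. Pre-release tags are ignored
// (an assumption, not full semver).
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Node resolution rule: a package's own nested "dependencies" win, then each
// enclosing package's, then the hoisted root level.
function resolveDependency(name, scopes) {
  for (const scope of scopes) {
    if (Object.prototype.hasOwnProperty.call(scope, name)) return scope[name];
  }
  return null;
}

// Every "a@1 -> b@2 -> target@v" path whose final node is targetName at a
// version the predicate flags as affected.
function findVulnerablePaths(rootDeps, directDeps, targetName, isAffected) {
  const found = [];
  function walk(name, node, scopes, trail, seen) {
    const key = `${name}@${node.version}`;
    const path = trail.concat(key);
    if (name === targetName && isAffected(node.version)) found.push(path.join(" -> "));
    if (seen.has(key)) return; // cycle guard
    const nextSeen = new Set(seen).add(key);
    const nextScopes = [node.dependencies || {}, ...scopes];
    for (const depName of Object.keys(node.requires || {})) {
      const depNode = resolveDependency(depName, nextScopes);
      if (depNode) walk(depName, depNode, nextScopes, path, nextSeen);
    }
  }
  for (const name of directDeps) {
    const node = resolveDependency(name, [rootDeps]);
    if (node) walk(name, node, [rootDeps], [], new Set());
  }
  return found;
}

// Pin a package everywhere in the tree, which is the effect of an npm
// "overrides" (npm >= 8.3) or yarn "resolutions" entry.
function applyOverride(rootDeps, name, version) {
  const copy = JSON.parse(JSON.stringify(rootDeps));
  (function rewrite(deps) {
    for (const [depName, node] of Object.entries(deps)) {
      if (depName === name) node.version = version;
      if (node.dependencies) rewrite(node.dependencies);
    }
  })(copy);
  return copy;
}

// Affected range assumed for illustration; take the real one from the advisory.
const cryptilesAffected = (v) => compareVersions(v, "4.1.2") < 0;

function report() {
  const args = [directDependencies, "cryptiles", cryptilesAffected];
  const before = findVulnerablePaths(lockDependencies, ...args);
  const after = findVulnerablePaths(applyOverride(lockDependencies, "cryptiles", "4.1.2"), ...args);
  return { before, after };
}

if (typeof require !== "undefined" && require.main === module) console.log(report());
```

Run it with `node` and `before` lists the single path through phantomjs-prebuilt while `after` is empty; the hoisted 4.1.2 copy is never reported because the nested 2.0.5 shadows it for hawk. The same walk over a real lockfile tells you whether a pin actually reaches the affected copy or whether, as the reporter suggests, removing phantomjs-prebuilt itself is the only clean fix.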

john-doherty commented 2 years ago

Nothing planned, but happy to accept a PR :)

Potherca commented 6 months ago

I think that PR is https://github.com/john-doherty/selenium-cucumber-js/pull/108 ?