Prototype Pollution vulnerability through outdated yargs package #5431

Closed
JanErikGunnar opened this issue May 4, 2020 · 4 comments
@JanErikGunnar

Hi there!

Bug report

  • Node Version: 12.14.1
  • Protractor Version: 5.4.4
  • Angular Version: 1.7.9
  • Browser(s): N/A
  • Operating System and Version: macOS 10.15.4

Protractor 5.4.4 has a dependency of "yargs", ^12.0.5.
The newest "yargs" that satisfies this dependency is 12.0.5. (The latest being 15.3.1)
"yargs" in turn has a dependency of "yargs-parser", ^11.1.1.
The newest "yargs-parser" that satisfies this dependency is 11.1.1 (the latest being 18.1.3).
This version of yargs parser has a low severity security issue, "Prototype pollution", referring to https://npmjs.com/advisories/1500 .
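
The sketch below shows why the ranges quoted in the report keep the install at yargs-parser 11.1.1. It is an added example, not part of the original issue or Protractor's code: it walks a constructed npm v6-style lock fragment and lists each caret range that excludes the latest release. The lock layout and the names `caretAllows`, `findInstalls` and `blockedUpgrades` are hypothetical, and pre-release tags are not handled.

```javascript
// Constructed npm v6-style (lockfileVersion 1) fragment; versions and ranges are
// the ones quoted in the issue, the nesting itself is an assumption.
const lock = { dependencies: { protractor: {
  version: "5.4.4", requires: { yargs: "^12.0.5" },
  dependencies: { yargs: {
    version: "12.0.5", requires: { "yargs-parser": "^11.1.1" },
    dependencies: { "yargs-parser": { version: "11.1.1" } },
  } },
} } };
// "Latest" releases at the time of the report, also taken from the issue text.
const latest = { yargs: "15.3.1", "yargs-parser": "18.1.3" };
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Caret semantics: the left-most non-zero component must not change.
// ^12.0.5 => >=12.0.5 <13.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled");
  const lo = parse(range.slice(1));
  const k = lo[0] ? 0 : lo[1] ? 1 : 2; // index of the component that is pinned
  const hi = lo.map((n, i) => (i < k ? n : i === k ? n + 1 : 0));
  const v = parse(version);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Every installed copy of `name`, with the chain of packages that pulled it in.
function findInstalls(node, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${dep}@${info.version}`];
    if (dep === name) out.push(here.join(" > "));
    findInstalls(info, name, here, out);
  }
  return out;
}

// Every declared range that cannot resolve to the latest release of its target.
function blockedUpgrades(node, latestMap, out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    for (const [dep, range] of Object.entries(info.requires || {})) {
      if (latestMap[dep] && !caretAllows(range, latestMap[dep]))
        out.push(`${name}@${info.version} requires ${dep} ${range}, which excludes ${latestMap[dep]}`);
    }
    blockedUpgrades(info, latestMap, out);
  }
  return out;
}

console.log(findInstalls(lock, "yargs-parser"), blockedUpgrades(lock, latest));
```

Both edges of the chain are reported, which is why the fix needs a new major range in Protractor's own manifest and not only a reinstall.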

alan-agius4 self-assigned this May 5, 2020
alan-agius4 added a commit that referenced this issue May 7, 2020
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes #5431
alan-agius4 added a commit to alan-agius4/protractor that referenced this issue May 7, 2020
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes angular#5431
kyliau pushed a commit that referenced this issue May 8, 2020
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes #5431
@alan-agius4
Contributor

Closed via #5432

We’ll cut a release next week.

@pittgoose
Contributor

@alan-agius4 is this going to be released as 5.4.5, or do I have to upgrade to 7.0.0?

@alan-agius4
Contributor

@pittgoose, the fix is available in version 7.0.0.

Essentially, the differences between v5 and v7 are:

  • dropping support for Node.Js version 6 and 8.
  • remove element explorer, which is incompatible with Node.JS 8+

@vsravuri

@alan-agius4 @kyliau Any plan to release Selenium4 compatible version of Protractor in near future? I saw a comment on #5436 which says
Protractor 6 has been deprecated.
