[🐛 Bug]: <Update strip-ansi to 7.0.1> #8806

Closed
3 tasks done
KuznetsovRoman opened this issue Sep 5, 2022 · 2 comments
Labels
Bug 🐛 Needs Triaging ⏳ No one has looked into the issue yet

Comments

@KuznetsovRoman
Contributor

Have you read the Contributing Guidelines on issues?

WebdriverIO Version

latest

Node.js Version

latest

Mode

WDIO Testrunner

Which capabilities are you using?

No response

What happened?

strip-ansi (used by wdio/logger) uses ansi-regex@6.0.0 up to 7.0.0 (https://github.com/chalk/strip-ansi/blame/v7.0.1/package.json#L50).
ansi-regex has a potential ReDoS vulnerability: chalk/ansi-regex#37
Could you please update the dependency? (wdio-logger: strip-ansi@6.0.0 -> strip-ansi@7.0.1)

P.S.: not exactly a bug, more like a security vulnerability, but I didn't want to disturb you via email over a trifle.

What is your expected behavior?

No response

How to reproduce the bug.

npm audit

Relevant log output

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Inefficient Regular Expression Complexity in                 │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @wdio/utils                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @wdio/utils > @wdio/logger > strip-ansi > ansi-regex         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues
@KuznetsovRoman KuznetsovRoman added Bug 🐛 Needs Triaging ⏳ No one has looked into the issue yet labels Sep 5, 2022
@christian-bromann
Member

The dependency in @wdio/logger is defined as:

"strip-ansi": "^6.0.0"

A fix was backported to v6.0.1, so you should automatically get this update since we don't ship with a package-lock.json.

@christian-bromann
Member

The security vulnerability was patched with v5.0.1. No update is needed.
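The two replies above rest on how npm resolves a caret range: `"^6.0.0"` admits any 6.x release, so the highest published 6.x (here the patched 6.0.1) is what a fresh install receives, while a lockfile that pins 6.0.0 would keep the vulnerable build. The following is an added example, not code from WebdriverIO, strip-ansi or ansi-regex: it implements caret-range resolution for plain `MAJOR.MINOR.PATCH` versions, picks the maximum satisfying version from a published list, and checks that version against a list of patched versions per major line. The published-version list and the patched-version list are constructed for illustration, not fetched from the registry or the advisory.

```javascript
// Added example (not the project's own code). Resolves an npm caret range the
// way npm does for plain MAJOR.MINOR.PATCH versions and checks whether the
// version that would be installed is at or above the patched release for its
// major line. No registry access: all data below is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison (lexicographic string compare would put
// "10.0.0" before "9.0.0").
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics: the left-most non-zero component is frozen.
// ^6.0.0 -> >=6.0.0 <7.0.0 ; ^0.2.3 -> >=0.2.3 <0.3.0 ; ^0.0.3 -> >=0.0.3 <0.0.4
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// npm installs the highest published version allowed by the range.
function resolveMaxSatisfying(range, published) {
  const candidates = published.filter((v) => satisfiesCaret(range, v));
  if (candidates.length === 0) return null;
  candidates.sort(compareVersions);
  return candidates[candidates.length - 1];
}

// An advisory lists one patched release per affected major line; a resolved
// version is considered patched if it is >= the fix for its own major.
function isPatched(version, patchedVersions) {
  const major = parseVersion(version)[0];
  const fix = patchedVersions.find((p) => parseVersion(p)[0] === major);
  return fix !== undefined && compareVersions(version, fix) >= 0;
}

// Combines resolution and the patched check into one audit result.
function auditRange(range, published, patchedVersions) {
  const resolved = resolveMaxSatisfying(range, published);
  return {
    resolved,
    patched: resolved !== null && isPatched(resolved, patchedVersions),
  };
}

// Constructed sample data: a hypothetical set of published versions and the
// patched releases a hypothetical advisory names for the 5.x and 6.x lines.
const PUBLISHED = ['5.0.0', '5.0.1', '6.0.0', '6.0.1', '7.0.0'];
const PATCHED = ['5.0.1', '6.0.1'];

// A fresh install of "^6.0.0" resolves to 6.0.1 and is patched; a lockfile
// that still pins 6.0.0 is not, which is the case `npm audit` reports.
console.log(auditRange('^6.0.0', PUBLISHED, PATCHED));
console.log(auditRange('^6.0.0', ['6.0.0'], PATCHED));
```

The practical takeaway for a dependency audit: the declared range alone does not say whether you are patched; what matters is the version actually resolved in your lockfile, which is why `npm audit` reports the installed path rather than the range.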
