Skip to content
This repository has been archived by the owner on Jul 29, 2024. It is now read-only.

Prototype Pollution vulnerability through outdated yargs package #5431

Closed
JanErikGunnar opened this issue May 4, 2020 · 4 comments
Closed

Prototype Pollution vulnerability through outdated yargs package #5431

JanErikGunnar opened this issue May 4, 2020 · 4 comments
Assignees
@alan-agius4
Labels
type: bug

Comments

@JanErikGunnar
Copy link

Hi there!

Bug report

  • Node Version: 12.14.1
  • Protractor Version: 5.4.4
  • Angular Version: 1.7.9
  • Browser(s): N/A
  • Operating System and Version macOS 10.15.4

Protractor 5.4.4 has a dependency of "yargs", ^12.0.5.
The newest "yargs" that satisfies this dependency is 12.0.5. (The latest being 15.3.1)
"yargs" in turn has a dependency of "yargs-parser", ^11.1.1.
The newest "yargs-parser" that satisfies this dependency is 11.1.1 (the latest being 18.1.3).
This version of yargs parser has a low severity security issue, "Prototype pollution", referring to https://npmjs.com/advisories/1500 .
@alan-agius4 alan-agius4 self-assigned this May 5, 2020
alan-agius4 added a commit that referenced this issue May 7, 2020
@alan-agius4
fix: prototype Pollution vulnerability through outdated yargs package
30b595c 
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes #5431
alan-agius4 added a commit to alan-agius4/protractor that referenced this issue May 7, 2020
@alan-agius4
fix: prototype Pollution vulnerability through outdated yargs package
8b56278 
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes angular#5431
@alan-agius4 alan-agius4 mentioned this issue May 7, 2020
Merged
alan-agius4 added a commit to alan-agius4/protractor that referenced this issue May 7, 2020
@alan-agius4
fix: prototype Pollution vulnerability through outdated yargs package
7cb081a 
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes angular#5431
alan-agius4 added a commit to alan-agius4/protractor that referenced this issue May 7, 2020
@alan-agius4
fix: prototype Pollution vulnerability through outdated yargs package
20bfc61 
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes angular#5431
kyliau pushed a commit that referenced this issue May 8, 2020
@alan-agius4
fix: prototype Pollution vulnerability through outdated yargs package
3fc9220 
BREAKING CHANGE:

Node.Js version 6 and 8 are no longer supported. Please update to Node.Js 10+

Closes #5431
@alan-agius4
Copy link
Contributor

Closed via #5432

We’ll cut a release next week.

@pittgoose
Copy link
Contributor

@alan-agius4 is this going to be released as 5.4.5, or do I have to upgrade to 7.0.0?

@alan-agius4
Copy link
Contributor

@pittgoose, the fix is available in version 7.0.0.

Essentially the differences between v5 and v7 are;

  • dropping support for Node.Js version 6 and 8.
  • remove element explorer, which is incompatible with Node.JS 8+

@vsravuri
Copy link

@alan-agius4 @kyliau Any plan to release Selenium4 compatible version of Protractor in near future? I saw a comment on #5436 which says
Protractor 6 has been deprecated.

@dependabot dependabot bot mentioned this issue Mar 17, 2021
Closed
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees

@alan-agius4 alan-agius4

Labels
type: bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(deps): bump protractor from 5.4.4 to 7.0.0 in /packages/stark-testing nicanac/stark
4 participants
@pittgoose @alan-agius4 @vsravuri @JanErikGunnar