Malicious package in protractor lib dependencies #4844
Comments
I bet this pending PR angular/webdriver-js-extender#12 will fix it.
Hi, @awarecan ! I think so too and am waiting for feedback from the core team.
See https://github.com/snyk/zip-slip-vulnerability for more details, this was fixed in version
Hi, @Quenty ! Thanks for the investigation) As I said, adm-zip was replaced with jszip in the selenium-webdriver package. So, an update of the webdriver-js-extender dependencies will fix this issue.
(BTW, from the point of view of a casual follower of the project, it would feel a lot better if someone tagged as a contributor/owner were to drop a comment in about the likelihood of merging+shipping a fix to a scary sounding issue ("malicious package"!) promptly.)
Can be closed now because of #4882.
Security issue
8.4.0
5.3.2
Hi, Team! Recently I found a vulnerable package in protractor's dependencies when I was analyzing a small protractor project using the Snyk tool. I've opened an issue in the webdriver-js-extender repository and am now waiting for a response. The issue is related to the usage of an outdated selenium-webdriver package version. They've already fixed it and replaced adm-zip (the vulnerable package previously used by selenium-webdriver). Please pay attention to this.
Best regards,
Igor