Malicious package in protractor lib dependencies

[IgorSasovets]

Security issue

• Node Version: 8.4.0
• Protractor Version: 5.3.2

Hi, Team! Recently I found vulnerable package in protractor dependencies when was analyzing small protractor project using Snyk tool. I've opened issue in webdriver-js-extender repository and now waiting for response. Issue related to usage of outdated selenium-webdriver package version. They've already fixed it and replaced adm-zip(vulnerable package previously used by selenium-webdriver). Please pay attention to this.

Best regards,
Igor

[awarecan]

I bet this pending PR angular/webdriver-js-extender#12 will fix it.

[IgorSasovets]

Hi, @awarecan ! I think so too and waiting for feedback from core team.

[Quenty]

See https://github.com/snyk/zip-slip-vulnerability for more details, this was fixed in version 0.4.9, protractor currently uses 0.4.4 and should be updated.

cthackers/adm-zip#212

[IgorSasovets]

Hi, @Quenty ! Thanks for investigation) As I said, adm-zip replaced with jszip in selenium-webdriver package. So, update of webdriver-js-extender dependencies will fix this issue.

[IgorSasovets]

#4882

[kylecordes]

(BTW, from the point of view of a casual follower of the project, it would feel a lot better if someone tagged as a contributor/owner were to drop a comment in about the likelihood of merging+shipping a fix to a scary sounding issue ("malicious package"!) promptly.)

[IgorSasovets]

Can be closed now because of #4882.