
Dependency vulnerability (hoek) #11

Closed
alexiaallanic-myob opened this issue Aug 2, 2018 · 3 comments
@alexiaallanic-myob

Hi,

When running `npm audit` on my project using the latest wdio I get a dependency vulnerability:

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wdio                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wdio > selenium-standalone > request > hawk > sntp > hoek    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

Would be good if selenium-standalone could be updated to a more up-to-date version, as the hoek fix has been released already.

Thanks.
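The advisory in the audit output above is for prototype pollution. As an added illustration (this is not hoek's code, not part of this issue, and makes no claim about how sntp uses hoek), the following contrasts a naive recursive merge, which is open to that class of bug when fed untrusted JSON, with a hardened merge that refuses prototype-controlling keys. The tainted JSON input is constructed for the demonstration; `unsafeMerge`, `safeMerge` and `mergeUntrusted` are hypothetical names.

```javascript
// Added example, not hoek's code and not taken from this issue: a naive
// recursive merge that is open to prototype pollution, beside a hardened
// merge that skips prototype-controlling keys. The tainted JSON is constructed.

// Vulnerable pattern: walks every key of `source` into `target`. For the key
// "__proto__", `target[key]` resolves to Object.prototype (through the accessor
// that every plain object inherits), so the recursion writes the nested values
// onto the prototype shared by every plain object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: never recurse into or assign the keys that control an
// object's prototype, and only descend into *own* properties of `target`, so
// an inherited property can never become the recursion target.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue;        // drop the key, do not merge it
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input, in the shape a request body or config file would arrive in.
// JSON.parse creates an *own* property literally named "__proto__", which is
// what makes the key visible to Object.keys in the merges above.
const TAINTED_JSON = '{"name": "alice", "__proto__": {"polluted": true}}';

// Runs one merge over the tainted input and reports whether an unrelated,
// freshly created object inherited the injected property. Cleans up afterwards
// so that one run cannot influence the next.
function mergeUntrusted(mergeFn) {
  const config = {};
  mergeFn(config, JSON.parse(TAINTED_JSON));
  const leaked = ({}).polluted === true;  // a brand-new object should never see this
  delete Object.prototype.polluted;
  return { name: config.name, leaked };
}

console.log('unsafeMerge leaks into Object.prototype:', mergeUntrusted(unsafeMerge).leaked); // true
console.log('safeMerge leaks into Object.prototype:  ', mergeUntrusted(safeMerge).leaked);   // false
```

The check in `mergeUntrusted` (does a fresh `{}` suddenly carry a property nobody assigned to it?) is also a cheap way to confirm, in a test suite, that a merge or deep-clone helper in your own code is not affected. The other half of triaging an audit finding is the question the maintainer raises further down: whether the vulnerable function is reachable at all in the way the package is actually used.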

ziolko (Owner) commented Aug 2, 2018

Thanks. I will take a look at this during weekend.

Cheers,
Mateusz

ziolko self-assigned this Aug 5, 2018

ziolko (Owner) commented Aug 5, 2018

Hi Alexia,

I checked how each dependency in the dependency chain is used. It turned out that the hoek package, despite being marked as a dependency, is not used in our scenario.

The fact stated above means that updating selenium-standalone is not required. Moreover #10 doesn't really allow me to do so until webdriverio/webdriverio#2406 is done.

I encourage you to check how hoek is used in sntp in the installed versions. If you have further doubts please let me know.

Mateusz

ziolko (Owner) commented Feb 13, 2019

This issue has been fixed in wdio 3.0.1.
