CVE-2021-3807 in ansi-regex #5534
Comments
Good question for maintainers.
The issue here is about a regex DDOS vulnerability. This is pretty low risk as Protractor is not intended for production use or running on untrusted inputs. The fix seems pretty easy, as our usage of
I am facing a high security issue and the affected component is ansi-regex@2.1.1. How can I resolve this? @dgp1130
@shubham0827 I suggest making your own fork of Protractor and maintaining it yourself.
@alan-agius4 In regards to #5502 there was a final decision and agreement to continue Protractor in the form of v6.
@StanislavKharchenko, there wasn't a final decision about that; in fact the following is stated in the linked comment.
To my knowledge, there wasn't much interest from enterprise partners about shared ownership. Although probably @dgp1130 and @mgechev will know more about it. Back to the original issue, the mentioned CVE doesn't seem to affect the I also tried this out locally and NPM didn't report any vulnerability.
@alan-agius4 This is also not true. I, and not only I, contacted Keen at first, then Angular devrel, and the last thing I heard was that the possibility of Protractor shared ownership was under consideration (we talked about this in the summer of 2021). I personally offered help with the upgrade and maintenance of Protractor (#5516 here were the first attempts). I don't know what happened with the Angular team in general, but every proposal for Protractor continuation was rejected one by one. Finally, I decided to fix Protractor v6-ish in a forked repo and use my own solution. And I advised a similar approach for everyone whose e2e business suffered from the indecision and your (Angular team) inaction.
protractor@7.0.0
`-- chalk@1.1.3
    `-- has-ansi@2.0.0
        `-- ansi-regex@2.1.1

Hi,
is there any chance to update to chalk v2+? They dropped the has-ansi dependency.
Thank you!
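The chain quoted above is the kind of transitive path that an `npm ls` tree shows but that is easy to miss when only the top-level dependency is checked. The following is an added example, not code from the Protractor project or from anyone in this thread: it walks an `npm ls --json`-shaped object and reports every path that ends at a named package, then filters those below a minimum fixed version. The sample tree mirrors the protractor -> chalk -> has-ansi -> ansi-regex chain from the issue; the second branch (`example-tool`) and the `6.0.1` threshold passed in the usage call are constructed placeholders, and the real fixed versions for each release line should be taken from the advisory for CVE-2021-3807.

```javascript
// Added example (not from the Protractor issue thread): locate a transitive
// dependency inside an `npm ls --json`-shaped tree and flag versions below a
// given fixed version. Node.js, no third-party modules.

// Constructed sample tree mirroring the chain quoted in the issue
// (protractor@7.0.0 -> chalk@1.1.3 -> has-ansi@2.0.0 -> ansi-regex@2.1.1),
// plus a hypothetical second branch ('example-tool', not on the page) to show
// that versions are reported per path, not per package name.
const SAMPLE_TREE = {
  name: 'protractor',
  version: '7.0.0',
  dependencies: {
    chalk: {
      version: '1.1.3',
      dependencies: {
        'has-ansi': {
          version: '2.0.0',
          dependencies: {
            'ansi-regex': { version: '2.1.1' },
          },
        },
      },
    },
    'example-tool': {
      version: '1.0.0',
      dependencies: {
        'ansi-regex': { version: '6.0.1' },
      },
    },
  },
};

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes are not handled; enough for npm-reported release versions.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every root-to-node path whose node is named `target`.
function findPackagePaths(tree, target) {
  const hits = [];
  function walk(node, name, path) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) hits.push({ path: here, version: node.version });
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  }
  walk(tree, tree.name, []);
  return hits;
}

// Keep only occurrences whose version is below `minFixed`, the first patched
// release. The threshold is a parameter: take it from the advisory, since
// backport lines (e.g. 3.x, 4.x, 5.x) each have their own fixed version.
function findVulnerable(tree, target, minFixed) {
  return findPackagePaths(tree, target).filter(
    (hit) => compareVersions(hit.version, minFixed) < 0,
  );
}

// Stand-alone usage: print each affected chain in `npm ls` style.
// '6.0.1' is an illustrative threshold, not a statement about the advisory.
for (const hit of findVulnerable(SAMPLE_TREE, 'ansi-regex', '6.0.1')) {
  console.log(hit.path.join(' > '));
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json` (the `--all` flag is needed on npm 7+ to include nested dependencies). Reporting the full path matters: the fix for a transitive package is usually an upgrade of the intermediate dependency (here chalk), not of the leaf.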