Vulnerability introduced by package adm-zip · Issue #499 · angular/webdriver-manager

Open

@paimon0715

Description

Hi @cnishina, a high severity vulnerability is introduced in your package

Issue

1 vulnerability (high severity) is introduced in webdriver-manager:
Vulnerability SNYK-JS-ADMZIP-1065796 (high severity) is detected in package adm-zip (versions: <0.5.2): https://snyk.io/vuln/SNYK-JS-ADMZIP-1065796
The above vulnerable package is referenced by webdriver-manager via:
webdriver-manager@12.1.8 ➔ adm-zip@0.4.16

Solution

Since webdriver-manager@12.1.* is transitively referenced by 248 downstream projects (e.g., protractor 7.0.0 (latest version),
grunt-protractor-runner 5.0.0 (latest version), gulp-protractor 4.1.1 (latest version), protractor-flake 4.0.0 (latest version), @types/protractor 4.0.0 (latest version)),

webdriver-manager@10.3.* is referenced by 26 downstream projects (e.g., protractor-perf 0.2.3 (latest version), sabium-framework 3.10.1030 (latest version), elementor 2.1.0 (latest version), wix-node-build 1.1.220 (latest version), gulp-binarta-template 0.0.68 (latest version)),

webdriver-manager@12.0.* is referenced by 4 downstream projects (opal-setup 0.4.6 (latest version), @torpadev/orpa-setup 0.2.11 (latest version), @torpadev/orpa-setup-dev 0.1.3 (latest version), @telligro/opal-setup 0.3.1 (latest version)),

If webdriver-manager removes the vulnerable package from the above versions, then its fixed versions can help downstream users decrease their pain.

Could you help update packages in these versions?

Fixing suggestions

(1) In webdriver-manager@12.1.*, you can kindly perform the following upgrades (not crossing their major versions):
adm-zip ^0.4.9 ➔ ^0.5.2;

Note:
adm-zip@0.5.2 (>=0.5.2) has fixed the vulnerability SNYK-JS-ADMZIP-1065796

(2) In webdriver-manager@10.3.*, you can kindly perform the following upgrades (not crossing their major versions):
adm-zip ^0.4.7 ➔ ^0.5.2;

Note:
adm-zip@0.5.2 (>=0.5.2) has fixed the vulnerability SNYK-JS-ADMZIP-1065796

(3) In webdriver-manager@12.0.*, you can kindly perform the following upgrades (not crossing their major versions):
adm-zip ^0.4.7 ➔ ^0.5.2;

Note:
adm-zip@0.5.2 (>=0.5.2) has fixed the vulnerability SNYK-JS-ADMZIP-1065796

Thank you for your contribution!

Best regards,
Paimon

Activity

paimon0715 (Author) commented on Jul 7, 2021

Lots of active downstream users transitively use the lower versions of webdriver-manager (@10.3.* and @12.0.*) (introduced vulnerabilities) via unmaintained packages (cannot update their dependencies). If webdriver-manager@10.3.* and @12.0.* can fix the issues, the vulnerable patches can be automatically propagated into the active downstream projects.

StanislavKharchenko commented on Jul 9, 2021

adm-zip was set as a non-strict version as a webdriver-manager dependency.
With "^" it means (as far as I know) that during install you will get the latest minor version of the selected package.
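The issue body and the comment above both turn on what a caret range actually admits. The script below is an added example, not code from the issue or from the webdriver-manager project: it implements npm's caret rule for plain `major.minor.patch` versions (without pulling in the `semver` package), checks whether a declared range can ever resolve to the fixed adm-zip 0.5.2, and walks a constructed dependency tree to report every path that ends in a vulnerable adm-zip. The tree shape and protractor's declared range are constructed for illustration; the adm-zip version numbers and the 0.5.2 fix boundary come from the issue. It generalizes beyond this case to any caret range (`^1.2.3`, `^0.4.9`, `^0.0.3`).

```javascript
// Added example (not from the issue or from webdriver-manager): minimal semver
// helpers showing why a "^0.4.x" range can never pull in the fixed adm-zip 0.5.2,
// plus a walk over a constructed dependency tree that reports vulnerable paths.

// adm-zip versions below this are affected per SNYK-JS-ADMZIP-1065796 (from the issue).
const FIXED_VERSION = '0.5.2';

// "major.minor.patch" -> [major, minor, patch]; pre-release tags are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareTuples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(a, b) {
  return compareTuples(parseVersion(a), parseVersion(b));
}

// npm caret semantics: everything left of the first non-zero component is pinned.
//   ^1.2.3 -> >=1.2.3 <2.0.0
//   ^0.4.9 -> >=0.4.9 <0.5.0   (so 0.5.2 lies outside the range)
//   ^0.0.3 -> >=0.0.3 <0.0.4
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const [major, minor, patch] = lower;
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { lower, upper };
}

function satisfiesCaret(range, version) {
  const { lower, upper } = caretBounds(range);
  const v = parseVersion(version);
  return compareTuples(v, lower) >= 0 && compareTuples(v, upper) < 0;
}

function isVulnerableAdmZip(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Can `npm install` resolve the declared range to the fixed release at all?
function rangeAdmitsFix(range) {
  return satisfiesCaret(range, FIXED_VERSION);
}

// Constructed tree (hypothetical shape, not real package-lock output):
// node = { name, version, declared: { dep: range }, dependencies: [nodes] }.
// protractor's "^12.1.7" range is a constructed value; 12.1.8 -> 0.4.16 is from the issue.
const sampleTree = {
  name: 'protractor',
  version: '7.0.0',
  declared: { 'webdriver-manager': '^12.1.7' },
  dependencies: [
    {
      name: 'webdriver-manager',
      version: '12.1.8',
      declared: { 'adm-zip': '^0.4.9' },
      dependencies: [{ name: 'adm-zip', version: '0.4.16', declared: {}, dependencies: [] }],
    },
  ],
};

// Depth-first walk. Each finding records the path to a vulnerable adm-zip, the range
// its parent declared, and whether that range could reach the fix without being edited.
function auditAdmZip(node, path = [], parent = null) {
  const here = [...path, `${node.name}@${node.version}`];
  const findings = [];
  if (node.name === 'adm-zip' && isVulnerableAdmZip(node.version)) {
    const range = parent ? parent.declared['adm-zip'] : null;
    findings.push({
      path: here.join(' > '),
      declaredRange: range,
      fixReachableWithoutRangeChange: range ? rangeAdmitsFix(range) : false,
    });
  }
  for (const child of node.dependencies || []) {
    findings.push(...auditAdmZip(child, here, node));
  }
  return findings;
}

console.log(JSON.stringify(auditAdmZip(sampleTree), null, 2));
```

For the constructed tree the walk reports one finding, `protractor@7.0.0 > webdriver-manager@12.1.8 > adm-zip@0.4.16`, with `fixReachableWithoutRangeChange: false`: because `^0.4.9` pins the minor component while the major is 0, a fresh `npm install` keeps resolving to 0.4.x, which is why the fix has to be a change to the declared range in webdriver-manager's package.json rather than something users can pick up on their own.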

StanislavKharchenko commented on Jul 9, 2021

Hmm, I just saw that in my case adm-zip 0.4.16 was installed.
I'm using webdriver-manager 13.0, where adm-zip is set to 0.4.13.

StanislavKharchenko commented on Jul 9, 2021

@paimon0715 maybe you can submit a PR and @angular team will merge it?

paimon0715 (Author) commented on Jul 10, 2021

@StanislavKharchenko
Thanks for your feedback. It would be better if webdriver-manager could fix this issue in versions 12.1.*, 12.0.*, and 10.3.*, and release them to npm. Then this vulnerability patch can be automatically propagated into a large number of downstream projects :) I have submitted a PR #500, please check it. Thanks again.

StanislavKharchenko commented on Jul 12, 2021

@paimon0715 Thanks for your PR.
It should be approved by @angular team before merge.
@kyliau @Splaktar could you please check? This is related to security vulnerabilities.

paimon0715 (Author) commented on Jul 19, 2021

@StanislavKharchenko @kyliau @Splaktar Thanks for your help.
