
Comments (18)

isc-aray commented on July 26, 2024

Hmm. I only ask because I'm not sure how long I have before somebody starts breathing down my neck about why we are using packages that have unfixed "critical vulnerabilities," even if by my understanding those vulnerabilities won't actually affect us in practice. A lot of people see the npm audit message "8 critical vulnerabilities" and go into panic mode. As the point person for Selenium/Webdriverio stuff at my company, I've already gotten several concerned emails from various internal parties.

from webdriverio.

isc-aray commented on July 26, 2024

Can we please calm down? I'm not trying to be nasty about this. When do you expect v9 to release?


christian-bromann commented on July 26, 2024

> When do you expect v9 to release?

Within the next 1-2 month.


wdio-bot commented on July 26, 2024

Thanks for reporting!

We greatly appreciate any contributions that help resolve the bug. While we understand that active contributors have their own priorities, we kindly request your assistance if you rely on this bug being fixed. We encourage you to take a look at our contribution guidelines or join our friendly Discord development server, where you can ask any questions you may have. Thank you for your support, and cheers!


torokati44 commented on July 26, 2024

Like I said: #13038 (comment)


isc-aray commented on July 26, 2024

It looks like this might have been (inadvertently?) fixed in #12300.


christian-bromann commented on July 26, 2024

> It looks like this might have been (inadvertently?) fixed in #12300.

That PR was merged into main which is our development branch for v9. I am not sure if we can fix this for v8 as we can't update Puppeteer due to missing Node.js v16 support.


isc-aray commented on July 26, 2024

Just for reference, how much do we care about supporting Node 16, which has been dead for nine months?


christian-bromann commented on July 26, 2024

> Just for reference, how much do we care about supporting Node 16, which has been dead for nine months?

Not much, which is why we remove support in v9, but removing support for a Node.js version requires us to make a breaking change, which needs to be carefully planned.


torokati44 commented on July 26, 2024

Would bumping this dependency to 22.11.2 help?

"puppeteer-core": "22.11.1",


christian-bromann commented on July 26, 2024

@isc-aray I would recommend then to update WDIO to v9 which will likely resolve this issue for you.

@torokati44 this reference points to the main branch which is our current v9 development branch.


isc-aray commented on July 26, 2024

@christian-bromann Do I understand correctly that you're telling me that the only way to resolve the critical vulnerability is to upgrade my production testing code to a major version that hasn't even been released yet? I'm sorry, but that's an absurd thing to suggest.


christian-bromann commented on July 26, 2024

Unfortunately there is nothing I can do at this point. We can't update Puppeteer to the latest version as this would break a lot of tests for other WebdriverIO users. What would you suggest?


isc-aray commented on July 26, 2024

You say that updating Puppeteer to 2.11.2 would "break a lot of tests" but I'm looking at Puppeteer's changelogs and there aren't supposed to be any breaking changes between 2.9.0 and 2.11.2, so I'm not sure where that idea is coming from. Other than that, I don't have any suggestions, but if you want corporate users, you absolutely can't have critical vulnerabilities sitting unfixed in the current release for weeks at a time.

I just did an assessment of Playwright last month and concluded that there were limited benefits to switching from WebdriverIO, but this sort of thing makes me wonder if sticking with WDIO was the right decision after all.


BorisOsipov commented on July 26, 2024

> so I'm not sure where that idea is coming from.

It is semantic versioning. We can't release breaking changes without a major release. What do we tell users still on node 16 when their CI/CD pipelines suddenly fail after a minor release with nodejs version requirements update?

> I'm looking at Puppeteer's changelogs and there aren't supposed to be any breaking changes between 2.9.0 and 2.11.2
> you absolutely can't have critical vulnerabilities sitting unfixed in the current release for weeks at a time.

You can still use the power of your package manager to resolve dependencies as you wish. For example for npm

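As an added illustration (not part of BorisOsipov's comment or of WebdriverIO's own files), a package.json that forces the transitive puppeteer-core to one version: npm (8.3 and later) reads the top-level "overrides", Yarn reads "resolutions", and pnpm reads "pnpm.overrides", so only the key for your package manager is needed. The package name and the "^8" range are placeholders; 22.12.1 is the latest puppeteer-core version named in this thread.

```json
{
  "name": "example-wdio-project",
  "private": true,
  "devDependencies": {
    "webdriverio": "^8"
  },
  "overrides": {
    "puppeteer-core": "22.12.1"
  },
  "resolutions": {
    "puppeteer-core": "22.12.1"
  },
  "pnpm": {
    "overrides": {
      "puppeteer-core": "22.12.1"
    }
  }
}
```

After reinstalling, `npm ls puppeteer-core` shows which version actually resolved and `npm audit` confirms whether the advisory is gone. An override pins a combination the maintainers have not tested with v8 (the thread notes that puppeteer 22.x drops Node.js 16), so run the full suite on the pinned version before relying on it in CI.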

christian-bromann commented on July 26, 2024

> there aren't supposed to be any breaking changes between 2.9.0 and 2.11.2

Currently the @latest version of WebdriverIO uses v20.9.0 while latest version would be v22.12.1. There are quite significant breaking changes, the biggest one as part of the v22.0.0 release which drops Node.js v16 support.

> but if you want corporate users, you absolutely can't have critical vulnerabilities sitting unfixed in the current release for weeks at a time.

If it actually would be a critical vulnerability I would be concerned, but it isn't. You are likely not even using Puppeteer in your WebdriverIO setup. I understand your frustration, but please understand that this is not a trivial problem to solve. Again, if I would update Puppeteer and release it as a fix in v8, I would get a lot of issues tomorrow saying that it broke other people's builds, which is an actual problem compared to yours, which is literally NPM yelling at you for no good reason.

> I just did an assessment of Playwright last month and concluded that there were limited benefits to switching from WebdriverIO, but this sort of thing makes me wonder if sticking with WDIO was the right decision after all.

Very nice move to threaten non-paid maintainers to migrate off their project, good luck with the migration then!


isc-aray commented on July 26, 2024

Given that it seems you and I are in agreement that this particular issue won't actually manifest in our projects, I think we can wait that long. I'll try to convey that to concerned parties on my end. I had misread the current Puppeteer-core version we're using as 22.9.0 instead of 20.9.0, hence my confusion about breaking changes above.

