Comments (18)
Hmm. I only ask because I'm not sure how long I have before somebody starts breathing down my neck about why we are using packages that have unfixed "critical vulnerabilities," even if by my understanding those vulnerabilities won't actually affect us in practice. A lot of people see the npm audit message "8 critical vulnerabilities" and go into panic mode. As the point person for Selenium/Webdriverio stuff at my company, I've already gotten several concerned emails from various internal parties.
from webdriverio.
Can we please calm down? I'm not trying to be nasty about this. When do you expect v9 to release?
from webdriverio.
When do you expect v9 to release?
Within the next 1-2 months.
from webdriverio.
Thanks for reporting!
We greatly appreciate any contributions that help resolve the bug. While we understand that active contributors have their own priorities, we kindly request your assistance if you rely on this bug being fixed. We encourage you to take a look at our contribution guidelines or join our friendly Discord development server, where you can ask any questions you may have. Thank you for your support, and cheers!
from webdriverio.
Like I said: #13038 (comment)
from webdriverio.
It looks like this might have been (inadvertently?) fixed in #12300.
from webdriverio.
It looks like this might have been (inadvertently?) fixed in #12300.
That PR was merged into main, which is our development branch for v9. I am not sure if we can fix this for v8, as we can't update Puppeteer due to missing Node.js v16 support.
from webdriverio.
Just for reference, how much do we care about supporting Node 16, which has been dead for nine months?
from webdriverio.
Just for reference, how much do we care about supporting Node 16, which has been dead for nine months?
Not much, which is why we remove support in v9, but removing support for a Node.js version requires us to make a breaking change, which needs to be carefully planned.
from webdriverio.
Would bumping this dependency to 22.11.2 help?
from webdriverio.
@isc-aray I would recommend then to update WDIO to v9 which will likely resolve this issue for you.
@torokati44 this reference points to the main branch, which is our current v9 development branch.
from webdriverio.
@christian-bromann Do I understand correctly that you're telling me that the only way to resolve the critical vulnerability is to upgrade my production testing code to a major version that hasn't even been released yet? I'm sorry, but that's an absurd thing to suggest.
from webdriverio.
Unfortunately there is nothing I can do at this point. We can't update Puppeteer to the latest version as this would break a lot of tests for other WebdriverIO users. What would you suggest?
from webdriverio.
You say that updating Puppeteer to 2.11.2 would "break a lot of tests" but I'm looking at Puppeteer's changelogs and there aren't supposed to be any breaking changes between 2.9.0 and 2.11.2, so I'm not sure where that idea is coming from. Other than that, I don't have any suggestions, but if you want corporate users, you absolutely can't have critical vulnerabilities sitting unfixed in the current release for weeks at a time.
I just did an assessment of Playwright last month and concluded that there were limited benefits to switching from WebdriverIO, but this sort of thing makes me wonder if sticking with WDIO was the right decision after all.
from webdriverio.
so I'm not sure where that idea is coming from.
It is semantic versioning. We can't release breaking changes without a major release. What do we tell users still on node 16 when their CI/CD pipelines suddenly fail after a minor release with a nodejs version requirements update?
I'm looking at Puppeteer's changelogs and there aren't supposed to be any breaking changes between 2.9.0 and 2.11.2
you absolutely can't have critical vulnerabilities sitting unfixed in the current release for weeks at a time.
You can still use the power of your package manager to resolve dependencies as you wish. For example for npm
from webdriverio.
there aren't supposed to be any breaking changes between 2.9.0 and 2.11.2
Currently the @latest version of WebdriverIO uses v20.9.0, while the latest version would be v22.12.1. There are quite significant breaking changes, the biggest one as part of the v22.0.0 release, which drops Node.js v16 support.
but if you want corporate users, you absolutely can't have critical vulnerabilities sitting unfixed in the current release for weeks at a time.
If it actually were a critical vulnerability I would be concerned, but it isn't. You are likely not even using Puppeteer in your WebdriverIO setup. I understand your frustration, but please understand that this is not a trivial problem to solve. Again, if I updated Puppeteer and released it as a fix in v8, I would get a lot of issues tomorrow saying that it broke other people's builds, which is an actual problem compared to yours, which is literally npm yelling at you for no good reason.
I just did an assessment of Playwright last month and concluded that there were limited benefits to switching from WebdriverIO, but this sort of thing makes me wonder if sticking with WDIO was the right decision after all.
Very nice move to threaten non-paid maintainers that you will migrate off their project. Good luck with the migration then!
from webdriverio.
Given that it seems you and I are in agreement that this particular issue won't actually manifest in our projects, I think we can wait that long. I'll try to convey that to concerned parties on my end. I had misread the current Puppeteer-core version we're using as 22.9.0 instead of 20.9.0, hence my confusion about breaking changes above.
from webdriverio.