chore(tools): update geckodriver to 4.0.4 #19558

Merged: 1 commit merged into develop from chore/update_geckodriver on Jun 23, 2023

Conversation

HowardBraham
Contributor

Updating the Firefox testing tool to the newest version

@HowardBraham HowardBraham requested a review from a team as a code owner June 10, 2023 08:02
@github-actions
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@socket-security

socket-security bot commented Jun 10, 2023

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: semver@5.4.1, semver@5.7.1, semver@6.3.0, semver@7.0.0, semver@7.3.7, semver@7.3.8, binary@0.3.0, buffers@0.1.1, chainsaw@0.1.0, traverse@0.3.9, web-streams-polyfill@3.2.1, fstream@1.0.12, buffer-indexof-polyfill@1.0.2, formdata-polyfill@4.0.10, node-domexception@1.0.0, listenercount@1.0.1, registry-url@3.1.0, loglevel-plugin-prefix@0.8.4, geckodriver@4.0.4, agent-base@7.1.0, unzipper@0.10.14

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

@socket-security

New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎

Package      Version           New capabilities   Transitives [1]   Size      Publisher
geckodriver  ⬆️ 3.2.0...4.0.4   network            +21/-3            8.89 MB   wdio-user

Footnotes

  1. https://docs.socket.dev

@codecov

codecov bot commented Jun 10, 2023

Codecov Report

Merging #19558 (13c2cbe) into develop (9acd4b4) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop   #19558   +/-   ##
========================================
  Coverage    70.79%   70.79%           
========================================
  Files          988      988           
  Lines        38365    38365           
  Branches     10041    10041           
========================================
  Hits         27160    27160           
  Misses       11205    11205           

@metamaskbot
Collaborator

Builds ready [b0e12e4]
Page Load Metrics (1517 ± 33 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint        107       151       119           11                      5
Chrome    Home  domContentLoaded  1396      1602      1499          52                      25
Chrome    Home  load              1396      1649      1517          70                      33
Chrome    Home  domInteractive    1396      1602      1499          52                      25
Bundle size diffs
  • background: 0 bytes
  • ui: 0 bytes
  • common: 0 bytes

@metamaskbot
Collaborator

Builds ready [13c2cbe]
Page Load Metrics (1680 ± 35 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint        112       266       134           35                      17
Chrome    Home  domContentLoaded  1536      1817      1656          79                      38
Chrome    Home  load              1577      1838      1680          72                      35
Chrome    Home  domInteractive    1536      1817      1656          79                      38
Bundle size diffs
  • background: 0 bytes
  • ui: 0 bytes
  • common: 0 bytes

Contributor

@brad-decker brad-decker left a comment

LGTM. i'll see if i can resolve the socket-security stuff.

@brad-decker
Contributor

These all look harmless to me, but maybe @legobeat or someone from @MetaMask/supply-chain could take a look? This is a DEV only dependency so probably not high priority to investigate -- no lavamoat changes required.

@HowardBraham
Contributor Author

This is a DEV only dependency so probably not high priority to investigate -- no lavamoat changes required.

That reminds me... are we sure that our devDependencies do not leak into the release? I have not investigated here, but I have seen other projects that are misconfigured in this way.

I don't know the Yarn 3 way to do this, but the Yarn 1 way was yarn install --production on the build machine.
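A release-gate check in the spirit of the devDependencies question above, added here as an example (not code from this PR or the MetaMask repository): it scans the text of shipped bundle files for imports of any package listed under devDependencies and reports the leaks. The package.json and bundle sources are constructed samples, and the import-matching regex is a heuristic assumption rather than a full JavaScript parser.

```javascript
// Added example (not from the PR or the MetaMask codebase): fail a release build
// if any name listed under devDependencies is still imported from the shipped bundle.
// Heuristic: match require('x'), import 'x', import('x') and `from 'x'` specifiers
// that are bare package names (relative paths starting with '.' or '/' are skipped).
const PACKAGE_IMPORT = /\b(?:require\(\s*|from\s+|import\s*\(?\s*)['"]([^'"./][^'"]*)['"]/g;

// Reduce a module specifier ("@scope/pkg/sub", "pkg/lib/index") to its package name.
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Return the sorted list of devDependencies that any of the bundle sources import.
function findLeakedDevDeps(pkgJson, bundleSources) {
  const devDeps = new Set(Object.keys(pkgJson.devDependencies || {}));
  const leaked = new Set();
  for (const source of bundleSources) {
    for (const match of source.matchAll(PACKAGE_IMPORT)) {
      const name = packageName(match[1]);
      if (devDeps.has(name)) leaked.add(name);
    }
  }
  return [...leaked].sort();
}

// Constructed sample: geckodriver and unzipper are dev-only; the first bundle file
// imports geckodriver, so the check must flag exactly that package.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { semver: '^7.3.8' },
  devDependencies: { geckodriver: '^4.0.4', unzipper: '^0.10.14' },
};
const SAMPLE_BUNDLE_SOURCES = [
  "const semver = require('semver');\nimport { start } from 'geckodriver/lib/index';",
  "import('./local-module');\nconst x = require('@scope/pkg/sub');",
];

// Run the gate over the samples and report; a real CI job would exit non-zero on a leak.
function main() {
  const leaked = findLeakedDevDeps(SAMPLE_PACKAGE_JSON, SAMPLE_BUNDLE_SOURCES);
  if (leaked.length) {
    console.error(`devDependencies referenced from release bundle: ${leaked.join(', ')}`);
  } else {
    console.log('no devDependencies referenced from release bundle');
  }
  return leaked;
}
main();
```

In a real pipeline the bundle sources would be read from the build output directory (for example every .js file under dist/) and a non-empty result would fail the job.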

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore chainsaw@0.1.0

It does seem to be unmaintained, which is not ideal. But the author was substack, a reputable developer who deleted their account intentionally.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore unzipper@0.10.14

This package is supposed to have filesystem access; that is expected and not concerning.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore fstream@1.0.12

It does seem to be unmaintained, but the filesystem access is expected and not concerning.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore buffers@0.1.1
@SocketSecurity ignore traverse@0.3.9

More substack, same situation there.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore agent-base@7.1.0

Geckodriver uses this to make network requests, so it should have network access.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore binary@0.3.0

More substack; also, this one is ancient.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore geckodriver@4.0.4

This package is supposed to have network access, and it uses install scripts to ensure the driver is installed.

@SocketSecurity ignore web-streams-polyfill@3.2.1
@SocketSecurity ignore buffer-indexof-polyfill@1.0.2
@SocketSecurity ignore formdata-polyfill@4.0.10
@SocketSecurity ignore node-domexception@1.0.0
@SocketSecurity ignore listenercount@1.0.1
@SocketSecurity ignore loglevel-plugin-prefix@0.8.4

All unmaintained, not ideal but not a reason to object to their usage in geckodriver.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore registry-url@3.1.0

Another unmaintained package.

@Gudahtt
Member

Gudahtt commented Jun 22, 2023

@SocketSecurity ignore semver@5.4.1
@SocketSecurity ignore semver@5.7.1
@SocketSecurity ignore semver@6.3.0
@SocketSecurity ignore semver@7.0.0
@SocketSecurity ignore semver@7.3.7
@SocketSecurity ignore semver@7.3.8

Regular expression denial of service attacks aren't a concern for our development tools.

Member

@Gudahtt Gudahtt left a comment

LGTM!

@HowardBraham HowardBraham merged commit ed06926 into develop Jun 23, 2023
@HowardBraham HowardBraham deleted the chore/update_geckodriver branch June 23, 2023 04:00
@github-actions github-actions bot locked and limited conversation to collaborators Jun 23, 2023
@metamaskbot metamaskbot added the release-10.34.0 Issue or pull request that will be included in release 10.34.0 label Jun 23, 2023
@HowardBraham HowardBraham added the contributor experience An issue that impacts, or planned improvement to, the contributor experience. label Oct 29, 2024