chore(tools): update geckodriver to 4.0.4 #19558
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring:
Next steps
Take a deeper look at the dependency: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
Remove the package: If you happen to install a dependency that Socket reports as Known Malware, you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider whether there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk: To ignore an alert, reply with a comment starting with
New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎
5d29258 to b0e12e4 (compare)
Codecov Report
@@ Coverage Diff @@
## develop #19558 +/- ##
========================================
Coverage 70.79% 70.79%
========================================
Files 988 988
Lines 38365 38365
Branches 10041 10041
========================================
Hits 27160 27160
Misses 11205 11205
Builds ready [b0e12e4]
Page Load Metrics (1517 ± 33 ms)
Bundle size diffs
b0e12e4 to da4546f (compare)
da4546f to 13c2cbe (compare)
Builds ready [13c2cbe]
Page Load Metrics (1680 ± 35 ms)
Bundle size diffs
LGTM. I'll see if I can resolve the socket-security stuff.
These all look harmless to me, but maybe @legobeat or someone from @MetaMask/supply-chain could take a look? This is a DEV-only dependency, so probably not high priority to investigate -- no lavamoat changes required.
That reminds me... are we sure that our I don't know the Yarn 3 way to do this, but the Yarn 1 way was
@SocketSecurity ignore chainsaw@0.1.0 It does seem to be unmaintained, which is not ideal. But the author was substack, a reputable developer who deleted their account intentionally.
@SocketSecurity ignore unzipper@0.10.14 This package is supposed to have filesystem access; that is expected and not concerning.
@SocketSecurity ignore fstream@1.0.12 It does seem to be unmaintained, but the filesystem access is expected and not concerning.
@SocketSecurity ignore buffers@0.1.1 More substack, same situation there.
@SocketSecurity ignore agent-base@7.1.0 Geckodriver uses this to make network requests, so it should have network access.
@SocketSecurity ignore binary@0.3.0 More substack; also this one is ancient.
@SocketSecurity ignore geckodriver@4.0.4 This package is supposed to have network access, and it uses install scripts to ensure the driver is installed.
@SocketSecurity ignore web-streams-polyfill@3.2.1 All unmaintained, not ideal but not a reason to object to their usage in geckodriver.
@SocketSecurity ignore registry-url@3.1.0 Another unmaintained package.
Regular expression denial of service attacks aren't a concern for our development tools. |
LGTM!
Updating the Firefox testing tool to the newest version