Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency chromedriver to v119 [security] #4280

Merged
merged 1 commit into from
Nov 13, 2023
Merged

chore(deps): update dependency chromedriver to v119 [security] #4280

merged 1 commit into from
Nov 13, 2023

Conversation

renovate-bot
Copy link
Contributor

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
chromedriver 116.0.0 -> 119.0.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-26156

Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.

Note:

An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver.

Release Notes

giggio/node-chromedriver (chromedriver)

v119.0.1

Compare Source

v119.0.0

Compare Source

v118.0.1

Compare Source

v118.0.0

Compare Source

v117.0.3

Compare Source

v117.0.2

Compare Source

v117.0.1

Compare Source

v117.0.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate-bot renovate-bot requested a review from a team November 9, 2023 22:25
@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Nov 9, 2023
@codecov Codecov
Copy link

codecov bot commented Nov 9, 2023
edited
Loading

Codecov Report

Merging #4280 (e657ec6) into main (f5ef8de) will not change coverage.
The diff coverage is n/a.

❗ Current head e657ec6 differs from pull request most recent head f889bed. Consider uploading reports for the commit f889bed to get more accurate results

@@           Coverage Diff           @@
##             main    #4280   +/-   ##
=======================================
  Coverage   92.31%   92.31%           
=======================================
  Files         330      330           
  Lines        9419     9419           
  Branches     1995     1995           
=======================================
  Hits         8695     8695           
  Misses        724      724

@pichlermarc pichlermarc merged commit b41cada into open-telemetry:main Nov 13, 2023
18 checks passed
@renovate-bot renovate-bot deleted the renovate/npm-chromedriver-vulnerability branch November 13, 2023 13:56
dyladan added a commit that referenced this pull request Nov 15, 2023
@dyladan @legendecas
@martinkuba @renovate-bot @seemk @pichlermarc @david-luna @edosrecki @trentm @Lp-Francois @HyunnoH @satazor @ArtAhmetaj @drewcorlin1
Update next branch (#4294)
0f8aa79 
* chore: track package-lock.json (#4238)

* chore: track package-lock.json

* Pin to old versions for node 14

* Use version range

* Remove unused cached directories

* Temporarily disable other tests

* Temporarily enable only api test

* Enable only some packages

* Test only api packages

* Test trace exporters

* Fix line ordering

* Test all packages except otlp exporters

* Add trace http exporter

* Add trace proto exporter

* Test all but grpc exporters

* chore: use npm workspaces and degrade lerna to v6

* chore: get rid of lerna bootstrap

* chore: use npx

* chore: allow install scripts to setup buf

* chore: fix w3c-integration-test cache key

* chore: fix cache key

* chore: disable resource compat test

* chore: fix node_modules assumptions

* chore: fix hoisted karma issue

* chore: fix markdown linter complaints

* chore: lock @grpc/grpc-js to v1.8.21

* Break caches

* chore: remove cache

* chore: fixup inline commands

---------

Co-authored-by: Daniel Dyla <dyladan@users.noreply.github.com>

* docs: fixed link to benchmark results (#4233)

Co-authored-by: Chengzhong Wu <legendecas@gmail.com>

* chore(deps): update all patch versions (#4215)

* fix: otlp json encoding (#4220)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

* fix: remove duplicate export star from version.ts (#4225)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

* docs: fix sdk-node config instructions (#4249)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

* feat(api): publish api esnext target (#4231)

* chore: release API 1.7.0/Core 1.18.0/Experimental 0.45.0 (#4254)

* fix(sdk-metrics): hand-roll MetricAdvice type as older API versions do not include it (#4260)

* chore: prepare release 1.18.1/0.45.1 (#4261)

* chore: no need for 'packages' in "lerna.json" (#4264)

* Benchmark tests for trace OTLP transform and BatchSpanProcessor (#4218)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

* chore: type reference on zone.js (#4257)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

* docs: add docker-compose to run prometheus for the experimental example (#4268)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

* fix(sdk-logs): avoid map attribute set when count limit exceeded (#4195)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

* chore(deps): update dependency chromedriver to v119 [security] (#4280)

* chore(deps): update actions/setup-node action to v4 (#4236)

* fix(sdk-trace-base): processor onStart called with a span having empty attributes (#4277)

Co-authored-by: artahmetaj <artahmetaj@yahoo.com>

* Update fetch instrumentation to be runtime agnostic (#4063)

Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>

---------

Co-authored-by: Chengzhong Wu <legendecas@gmail.com>
Co-authored-by: Martin Kuba <martin@martinkuba.com>
Co-authored-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Siim Kallas <siimkallas@gmail.com>
Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>
Co-authored-by: David Luna <david.luna@elastic.co>
Co-authored-by: Dinko Osrecki <dinko.osrecki@emarsys.com>
Co-authored-by: Trent Mick <trentm@gmail.com>
Co-authored-by: François <32224751+Lp-Francois@users.noreply.github.com>
Co-authored-by: Hyun Oh <hyunnoh01@gmail.com>
Co-authored-by: André Cruz <andremiguelcruz@msn.com>
Co-authored-by: artahmetaj <artahmetaj@yahoo.com>
Co-authored-by: drewcorlin1 <82601620+drewcorlin1@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pichlermarc pichlermarc pichlermarc approved these changes

Assignees

@dyladan dyladan

@legendecas legendecas

@pichlermarc pichlermarc

@blumamir blumamir

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@renovate-bot @pichlermarc @dyladan @legendecas @blumamir