This repository was archived by the owner on Jul 29, 2024. It is now read-only.

Protractor 3.2.2 depends on a vulnerable version of request #3083

Closed
jedrichards opened this issue Apr 1, 2016 · 2 comments

Comments

@jedrichards

Protractor depends on [email protected] which has a vulnerability:

https://snyk.io/vuln/npm:request:20160119

I know this vulnerability is only applicable when request is used in a web app, but any users that are automating vulnerability checking (with Node Security Project, Snyk, etc.) will have failed builds with [email protected].

Maybe you should add some vulnerability checking in your build pipeline? This is the second time in a week I've raised an issue on this project about vulnerable dependencies.

@cnishina
Contributor

cnishina commented Apr 1, 2016

Request dependency is being removed from protractor. It will (in the future #3068) use webdriver-tool as a dependency and it uses 2.69.0. See https://github.com/angular/webdriver-tool/blob/master/package.json

If this issue is causing a problem for your testing, feel free to reopen this bug with an example of the test with logs to show how this is causing a security problem for you. This is already a planned pull request and does not seem to be an issue for the next release of protractor.

@cnishina cnishina closed this as completed Apr 1, 2016
@jedrichards
Author

In this case this isn't a security problem, rather an automation problem. But good news: it looks like it'll naturally go away in the near future. Cheers!
