bin-wrapper is problematic #134
Assignees
Labels
Comments
|
FWIW, using |
|
Further:
|
|
I can take a look at it tomorrow @boneskull |
|
@wswebcreation Any thoughts? If you don't have the cycles, I am happy to work on this. |
boneskull
added a commit
that referenced
this issue
Jan 10, 2022
* initial fix for issue 134 * chore(binWrapper): fix formatting w/ eslint * chore: ignore .vscode * chore: add .prettierrc * test: provide instances export * chore: fix formatting in src/index.js; remove unused var * test: fix binWrapper tests This change removes the `bin-wrapper` mock file, which we no longer need since we no longer use `bin-wrapper`. Instead, it moves the mock for `src/binWrapper.js` into the test file, since this seems to be how we mock local modules (as opposed to dependencies). This is not ideal, because now that `bin-wrapper` is _our_ code, we should not be mocking it at all. It'd make sense to then create a mock for `download`. As a result, `src/binWrapper.js` _has no test coverage_, which is bad. If we want to keep it, we should consider copying (and likely converting to jest) `bin-wrapper`'s tests into our repo. * chore(pkg): update lockfile * test: fix reference to fs/promises, which is different in node v12 * Update src/index.js Co-authored-by: Christopher Hiller <[email protected]> * chore: refactor after feedback * chore: remove consoles * fix: broken var reference - fix bad formatting - refactor generation of `scData` to use `reduce()` - if e2e tests are run outside of CI, use `(local)` instead of `undefined` in the tunnel name * chore: add .eslintignore * fix: simplify and fix chmod behavior 1. we don't need to iterate through `SAUCE_CONNECT_PLATFORM_DATA` because we know what platform we're on. just use the platform as the key and reference it. 2. we don't need to chmod _everything_ to 755 (I think). we _do_ need to ensure the `sc` bin is executable (but not on windows) 3. we don't need to retain the `options` object for anything 4. added a guard against unsupported platforms and a test 5. further simplify `sauceConnectLoader` * test: increase coverage to threshold * test: try to simplify some things Co-authored-by: Christopher Hiller <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
bin-wrapper is seemingly unmaintained. There's a ReDoS vuln in a deep transitive dependency (
semver-regex). Sending a PR to address this problem (tobin-wrapper) is probably futile. Here are our options:bin-wrapperand replace it with something else. That something else might mean "DIY".bin-wrapperwhich has already addressed the vuln, and use that instead (probably unlikely).bin-wrapper, update thebin-version-checkdependency to v5 or newer, and re-publish (under e.g.,@saucelabs/bin-wrapper). However,bin-version-check@5is an ESM-only module, which will probably be painful to deal with.Thoughts? We are getting complaints.
The text was updated successfully, but these errors were encountered: