Vulnerability Warning Tracking Issue

[clydin]

Two project-level development only packages currently produce vulnerability warnings upon package install of a new project.

• Protractor (1 warning) -- dependency webdriver-js-extender uses an outdated version of selenium-webdriver (UPDATE: Protractor 4.5.0 has been released with a fix)

• Karma (2.0: 6 warnings) -- dependency log4js uses an outdated version of loggly. Note also that log4js (and as a result karma) produce the following deprecated package warnings upon install:

  npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See   https://nodemailer.com/status/
  npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
  npm WARN deprecated socks@1.1.10: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
  npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
  npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
  npm WARN deprecated buildmail@4.0.1: This project is unmaintained
  npm WARN deprecated uws@9.14.0: stop using this version
  

[devoto13]

As for Protractor there was a discussion about updating/removing webdriver-js-extender dependency, but it is silent for a while.

[IgorMinar]

We should also clarify that these vulnerabilities are not an actual security threat to Angular developers because they affect only tools used for development and not production code.

Having said that we need to resolve these issues regardless because they are confusing and ruin first time experience for Angular users.

[qiyigg]

webdriver-js-extender cannot be removed since we found it is still active, therefore we have to fix it; however the fix is a breaking change might affect lots of existing tests. We are still trying to collect more information to make sure it is ok to make the change.
The fix PR is here

[brgrz]

So npm audit fix --force is not the way to go? Coz it fixes everything and the builds still work :)

[rajarshi-singh]

Can someone please get the potential PR moving and get it fixed? This is breaking our protractor pipeline because the vulnerability is considered as an "error".

[hodo92]

that work for me :
npm set audit false

[rajarshi-singh]

Since the author of the original PR went on vacation and never came back, I have replicated those changes in a new PR here: angular/webdriver-js-extender#20

Someone please take a look.