Nightmare 3.0.2 fixes Electron 1.8.x security vulnerabilities
Activity
Julian Ladisch September 30, 2019 at 8:03 AM
Nightmare 3.0.2 has been released and contains Electron 2.0.18: https://github.com/segmentio/nightmare/commit/98c842f7969080ee2f2725465c9231b8a312daaf
stripes-testing 1.6.0 has been released and contains Nightmare 3.0.2: https://github.com/folio-org/stripes-testing/commit/2671f3a570bcfa2121f9a978160dc46cf70e9efe
stripes-cli 1.13.0 has been released and contains stripes-testing 1.6.0: https://github.com/folio-org/stripes-cli/commit/7e005b41f5e4a4fa711224ce1d618ce9d65f4cf0
All modules that use Nightmare require stripes-cli with a version spec that allows 1.13.0:
https://github.com/search?l=JSON&p=1&q=org%3Afolio-org+stripes-cli&type=Code
Therefore this issue has been completed successfully.
Khalilah Gambrell July 8, 2019 at 9:33 PM
@Julian Ladisch, has the PR tied to this story been merged?
Zak Burke May 11, 2019 at 1:27 AM
Nice PR, @Julian Ladisch! I see you have already re-opened this issue. I'll look at updating stripes-testing soon.
Zak Burke March 19, 2019 at 12:43 AM
We talked about this at #stripes-architecture last week. Jason's comment above captures nearly every point that came up during the discussion. In particular, it's good to be aware of this as we consider alternatives for managing integration testing, but it does not require immediate action.
Julian Ladisch March 12, 2019 at 2:09 AM (Edited)
Nightmare has 10 pull requests that can be merged from last year; they date from
Oct 10, 2018
Oct 7, 2018
Sep 16, 2018
Sep 16, 2018
Sep 16, 2018
Sep 15, 2018
Jun 15, 2018
May 25, 2018
May 22, 2018
Apr 17, 2018
The electron version bump that fixes the security vulnerabilities is from June 15, 2018.
Neither that pull request nor the other 9 pull requests got any feedback from the maintainers. Therefore I cannot consider Nightmare as being maintained.
When the maintainers say that it is still alive then they can only mean that it is still in use.
stripes-testing depends on nightmare "^3.0.1".
Nightmare 3.0.1 depends on "electron": "^1.8.4".
This resolves to electron 1.8.8, which is the latest 1.8.x version.
The 1.8.x branch is no longer maintained; the last security fix was on 2018-08-22: https://electronjs.org/releases/stable?version=1
The 1.8.x branch is missing fixes for these security vulnerabilities:
BrowserView window.open() Vulnerability https://electronjs.org/blog/window-open-fix
Chromium FileReader Vulnerability (CVE-2019-5786) https://electronjs.org/blog/filereader-fix
The 2.x branch still receives security fixes; the last fix went in in March 2019: https://electronjs.org/releases/stable?version=2
The FOLIO community managed to bump the version of Electron to 2.0.18:
https://github.com/segmentio/nightmare/pull/1534/files
Nightmare 3.0.2 has been released and contains Electron 2.0.18.
stripes-testing should update to this latest Nightmare version.
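The resolution chain described above (stripes-testing "^3.0.1" -> nightmare 3.0.1 "^1.8.4" -> electron 1.8.8) is a consequence of npm's caret-range rule, which never crosses a major version. The following is an added example, not code from the Nightmare, Electron or FOLIO projects: it reimplements caret ("^") semantics without the `semver` package and walks a constructed mini-registry to show that a transitive "^1.8.4" spec stays on the unmaintained 1.x line even when 2.0.18 is published, and that only a new Nightmare release carrying a 2.x spec moves consumers off it. The registry contents are constructed for the demo; the version spec "^2.0.18" attributed to nightmare 3.0.2 is an assumption (the issue only says 3.0.2 contains Electron 2.0.18), and only caret ranges are handled.

```javascript
// Added example (not project code): minimal npm caret-range resolver plus a
// dependency audit that flags packages resolving onto an end-of-life major line.
// Only caret ranges ("^X.Y.Z") are supported; registry data is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of X.Y.Z triples; usable directly as a sort comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rule:
// ^1.8.4 -> <2.0.0, ^0.8.4 -> <0.9.0, ^0.0.4 -> <0.0.5
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are supported: ${range}`);
  const base = range.slice(1);
  const upper = caretUpperBound(parseVersion(base)).join('.');
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
}

// Pick the highest published version inside the range, as npm does.
function resolveRange(range, published) {
  const candidates = published.filter((v) => satisfiesCaret(v, range));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Constructed registry: published versions and the dependency spec each declares.
const REGISTRY = {
  nightmare: {
    '3.0.1': { electron: '^1.8.4' },  // spec quoted in the issue
    '3.0.2': { electron: '^2.0.18' }, // assumed; the issue only says 3.0.2 contains 2.0.18
  },
  electron: {
    '1.8.4': {}, '1.8.8': {}, '2.0.17': {}, '2.0.18': {},
  },
};

// Major lines that no longer receive security fixes (the issue names Electron 1.x).
const EOL_MAJORS = { electron: [1] };

// Resolve every declared spec transitively and report whether each resolved
// version lands on an end-of-life major line.
function auditDependencies(rootDeps, registry = REGISTRY, eolMajors = EOL_MAJORS) {
  const findings = [];
  const stack = Object.entries(rootDeps);
  while (stack.length) {
    const [name, range] = stack.pop();
    const published = Object.keys(registry[name] || {});
    const resolved = resolveRange(range, published);
    if (resolved === null) {
      findings.push({ name, range, resolved: null, eol: false });
      continue;
    }
    const major = parseVersion(resolved)[0];
    const eol = (eolMajors[name] || []).includes(major);
    findings.push({ name, range, resolved, eol });
    stack.push(...Object.entries(registry[name][resolved]));
  }
  return findings;
}

// A direct "^1.8.4" spec resolves to 1.8.8 and is flagged, even though 2.0.18 exists;
// "^3.0.1" on nightmare picks up 3.0.2 and therefore Electron 2.0.18.
console.log(auditDependencies({ electron: '^1.8.4' }));
console.log(auditDependencies({ nightmare: '^3.0.1' }));
```

The second audit is the situation after the Nightmare 3.0.2 release: because stripes-testing's own spec is "^3.0.1", a fresh install already satisfies the fix, which is why the remaining work in the issue is re-releasing stripes-testing and stripes-cli rather than changing the spec. A lockfile that still pins nightmare 3.0.1 would keep the first result until it is regenerated.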