web: Update WebdriverIO to 9.2.2, resolving advisory in `ws` #17539

dependabot · 2024-08-16T15:01:32Z

Bumps ws to 8.18.0 and updates ancestor dependencies ws, @wdio/browserstack-service, @wdio/cli, @wdio/local-runner and webdriverio. These dependencies need to be updated together.

Updates ws from 8.16.0 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

Added support for Blob (#2229).

8.17.1

Bug fixes

Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits

976c53c [dist] 8.18.0
59b9629 [feature] Add support for Blob (#2229)
0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
15f11a0 [security] Add new DoS vulnerability to SECURITY.md
3c56601 [dist] 8.17.1
e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
6a00029 [test] Increase code coverage
ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
b73b118 [dist] 8.17.0
29694a5 [test] Use the highWaterMark variable
Additional commits viewable in compare view

Updates @wdio/browserstack-service from 8.40.2 to 9.0.2

Release notes

Sourced from @wdio/browserstack-service's releases.

... (truncated)

Changelog

Sourced from @wdio/browserstack-service's changelog.

... (truncated)

Commits

e8ae5d8 v9.0.2
ae8ff7e fix(@wdio/browserstack-service): support v9 of WebdriverIO (#13374)
2a869e5 v9.0.1
9576934 v9.0.0
d0cfc16 V9 ai support (#13340)
80779bb breaking(build): migrate to Esbuild for bundling (#13338)
6376d1e fix(docs): change file name of license from LICENSE-MIT to just LICENSE
9dbc8bf fix(webdriverio): remove ts compile issue
33222e0 Support app inside appium options (v9) (#13113)
e5e157e chore: Reload session support (#13085)
Additional commits viewable in compare view

Updates @wdio/cli from 8.40.2 to 9.0.1

Release notes

Sourced from @wdio/cli's releases.

... (truncated)

Changelog

Sourced from @wdio/cli's changelog.

... (truncated)

Commits

2a869e5 v9.0.1
9576934 v9.0.0
a19519f feat(webdriverio): support (se/de)serialization of execute parameters (#13333)
b4cb9e5 chore(deps): bump inquirer from 9.3.6 to 10.1.8 (#13348)
80779bb breaking(build): migrate to Esbuild for bundling (#13338)
6376d1e fix(docs): change file name of license from LICENSE-MIT to just LICENSE
9dbc8bf fix(webdriverio): remove ts compile issue
4ffb3b9 fix(ci): revert inquirer update
65412c2 chore(deps): bump inquirer from 9.3.2 to 10.0.1 (#13168)
43868ec fix(@wdio/types): define browser and element type to namespace
Additional commits viewable in compare view

Updates @wdio/local-runner from 8.40.2 to 9.0.1

Release notes

Sourced from @wdio/local-runner's releases.

... (truncated)

Changelog

Sourced from @wdio/local-runner's changelog.

... (truncated)

Commits

2a869e5 v9.0.1
9576934 v9.0.0
a19519f feat(webdriverio): support (se/de)serialization of execute parameters (#13333)
80779bb breaking(build): migrate to Esbuild for bundling (#13338)
c81171c chore(testing): update Vitest to v2
6376d1e fix(docs): change file name of license from LICENSE-MIT to just LICENSE
3a7b08e breaking(*): better type definitions for capabilities (#12987)
c18713b chore(@wdio/local-runner): fix linting
963ddb9 feat: replace ts-node with tsx, remove autoCompileOpts (#12752)
a46cea2 Support mocking interface for Bidi (#12598)
Additional commits viewable in compare view

Updates webdriverio from 8.40.2 to 9.0.1

Release notes

Sourced from webdriverio's releases.

... (truncated)

Changelog

Sourced from webdriverio's changelog.

torokati44 · 2024-08-16T15:34:25Z

Added ChainablePromiseElement.getElement() calls manually due to API change.

danielhjacobs · 2024-08-16T15:41:47Z

There's a lot more files that would need to be changed. A simpler way to fix this might be to change all the functions in https://github.com/ruffle-rs/ruffle/blob/master/web/packages/selfhosted/test/utils.ts that take a WebdriverIO.Element to take a ChainablePromiseElement, and then add a .getElement to the start of each of those functions.

danielhjacobs · 2024-08-16T15:44:24Z

The other needed change is .getHTML(false); should now be .getHTML({"includeSelectorTag": false});. According to https://github.com/webdriverio/webdriverio/blob/e8ae5d8c577c514f571ae8760df43ea0a17ae7e3/packages/webdriverio/src/commands/element/getHTML.ts#L79, they intended backwards compatibility, but the type definitions don't actually lend themselves to that.

danielhjacobs · 2024-08-16T15:45:20Z

Linux command for that change could maybe be this:

grep -rl 'getHTML(false' | xargs sed -i 's/getHTML(false/getHTML({"includeSelectorTag": false}/g'

danielhjacobs · 2024-08-16T15:58:55Z

While we can change the code to use the new definitions for getHTML, I did open webdriverio/webdriverio#13378

torokati44 · 2024-08-16T16:01:20Z

Is it possible that the ChainablePromiseElement type is not exported? 🤔
I can't see it mentioned in the API reference, or in @wdio/types...

danielhjacobs · 2024-08-16T16:02:51Z

You can use ChainablePromiseElement, it's not WebdriverIO.ChainablePromiseElement

https://github.com/webdriverio/webdriverio/blob/main/packages/webdriverio/src/types.ts#L70

danielhjacobs · 2024-08-16T16:22:55Z

wdio.conf.ts(218,5): error TS2353: Object literal may only specify known properties, and 'capabilities' does not exist in type 'Testrunner'.

We'll need to consult the documentation for this one. https://github.com/webdriverio/webdriverio/releases/tag/v9.0.0 does mention better type definitions for capabilities as a breaking change.

torokati44 · 2024-08-16T16:40:34Z

Yep, and all the examples I've seen for this use a plain object for config, but still with a capabilities key that is an array of objects...

danielhjacobs · 2024-08-16T18:01:37Z

Errors seem to be:

Can't transform classic selector tag name to Bidi selector

danielhjacobs · 2024-08-16T18:07:14Z

Technically, ruffle-player is a valid CSS selector, not <ruffle-player>, so maybe that's the issue. Totally untested though.

torokati44 · 2024-08-16T18:09:41Z

Let's try that!

danielhjacobs · 2024-08-16T18:11:17Z

Note: If that's the issue, the same will be true of <ruffle-object /> and <ruffle-embed /> and <ruffle-object>

danielhjacobs · 2024-08-16T18:27:52Z

Nah, the error seems unrelated to that: https://github.com/ruffle-rs/ruffle/actions/runs/10424284257/job/28872786614?pr=17539#step:11:16287:

message: 'no such element: Unable to locate element: {"method":"tag name","selector":"ruffle-object"}

I also tried these commands locally:

cd web/packages/selfhosted/test/

grep -rl '<ruffle-object />' | xargs sed -i 's/<ruffle-object \/>/ruffle-object/g'

grep -rl '<ruffle-embed />' | xargs sed -i 's/<ruffle-embed \/>/ruffle-embed/g'

grep -rl '<ruffle-object>' | xargs sed -i 's/<ruffle-object>/ruffle-object/g'

After that, I tested this locally with this command:

npm run wdio --headless --chrome

I still got errors.

danielhjacobs · 2024-08-16T18:46:38Z

Actually, my errors are as follows:

[chrome-headless-shell 127.0.6533.119 linux #0-40] AssertionError: expected { error: { …(5) } } to deeply equal [ 'test' ]
[chrome-headless-shell 127.0.6533.119 linux #0-40]     at Context.<anonymous> (/home/dj/work/rust/ruffle_source/ruffle/web/packages/selfhosted/test/integration_tests/external_interface/test.ts:251:32)
[chrome-headless-shell 127.0.6533.119 linux #0-40]
[chrome-headless-shell 127.0.6533.119 linux #0-40] 4) ExternalInterface supports calling a method that doesn't exist
[chrome-headless-shell 127.0.6533.119 linux #0-40] expected 'callMethodWithDelay called with 2 arg…' to deeply equal 'callMethodWithDelay called with 1 arg…'

Which is different to the current errors.

danielhjacobs · 2024-08-16T19:57:06Z

Required commands:

cd web/packages/selfhosted/test/

grep -rl '<ruffle-object />' | xargs sed -i 's/<ruffle-object \/>/ruffle-object/g'

grep -rl '<ruffle-embed />' | xargs sed -i 's/<ruffle-embed \/>/ruffle-embed/g'

grep -rl '<ruffle-object>' | xargs sed -i 's/<ruffle-object>/ruffle-object/g'

grep -rl '<div />' | xargs sed -i 's/<div \/>/div/g'

grep -rl 'includeSelectorTag: false' | xargs sed -i 's/includeSelectorTag: false/includeSelectorTag: false, pierceShadowRoot: false/g'

npm run format

Even then, some things still need updates.

danielhjacobs · 2024-08-16T20:13:00Z

These are the failing files after those changes.

danielhjacobs · 2024-10-16T13:21:38Z

Note: This is now waiting on a fix for webdriverio/webdriverio#13763

torokati44 · 2024-10-28T11:14:20Z

The workaround is no longer needed with wdio 9.2.2, it seems! 🎉 @danielhjacobs

web/packages/selfhosted/wdio.conf.ts

danielhjacobs

Small caveat: I didn't read package-lock.json, as the changes there are incredibly long. We should probably re-generate it soon anyway though, I'm sure it's getting out of date.

torokati44 · 2024-10-28T15:27:43Z

I did exactly that:

cd ruffle/web
rm -rf node_modules/
rm -rf package-lock.json
npm install --save --save-dev --save-peer --keep --keep-dev --keep-peer

danielhjacobs · 2024-10-28T15:29:05Z

Ah, I guess that's why the changes are so long.

torokati44 · 2024-10-28T15:30:32Z

Partly, but there were some major dependency overhauls on wdio 9 itself as well.

Resolving a security advisory in the `ws` indirect dependency. Necessary manual changes: - Follow `getHTML` API change. - Take `ChainablePromiseElement` in utility functions. - Change `config` to `WebdriverIO.Config`. - Use `switchFrame` instead of `switchToFrame`.

torokati44 · 2024-10-28T15:39:24Z

Although I don't love the messages about the unsupported glob and rimraf versions still...

danielhjacobs · 2024-10-28T15:45:49Z

Following the dependency chain down, this is the issue, right: mochajs/mocha#5148?

torokati44 · 2024-10-28T17:09:04Z

Probably, and maybe something else as well.

dependabot bot added A-deps Area: Dependencies javascript Pull requests that update Javascript code labels Aug 16, 2024

dependabot bot mentioned this pull request Aug 16, 2024

build(deps): bump ws, @wdio/browserstack-service, @wdio/cli, @wdio/local-runner and webdriverio in /web #17533

Closed

danielhjacobs mentioned this pull request Aug 16, 2024

web: Update ws manually until new webdriverio major update #17028

Open

dependabot bot force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from 5857258 to 75b408f Compare August 16, 2024 15:15

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from 75b408f to 5680a02 Compare August 16, 2024 15:34

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from 5680a02 to 7c52db6 Compare August 16, 2024 16:11

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from 7c52db6 to e59bcfa Compare August 16, 2024 16:39

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch 2 times, most recently from bee03b9 to 8dc02c5 Compare August 16, 2024 17:02

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from 8dc02c5 to 35becf4 Compare August 16, 2024 18:09

danielhjacobs force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from 94770db to a067ead Compare August 16, 2024 20:50

torokati44 mentioned this pull request Aug 19, 2024

build(deps-dev): bump @wdio/browserstack-service from 8.40.2 to 9.0.4 in /web #17571

Merged

This was referenced Oct 14, 2024

build(deps-dev): bump webdriverio from 8.40.2 to 9.2.1 in /web #18269

Closed

build(deps-dev): bump @wdio/cli from 8.40.2 to 9.2.1 in /web #18267

Closed

build(deps-dev): bump @wdio/local-runner from 8.40.2 to 9.2.1 in /web #18268

Closed

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch 2 times, most recently from 2cb3e47 to c00bffc Compare October 14, 2024 15:06

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch 2 times, most recently from ce068b9 to a86adcd Compare October 28, 2024 10:56

danielhjacobs reviewed Oct 28, 2024

View reviewed changes

web/packages/selfhosted/wdio.conf.ts Outdated Show resolved Hide resolved

This was referenced Oct 28, 2024

build(deps-dev): bump @wdio/cli from 8.40.2 to 9.2.2 in /web #18401

Closed

build(deps-dev): bump webdriverio from 8.40.2 to 9.2.2 in /web #18403

Closed

build(deps-dev): bump @wdio/local-runner from 8.40.2 to 9.2.2 in /web #18402

Closed

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from a86adcd to e0540fd Compare October 28, 2024 14:50

torokati44 changed the title ~~Update webdriverio to 9.x, resolve ws advisory~~ web: Update webdriverio to 9.x, resolve ws advisory Oct 28, 2024

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from e0540fd to 201c2e6 Compare October 28, 2024 14:59

torokati44 changed the title ~~web: Update webdriverio to 9.x, resolve ws advisory~~ web: Update WebdriverIO to 9.2.2, resolving advisory in ws Oct 28, 2024

torokati44 marked this pull request as ready for review October 28, 2024 15:00

torokati44 requested a review from danielhjacobs October 28, 2024 15:01

danielhjacobs approved these changes Oct 28, 2024

View reviewed changes

torokati44 force-pushed the dependabot/npm_and_yarn/web/multi-4318a9323b branch from 201c2e6 to b9f695e Compare October 28, 2024 15:30

danielhjacobs merged commit 1bc1130 into master Oct 28, 2024
20 checks passed

dependabot bot deleted the dependabot/npm_and_yarn/web/multi-4318a9323b branch October 28, 2024 17:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

web: Update WebdriverIO to 9.2.2, resolving advisory in `ws` #17539

web: Update WebdriverIO to 9.2.2, resolving advisory in `ws` #17539

dependabot bot commented on behalf of github Aug 16, 2024 •

edited

Loading

torokati44 commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024

torokati44 commented Aug 16, 2024

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024

torokati44 commented Aug 16, 2024

danielhjacobs commented Aug 16, 2024

danielhjacobs commented Aug 16, 2024

torokati44 commented Aug 16, 2024

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Oct 16, 2024

torokati44 commented Oct 28, 2024

danielhjacobs left a comment

torokati44 commented Oct 28, 2024

danielhjacobs commented Oct 28, 2024

torokati44 commented Oct 28, 2024

torokati44 commented Oct 28, 2024

danielhjacobs commented Oct 28, 2024

torokati44 commented Oct 28, 2024

web: Update WebdriverIO to 9.2.2, resolving advisory in ws #17539

web: Update WebdriverIO to 9.2.2, resolving advisory in ws #17539

Conversation

dependabot bot commented on behalf of github Aug 16, 2024 • edited Loading

8.18.0

Features

8.17.1

Bug fixes

v9.0.2 (2024-08-16)

🐛 Bug Fix

Committers: 2

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

v9.0.2 (2024-08-16)

🐛 Bug Fix

Committers: 2

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

💅 Polish

🏠 Internal

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

💅 Polish

🏠 Internal

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

💅 Polish

🏠 Internal

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

💅 Polish

🏠 Internal

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

💅 Polish

🏠 Internal

v9.0.1 (2024-08-15)

🐛 Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

💥 Breaking Change

🚀 New Feature

🐛 Bug Fix

web: Update WebdriverIO to 9.2.2, resolving advisory in `ws` #17539

web: Update WebdriverIO to 9.2.2, resolving advisory in `ws` #17539

dependabot bot commented on behalf of github Aug 16, 2024 •

edited

Loading

torokati44 commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading

danielhjacobs commented Aug 16, 2024 •

edited

Loading