Update webdriverio to 9.x, resolve ws advisory

Open dependabot[bot] opened this issue 1 year ago • 23 comments

Bumps ws to 8.18.0 and updates ancestor dependencies ws, @wdio/browserstack-service, @wdio/cli, @wdio/local-runner and webdriverio. These dependencies need to be updated together.

Updates ws from 8.16.0 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits
  • 976c53c [dist] 8.18.0
  • 59b9629 [feature] Add support for Blob (#2229)
  • 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
  • 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • Additional commits viewable in compare view

Updates @wdio/browserstack-service from 8.40.2 to 9.0.2

Release notes

Sourced from @​wdio/browserstack-service's releases.

v9.0.2 (2024-08-16)

:bug: Bug Fix

Committers: 2

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

... (truncated)

Changelog

Sourced from @​wdio/browserstack-service's changelog.

v9.0.2 (2024-08-16)

:bug: Bug Fix

Committers: 2

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

  • wdio-appium-service

... (truncated)

Commits

Updates @wdio/cli from 8.40.2 to 9.0.1

Release notes

Sourced from @​wdio/cli's releases.

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

:nail_care: Polish

  • webdriver
  • wdio-cli, wdio-config, wdio-local-runner, wdio-runner, wdio-types, webdriverio

:house: Internal

... (truncated)

Changelog

Sourced from @​wdio/cli's changelog.

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

:nail_care: Polish

  • webdriver
  • wdio-cli, wdio-config, wdio-local-runner, wdio-runner, wdio-types, webdriverio

:house: Internal

... (truncated)

Commits
  • 2a869e5 v9.0.1
  • 9576934 v9.0.0
  • a19519f feat(webdriverio): support (se/de)serialization of execute parameters (#13333)
  • b4cb9e5 chore(deps): bump inquirer from 9.3.6 to 10.1.8 (#13348)
  • 80779bb breaking(build): migrate to Esbuild for bundling (#13338)
  • 6376d1e fix(docs): change file name of license from LICENSE-MIT to just LICENSE
  • 9dbc8bf fix(webdriverio): remove ts compile issue
  • 4ffb3b9 fix(ci): revert inquirer update
  • 65412c2 chore(deps): bump inquirer from 9.3.2 to 10.0.1 (#13168)
  • 43868ec fix(@​wdio/types): define browser and element type to namespace
  • Additional commits viewable in compare view

Updates @wdio/local-runner from 8.40.2 to 9.0.1

Release notes

Sourced from @​wdio/local-runner's releases.

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

:nail_care: Polish

  • webdriver
  • wdio-cli, wdio-config, wdio-local-runner, wdio-runner, wdio-types, webdriverio

:house: Internal

... (truncated)

Changelog

Sourced from @​wdio/local-runner's changelog.

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

:nail_care: Polish

  • webdriver
  • wdio-cli, wdio-config, wdio-local-runner, wdio-runner, wdio-types, webdriverio

:house: Internal

... (truncated)

Commits
  • 2a869e5 v9.0.1
  • 9576934 v9.0.0
  • a19519f feat(webdriverio): support (se/de)serialization of execute parameters (#13333)
  • 80779bb breaking(build): migrate to Esbuild for bundling (#13338)
  • c81171c chore(testing): update Vitest to v2
  • 6376d1e fix(docs): change file name of license from LICENSE-MIT to just LICENSE
  • 3a7b08e breaking(*): better type definitions for capabilities (#12987)
  • c18713b chore(@​wdio/local-runner): fix linting
  • 963ddb9 feat: replace ts-node with tsx, remove autoCompileOpts (#12752)
  • a46cea2 Support mocking interface for Bidi (#12598)
  • Additional commits viewable in compare view

Updates webdriverio from 8.40.2 to 9.0.1

Release notes

Sourced from webdriverio's releases.

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

:nail_care: Polish

  • webdriver
  • wdio-cli, wdio-config, wdio-local-runner, wdio-runner, wdio-types, webdriverio

:house: Internal

... (truncated)

Changelog

Sourced from webdriverio's changelog.

v9.0.1 (2024-08-15)

:bug: Bug Fix

Committers: 1

v9.0.0 (2024-08-15)

:boom: Breaking Change

  • wdio-cli, wdio-devtools-service, wdio-lighthouse-service, wdio-utils, webdriver, webdriverio
  • wdio-allure-reporter, wdio-appium-service, wdio-browser-runner, wdio-browserstack-service, wdio-cli, wdio-concise-reporter, wdio-config, wdio-cucumber-framework, wdio-devtools-service, wdio-firefox-profile-service, wdio-jasmine-framework, wdio-json-reporter, wdio-junit-reporter, wdio-local-runner, wdio-mocha-framework, wdio-reporter, wdio-runner, wdio-sauce-service, wdio-shared-store-service, wdio-spec-reporter, wdio-testingbot-service, wdio-types, wdio-utils, wdio-webdriver-mock-service, webdriver, webdriverio
  • @wdio/protocols

:rocket: New Feature

:bug: Bug Fix

dependabot[bot] avatar Aug 16 '24 15:08 dependabot[bot]
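
Added example, not part of the dependabot notes or of the ws or ruffle code: ws arrives here as a transitive dependency, so one lockfile can hold several copies at different versions. The sketch below walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and lists every installed `ws` copy on the 8.x line older than 8.17.1, the release whose notes above record the DoS fix. The function names and the sample lockfile are constructed for illustration, and other major lines of ws are not checked.

```javascript
'use strict';

// First 8.x release carrying the DoS fix, per the release notes quoted above.
const FIXED_8X = [8, 17, 1];

// Parse "8.16.0" into [8, 16, 0]; pre-release tags are ignored.
// Returns null when the value is missing or not semver-like.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before triple b.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed copy of ws 8.x older than 8.17.1, including copies
// nested under another package's node_modules. Matching on the path suffix
// keeps look-alike names such as @types/ws out of the result.
function findUnpatchedWs(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/ws$/.test(path)) continue;
    const v = parseVersion(entry.version);
    if (v && v[0] === 8 && lessThan(v, FIXED_8X)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from the ruffle repository).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example' },
    'node_modules/ws': { version: '8.18.0' },
    'node_modules/webdriver/node_modules/ws': { version: '8.16.0' },
    'node_modules/puppeteer-core/node_modules/ws': { version: '8.17.1' },
    'node_modules/@types/ws': { version: '8.5.10' },
    'node_modules/ws-example-helper': { version: '8.0.0' },
  },
};

for (const f of findUnpatchedWs(sampleLock)) {
  console.log(`${f.path}: ws ${f.version} is older than 8.17.1`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findUnpatchedWs` in place of `sampleLock`.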

Added ChainablePromiseElement.getElement() calls manually due to API change.

torokati44 avatar Aug 16 '24 15:08 torokati44

There's a lot more files that would need to be changed. A simpler way to fix this might be to change all the functions in https://github.com/ruffle-rs/ruffle/blob/master/web/packages/selfhosted/test/utils.ts that take a WebdriverIO.Element to take a ChainablePromiseElement, and then add a .getElement to the start of each of those functions.

danielhjacobs avatar Aug 16 '24 15:08 danielhjacobs

The other needed change is .getHTML(false); should now be .getHTML({"includeSelectorTag": false});. According to https://github.com/webdriverio/webdriverio/blob/e8ae5d8c577c514f571ae8760df43ea0a17ae7e3/packages/webdriverio/src/commands/element/getHTML.ts#L79, they intended backwards compatibility, but the type definitions don't actually lend themselves to that.

danielhjacobs avatar Aug 16 '24 15:08 danielhjacobs

Linux command for that change could maybe be this:

grep -rl 'getHTML(false' | xargs sed -i 's/getHTML(false/getHTML({"includeSelectorTag": false}/g'

danielhjacobs avatar Aug 16 '24 15:08 danielhjacobs

While we can change the code to use the new definitions for getHTML, I did open https://github.com/webdriverio/webdriverio/issues/13378

danielhjacobs avatar Aug 16 '24 15:08 danielhjacobs

Is it possible that the ChainablePromiseElement type is not exported? :thinking: I can't see it mentioned in the API reference, or in @wdio/types...

torokati44 avatar Aug 16 '24 16:08 torokati44

You can use ChainablePromiseElement, it's not WebdriverIO.ChainablePromiseElement

https://github.com/webdriverio/webdriverio/blob/main/packages/webdriverio/src/types.ts#L70

danielhjacobs avatar Aug 16 '24 16:08 danielhjacobs

wdio.conf.ts(218,5): error TS2353: Object literal may only specify known properties, and 'capabilities' does not exist in type 'Testrunner'.

We'll need to consult the documentation for this one. https://github.com/webdriverio/webdriverio/releases/tag/v9.0.0 does mention better type definitions for capabilities as a breaking change.

danielhjacobs avatar Aug 16 '24 16:08 danielhjacobs

> We'll need to consult the documentation for this one. https://github.com/webdriverio/webdriverio/releases/tag/v9.0.0 does mention better type definitions for capabilities as a breaking change.

Yep, and all the examples I've seen for this use a plain object for config, but still with a capabilities key that is an array of objects...

torokati44 avatar Aug 16 '24 16:08 torokati44

Errors seem to be:

Can't transform classic selector tag name to Bidi selector

danielhjacobs avatar Aug 16 '24 18:08 danielhjacobs

Technically, ruffle-player is a valid CSS selector, not <ruffle-player>, so maybe that's the issue. Totally untested though.

danielhjacobs avatar Aug 16 '24 18:08 danielhjacobs

Let's try that!

torokati44 avatar Aug 16 '24 18:08 torokati44

Note: If that's the issue, the same will be true of <ruffle-object /> and <ruffle-embed /> and <ruffle-object>

danielhjacobs avatar Aug 16 '24 18:08 danielhjacobs

Nah, the error seems unrelated to that: https://github.com/ruffle-rs/ruffle/actions/runs/10424284257/job/28872786614?pr=17539#step:11:16287:

message: 'no such element: Unable to locate element: {"method":"tag name","selector":"ruffle-object"}

I also tried these commands locally:

cd web/packages/selfhosted/test/

grep -rl '<ruffle-object />' | xargs sed -i 's/<ruffle-object \/>/ruffle-object/g'

grep -rl '<ruffle-embed />' | xargs sed -i 's/<ruffle-embed \/>/ruffle-embed/g'

grep -rl '<ruffle-object>' | xargs sed -i 's/<ruffle-object>/ruffle-object/g'

After that, I tested this locally with this command:

npm run wdio --headless --chrome

I still got errors.

danielhjacobs avatar Aug 16 '24 18:08 danielhjacobs

Actually, my errors are as follows:

[chrome-headless-shell 127.0.6533.119 linux #0-40] AssertionError: expected { error: { …(5) } } to deeply equal [ 'test' ]
[chrome-headless-shell 127.0.6533.119 linux #0-40]     at Context.<anonymous> (/home/dj/work/rust/ruffle_source/ruffle/web/packages/selfhosted/test/integration_tests/external_interface/test.ts:251:32)
[chrome-headless-shell 127.0.6533.119 linux #0-40]
[chrome-headless-shell 127.0.6533.119 linux #0-40] 4) ExternalInterface supports calling a method that doesn't exist
[chrome-headless-shell 127.0.6533.119 linux #0-40] expected 'callMethodWithDelay called with 2 arg…' to deeply equal 'callMethodWithDelay called with 1 arg…'      

Which is different to the current errors.

danielhjacobs avatar Aug 16 '24 18:08 danielhjacobs

Required commands:

cd web/packages/selfhosted/test/

grep -rl '<ruffle-object />' | xargs sed -i 's/<ruffle-object \/>/ruffle-object/g'

grep -rl '<ruffle-embed />' | xargs sed -i 's/<ruffle-embed \/>/ruffle-embed/g'

grep -rl '<ruffle-object>' | xargs sed -i 's/<ruffle-object>/ruffle-object/g'

grep -rl '<div />' | xargs sed -i 's/<div \/>/div/g'

grep -rl 'includeSelectorTag: false' | xargs sed -i 's/includeSelectorTag: false/includeSelectorTag: false, pierceShadowRoot: false/g'

npm run format

Even then, some things still need updates.

danielhjacobs avatar Aug 16 '24 19:08 danielhjacobs

Currently blocked on https://github.com/webdriverio/webdriverio/issues/13218, I believe.

torokati44 avatar Aug 20 '24 19:08 torokati44

That's the blocker for 4 of the 5 tests I believe, yes. I tried working around it in a few ways but the workarounds seem to have their own bugs.

The blocker for the ExternalInterface test may just be that I don't know how to properly make the changes to that test.

danielhjacobs avatar Aug 21 '24 18:08 danielhjacobs

https://github.com/ruffle-rs/ruffle/pull/17539/commits/656a068392e651d6f6adca21fd7d2097b04aaac0 works around the webdriverio frame switching issue but it makes the code much more complicated.

test/integration_tests/external_interface/test.ts is still failing.

danielhjacobs avatar Aug 22 '24 20:08 danielhjacobs

Opened https://github.com/webdriverio/webdriverio/issues/13444 for the remaining issue

Dinnerbone avatar Aug 23 '24 18:08 Dinnerbone

Pushed fix for EI test just as proof of concept. Converted to draft. Ideally, https://github.com/webdriverio/webdriverio/issues/13218 and https://github.com/webdriverio/webdriverio/issues/13444 will be fixed, we'll drop the latest two commits, bump to the version of webdriverio and related dependencies with the fixes, and then mark this as ready for review.

danielhjacobs avatar Aug 23 '24 19:08 danielhjacobs

At least we now know that the workarounds indeed work(around)!

torokati44 avatar Aug 23 '24 21:08 torokati44

Since https://github.com/webdriverio/webdriverio/issues/13444 got fixed, I dropped the commit that worked around it.

torokati44 avatar Sep 05 '24 16:09 torokati44

I wonder whether updating to 9.1.1 would make fewer workarounds and hacks necessary... 🤔

torokati44 avatar Sep 26 '24 22:09 torokati44

I actually tried that locally earlier today. At the very least doing so and then checking out https://github.com/ruffle-rs/ruffle/pull/17539/commits/de5be7c42228844aa0aae4b20a926ff82dda019b didn't let the frame/iframe tests pass.

danielhjacobs avatar Sep 26 '24 22:09 danielhjacobs

We're down to one unresolved upstream issue, with a workaround for it in a single commit that should be easily revertable later, affecting just ~~4~~ 2 tests.

torokati44 avatar Oct 11 '24 10:10 torokati44

Note: This is now waiting on a fix for https://github.com/webdriverio/webdriverio/issues/13763

danielhjacobs avatar Oct 16 '24 13:10 danielhjacobs

The workaround is no longer needed with wdio 9.2.2, it seems! :tada: @danielhjacobs

torokati44 avatar Oct 28 '24 11:10 torokati44

> We should probably re-generate it soon anyway though, I'm sure it's getting out of date.

I did exactly that:

cd ruffle/web
rm -rf node_modules/
rm -rf package-lock.json
npm install --save --save-dev --save-peer --keep --keep-dev --keep-peer

torokati44 avatar Oct 28 '24 15:10 torokati44