Chrome Launcher version 0.10.4 represents a refined iteration of the popular utility designed to effortlessly launch Chrome with its DevTools Protocol port exposed. This version builds upon the foundation laid by the previous stable release, 0.10.2, offering subtle but impactful enhancements for developers leveraging Chrome's debugging capabilities.
At its core, Chrome Launcher simplifies the process of programmatically spinning up Chrome instances, eliminating the need for manual configuration and ensuring a consistent and reliable environment for testing and automation. Both versions share a common set of dependencies, including is-wsl, mkdirp, rimraf, @types/node, @types/mkdirp, @types/rimraf, @types/core-js, and lighthouse-logger, guaranteeing a stable and compatible ecosystem.
The key difference between the two versions lies in their development dependencies. Both use tools like nyc, mocha, sinon, @types/mocha, @types/sinon, and clang-format, but version 0.10.4 upgrades ts-node to version 4.1.0 and typescript to version 2.7.1, whereas version 0.10.2 uses ts-node 3.0.4 and typescript 2.2.1. These updates likely incorporate bug fixes, performance improvements, and new features within the TypeScript development workflow, ultimately resulting in a more robust and efficient development experience. Furthermore, the release date marks a significant gap, with version 0.10.4 arriving in September 2018, several months after version 0.10.2 in January 2018, suggesting a period of continued development and refinement. Developers will appreciate the stability and ease of use brought by Chrome Launcher, regardless of the chosen version.
All the vulnerabilities related to the version 0.10.4 of the package
chrome-launcher subject to OS Command Injection
chrome-launcher prior to 0.13.2 is subject to OS Command Injection via the $HOME environment variable in Linux operating systems. This issue is patched in version 0.13.2.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
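The pattern behind both minimist advisories above, as an added example that is neither minimist's source nor its actual patch: a simplified dotted-key setter in its unfiltered form beside a hardened one. The names setKeyUnsafe, setKeySafe, parseArgs and pollutes, and the sample arguments, are constructed for illustration.

```javascript
// Added illustration; not minimist's source. All names are hypothetical.

// Unfiltered pattern: walks a dotted path without checking segment names.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key]; // for "__proto__" this is Object.prototype, not a new object
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened pattern: refuse prototype-chain segments, descend into own objects only.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Minimal "--a.b=value" parser that delegates assignment to setKey.
function parseArgs(args, setKey) {
  const out = {};
  for (const arg of args) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// True if parsing args with setKey leaks property y onto unrelated objects.
function pollutes(setKey, args) {
  try {
    parseArgs(args, setKey);
    return ({}).y !== undefined;
  } finally {
    delete Object.prototype.y; // restore the shared prototype
  }
}

const sampleArgs = ['--__proto__.y=Polluted', '--port=9222']; // constructed
console.log('unfiltered setter pollutes:', pollutes(setKeyUnsafe, sampleArgs));
console.log('hardened setter pollutes:', pollutes(setKeySafe, sampleArgs));
```

The same probe, a fresh object checked for an unexpected inherited property after parsing, works as a regression test against whichever argument parser a project actually ships.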