Chrome Launcher, a Node.js module designed to programmatically launch Google Chrome with the DevTools protocol port open, saw a minor version update from 0.2.0 to 0.2.1. Both versions maintain the core functionality of streamlining Chrome launching for automated testing and development workflows, crucial for projects like Lighthouse and other tools leveraging Chrome's remote debugging capabilities.
The key difference lies in the augmented dependency list of version 0.2.1. It introduces two new runtime dependencies: mkdirp and rimraf. mkdirp likely addresses the need for creating directories recursively, ensuring the existence of necessary file paths during Chrome's launch or profile management. rimraf is probably used to forcefully remove files or directories, potentially for cleaning up temporary Chrome instances or cached data, guaranteeing a clean environment for each testing run. These dependencies can be useful for developers that use the library as they make sure the library has no issues related to operating system file system specific calls and behaves smoothly.
Developers upgrading to 0.2.1 can expect enhanced robustness in handling file system operations during Chrome launching, potentially reducing errors related to directory creation or cleanup. While the core API remains consistent, this update offers improved stability and reliability, especially in diverse environments.
All the vulnerabilities related to the version 0.2.1 of the package
chrome-launcher subject to OS Command Injection
chrome-launcher prior to 0.13.2 is subject to OS Command Injection via the $HOME environment variable in Linux operating systems. This issue is patched in version 0.13.2.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
