Prototype Pollution vulnerability through outdated yargs package

[JanErikGunnar]

Hi there!

Bug report

• Node Version: 12.14.1
• Protractor Version: 5.4.4
• Angular Version: 1.7.9
• Browser(s): N/A
• Operating System and Version macOS 10.15.4

Protractor 5.4.4 has a dependency of "yargs", ^12.0.5.
The newest "yargs" that satisfies this dependency is 12.0.5. (The latest being 15.3.1)
"yargs" in turn has a dependency of "yargs-parser", ^11.1.1.
The newest "yargs-parser" that satisfies this dependency is 11.1.1 (the latest being 18.1.3).
This version of yargs parser has a low severity security issue, "Prototype pollution", referring to https://npmjs.com/advisories/1500 .

[alan-agius4]

Closed via #5432

We’ll cut a release next week.

[pittgoose]

@alan-agius4 is this going to be released as 5.4.5, or do I have to upgrade to 7.0.0?

[alan-agius4]

@pittgoose, the fix is available in version 7.0.0.

Essentially the differences between v5 and v7 are;

• dropping support for Node.Js version 6 and 8.
• remove element explorer, which is incompatible with Node.JS 8+

[vsravuri]

@alan-agius4 @kyliau Any plan to release Selenium4 compatible version of Protractor in near future? I saw a comment on #5436 which says
Protractor 6 has been deprecated.