https://github.com/wikimedia/mediawiki/network/alert/package-lock.json/cryptiles/open

https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

The NPM package cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

• > cryptiles 3.1.4.
  • > hawk 6.0.2 requires cryptiles 3.x.x
    • > request 2.83.0 requires hawk ~6.0.2 (‽ see below)
      • > mwbot 1.0.10 requires request ^2.75.0
        • > wdio-mediawiki (local) requires mw bot 1.0.10 (direct requirement)
      • > wdio-sauce-service 0.4.15 requires request ^2.88.0 (direct requirement)
      • > webdriverio 4.12.0 requires request ~2.83.0 (direct requirement)

hawk is deprecated, replaced by @hapi/hawk, but anyway we're currently using the almost-latest version of request, which [[https://github.com/request/request/commit/a6741d415aba31cd01e9c4544c96f84ea6ed11e3#diff-aebcbf97ec318328efd650f5aa2f7b11|since 2.87.0 has a local version of hawk]] that it is somehow not using?

Pinging @zeljkofilipin, as this is a browser tests dependency issue.

See https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/519157 for some fiddling.

See https://gerrit.wikimedia.org/r/c/mediawiki/core/+/519158 too.

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/521269 merged.

Change 519157 abandoned by Jforrester:
[DNM] build: Experimentally fiddle with packages to purge cryptiles

https://gerrit.wikimedia.org/r/519157

Change 519158 abandoned by Jforrester:
[DNM] build: Re-build package-lock.json for demo purposes

https://gerrit.wikimedia.org/r/519158