CVE-2023-28155 wedriver-manager depends on vulnerable version of protractor

[tambor81]

Currently the following CVE is affecting our daily build because of this CVE-2023-28155:

$ npm audit
# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install protractor@3.3.0, which is a breaking change
node_modules/request
  webdriver-manager  *
  Depends on vulnerable versions of request
  node_modules/webdriver-manager
    protractor  >=4.0.0
    Depends on vulnerable versions of webdriver-manager
    node_modules/protractor
      @angular-devkit/build-angular  >=0.1100.0-next.0
      Depends on vulnerable versions of protractor
      node_modules/@angular-devkit/build-angular

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Can someone update this and remove this vulnerable dependency?

[DavidViillanueva]

I'm with the same problem

[tambor81]

I made a PR for fixing the xml2js patched on version 0.5.0
how do I get it approved?

[CQL111]

Is there a solution to this?

[bmo-at]

Seems like this has been abandoned. Protractor is end-of-life as of August 2023, so this seems unlikely to be fixed.