Component Governance failed, need to update bl dependency

[jonthysell]

Vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2020-8244

yarn why bl:

=> Found "[email protected]"
info Reasons this module exists
   - "_project_#appium-base-driver#appium-support#archiver#tar-stream" depends on it
   - Hoisted from "_project_#appium-base-driver#appium-support#archiver#tar-stream#bl"

=> Found "webdriverio#[email protected]"
info Reasons this module exists
   - "_project_#e2etest#webdriverio#archiver#tar-stream" depends on it
   - Hoisted from "_project_#e2etest#webdriverio#archiver#tar-stream#bl"

[email protected] has the fix.
[email protected] has the fix.

[email protected] has the fix and [email protected] have the fix, but we are using very old versions of both ([email protected] and [email protected]). We will need to upgrade both.

[email protected] has the fix but we're on 5.12.1. We need to upgrade webdriverio (and the wdio/* packages) for all of our packages from v5 to v6, or submit a fix to v5 and upgrade to the latest v5 when they release.

This is blocking codesigning.

[NickGerleman]

@jonthysell we can't upgrade wdio packages right now because we use some forked version of webdriverio that breaks on newer bits.

You'll probably need to add a selective dependency resolution like we did for some other packages. See "resolutions" in the root package.json.

[acoates-ms]

Where are we on getting a fix to the wdio package? We're going to hit an issue here too enough where we need a new version for something.

[NickGerleman]

Good question for @kmelmon since he owns E2ETest.

#3019 has the history of the issue, but this might be worth massaging into a new issue.

We might be able to just install WinAppDriver 1.2rc as part of CI setup to allow us to use the unforked version.

[kmelmon]

It would be best if we can get winappdriver 1.2 out of RC and officially released. I asked the owners about this recently and they said they would be willing to do so. I'll spin up a thread with Dustin about it.