
[APS-19415][APS-19417] fix: bump browserstack-local + override critical transitive CVEs#34

Open
Rohannagariya1 wants to merge 1 commit into browserstack:master from Rohannagariya1:fix/APS-19415-19417-browserstack-local-and-transitive-cves

Conversation

@Rohannagariya1


Security Fix: APS-19415 + APS-19417 (combined)

This single PR addresses two linked findings on this repo. Full protractor -> Playwright/WebdriverIO migration is out of scope (tracked in APPSEC-409); this PR is the interim CVE-clearing fix.

APS-19415 — browserstack-local command injection (GHSA-g4w6-c99w-4wh7, Medium)

  • package.json declared browserstack-local: ^1.0.0, resolving to <=1.5.8 (vulnerable; command injection via unsanitized logfile option).
  • Fix: narrowed to ^1.5.11. Lock now resolves 1.5.13 (latest 1.x). Clears the CVE and removes the dangerously broad 1.x range.

APS-19417 — EOL protractor pulls critical transitive CVEs (High) — INTERIM

  • Protractor ^5.4.4 is EOL (Aug 2023) and drags in json-schema <0.4.0 (GHSA-896r-f27r-55mw, critical) and minimist 1.0.0–1.2.5 (GHSA-xvch-5gv4-984h, critical).
  • Fix (interim): added npm overrides forcing json-schema >=0.4.0 and minimist >=1.2.6. Lock now resolves json-schema 0.4.0 and minimist 1.2.8.
  • Protractor itself is not removed/replaced here (migration is a separate sprint — APPSEC-409).
   "dependencies": {
-    "browserstack-local": "^1.0.0",
+    "browserstack-local": "^1.5.11",
     "protractor": "^5.4.4"
   },
+  "overrides": {
+    "json-schema": ">=0.4.0",
+    "minimist": ">=1.2.6"
+  },
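Review bot: The overrides use open-ended `>=` floors (`"json-schema": ">=0.4.0"`, `"minimist": ">=1.2.6"`), so a future install without the lock could float either package to a new major; since the description already verifies 0.4.0 and 1.2.8, consider pinning the overrides to those exact versions or a caret range so the resolution the audit was run against stays reproducible. The hunk also shows only package.json; the package-lock.json diff that the description calls the verification evidence is not visible here, so confirm it is part of the commit.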

Validation — npm audit before vs after (lock refreshed via npm install --package-lock-only)

Finding                             Before                    After
Total                               27                        23
Critical                            5                         2
High                                8                         8
browserstack-local                  moderate (<=1.5.8)        CLEARED (1.5.13)
json-schema                         critical (<0.4.0)         CLEARED (0.4.0)
jsprim (depends on json-schema)     critical                  CLEARED
minimist                            critical (1.0.0–1.2.5)    CLEARED (1.2.8)

Critical set went from [form-data, json-schema, jsprim, minimist, request] -> [form-data, request]. The 3 targeted findings (browserstack-local, json-schema, minimist) plus jsprim are fully cleared.

Remaining form-data + request criticals are protractor's own deep transitive chain (protractor -> webdriver-manager -> request -> form-data) and cannot be cleared without removing protractor — that requires the APPSEC-409 migration and is out of scope for this interim fix.

Testing

  • npm install --package-lock-only refresh: PASS (exit 0); lock verified to resolve the bumped/overridden versions.
  • npm audit before/after: captured above; targeted CVEs cleared.
  • BLOCKED(protractor-EOL): a live sample-test run against BrowserStack was not executed — protractor 5.x's EOL toolchain (webdriver-manager + standalone selenium/chromedriver downloads) is not reliably runnable in this environment. The audit-clearing + lock verification is the security evidence per the remediation guidance.

Jira Tickets

Checklist

  • browserstack-local CVE cleared (1.5.13)
  • json-schema + minimist critical transitives cleared via overrides
  • Lock refreshed and verified
  • npm audit before/after captured
  • Live BrowserStack session (BLOCKED — protractor EOL toolchain)
  • protractor -> Playwright migration (follow-up, APPSEC-409)
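The PR relies on inspecting the refreshed lock to confirm the override and the range bump actually took effect. Below is an added example (not code from this PR or the browserstack repo) of automating that check over a lockfileVersion 2/3 `packages` map: every copy of an overridden package, including nested ones under another dependency's `node_modules`, must satisfy its range. The lock object is constructed here to show the check firing on a nested copy the override missed; the range parser only understands the `>=x.y.z` and `^x.y.z` forms used in this PR.

```javascript
// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Build a predicate for the two range shapes this PR uses:
// ">=x.y.z" (any later version) and "^x.y.z" (later, same major only).
function satisfies(range) {
  const m = /^(>=|\^)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1], floor = parseVersion(m[2]);
  return (version) => {
    const v = parseVersion(version);
    if (compare(v, floor) < 0) return false;
    return op === ">=" || v[0] === floor[0];
  };
}

// lock: parsed package-lock.json; expected: { packageName: range }.
// Returns every installed copy whose version falls outside its range.
function findViolations(lock, expected) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // handles nested copies
    if (path === "" || !(name in expected) || !entry.version) continue;
    if (!satisfies(expected[name])(entry.version)) {
      violations.push({ path, version: entry.version });
    }
  }
  return violations;
}

// Constructed sample lock (not the repo's real lockfile): the top-level copies
// match the PR's description, but jsprim still carries its own old json-schema.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project", version: "1.0.0" },
    "node_modules/browserstack-local": { version: "1.5.13" },
    "node_modules/json-schema": { version: "0.4.0" },
    "node_modules/minimist": { version: "1.2.8" },
    "node_modules/jsprim/node_modules/json-schema": { version: "0.2.3" },
  },
};

// Ranges taken from this PR's package.json hunk.
const expectedRanges = { "browserstack-local": "^1.5.11", "json-schema": ">=0.4.0", minimist: ">=1.2.6" };

function checkLock(lock = sampleLock, expected = expectedRanges) {
  return findViolations(lock, expected);
}

console.log(checkLock()); // the nested jsprim/json-schema 0.2.3 copy is reported
```

Against a real repo, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the CI job when the returned list is non-empty.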

…S-19415][APS-19417]

APS-19415 (browserstack-local command injection, GHSA-g4w6-c99w-4wh7):
- Narrow browserstack-local ^1.0.0 -> ^1.5.11; lock resolves 1.5.13.
  Clears the <=1.5.8 CVE and removes the dangerously broad 1.x range.

APS-19417 (EOL protractor pulls critical transitive CVEs) -- INTERIM:
- Add npm overrides forcing json-schema >=0.4.0 (GHSA-896r-f27r-55mw)
  and minimist >=1.2.6 (GHSA-xvch-5gv4-984h). Lock resolves
  json-schema 0.4.0 and minimist 1.2.8.
- This clears 3 critical findings (json-schema, jsprim, minimist).
- protractor itself remains EOL; full Playwright/WebdriverIO migration
  is a separate sprint (APPSEC-409), OUT OF SCOPE here.

npm audit: critical 5 -> 2, total 27 -> 23. The 2 remaining criticals
(form-data, request) are protractor's own deep transitive chain and
cannot be cleared without removing protractor.

Resolves: APS-19415, APS-19417

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Rohannagariya1 Rohannagariya1 requested a review from a team as a code owner June 11, 2026 19:58