Cypress 9.0.0 unusable, npm audit: 5 moderate severity vulnerabilities #19014

Closed
jeff00seattle opened this issue Nov 19, 2021 · 2 comments · Fixed by #19099

Comments

@jeff00seattle

Current behavior

Post npm install of latest cypress 9.0.0, npm audit reports 5 moderate severity vulnerabilities.

$ node --version
v16.5.0
$ npm --version
7.19.1
$ npm audit
# npm audit report

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix --force`
Will install cypress@4.2.0, which is a breaking change
node_modules/json-schema
  jsprim  0.3.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim
    http-signature  1.0.0 - 1.3.5
    Depends on vulnerable versions of jsprim
    node_modules/http-signature
      @cypress/request  *
      Depends on vulnerable versions of http-signature
      node_modules/@cypress/request
        cypress  >=4.3.0
        Depends on vulnerable versions of @cypress/request
        node_modules/cypress

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Desired behavior

npm audit showing No vulnerabilities from cypress 9.0.0.

Test code to reproduce

$ node --version
v16.5.0
$ npm --version
7.19.1
$ npm audit

Cypress Version

9.0.0

Other

No response

@cypress-bot
Contributor

cypress-bot bot commented Nov 29, 2021

The code for this is done in cypress-io/cypress#19099, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

@cypress-bot
Contributor

cypress-bot bot commented Dec 4, 2021

Released in 9.1.1.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v9.1.1, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Dec 4, 2021