Cypress 4.2.0 10 low vulnerabilities concerning upgrade to minimist 1.2.3 #6793
Comments
Sent PR for
Ignore that, didn't realize majority of NPM package.json don't follow semver ranges, so that's gonna take a while --
http-server seems to be another major one. It's on
Another dependency -
Opened #6845 to address the
Just wanted to note that unless you’re hosting Cypress on a server and accepting unsanitized input from outside users - this vulnerability will not affect you. We think this is an extremely unlikely use case.
It still turns our CI audit job red, though - and you don't want to keep it red for a long time, otherwise people start ignoring it.
This was released in
This comment thread has been locked. If you are still experiencing this issue after upgrading to
Current behavior:
Upgrading to cypress 4.2.1 by using
npm install --save-dev cypress@4.2.0
installs correctly but shows the following error:
Running
npm audit fix
takes no action even when using the force flag. Looking at npm audit I see that there are sub dependencies for other libraries and a link to this issue: https://www.npmjs.com/advisories/1179
Desired behavior:
The desired behavior is that npm updates to cypress@4.2.0 will not have the current vulnerabilities.
Versions
Mac OS 10.15.3 / npm v 6.13.4 / v10.19.0
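An added example, not part of the original issue and not Cypress's own code: a small Node.js script that walks an npm 6 `package-lock.json` (lockfileVersion 1 is assumed) and lists every installed copy of minimist older than 1.2.3, together with the packages that request it and the range they request. The sample lock file and the package names `tool-a` and `tool-b` are constructed for illustration.

```javascript
const FIXED = '1.2.3'; // patched minimist version named in the issue title

// True when plain x.y.z version a is lower than b (no pre-release handling).
function lessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 document.
// Returns installed copies of `name` older than `fixed`, plus every package
// whose "requires" entry asks for `name` and the range it asks for.
function auditLock(lock, name = 'minimist', fixed = FIXED) {
  const outdated = [];
  const requesters = [];
  (function walk(deps, path) {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const here = [...path, pkg].join(' > ');
      if (pkg === name && lessThan(info.version, fixed)) {
        outdated.push({ path: here, version: info.version });
      }
      const range = info.requires && info.requires[name];
      if (range) {
        // An exact pin cannot be satisfied by a newer release of `name`.
        requesters.push({ by: here, range, exactPin: /^\d+\.\d+\.\d+$/.test(range) });
      }
      walk(info.dependencies, path.concat(pkg));
    }
  })(lock.dependencies, []);
  return { outdated, requesters };
}

// Constructed sample lock file (package names and versions are illustrative).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'tool-a': { version: '2.0.0', requires: { minimist: '^1.2.0' } },
    'tool-b': {
      version: '0.5.1', requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8' } },
    },
    minimist: { version: '1.2.0' },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`; entries reported with `exactPin: true` stay at their pinned version until the requesting package publishes a release that changes the pin.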