
Bump Lodash to v4.17.17+ to fix NPM advisory #7921

Closed
khitrenovich opened this issue Jul 8, 2020 · 4 comments · Fixed by #7954

Comments

@khitrenovich

khitrenovich commented Jul 8, 2020

Current behavior:

Lodash v4.17.17 was released, fixing https://npmjs.com/advisories/1523.

Cypress is using a "fixed" version (v4.17.15) as a dependency, causing npm audit to fail:

                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.17                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cypress [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cypress > lodash                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1523                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 1476 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Desired behavior:

Make sure npm audit fix is able to bump Lodash to the updated version.

Versions

Cypress 4.10 and lower.

@khitrenovich khitrenovich changed the title Bump Lodash to v4.17.17 to fix NPM advisory Bump Lodash to v4.17.17+ to fix NPM advisory Jul 8, 2020
@millette

millette commented Jul 9, 2020

All dependencies are fixed, not using semver at all (~ or ^). Kinda strange if you ask me :-)

@jennifer-shehane
Member

jennifer-shehane commented Jul 9, 2020

We prefer locking dependencies so we know exactly what versions our users are using and ensure it works on these exact versions before publishing. We've run into issues in the past without locking. I can bring this up with the team to see if we should revisit this strategy.

Unless you’re hosting Cypress on a server and accepting unsanitized input from outside users, most security vulnerabilities will not affect you. We think this is an extremely unlikely use case.

We understand that a lot of people have policies about needing to pass npm audit for their build regardless. I've opened a PR here to address this: #7926.

You could use https://github.com/rogeriochaves/npm-force-resolutions to work around this in the meantime.
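As an added example (not Cypress code and not written by anyone in this thread), the script below re-creates the `cypress > lodash` finding from the audit report above out of a constructed lock-file excerpt, then shows what the resolutions override that npm-force-resolutions applies does to that finding; the lock-file object, the advisory record and all helper names are assumptions made for illustration.

```javascript
// Constructed package-lock.json excerpt (nested v1 layout): cypress pins lodash 4.17.15, so npm keeps a vulnerable copy nested under it.
const lockFile = { dependencies: {
  cypress: { version: '4.10.0', dev: true, requires: { lodash: '4.17.15' },
             dependencies: { lodash: { version: '4.17.15' } } },
  lodash: { version: '4.17.17' }, // hoisted top-level copy, already patched
} };

// The advisory as the npm audit report above states it (constructed record).
const advisories = [{ id: 1523, module: 'lodash', severity: 'low', patched: '>=4.17.17' }];

// Minimal x.y.z comparison; the real tool uses the semver package.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] > pb[i] ? 1 : -1;
  return 0;
}

function satisfiesPatched(version, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range); // only the ">=x.y.z" form the report uses
  if (!m) throw new Error('unsupported range: ' + range);
  return compareVersions(version, m[1]) >= 0;
}

// Walk every nested copy and record the path ("cypress > lodash") of each vulnerable one.
function audit(lock, advs) {
  const findings = [];
  (function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      for (const adv of advs) {
        if (adv.module !== name || satisfiesPatched(info.version, adv.patched)) continue;
        findings.push({ id: adv.id, severity: adv.severity, path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return findings;
}

// In effect what a forced resolution does: rewrite every copy of the named package to the pinned version.
function applyResolutions(lock, resolutions) {
  const copy = JSON.parse(JSON.stringify(lock));
  (function rewrite(deps) {
    for (const [name, info] of Object.entries(deps || {})) {
      if (resolutions[name]) info.version = resolutions[name];
      rewrite(info.dependencies);
    }
  })(copy.dependencies);
  return copy;
}
```

Running `audit(lockFile, advisories)` yields the single low-severity `cypress > lodash` finding; after `applyResolutions(lockFile, { lodash: '4.17.17' })` the same audit returns nothing, which is the state the workaround above puts a real lock file in.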

@jennifer-shehane jennifer-shehane self-assigned this Jul 10, 2020
@cypress-bot cypress-bot bot added stage: needs review The PR code is done & tested, needs review and removed stage: work in progress labels Jul 11, 2020
@cypress-bot cypress-bot bot added stage: pending release and removed stage: needs review The PR code is done & tested, needs review labels Jul 11, 2020
@cypress-bot
Contributor

cypress-bot bot commented Jul 11, 2020

The code for this is done in cypress-io/cypress#7954, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

@bahmutov bahmutov reopened this Jul 13, 2020
@cypress-bot cypress-bot bot added stage: ready for work The issue is reproducible and in scope and removed stage: pending release labels Jul 13, 2020
@jennifer-shehane jennifer-shehane added stage: pending release and removed stage: ready for work The issue is reproducible and in scope labels Jul 14, 2020
adatzer referenced this issue in snowplow-incubator/snowplow-micro-examples Jul 20, 2020
@cypress-bot
Contributor

cypress-bot bot commented Jul 21, 2020

Released in 4.11.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v4.11.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Jul 21, 2020