Bump Lodash to v4.17.17+ to fix NPM advisory #7921
Comments
All dependencies are fixed, not using semver at all (~ or ^). Kinda strange if you ask me :-)
We prefer locking dependencies so we know exactly what versions our users are using and ensure it works on these exact versions before publishing. We've run into issues in the past without locking. I can bring this up with the team to see if we should revisit this strategy. Unless you're hosting Cypress on a server and accepting unsanitized input from outside users, most security vulnerabilities will not affect you. We think this is an extremely unlikely use case. We understand that a lot of people have policies about needing to pass You could use https://github.com/rogeriochaves/npm-force-resolutions to work around this in the meantime.
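As an added illustration of the workaround the maintainer points to above (this is example configuration, not code from the Cypress project or from any of the commenters): npm-force-resolutions reads a "resolutions" field in package.json and rewrites package-lock.json so that the named transitive dependency resolves to the pinned version, regardless of what the intermediate package (here Cypress) pinned. The Lodash version is the one the issue title asks for; the package name, the Cypress version and the scripts block are assumptions for a consuming project.

```json
{
  "name": "my-app",
  "private": true,
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "devDependencies": {
    "cypress": "4.10.0"
  },
  "resolutions": {
    "lodash": "4.17.17"
  }
}
```

The tool works by editing an existing package-lock.json, so the lock file has to be present and should be committed. After `npm install`, `npm ls lodash` shows which version actually resolved under cypress, and re-running `npm audit` confirms the advisory no longer fires; remove the override once a Cypress release ships with the bumped dependency, or the pin will silently outlive its purpose.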
The code for this is done in cypress-io/cypress#7954, but has yet to be released.
Released in
This comment thread has been locked. If you are still experiencing this issue after upgrading to
Current behavior:
Lodash v4.17.17 was released, fixing https://npmjs.com/advisories/1523.
Cypress is using a "fixed" version (v4.17.15) as a dependency, causing `npm audit` to fail:
Desired behavior:
Make sure `npm audit fix` is able to bump Lodash to the updated version.
Versions
Cypress 4.10 and lower.