Cypress: Upgrade lodash dependency to fix prototype pollution exploit

Created on 12 Jul 2019 · 8 Comments · Source: cypress-io/cypress

EDIT: Apparently this made it into develop in between when I checked this and went to make the issue

duplicate

All 8 comments

When will this fix be released? @jennifer-shehane

We are still waiting for this to be released, right?
Because I still get the previous version of lodash with [email protected].
I don't quite understand: when the dist-tag latest is 3.4.0, the git tag 3.4.0 on this repo has a new version of lodash, but I still get the wrong version of lodash. Does this module need to be re-published under the same version? Which sounds wrong.

npm show cypress

[email protected] | MIT | deps: 31 | versions: 72
Cypress.io end to end testing tool
https://github.com/cypress-io/cypress

keywords: browser, cypress, cypress.io, automation, end-to-end, e2e, integration, mocks, test, testing, runner, spies, stubs

bin: cypress

dist
.tarball: http://itvrepos.jfrog.io/itvrepos/api/npm/npm-itv/cypress/-/cypress-3.4.0.tgz
.shasum: 8053ee107eb6309f26abd57e882d05578bdc3391

dependencies:
@cypress/listr-verbose-renderer: 0.4.1 extract-zip: 1.6.7                     
@cypress/xvfb: 1.2.4                   fs-extra: 5.0.0                        
arch: 2.1.1                            getos: 3.1.1                           
bluebird: 3.5.0                        glob: 7.1.3                            
cachedir: 1.3.0                        is-ci: 1.2.1                           
chalk: 2.4.2                           is-installed-globally: 0.1.0           
check-more-types: 2.24.0               lazy-ass: 1.6.0                        
commander: 2.15.1                      listr: 0.12.0                          
common-tags: 1.8.0                     lodash: 4.17.11                        
debug: 3.2.6                           log-symbols: 2.2.0                     
execa: 0.10.0                          minimist: 1.2.0                        
executable: 4.1.1                      moment: 2.24.0                         
(...and 7 more.)

maintainers:
- bahmutov <[email protected]>
- brian-mann <[email protected]>
- flotwig <[email protected]>

dist-tags:
dev: 3.4.0     latest: 3.4.0  

published a week ago by flotwig <[email protected]>

The code for this is done in https://github.com/cypress-io/cypress/pull/4709, but this has yet to be released. We'll update this issue and reference the changelog when it's released.

You can run npm audit fix to fix the 'vulnerable' dependencies.

But also Cypress is immune to most if not all security vulnerabilities because it's locally run software, not a web server hosted in the cloud, so this security issue doesn't even apply and is low priority for us.
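The prototype pollution class of bug that the lodash upgrade above fixes is easy to regression-test in a project's own code. The following is an added example, not code from this thread or from the Cypress project: a deep merge that mirrors the vulnerable pattern, a hardened merge that refuses the keys which reach Object.prototype, and a check (all three names are hypothetical) that confirms a merge function leaves the global prototype clean after processing a constructed, attacker-shaped JSON payload.

```javascript
// Added example, not part of the Cypress code base. The payload and the
// function names below are constructed for this demonstration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: `target["__proto__"]` resolves to Object.prototype,
// so the recursion writes attacker-controlled keys onto every object.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: only own enumerable keys, forbidden keys dropped, and
// recursion only into the target's *own* plain-object properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: JSON.parse yields an *own* "__proto__" property, exactly
// what untrusted request or config data would carry. Returns true when the
// global prototype is untouched after the merge, and cleans up either way.
function isPrototypeClean(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "ok": 1}');
  mergeFn({}, payload);
  const clean = ({}).polluted === undefined;
  delete Object.prototype.polluted; // undo any pollution for later code
  return clean;
}
```

Running `isPrototypeClean` against each merge helper your code relies on (or against a library's merge after an upgrade) gives a unit test that fails the build if the pollution path ever returns.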

@jennifer-shehane it is blocking our code from build and deploy since we have a rule to prevent any deployment with a vulnerability, please merge

We are working on a patch release now, instead of waiting for feature release.

Released in 3.4.1.

Thanks for the patch release :)
