running npm audit shows a Prototype Pollution vulnerability, please update the lodash library to verions highter than 4.17.12
https://www.npmjs.com/advisories/1065
Current behavior:
Desired behavior:
Steps to reproduce: (app code and test code)
Versions
cypress 3.4.0
cypress 3.4.0
Mac OSX
Chrome
Lavioli
All 5 comments
fix already merged in develop, but not released yet :( https://github.com/cypress-io/cypress/pull/4684
Evanht
on 16 Jul 2019
Duplicate of #4699
flotwig
on 16 Jul 2019
The code for this is done in https://github.com/cypress-io/cypress/pull/4709, but this has yet to be released. We'll update this issue and reference the changelog when it's released.
You can run npm audit fix to fix the 'vulnerable' dependencies.
But also Cypress is immune to most if not all security vulnerabilities because its locally run software - not a web server hosted in the cloud, so this security issue doesn't even apply and is low priority for us.
jennifer-shehane
on 18 Jul 2019
Thanks for the prompt response :)
Lavioli
on 18 Jul 2019
Released in 3.4.1.
![cypress-bot[bot] picture](https://avatars3.githubusercontent.com/u/8908513?v=4&s=40)
cypress-bot[bot]
on 29 Jul 2019
Related issues
igorpavlov
路
3Comments
szabyg
路
3Comments
EirikBirkeland
路
3Comments
carloscheddar
路
3Comments
rbung
路
3Comments
Most helpful comment
The code for this is done in https://github.com/cypress-io/cypress/pull/4709, but this has yet to be released. We'll update this issue and reference the changelog when it's released.
You can run
npm audit fixto fix the 'vulnerable' dependencies.But also Cypress is immune to most if not all security vulnerabilities because its locally run software - not a web server hosted in the cloud, so this security issue doesn't even apply and is low priority for us.