Cypress: Lodash vulnerability from npm audit security report
Current behavior:
An npm audit report pointing to lodash version being used by cypress
=== npm audit security report ===
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Manual Review โ
โ Some vulnerabilities require your attention to resolve โ
โ โ
โ Visit https://go.npm.me/audit-guide for additional guidance โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ High โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=4.17.12 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ cypress [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ cypress > lodash โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/1065 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Desired behavior:
no audit report
Versions
Cypress 3.4.0
rj-david
All 9 comments
The code for this is done in https://github.com/cypress-io/cypress/pull/4709, but this has yet to be released. We'll update this issue and reference the changelog when it's released.
jennifer-shehane
on 17 Jul 2019
Why not reference lodash with "~4.17.13", to allow to update it in these emergency cases without compromising on stability ?
josephpage
on 17 Jul 2019
You can run npm audit fix to fix the 'vulnerable' dependencies. We prefer locking dependencies so we know exactly what versions our users are using and ensure it works on these exact versions before publishing.
But also Cypress is immune to most if not all security vulnerabilities because its locally run software - not a web server hosted in the cloud, so this security issue doesn't even apply and is low priority for us.
jennifer-shehane
on 17 Jul 2019
@jennifer-shehane Hi, npm audit fix doesn't actually fix this:
fixed 0 of 1 vulnerability in 905229 scanned packages
1 vulnerability required manual review and could not be updated
Waiting for the next release
jimmyandrade
on 23 Jul 2019
We're working on a patch release, instead of waiting for next feature release.
jennifer-shehane
on 24 Jul 2019
Released in 3.4.1.
![cypress-bot[bot] picture](https://avatars3.githubusercontent.com/u/8908513?v=4&s=40)
cypress-bot[bot]
on 29 Jul 2019
The problem persists for me under cypress 4.10.0, it depends on lodash 4.17.15 which introduces a vulnerability as is reported here
tobiasfeil
on 16 Jul 2020
@tobiasfeil Thats a different issue, see #7954
sweiler
on 16 Jul 2020
Oh thanks!
tobiasfeil
on 16 Jul 2020
Related issues
EirikBirkeland
ยท
3Comments
Francismb
ยท
3Comments
egucciar
ยท
3Comments
zbigniewkalinowski
ยท
3Comments
igorpavlov
ยท
3Comments
Most helpful comment
We're working on a patch release, instead of waiting for next feature release.