Cypress: [Security] issues with linting yarn-lock after updating cypress to 4.2.0 with lockfile-lint

Created on 19 Mar 2020 · 6 Comments · Source: cypress-io/cypress

Our build pipeline lints the yarn.lock file for security issues.

We have allowed only yarn as a dependency source, and are getting the following error at build time:

yarn run v1.22.4
$ lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https
detected invalid host(s) for package: request@cypress-io/request#b5af0d1fa47eec97ba980cde90a13e69a2afcd16
    expected: registry.yarnpkg.com
    actual: codeload.github.com

error: command failed with exit code 1 

error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
##[error]Process completed with exit code 1.

Can you please confirm that it is a safe and intended change in the source?

Meanwhile, downgrading cypress to 4.1.0.

duplicate
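The policy the failing command enforces, as an added example that is not lockfile-lint's or Cypress's own code: a minimal checker over a constructed yarn.lock that applies `--allowed-hosts yarn` (every `resolved` URL must come from registry.yarnpkg.com) and `--validate-https`, and reports the git-resolved entry from the issue in the same shape lockfile-lint did. The lockfile text, the URL paths and the sha1 fragments are constructed placeholders; only the entry key comes from the error above.

```javascript
// Host aliases understood by --allowed-hosts (the failing command uses "yarn").
const HOST_ALIASES = { yarn: ['registry.yarnpkg.com'], npm: ['registry.npmjs.org'] };

// Minimal yarn.lock v1 reader: unindented "key:" lines start an entry, the
// indented `resolved "..."` line beneath it is the download URL we police.
function parseResolved(lockText) {
  const entries = [];
  for (const line of lockText.split('\n')) {
    const key = line.match(/^"?([^\s"].*?)"?:\s*$/);
    const res = line.match(/^\s+resolved\s+"([^"]+)"/);
    if (key) entries.push({ name: key[1], resolved: null });
    else if (res && entries.length) entries[entries.length - 1].resolved = res[1];
  }
  return entries;
}

// Apply the two policies from the issue; an empty result means the lockfile passes.
function lintLockfile(lockText, { allowedHosts = ['yarn'], validateHttps = true } = {}) {
  const hosts = allowedHosts.flatMap((h) => HOST_ALIASES[h] || [h]);
  const findings = [];
  for (const { name, resolved } of parseResolved(lockText)) {
    if (!resolved) continue; // link:/workspace entries have no URL to check
    let url;
    try { url = new URL(resolved); } catch { findings.push({ name, reason: 'unparseable url' }); continue; }
    if (!hosts.includes(url.hostname)) {
      findings.push({ name, reason: 'invalid host', expected: hosts.join(', '), actual: url.hostname });
    }
    if (validateHttps && url.protocol !== 'https:') {
      findings.push({ name, reason: 'invalid protocol', expected: 'https:', actual: url.protocol });
    }
  }
  return findings;
}

// Constructed lockfile: a registry entry, the git-resolved entry named in the issue
// (URL path and sha1 fragments are placeholders), and an http entry for --validate-https.
const SAMPLE_LOCK = `# yarn lockfile v1

lodash@^4.17.15:
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#sha1-placeholder"

"request@cypress-io/request#b5af0d1fa47eec97ba980cde90a13e69a2afcd16":
  resolved "https://codeload.github.com/cypress-io/request/tar.gz/b5af0d1fa47eec97ba980cde90a13e69a2afcd16"

left-pad@^1.3.0:
  resolved "http://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#sha1-placeholder"
`;

for (const f of lintLockfile(SAMPLE_LOCK)) // printed in the same shape as the issue's output
  console.log(`detected ${f.reason} for package: ${f.name}\n    expected: ${f.expected}\n    actual: ${f.actual}`);
```

Allow-listing codeload.github.com (`--allowed-hosts yarn codeload.github.com`) silences the host finding, but it also accepts any git tarball from GitHub, so the better fix is the one the maintainers pursued: publish the dependency so the lockfile resolves back to the registry.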

All 6 comments

I think this was fixed in https://github.com/cypress-io/cypress/pull/6777 but that change has not been published yet.

Duplicate of #6752

@jennifer-shehane Perhaps consider adding lockfile-lint to this repo as well to set a security policy for cypress's nested dependencies and avoid it in the future? Why it's important

/plug :-)

@lirantal Yeah this is pretty interesting. Will take a look.

@jennifer-shehane cool. I'm happy to assist if there's anything to help with.
