Lodash v4.17.17 was released, fixing https://npmjs.com/advisories/1523.
Cypress is using a "fixed" version (v4.17.15) as a dependency, causing npm audit to fail:
=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.17                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cypress [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cypress > lodash                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1523                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 1476 scanned packages
  1 vulnerability requires manual review. See the full report for details.
Make sure npm audit fix is able to bump Lodash to the updated version.
Cypress 4.10 and lower.
All dependencies are fixed, not using semver at all (~ or ^). Kinda strange if you ask me :-)
We prefer locking dependencies so we know exactly what versions our users are using and ensure it works on these exact versions before publishing. We've run into issues in the past without locking. I can bring this up with the team to see if we should revisit this strategy.
Unless you're hosting Cypress on a server and accepting unsanitized input from outside users - most security vulnerabilities will not affect you. We think this is an extremely unlikely use case.
We understand that a lot of people have policies about needing to pass npm audit for their build regardless. I've opened a PR here to address this https://github.com/cypress-io/cypress/pull/7926
You could use https://github.com/rogeriochaves/npm-force-resolutions to work around this in the meantime.
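Whichever route is taken (waiting for the fixed Cypress release, npm audit fix, or a forced resolution), the thing worth verifying in CI is that no copy of lodash nested anywhere in the lockfile is still below the patched version. The script below is an added example, not code from the Cypress project or from anyone in this thread; it assumes a lockfile-v1 style nested `dependencies` tree and ignores pre-release suffixes when comparing versions.

```javascript
// Added example (not from the Cypress issue or project): walk a package-lock.json
// "dependencies" tree and report every copy of a package whose resolved version
// is below the version the advisory names as patched. This catches the case in
// the audit report above, where a fixed top-level copy hides an old transitive
// copy under cypress.

function parseVersion(v) {
  // Lockfiles record exact versions, so "4.17.15" -> [4, 17, 15].
  // Pre-release suffixes are dropped before comparing (assumption).
  return v.split("-")[0].split(".").map(Number);
}

function isBelow(version, patched) {
  const a = parseVersion(version);
  const b = parseVersion(patched);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Returns one entry per vulnerable copy, with the path in the same
// "cypress > lodash" shape that npm audit prints.
function findVulnerable(lock, pkg, patchedIn, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && isBelow(entry.version, patchedIn)) {
      hits.push({ path: path.join(" > "), version: entry.version });
    }
    hits.push(...findVulnerable(entry, pkg, patchedIn, path));
  }
  return hits;
}

// Constructed sample lockfile fragment: the top-level lodash is already on the
// patched version, but cypress still pins the old one underneath it.
const sampleLock = {
  dependencies: {
    lodash: { version: "4.17.17" },
    cypress: {
      version: "4.10.0",
      dependencies: { lodash: { version: "4.17.15" } },
    },
  },
};

const vulnerable = findVulnerable(sampleLock, "lodash", "4.17.17");
vulnerable.forEach((h) => console.log(`${h.path} is ${h.version} (< 4.17.17)`));
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the build when the returned list is non-empty.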
The code for this is done in cypress-io/cypress#7954, but has yet to be released.
We'll update this issue and reference the changelog when it's released.
Released in 4.11.0.
This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v4.11.0, please open a new issue.