Investigate dependabot security alert #8 - tough cookie #187

edhamiltonHO · 2023-07-14T12:48:53Z

No description provided.

keithkennedyHO · 2023-07-25T11:20:19Z

@edhamiltonHO it appears this is being looked at upstream, there is an open issue for this. My suggestion would to wait until resolved.

edhamiltonHO · 2023-07-25T11:31:39Z

OK, do we have a view on the risk this presents to us?

I'd presume fairly low as related to cookies, which we aren't using, but would be good to be clear

robertdeniszczyc2 · 2023-08-07T13:13:29Z

This looks to have been resolved in a release of cypress/request last week: https://github.com/cypress-io/request/releases/tag/v2.88.12

keithkennedyHO · 2023-08-07T14:19:26Z

@robertdeniszczyc2 Unfortunately, this is for the cypress/request package and not the main cypress (https://github.com/cypress-io/cypress/releases), which has not yet been updated with the fix.

keithkennedyHO · 2023-08-07T14:20:32Z

@robertdeniszczyc2 I misread that, apologies. Yes, hopefully the fix above suggests a fix for the cypress package will come soon to resolve this.

robertdeniszczyc2 · 2023-08-09T07:58:31Z

Looks like there are two open PRs on Cypress for this:

robertdeniszczyc2 · 2023-08-15T10:21:23Z

A fix has been merged under cypress-io/cypress#27515, hopefully will be included in the next release

robertdeniszczyc2 · 2023-09-04T12:53:46Z

According to the thread the change was merged to Cypress in 12.17.4, from https://github.com/HO-CTO/engineering-guidance-and-standards/pull/248 we are now on 13.x so I think this can be closed

edhamiltonHO added the dependencies Pull requests that update a dependency file label Jul 14, 2023

keithkennedyHO self-assigned this Jul 21, 2023

keithkennedyHO closed this as completed Sep 5, 2023

Provide feedback