
Getting 2 moderate severity vulnerabilities #27535

Closed
Vinuthanayak opened this issue Aug 11, 2023 · 4 comments
Labels
topic: installation Issue during installation or downloading Cypress

Comments

@Vinuthanayak

Current behavior

When I try to install Cypress using npm install cypress --save-dev in the terminal, I get 2 moderate severity vulnerabilities.
I am not able to fix it.

C:\CYPRESS>npm install cypress --save-dev

added 177 packages, and audited 178 packages in 36s

36 packages are looking for funding
run npm fund for details

2 moderate severity vulnerabilities

To address all issues, run:
npm audit fix

Run npm audit for details.

C:\CYPRESS> npm audit fix

up to date, audited 178 packages in 3s

36 packages are looking for funding
run npm fund for details

npm audit report

@cypress/request <=2.88.12
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
fix available via npm audit fix --force
Will install cypress@4.2.0, which is a breaking change
node_modules/@cypress/request
cypress >=4.3.0
Depends on vulnerable versions of @cypress/request
node_modules/cypress

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

C:\CYPRESS>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating cypress to 4.2.0, which is a SemVer major change.
npm WARN skipping integrity check for git dependency ssh://git@github.com/cypress-io/request.git
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

added 72 packages, removed 43 packages, changed 67 packages, and audited 207 packages in 48s

2 packages are looking for funding
run npm fund for details

npm audit report

lodash <=4.17.20
Severity: high
Prototype Pollution in lodash - GHSA-p6mc-m468-83gw
Command Injection in lodash - GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - GHSA-29mw-wpgm-hmr9
fix available via npm audit fix --force
Will install cypress@4.12.1, which is outside the stated dependency range
node_modules/lodash
cypress 0.1.0 - 4.11.0
Depends on vulnerable versions of extract-zip
Depends on vulnerable versions of lodash
Depends on vulnerable versions of minimist
Depends on vulnerable versions of moment
Depends on vulnerable versions of request
node_modules/cypress

minimist <=0.2.3 || 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via npm audit fix --force
Will install cypress@4.12.1, which is outside the stated dependency range
node_modules/minimist
node_modules/mkdirp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
extract-zip <=1.6.7
Depends on vulnerable versions of mkdirp
node_modules/extract-zip

moment <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - GHSA-8hfj-j24r-96c4
Moment.js vulnerable to Inefficient Regular Expression Complexity - GHSA-wc69-rhjr-hc9g
fix available via npm audit fix --force
Will install cypress@4.12.1, which is outside the stated dependency range
node_modules/moment

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install cypress@4.12.1, which is outside the stated dependency range
node_modules/request

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
fix available via npm audit fix --force
Will install cypress@4.12.1, which is outside the stated dependency range
node_modules/tough-cookie

8 vulnerabilities (2 moderate, 2 high, 4 critical)

To address all issues, run:
npm audit fix --force

C:\CYPRESS>

Debug logs

No response

Cypress Version

12.17.3

Node version

v18.17.1

Package Manager

npm

Package Manager Version

9.6.7

Operating system

Windows

Operating System Version

OS Name: Microsoft Windows 10 Home, Version 10.0.19045 Build 19045

Other

No response

@Vinuthanayak Vinuthanayak added the topic: installation Issue during installation or downloading Cypress label Aug 11, 2023
@MikeMcC399
Contributor

MikeMcC399 commented Aug 11, 2023

@Vinuthanayak

Using npm audit --force to revert to a very old version of Cypress will break your installation. This is normally never the recommended course of action!

I suggest you reinstall Cypress, for instance with

npm install cypress@latest --save-dev

There are some community-contributed workarounds for forcing the installation of a newer version of @cypress/request posted to the issue cypress-io/request#27 using overrides for npm and resolutions for Yarn.

If it is not critical for you to resolve the moderate severity vulnerability immediately, you may like to wait until the official fix is released.

The official tested fix for Cypress, which pulls @cypress/request@3.0.0 into Cypress, is being prepared through PR #27495. Currently this is being targeted for Cypress 13, since it is a breaking change.
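As an added illustration (not code from this issue or from cypress-io/request#27), here is a package.json that pins @cypress/request above the vulnerable <=2.88.12 range in the audit report: npm (8.3+) honours the overrides field and Yarn honours resolutions. The project name and the ^3.0.0 target are assumptions; 3.0.0 is the version the comment above says the official fix pulls in.

```json
{
  "name": "cypress-audit-workaround",
  "private": true,
  "devDependencies": {
    "cypress": "12.17.3"
  },
  "overrides": {
    "@cypress/request": "^3.0.0"
  },
  "resolutions": {
    "@cypress/request": "^3.0.0"
  }
}
```

Because the comment describes that bump as a breaking change, run your Cypress tests after npm install to confirm nothing regressed, and drop the override once Cypress 13 is in place so the lockfile follows the officially tested dependency.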

@Vinuthanayak
Author

@MikeMcC399
Thank you!

@jennifer-shehane
Member

The code for this is done, but this has yet to be released. We'll update this issue and reference the changelog when it's released.

@jennifer-shehane
Member

Released in Cypress 13.0.0.

@cypress-io cypress-io locked as resolved and limited conversation to collaborators Aug 29, 2023