
[Security] issues with linting yarn-lock after updating cypress to 4.2.0 with lockfile-lint #6785

Closed
JustFly1984 opened this issue Mar 19, 2020 · 6 comments
Labels
type: duplicate This issue or pull request already exists

Comments

@JustFly1984
Our build pipeline lints the yarn.lock file for security issues.

We have allowed only yarn as a dependency source, and are getting the following error at build time:

yarn run v1.22.4
$ lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https
detected invalid host(s) for package: request@cypress-io/request#b5af0d1fa47eec97ba980cde90a13e69a2afcd16
    expected: registry.yarnpkg.com
    actual: codeload.github.com

error: command failed with exit code 1 

error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
##[error]Process completed with exit code 1.

Can you please confirm that this is a safe and intended change in the source?

Meanwhile, I am downgrading cypress to 4.1.0.

@lencioni

I think this was fixed in #6777 but that change has not been published yet.

@jennifer-shehane
Member

Duplicate of #6752

@jennifer-shehane jennifer-shehane marked this as a duplicate of #6752 Mar 24, 2020
@jennifer-shehane jennifer-shehane added the type: duplicate This issue or pull request already exists label Mar 24, 2020
@lirantal

@jennifer-shehane perhaps consider adding lockfile-lint to this repo as well, to set a security policy for cypress's nested dependencies and avoid this in the future? Why it's important

/plug :-)

@jennifer-shehane
Member

@lirantal Yeah this is pretty interesting. Will take a look.

@lirantal

lirantal commented May 5, 2020

@jennifer-shehane cool. I'm happy to assist if there's anything to help with.
