Currently, Cypress pins all dependencies. Previously we had preferred locking dependencies since we ran into issues before without locking, but since migrating to yarn for our own dev work, I've been told these concerns are more minimal.
This introduces some issues:
If there is a security vulnerability from a dep of Cypress found (highlighted through npm audit), our users are unable to run npm audit fix to bump the dependency themselves. This requires the user to use a convoluted workaround or for Cypress to release a new version - pushing a hotfix or waiting potentially 2 weeks for the scheduled release.
Many of our users have rules around their builds/dev process not allowing them to move forward if npm audit fails, so this presents an issue for them.
**See previous issues:**
* lodash security vulnerability: https://github.com/cypress-io/cypress/issues/7921
* minimist security vulnerability: https://github.com/cypress-io/cypress/issues/6793
* another lodash security vulnerability: https://github.com/cypress-io/cypress/issues/4743

Our pinning strategy and how we run yarn + npm when building the binary is contributing to an increase in size of the binary. Sometimes there are duplicated dependencies included.
**See previous issues:**
* Fix lodash dup dep: https://github.com/cypress-io/cypress/pull/7954
* Built zip size keeps increasing: https://github.com/cypress-io/cypress/issues/5977
### Desired behavior:
Have looser restrictions on dependencies of Cypress, while using the correct dependencies to also build the binary.
```
"lodash": "^4.17.19"
```
* Renovate should be able to handle the enforcement of our range strategy mostly: https://docs.renovatebot.com/configuration-options/#rangestrategy
* Look into how `npm` is run to build the binary.

### Versions
4.10.0
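An added illustration, not part of the original issue or Cypress's code: it checks whether a patched release falls inside a declared range, which is the condition for `npm audit fix` (without `--force`) to pick it up. The function names, the `example-dep` package and all version numbers other than the `4.17.19` quoted above are constructed for the example.

```javascript
// Added example: why an exact pin blocks an in-range security bump.
// Only exact pins ("x.y.z") and caret ranges ("^x.y.z") are modelled here.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: bump the left-most non-zero part.
function caretCeiling([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// True when `version` satisfies `range`.
function satisfies(range, version) {
  const v = parse(version);
  if (range.startsWith('^')) {
    const floor = parse(range.slice(1));
    return cmp(v, floor) >= 0 && cmp(v, caretCeiling(floor)) < 0;
  }
  return cmp(v, parse(range)) === 0; // exact pin: only that one version
}

// For each declared dependency that has a patched release, report whether the
// patch is reachable without editing the declaring package's manifest.
function auditFixable(declared, patched) {
  const out = {};
  for (const [name, range] of Object.entries(declared)) {
    if (name in patched) out[name] = satisfies(range, patched[name]);
  }
  return out;
}

// Constructed sample data.
const patched = { lodash: '4.17.19', 'example-dep': '0.3.0' };
const pinned = { lodash: '4.17.15', 'example-dep': '0.2.1' };
const ranged = { lodash: '^4.17.15', 'example-dep': '^0.2.1' };
console.log('pinned:', auditFixable(pinned, patched));
console.log('ranged:', auditFixable(ranged, patched));
```

The `example-dep` row stays unfixable even with a caret range, because `^0.2.1` stops below `0.3.0`; loosening ranges helps only when the patch lands inside the range.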