Cypress installs critical security vulnerabilities, preventing it from running in CI pipeline #8314
Labels: good first issue (Good for newcomers); topic: installation (Issue during installation or downloading Cypress); type: security 🔐 (Security related)
Hey folks,

I've been trying hard to integrate Cypress into our CI pipeline. We deploy our services in docker containers and then analyze the resulting image against a list of known vulnerabilities. Critical vulnerabilities fail the build, well before we ever get to run the end-to-end tests. I suspect this applies to a lot of folks out there who would want to use Cypress in their CI pipeline.

Unfortunately, Cypress is installing a module with a critical vulnerability (in the `server` package) that has been known since 2015: the `tar@0.1.20` module. See https://www.npmjs.com/advisories/57. As a result, we can't currently use Cypress in our CI pipeline.

I dug a little into this and realized that the dependency is brought in by `node-webkit-updater`, a defunct project that you have forked. Here's the offending line: `cypress/packages/server/package.json`, line 92 in 9a32d22.

I should note that Cypress is also bringing in a number of other vulnerabilities. Currently, those aren't an issue for us because we are only failing on critical vulnerabilities, but they may be for other people with stricter security requirements. Here's the list:

High:
- `qs@5.1.0`: also introduced by `node-webkit-updater` (advisory)
- `minimatch@2.0.10`: introduced by `babel-core` (advisory)
- `http-proxy@1.18.0`: (advisory)

Moderate:
- `tunnel-agent@0.4.3`: also introduced by `node-webkit-updater` (advisory)
- `hoek@2.16.3`: also introduced by `node-webkit-updater` (advisory)

Current behavior:

Installing Cypress installs a version of `tar` below `2.0.0`.

Desired behavior:

Installing Cypress should not install a version of `tar` below `2.0.0`.

Test code to reproduce

Pull this repo, install dependencies with `yarn`, and then run `yarn why tar`. Result should indicate that `tar@0.1.20` was installed.

Versions

At least `14.7.1`
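As an added example (not code from the Cypress project or from this issue), the `yarn why tar` check described above done offline against a `yarn.lock`: a small Node script that parses the v1 lockfile format, reports every resolved copy of `tar` below 2.0.0 and names the lock entries that pull it in, so the gate can run before the image is even built. The lockfile fragment and every version number other than `tar@0.1.20` are constructed for the example.

```javascript
// Constructed yarn.lock v1 fragment (not the real Cypress lockfile; only tar@0.1.20 comes from
// the issue, other versions are made up): node-webkit-updater pins an old tar, a second tar is fine.
const SAMPLE_LOCK = `node-webkit-updater@0.2.0:
  version "0.2.0"
  dependencies:
    tar "~0.1.19"
tar@~0.1.19, tar@0.1.20:
  version "0.1.20"
tar@^4.4.0:
  version "4.4.13"
`;

// Parse yarn.lock v1 into { "<name>@<range>": entry }; aliased header keys share one entry.
function parseYarnLock(text) {
  const entries = {}; let cur = null, inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (!line || line.startsWith('#')) continue;
    if (indent === 0) {                       // header line: `a@^1, "a@~1.2":`
      const keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      cur = { name: keys[0].slice(0, keys[0].lastIndexOf('@')), keys, version: null, deps: {} };
      keys.forEach(k => { entries[k] = cur; });
    } else if (indent === 2) {                // version / resolved / integrity / dependencies:
      inDeps = line === 'dependencies:';
      const m = line.match(/^version "([^"]+)"$/); if (m) cur.version = m[1];
    } else if (indent === 4 && inDeps) {      // `<dep> "<range>"` under dependencies:
      const [dep, range] = line.split(/\s+/); cur.deps[dep] = range.replace(/^"|"$/g, '');
    }
  }
  return entries;
}

// Numeric comparison of dotted versions (pre-release tags not handled): negative when a < b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Offline `yarn why`: each resolved copy of pkg older than minVersion plus the entries pulling it in.
function findVulnerableVersions(lockText, pkg, minVersion) {
  const unique = [...new Set(Object.values(parseYarnLock(lockText)))];
  return unique
    .filter(e => e.name === pkg && compareVersions(e.version, minVersion) < 0)
    .map(e => ({
      version: e.version,
      dependents: unique.filter(d => d.deps[pkg] && e.keys.includes(`${pkg}@${d.deps[pkg]}`))
                        .map(d => `${d.name}@${d.version}`),
    }));
}
```

Run against a real lockfile with `findVulnerableVersions(fs.readFileSync('yarn.lock', 'utf8'), 'tar', '2.0.0')` and fail the job when the result is non-empty.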