
Cypress installs critical security vulnerabilities, preventing it from running in CI pipeline #8314

Closed
filipemir opened this issue Aug 18, 2020 · 4 comments · Fixed by #8807
Labels
good first issue Good for newcomers topic: installation Issue during installation or downloading Cypress type: security 🔐 Security related

Comments

@filipemir

Hey folks,

I've been trying hard to integrate Cypress into our CI pipeline. We deploy our services in Docker containers and then analyze the resulting image against a list of known vulnerabilities. Critical vulnerabilities fail the build, well before we ever get to run the end-to-end tests. I suspect this applies to a lot of folks out there who would want to use Cypress in their CI pipeline. Unfortunately, Cypress is installing a module with a critical vulnerability (in the server package) that has been known since 2015: the tar@0.1.20 module. See https://www.npmjs.com/advisories/57. As a result, we can't currently use Cypress in our CI pipeline.

I dug a little into this and realized that the dependency is brought in by node-webkit-updater, a defunct project that you have forked. Here's the offending line:

"node-webkit-updater": "cypress-io/node-webkit-updater#e74623726f381487f543e373e71515177a32daeb",

I should note that Cypress is also bringing in a number of other vulnerabilities. Currently, those aren't an issue for us because we are only failing on critical vulnerabilities, but they may be for other people with stricter security requirements. Here's the list:
High:

  • qs@5.1.0: also introduced by node-webkit-updater (advisory)
  • minimatch@2.0.10: introduced by babel-core (advisory)
  • http-proxy@1.18.0: (advisory)

Moderate:

  • tunnel-agent@0.4.3: also introduced by node-webkit-updater (advisory)
  • hoek@2.16.3: also introduced by node-webkit-updater (advisory)

Current behavior:

Installing Cypress installs a version of tar below 2.0.0

Desired behavior:

Installing Cypress should not install a version of tar below 2.0.0

Test code to reproduce

Pull this repo, install dependencies with yarn, and then run yarn why tar. Result should indicate that tar@0.1.20 was installed:

...
=> Found "tar.gz#tar@0.1.20"
info This module exists because "_project_#@packages#server#node-webkit-updater#tar.gz" depends on it.
info Disk size without dependencies: "220KB"
info Disk size with unique dependencies: "468KB"
info Disk size with transitive dependencies: "956KB"
info Number of shared dependencies: 17
...

Versions

At least 14.7.1

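The reproduction above asks the reader to run yarn why tar by hand. As an added example (not from the issue or the Cypress project), the following Node script turns that check into a CI gate: it parses a v1 yarn.lock, resolves each entry's package name and locked version, and returns a non-zero exit code when a locked version falls inside a denylisted range. The DENYLIST table, the parseYarnLock/findVulnerable/gate names and the embedded SAMPLE_LOCK text are assumptions constructed for this example; the tar < 2.0.0 rule mirrors the "desired behavior" stated in the issue.

```javascript
// Added example, not Cypress project code: gate a CI build on a yarn.lock (v1)
// by flagging resolved packages that sit below a known fixed version.

// Assumed denylist: package name plus the first fixed version (exclusive upper bound).
// The tar rule mirrors the issue's "no tar below 2.0.0"; a real list comes from an advisory feed.
const DENYLIST = [
  { name: 'tar', fixedIn: '2.0.0', note: 'tar < 2.0.0 (npm advisory 57)' },
];

// Compare two "major.minor.patch" strings numerically; a prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name from a yarn selector such as tar@^0.1.20, "@scope/pkg@^1.0.0" or
// node-webkit-updater@cypress-io/node-webkit-updater#<sha>: everything before the
// first '@' that is not the scope prefix.
function selectorName(selector) {
  const s = selector.replace(/^"|"$/g, '');
  const at = s.indexOf('@', s.startsWith('@') ? 1 : 0);
  return at === -1 ? s : s.slice(0, at);
}

// Minimal yarn.lock v1 parser. An unindented line ending in ':' opens an entry whose
// comma-separated selectors all resolve to the same package; the indented
// `version "x.y.z"` line beneath it is the locked version. Nested blocks such as
// `dependencies:` are indented and therefore never mistaken for a new entry.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const selectors = line.slice(0, -1).split(',').map(s => s.trim());
      current = { name: selectorName(selectors[0]), selectors, version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Cross the parsed entries against the denylist; a hit is any entry whose locked
// version is below the fixed version for that package name.
function findVulnerable(entries, denylist = DENYLIST) {
  const findings = [];
  for (const entry of entries) {
    if (!entry.version) continue;
    for (const rule of denylist) {
      if (entry.name === rule.name && compareVersions(entry.version, rule.fixedIn) < 0) {
        findings.push({ name: entry.name, version: entry.version, fixedIn: rule.fixedIn,
                        note: rule.note, selectors: entry.selectors });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (not from the Cypress repo): one vulnerable tar entry,
// one patched tar entry, and a scoped package to exercise name parsing.
const SAMPLE_LOCK = `# yarn lockfile v1

"tar@~0.1.17", tar@^0.1.20:
  version "0.1.20"
  resolved "https://registry.yarnpkg.com/tar/-/tar-0.1.20.tgz#sha1-placeholder"
  dependencies:
    block-stream "*"

tar@^2.2.1:
  version "2.2.2"
  resolved "https://registry.yarnpkg.com/tar/-/tar-2.2.2.tgz#sha1-placeholder"

"@scope/widget@^1.0.0":
  version "1.4.2"
  resolved "https://registry.yarnpkg.com/@scope/widget/-/widget-1.4.2.tgz#sha1-placeholder"
`;

// Report every hit and return the exit code the pipeline should use:
// 0 when the lockfile is clean, 1 when any denylisted version is locked.
function gate(lockText, denylist = DENYLIST) {
  const findings = findVulnerable(parseYarnLock(lockText), denylist);
  for (const f of findings) {
    console.error(`DENIED ${f.name}@${f.version} (< ${f.fixedIn}, ${f.note}) via ${f.selectors.join(', ')}`);
  }
  return findings.length === 0 ? 0 : 1;
}

// Stand-alone run against the constructed sample; in CI, feed it the real file
// and exit with the returned code so the build stops before the image is built.
const sampleExitCode = gate(SAMPLE_LOCK);
console.log(`sample lockfile gate exit code: ${sampleExitCode}`);
```

In a pipeline the last two lines become `process.exit(gate(fs.readFileSync('yarn.lock', 'utf8')))`, run before the Docker build step. The parser reads only the entry header and its version line, so it is unaffected by the rest of the entry body; it does not resolve the dependency path the way yarn why does, which is why each finding carries the raw selectors so the reader can trace which range requests pulled the package in.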
@jennifer-shehane jennifer-shehane added the type: security 🔐 Security related label Aug 19, 2020
@jennifer-shehane (Member)

There's not any great reason that we've kept node-webkit-updater. This can be replaced. We're open to PRs to replace this dep.

@jennifer-shehane jennifer-shehane added the good first issue Good for newcomers label Aug 19, 2020
@cypress-bot cypress-bot bot added the stage: ready for work The issue is reproducible and in scope label Aug 19, 2020
@pverdile commented Oct 1, 2020

I'd like to start working on this.

@fedebertolini (Contributor)

Hi everyone, I saw no movement on this topic, so I went ahead and created a PR addressing the main issue with the node-webkit-updater dependency: #8807

@jennifer-shehane jennifer-shehane added the topic: installation Issue during installation or downloading Cypress label Oct 29, 2020
@cypress-bot (bot) commented Nov 9, 2020

Released in 5.6.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v5.6.0, please open a new issue.

@cypress-bot cypress-bot bot removed the stage: ready for work The issue is reproducible and in scope label Nov 9, 2020
@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Nov 9, 2020