Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

breaking: Upgrade @cypress/request to 3.0.0 #27495

Merged
merged 5 commits into from
Aug 23, 2023
Merged

breaking: Upgrade @cypress/request to 3.0.0 #27495

merged 5 commits into from
Aug 23, 2023

Conversation

chrisbreiding
Copy link
Contributor

@chrisbreiding chrisbreiding commented Aug 8, 2023
edited

Additional details

Steps to test

How has the user experience changed?

PR Tasks

@chrisbreiding chrisbreiding changed the title dependency: Upgrade @cypress/request to 3.0.0 and @cypress/request-pr… dependency: Upgrade @cypress/request to 3.0.0 and @cypress/request-promise to 4.2.7 Aug 8, 2023
@chrisbreiding chrisbreiding mentioned this pull request Aug 8, 2023
Merged
3 tasks
@cypress
Copy link

cypress bot commented Aug 8, 2023
edited

9 flaky tests on run #50358 ↗︎

0 5337 78 0 Flakiness 9

Details:

fix test
Project: cypress Commit: 80a4cdccb0
Status: Passed Duration: 18:07 💡
Started: Aug 23, 2023 3:35 PM Ended: Aug 23, 2023 3:53 PM
Flakiness  cypress_api.cy.ts • 1 flaky test • 5x-driver-electron

View Output Video

Test Artifacts
cy.origin Cypress API > Commands > adds a custom command Test Replay Output
Flakiness  commands/cookies.cy.ts • 1 flaky test • 5x-driver-electron

View Output Video

Test Artifacts
cy.origin cookies > client side > .getCookie(), .getCookies(), and .setCookie() Test Replay Output
Flakiness  patches.cy.ts • 1 flaky test • 5x-driver-electron

View Output Video

Test Artifacts
src/cross-origin/patches > submit > correctly submits a form when the target is _top for HTMLFormElement Test Replay Output
Flakiness  commands/spies_stubs_clocks.cy.ts • 1 flaky test • 5x-driver-electron

View Output Video

Test Artifacts
cy.origin spies, stubs, and clock > spy() Test Replay Output
Flakiness  commands/log.cy.ts • 1 flaky test • 5x-driver-electron

View Output Video

Test Artifacts
cy.origin log > logs in primary and secondary origins Test Replay Output

The first 5 flaky specs are shown, see all 7 specs in Cypress Cloud.

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

This was referenced Aug 8, 2023
Closed
Merged
BarneyPowell
BarneyPowell reviewed Aug 9, 2023
View reviewed changes
cli/CHANGELOG.md Outdated
@@ -7,6 +7,9 @@ _Released 08/15/2023 (PENDING)_

- Fixed an issue where having `cypress.config` in a nested directory would cause problems with locating the `component-index.html` file when using component testing. Fixes [#26400](https://github.com/cypress-io/cypress/issues/26400).

**Dependency Updates:**

- Upgraded [`@cypress/request`](https://www.npmjs.com/package/@cypress/request) from `^2.8.11` to `^3.0.0` and [`@cypress/request-promise`](https://www.npmjs.com/package/@cypress/request-promise) from `4.2.6` to `4.2.7`. Addressed in [#27495](https://github.com/cypress-io/cypress/pull/27495).
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies - it's the little person in me who gives me an itch when I spot the tiniest of typos :). Stumbled across this when searching for a better solution to update our cypress 9.5.3 to cover CVE-2023-26136. Dependabot is helpfully offering to patch package-lock.json but that gives me the heebie-jeebies, as until this PR is merged, and we've upgraded to the latest Cypress, any changes will regress the alert.

Suggested change
- Upgraded [`@cypress/request`](https://www.npmjs.com/package/@cypress/request) from `^2.8.11` to `^3.0.0` and [`@cypress/request-promise`](https://www.npmjs.com/package/@cypress/request-promise) from `4.2.6` to `4.2.7`. Addressed in [#27495](https://github.com/cypress-io/cypress/pull/27495).
- Upgraded [`@cypress/request`](https://www.npmjs.com/package/@cypress/request) from `^2.88.11` to `^3.0.0` and [`@cypress/request-promise`](https://www.npmjs.com/package/@cypress/request-promise) from `4.2.6` to `4.2.7`. Addressed in [#27495](https://github.com/cypress-io/cypress/pull/27495).

@MikeMcC399 MikeMcC399 mentioned this pull request Aug 10, 2023
Closed
@jordanpowell88
Copy link
Collaborator

We can close in favor of #27515 (which addresses the binary failure and updates @cypress/request and @cypress/request-promise)

@jordanpowell88
Copy link
Collaborator

Looks like this is a breaking change and will need to get put in v13. Going to just patch 2.88.12 in my PR and then we can include this in 13 afterwards

@MikeMcC399
Copy link
Contributor

MikeMcC399 commented Aug 11, 2023
edited

Without this PR, and executing npm audit on a clean installation of cypress@12.17.4 reports

# npm audit report

@cypress/request  <=2.88.12
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install cypress@4.2.0, which is a breaking change
node_modules/@cypress/request
  cypress  >=4.3.0
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I would suggest to add GHSA-p8p7-x288-28g6 to the CHANGELOG, e.g.

... to address security vulnerability [GHSA-p8p7-x288-28g6](https://github.com/advisories/GHSA-p8p7-x288-28g6)

The Common Vulnerabilities and Exposures article ID CVE-2023-28155 does not actually mention @cypress/request or cypress, so it might be confusing to use this ID as a reference in the Cypress CHANGELOG.

@jordanpowell88 jordanpowell88 changed the base branch from develop to release/13.0.0 August 11, 2023 15:25
@MikeMcC399 MikeMcC399 mentioned this pull request Aug 11, 2023
Closed
@MikeMcC399
Copy link
Contributor

@jennifer-shehane jennifer-shehane mentioned this pull request Aug 22, 2023
Merged
3 tasks
@chrisbreiding chrisbreiding changed the title dependency: Upgrade @cypress/request to 3.0.0 and @cypress/request-promise to 4.2.7 dependency: Upgrade @cypress/request to 3.0.0 Aug 23, 2023
@chrisbreiding chrisbreiding changed the title dependency: Upgrade @cypress/request to 3.0.0 breaking: Upgrade @cypress/request to 3.0.0 Aug 23, 2023
@chrisbreiding chrisbreiding merged commit 7f45375 into release/13.0.0 Aug 23, 2023
75 of 80 checks passed
@chrisbreiding chrisbreiding deleted the update-cypress-request-version branch August 23, 2023 19:16
@chrisbreiding chrisbreiding self-assigned this Aug 24, 2023
@cypress-bot
Copy link
Contributor

cypress-bot bot commented Aug 29, 2023

Released in 13.0.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v13.0.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Aug 29, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@BarneyPowell BarneyPowell BarneyPowell left review comments

@cacieprins cacieprins cacieprins approved these changes

@mjhenkes mjhenkes mjhenkes approved these changes

Assignees

@chrisbreiding chrisbreiding

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@chrisbreiding @jordanpowell88 @MikeMcC399 @cacieprins @mjhenkes @BarneyPowell