
[Release-4.19] OCPBUGS-70284: Fix CVE-2025-15284 by upgrading cypress#408

Closed
MrSanketkumar wants to merge 1 commit into openshift:release-4.19 from MrSanketkumar:fix-CVE-2025-15284-4.19

Conversation

@MrSanketkumar MrSanketkumar commented May 4, 2026

Summary by CodeRabbit

  • Chores
    • Upgraded development and testing tooling: updated Cypress and related test tooling to more recent versions to improve test execution, reporting, and local dev experience.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 4, 2026
@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70284, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-70284 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented May 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 96fec18e-aff9-4bcd-88f3-e6bd29b44b48

📥 Commits

Reviewing files that changed from the base of the PR and between 3736d3f and af3a461.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

Walkthrough

Bumped three devDependencies in package.json: @cypress/webpack-preprocessor to ^7.0.0, cypress to ^15.0.0, and cypress-multi-reporters to ^2.0.0. No source code or exported API changes.

Changes

Dependency Version Updates

Layer / File(s): Package Manifest (package.json)
Summary: Updated devDependencies: @cypress/webpack-preprocessor from ^5.15.5 to ^7.0.0; cypress from ^12.17.4 to ^15.0.0; cypress-multi-reporters from ^1.6.2 to ^2.0.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly references CVE-2025-15284 and describes the main change (upgrading Cypress), which matches the package.json dependency updates in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Test names in example-page.cy.ts are static and descriptive with no dynamic values.
Test Structure And Quality ✅ Passed Custom check for Ginkgo test code quality is not applicable. PR only updates package.json with Cypress dependency versions. No test code (Ginkgo or otherwise) is present or modified in this PR.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. The PR updates Cypress dependencies and adds Cypress-based tests (JavaScript framework), not Ginkgo tests (Go framework). The check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR updates Cypress (JavaScript E2E) dependencies only. SNO check applies to Ginkgo tests (Go-based OpenShift tests), which don't exist in this repo. No new tests added.
Topology-Aware Scheduling Compatibility ✅ Passed PR only updates dev dependencies (Cypress) in package.json. No deployment manifests, operator code, or controllers were modified. No scheduling constraints introduced.
Ote Binary Stdout Contract ✅ Passed OTE Binary Stdout Contract check applies to Go test code. This PR only modifies package.json for Cypress dependencies in a JavaScript/TypeScript repository with no Go test files.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Custom check applies only to new Ginkgo e2e tests. This PR updates Cypress dependencies only; no Ginkgo tests are added. Check not applicable.


@openshift-ci openshift-ci Bot requested review from metalice and tnisan May 4, 2026 09:00
@openshift-ci

openshift-ci Bot commented May 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MrSanketkumar
Once this PR has been reviewed and has the lgtm label, please assign vojtechszocs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70284, which is invalid:

  • expected Jira Issue OCPBUGS-70284 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.


In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 4, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70284, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.


In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 61: Update the Cypress dependency to 15.8.2 in package.json and update
the devcontainer to use Node.js 20+ so Cypress can run: change the "cypress"
entry to "^15.8.2" and modify the devcontainer base (referenced in
.devcontainer/Dockerfile.plugin where it currently uses typescript-node:16) to a
Node 20+ image (e.g., typescript-node:20 or another official Node 20 image),
rebuild the devcontainer and verify the workspace uses Node 20.x, run the test
suite locally to confirm compatibility, and ensure CI Linux runners have glibc
>=2.31 (update CI images or document requirement) before merging.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bf33ff34-3f09-46e9-8144-082dbb92ed7e

📥 Commits

Reviewing files that changed from the base of the PR and between 9893901 and 3736d3f.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"css-loader": "^6.7.1",
"cypress": "^12.17.4",
"cypress-multi-reporters": "^1.6.2",
"cypress": "^15.0.0",
Copy link
Copy Markdown

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's check the actual package.json file
cat -n package.json | sed -n '55,70p'

Repository: openshift/networking-console-plugin

Length of output: 798


🏁 Script executed:

# Search for any CI/dev configuration files to understand the environment
find . -type f \( -name ".github" -o -name "docker*" -o -name ".circleci" -o -name ".gitlab-ci*" \) 2>/dev/null | head -20

Repository: openshift/networking-console-plugin

Length of output: 114


🌐 Web query:

CVE-2025-15284 Cypress vulnerability

💡 Result:

CVE-2025-15284 is an Improper Input Validation vulnerability in the qs npm package (versions < 6.14.1), enabling potential HTTP Denial of Service (DoS) via memory exhaustion. The arrayLimit option fails to enforce limits on bracket notation arrays (e.g., a[]=1&a[]=2), unlike indexed notation, creating a consistency bug. However, the default parameterLimit=1000 mitigates practical DoS risk in most cases, as it caps parsed parameters. Severity reduced accordingly: CVSS v3.1 3.7 (Low), CVSS v4 6.3 (Medium). It affects Cypress (cypress-io/cypress) as a transitive dependency via @cypress/request, flagged by npm audit in versions up to 15.8.1. Fixed in Cypress 15.8.2 by updating dependencies. Workarounds: npm audit fix, overrides to qs@~6.14.1, or reinstall. No evidence of a vulnerability directly in Cypress Semiconductor/Infineon products; searches of official sites yielded no matches. The association is with the Cypress testing framework.

🌐 Web query:

Cypress 15.8.2 changelog CVE fix release notes

💡 Result:

Cypress 15.8.2 was released on January 6, 2026. It is a patch release primarily addressing bug fixes and a security vulnerability. Bug fixes: - Fixed ffprobe path configuration for video operations; upgraded @ffprobe-installer/ffprobe from 1.1.0 to 2.1.2 for darwin-arm64 support (#33136). - Fixed test:after:run and test:after:run:async events not firing after both before all and after all hooks failed (#33172). Dependency updates: - Upgraded @cypress/request to 3.0.10, which removes the CVE-2025-15284 vulnerability reported in security scans (#33188). This release specifically fixes the CVE-2025-15284 vulnerability via the @cypress/request dependency upgrade, making it a CVE fix release.

🌐 Web query:

Cypress 15 Node.js version requirement glibc

💡 Result:

Cypress 15 requires Node.js 20.x, 22.x, or >=24.x for installation. On Linux systems, it requires glibc >=2.31, due to dependencies like Electron 36 and better-sqlite3 built on Debian Bullseye. Supported Linux distributions include Ubuntu 20.04+, Debian 11+, Fedora 41+. Use ldd --version to check glibc version. This aligns with Node.js 20+ Linux support and Cypress binary/Electron requirements.

🏁 Script executed:

# Check the devcontainer for Node.js version and base image
cat -n .devcontainer/docker-compose.yml

Repository: openshift/networking-console-plugin

Length of output: 1138


🏁 Script executed:

# Also check if there are any other CI configs
find . -type f -name "Dockerfile*" -o -name "*action*.yml" -o -name "*action*.yaml" 2>/dev/null | head -20

Repository: openshift/networking-console-plugin

Length of output: 178


🏁 Script executed:

# Check the plugin Dockerfile for Node version
cat -n .devcontainer/Dockerfile.plugin

Repository: openshift/networking-console-plugin

Length of output: 235


🏁 Script executed:

# Check console Dockerfile too
cat -n .devcontainer/Dockerfile.console

Repository: openshift/networking-console-plugin

Length of output: 1087


🏁 Script executed:

# Check main Dockerfile as well
cat -n Dockerfile

Repository: openshift/networking-console-plugin

Length of output: 1369


Bump Cypress to 15.8.2 and update devcontainer Node.js version.

CVE-2025-15284 (in qs package, transitive dependency) is fixed in Cypress 15.8.2. However, the devcontainer's .devcontainer/Dockerfile.plugin uses typescript-node:16 (Node.js 16), which is incompatible with Cypress 15's requirement for Node.js 20.x, 22.x, or >=24.x. The devcontainer must be updated to use Node.js 20+ before this change merges. Additionally, confirm that CI environments have glibc >=2.31 for Linux systems.

Suggested change
-    "cypress": "^15.0.0",
+    "cypress": "^15.8.2",
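Review bot: the suggested change touches only the version string, while the same comment names the Node.js 20+ devcontainer update as a prerequisite (.devcontainer/Dockerfile.plugin is still on typescript-node:16); applied on its own it leaves a manifest requiring a Cypress the devcontainer cannot run. Either include the Dockerfile change in the same commit or state in the PR where that change is tracked.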
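The review above turns on the gap between the semver range written in package.json and the version a lockfile actually resolves. The script below is an added example, not code from this PR or from the openshift/networking-console-plugin repository: it parses a yarn v1 lockfile and compares every resolved copy of cypress and qs against the fixed versions named in the thread (Cypress 15.8.2, qs 6.14.1), and shows that a caret range only guarantees its floor. The two lockfiles embedded in it are constructed samples, not the repository's yarn.lock, and the package set and versions in them are assumptions for illustration.

```javascript
// Added example (not from the PR or the repository): confirm that a lockfile
// resolves advisory-affected packages to fixed versions instead of trusting the
// semver range written in package.json.

// Fixed versions as stated in the review thread for CVE-2025-15284.
const FIXED = { cypress: '15.8.2', qs: '6.14.1' };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release/build tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 for a < b, a == b, a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A caret range "^X.Y.Z" admits every later X.* release, fixed or not, so it
// guarantees the fix only when its floor is already at or above the fixed version.
function rangeGuaranteesFix(range, fixedAt) {
  const m = /^\^\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range (caret ranges only): ${range}`);
  return compareVersions(m[1], fixedAt) >= 0;
}

// "name@range" -> "name"; scoped names (@scope/pkg@range) keep their leading "@".
function lockKeyName(key) {
  const k = key.trim().replace(/^"|"$/g, '');
  const at = k.lastIndexOf('@');
  return at > 0 ? k.slice(0, at) : k;
}

// Minimal yarn v1 lockfile parser: a header "name@range, name@range2:" followed by
// an indented 'version "X.Y.Z"' line. Returns Map<name, Set<resolvedVersion>>,
// since one package can be resolved to several versions in the same tree.
function parseYarnLock(text) {
  const resolved = new Map();
  let names = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      names = line.slice(0, -1).split(',').map(lockKeyName);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) {
      for (const n of names) {
        if (!resolved.has(n)) resolved.set(n, new Set());
        resolved.get(n).add(m[1]);
      }
    }
  }
  return resolved;
}

// Every resolved copy of an advisory package that is still below its fixed version.
function findUnfixed(resolved, fixed = FIXED) {
  const findings = [];
  for (const [name, fixedAt] of Object.entries(fixed)) {
    for (const v of resolved.get(name) || []) {
      if (compareVersions(v, fixedAt) < 0) findings.push({ name, version: v, fixedAt });
    }
  }
  return findings;
}

// Constructed sample lockfiles (not the repository's yarn.lock). The first models a
// tree where "^15.0.0" resolved to its floor and qs stayed below 6.14.1.
const LOCK_BEFORE = `
# yarn lockfile v1 (constructed sample)
cypress@^15.0.0:
  version "15.0.0"

"@cypress/request@^3.0.0":
  version "3.0.8"

qs@^6.5.2, qs@~6.14.0:
  version "6.14.0"
`;

// The second models the tree after bumping to the fixed Cypress release.
const LOCK_AFTER = `
# yarn lockfile v1 (constructed sample)
cypress@^15.8.2:
  version "15.8.2"

"@cypress/request@^3.0.10":
  version "3.0.10"

qs@~6.14.1:
  version "6.14.1"
`;

console.log('^15.0.0 guarantees fix:', rangeGuaranteesFix('^15.0.0', FIXED.cypress)); // false
console.log('^15.8.2 guarantees fix:', rangeGuaranteesFix('^15.8.2', FIXED.cypress)); // true
console.log('unfixed before:', findUnfixed(parseYarnLock(LOCK_BEFORE))); // cypress 15.0.0, qs 6.14.0
console.log('unfixed after:', findUnfixed(parseYarnLock(LOCK_AFTER)));   // []
```

Run it with `node` against a real lockfile by replacing the sample strings with `fs.readFileSync('yarn.lock', 'utf8')`; the same check is what a CI gate would run when the lockfile is excluded from code review, as it is in this PR. The parser covers only the header and version lines of a yarn v1 lockfile, which is all the check needs.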

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 4, 2026
@MrSanketkumar MrSanketkumar force-pushed the fix-CVE-2025-15284-4.19 branch from 3736d3f to af3a461 Compare May 5, 2026 05:34
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 5, 2026
@MrSanketkumar
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 5, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70284, which is invalid:

  • expected Jira Issue OCPBUGS-70284 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.


In response to this:

Summary by CodeRabbit

  • Chores
  • Upgraded development and testing tooling: updated Cypress and related test tooling to more recent versions to improve test execution, reporting, and local dev experience.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar
Author

/hold Waiting for the NPM migration to complete.

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 5, 2026
@openshift-ci

openshift-ci Bot commented May 5, 2026

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@MrSanketkumar
Author

Release-4.19 is NOT VULNERABLE to CVE-2025-15284 after the NPM migration (PR #398). The vulnerability has been naturally resolved without requiring additional fixes.

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70284. The bug has been updated to no longer refer to the pull request using the external bug tracker.


In response to this:

Summary by CodeRabbit

  • Chores
  • Upgraded development and testing tooling: updated Cypress and related test tooling to more recent versions to improve test execution, reporting, and local dev experience.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
