[Release-4.18] OCPBUGS-70283: Fix CVE-2025-15284 by upgrading cypress

[MrSanketkumar]

Summary by CodeRabbit

• Chores
  • Updated dependency resolution configurations to ensure consistent package compatibility and stability.

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70283, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-70283 to depend on a bug targeting a version in 4.19.0, 4.19.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The package.json file is updated to add a dependency resolution pin for the qs package (^6.14.1) in the resolutions section, ensuring a specific version is used across the dependency tree.

Changes

Dependency Resolution Pin

Layer / File(s)	Summary
Dependency Configuration package.json	Resolution entry for qs is pinned to ^6.14.1 to manage transitive dependency versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title references upgrading cypress to fix CVE-2025-15284, but the file changes show only package.json dependency resolution updates for 'qs' with no evidence of cypress upgrade.	Verify if the cypress upgrade is present in other files, or update the title to accurately reflect that this PR adds a 'qs' dependency pin in package.json resolutions.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for Ginkgo test names is not applicable to this JavaScript/TypeScript project with no Go code or Ginkgo tests.
Test Structure And Quality	✅ Passed	This custom check is not applicable to the provided pull request. The check is designed to assess Ginkgo test code quality, which is a testing framework for Go programming language. However, this repository contains no Go files whatsoever—it is a pure JavaScript/TypeScript project that uses Cypress for integration testing. Since the custom check explicitly targets Ginkgo test code that does not exist in this codebase, the check cannot apply and therefore passes by default.
Microshift Test Compatibility	✅ Passed	This check is not applicable to the provided pull request. The custom check specifically addresses MicroShift compatibility for new Ginkgo e2e tests, which are Go-based testing constructs used in OpenShift repositories. This PR modifies a JavaScript/TypeScript repository and only updates npm package.json dependency resolutions without adding any Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only package.json dependency versions and does not add any Ginkgo e2e tests. The repository is a JavaScript/TypeScript project without Go test files.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies package.json for dependency updates. Deployment manifests, operator code, and controllers are not added or modified, so the topology-aware scheduling check does not apply.
Ote Binary Stdout Contract	✅ Passed	OTE Binary Stdout Contract check is not applicable; this is a Node.js/TypeScript project with zero Go files and no OTE binary implementations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The custom check applies only to new Ginkgo e2e tests, but this PR contains no new test files and only modifies package.json dependencies in a JavaScript/TypeScript project.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MrSanketkumar
Once this PR has been reviewed and has the lgtm label, please assign vojtechszocs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[MrSanketkumar]

/jira refresh

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70283, which is invalid:

• expected dependent Jira Issue OCPBUGS-70284 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[MrSanketkumar]

/hold

[MrSanketkumar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

package.json (1)

110-111: Consider using the exact resolved qs version in resolutions for clarity.

At Line 111, resolutions uses ^6.14.1. While the lockfile already pins qs to 6.15.1 (ensuring reproducible installs), using an exact version in resolutions makes the intended CVE remediation more explicit and auditable. For consistency, prefer the actual resolved version:

Suggested change

-    "qs": "^6.14.1"
+    "qs": "6.15.1"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 110 - 111, The package.json currently lists "qs"
in the resolutions (and dependency) with a caret range; update the resolutions
entry for "qs" to the exact resolved version used in the lockfile (e.g., change
"^6.14.1" to "6.15.1") so the CVE remediation is explicit and auditable — locate
the "qs" key under the "resolutions" object and replace the caret range with the
exact version string.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@package.json`:
- Around line 110-111: The package.json currently lists "qs" in the resolutions
(and dependency) with a caret range; update the resolutions entry for "qs" to
the exact resolved version used in the lockfile (e.g., change "^6.14.1" to
"6.15.1") so the CVE remediation is explicit and auditable — locate the "qs" key
under the "resolutions" object and replace the caret range with the exact
version string.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dce95664-bbb7-465e-a703-6aaf976b167b

📥 Commits

Reviewing files that changed from the base of the PR and between 03c2464 and 7e35d0f.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json

[MrSanketkumar]

/test lint

[MrSanketkumar]

/jira refresh

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-70283, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.z) matches configured target version for branch (4.18.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-70284 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-70284 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
• bug has dependents

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[MrSanketkumar]

/test lint

[openshift-ci]

@MrSanketkumar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/lint	7e35d0f	link	true	/test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.