Skip to content

update cypress to above 4.12.1 #5787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

update cypress to above 4.12.1 #5787

wants to merge 1 commit into from

Conversation

zhao-li
Copy link

@zhao-li zhao-li commented Aug 14, 2020

This pull request updates cypress to above 4.12.1 to address security vulnerabilities of lodash < 4.17.19, a sub-dependency of cypress.

Package cypress has a sub-dependency on lodash. lodash has a vulnerability that is fixed in version 4.17.19+. cypress 4.11.0+ uses the lodash 4.17.19+. I figured it's best to just update to the latest cypress, which is 4.12.1.

Hope that helps 😄

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Code style update
  • Refactor
  • Docs
  • Underlying tools (?dependency?)
  • Other, please describe:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No
  • Unsure: this project isn't containerized and I don't want to install yarn and things on my host

Other information:
I'm hoping your CI will figure out if this is a breaking change or not.

Low             Prototype Pollution                                                                                                   
Package         lodash                                                                                                                
Patched in      >=4.17.19                                                                                                             
Dependency of   @vue/cli-plugin-e2e-cypress [dev]                                                                                     
Path            @vue/cli-plugin-e2e-cypress > cypress > lodash                                                                        
More info       https://npmjs.com/advisories/1523 

+-- @vue/cli-plugin-e2e-cypress@4.5.3
| `-- cypress@3.8.3
|   +-- getos@3.1.1
|   | `-- async@2.6.1
|   |   `-- lodash@4.17.19  deduped
|   `-- lodash@4.17.15

@zhao-li
update cypress to above 4.12.1 to address security vulnerabilities of…
ddcf71a 
… lodash < 4.17.19, a sub-dependency of cypress
@zhao-li zhao-li mentioned this pull request Aug 14, 2020
Closed
@zhao-li
Copy link
Author

zhao-li commented Aug 14, 2020
edited
Loading

This update will also address vulnerabilities in minimist < 1.2.3, which is a sub-dependency of cypress.

+-- @vue/cli-plugin-e2e-cypress@4.5.3
| `-- cypress@3.8.3
|   +-- extract-zip@1.6.7
|   | `-- mkdirp@0.5.1
|   |   `-- minimist@0.0.8 
|   `-- minimist@1.2.0

Package         minimist                                                                                                                                                                                                                                                      
Patched in      >=0.2.1 <1.0.0 || >=1.2.3                                                                                                                                                                                                                                     
Dependency of   @vue/cli-plugin-e2e-cypress [dev]                                                                                                                                                                                                                             
Path            @vue/cli-plugin-e2e-cypress > cypress > extract-zip > mkdirp                                                                                                                                                                                                  
                > minimist                                                                                                                                                                                                                                                    
More info       https://npmjs.com/advisories/1179                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                              
Low             Prototype Pollution                                                                                                                                                                                                                                           
Package         minimist                                                      
Patched in      >=0.2.1 <1.0.0 || >=1.2.3                                     
Dependency of   @vue/cli-plugin-e2e-cypress [dev]                             
Path            @vue/cli-plugin-e2e-cypress > cypress > minimist              
More info       https://npmjs.com/advisories/1179

Related issue: #5413

@haoqunjiang
Copy link
Member

See #5139

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zhao-li @haoqunjiang