Skip to content

[Snyk] Security upgrade cypress from 4.12.0 to 5.0.0 #145

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade cypress from 4.12.0 to 5.0.0 #145

wants to merge 1 commit into from

Conversation

@Omrisnyk
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • large-file/package.json
    • large-file/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity Reachability
medium severity 141/1000
Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Local, EPSS: 0.01055, Social Trends: No, Days since published: 89, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.35, Score Version: V5		 Missing Release of Resource after Effective Lifetime
SNYK-JS-INFLIGHT-6095116		 Yes Proof of Concept No Path Found

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: cypress
  • 5.0.0 - 2020-08-19

    Released 8/19/2020

    Summary:

    Cypress now includes support for test retries! Similar to how Cypress will retry assertions when they fail, test retries will allow you to automatically retry a failed test prior to marking it as failed. Read our new guide on Test Retries for more details.

    Breaking Changes:

    Please read our Migration Guide which explains the changes in more detail and how to change your code to migrate to Cypress 5.0.

    • The cypress-plugin-retries plugin has been deprecated in favor of test retries built into Cypress. Addresses #1313.
    • The Cypress.Cookies.defaults() whitelist option has been renamed to preserve to more closely reflect its behavior. Addressed in #7782.
    • The blacklistHosts configuration has been renamed to blockHosts to more closely reflect its behavior. Addressed in #7622.
    • The cy.server() whitelist option has been renamed to ignore to more closely reflect its behavior. Addresses #6642.
    • libgbm-dev is now a requirement to run Cypress on Linux. Addressed in #7791.
    • Values yielded by cy.setCookie(), cy.getCookie(), and cy.getCookies() will now contain the sameSite property if specified. Addresses #6892.
    • The experimentalGetCookiesSameSite configuration flag has been removed, since this behavior is now the default. Addresses #6892.
    • The return type of the Cypress.Blob methods arrayBufferToBlob, base64StringToBlob, binaryStringToBlob, and dataURLToBlob have changed from Promise<Blob> to Blob. Addresses #6001.
    • Cypress no longer supports file paths with a question mark ? in them. We now use the webpack preprocessor by default and it does not support files with question marks. Addressed in #7982.
    • For TypeScript compilation of spec, support, and plugins files, the esModuleInterop option is no longer coerced to true. If you need to utilize esModuleInterop, set it in your tsconfig.json. Addresses #7575.
    • Cypress now requires TypeScript 3.4+. Addressed in #7856.
    • Installing Cypress on your system now requires Node.js 10+. Addresses #6574.
    • In spec files, the values for the globals __dirname and __filename no longer include leading slashes. Addressed in #7982.

    Features:

    • There's a new retries configuration option to configure the number of times to retry a failing test. Addresses #1313.
    • .click(), .dblclick(), and .rightclick() now accept options altKey, ctrlKey, metaKey, and shiftKey to hold down key combinations while clicking. Addresses #486.
    • You can now chain .snapshot() off of cy.stub() and cy.spy() to disabled snapshots during those commands. For example: cy.stub().snapshot(false). Addresses #3849.

    Bugfixes:

    • The error Cannot set property 'err' of undefined will no longer incorrectly throw when rerunning tests in the Test Runner. Fixes #7874 and #8193.
    • Cypress will no longer throw a Cannot read property 'isAttached' of undefined error during cypress run on Firefox versions >= 75. Fixes #6813.
    • The error Maximum call stack size exceeded will no longer throw when calling scrollIntoView on an element in the shadow dom. Fixes #7986.
    • Cypress environment variables that accept arrays as their value will now properly evaluate as arrays. Fixes #6810.
    • Elements having display: inline will no longer be considered hidden if it has child elements within it that are visible. Fixes #6183.
    • When experimentalShadowDomSupport is enabled, .parent() and .parentsUntil() commands now work correctly in shadow dom as well as passing a selector to .parents() when the subject is in the shadow dom. Fixed in #8202.
    • Screenshots will now be correctly taken when a test fails in an afterEach or beforeEach hook after the hook has already passed. Fixes #3744.
    • Cypress will no longer report screenshots overwritten in a cy.screenshot() onAfterScreenshot option as a unique screenshot. Fixes #8079.
    • Taking screenshots will no longer fail when the screenshot names are too long for the filesystem to accept. Fixes #2403.
    • The "last used browser" will now be correctly remembered during cypress open if a non-default-channel browser was selected. Fixes #8281.
    • For TypeScript projects, tsconfig.json will now be loaded and used to configure TypeScript compilation of spec and support files. Fixes #7006 and #7503.
    • reporterStats now correctly show the number of passed and failed tests when a test passes but the afterEach fails. Fixes #7730.
    • The Developer Tools menu will now always display in Electron when switching focus from Specs to the Test Runner. Fixes #3559.

    Documentation Changes:

    • We have a new guide on Test Retries.
    • Our Migration Guide has a new section for 5.0 migration.

    Misc:

    • Cypress now uses the webpack preprocessor by default to preprocess spec files.
    • The Runs tab within the Test Runner has a new improved design when the project has not been set up or login is required. Addressed in #8141.
    • The type for the Window object returned from cy.window() is now correct. Addresses #7856.
    • The type definition for Cypress's ApplicationWindow can now be extended. Addresses #7856.
    • The type definition for reporterOptions has been added. Addresses #7877.

    Dependency Updates

    • Upgraded Chrome browser version used during cypress run and when selecting Electron browser in cypress open from 80 to 83. Addressed in #7791.
    • Upgraded bundled Node.js version from 12.8.1 to 12.14.1. Addressed in #7791.
    • Upgraded chalk from 2.4.2 to 4.1.0. Addressed in #7650.
    • Upgraded cli-table3 from 0.5.1 to 0.6.0. Addressed in #7650.
    • Upgraded electron from 8.3.1 to 9.2.0. Addressed in #7791 and #8235.
    • Upgraded execa from 1.0.0 to 4.0.2. Addressed in #7650.
    • Upgraded express from 4.16.4 to 4.17.1. Addressed in #8179.
    • Upgraded fs-extra from 8.1.0 to 9.0.1. Addressed in #7650.
    • Upgraded log-symbols from 3.0.0 to 4.0.0. Addressed in #7650.
    • Upgraded tmp from 0.1.0 to 0.2.1. Addressed in #7650.
  • 4.12.1 - 2020-08-05

    Released 8/5/2020

    Bugfixes:

    • The error Cannot set property 'err' of undefined will no longer incorrectly throw when rerunning tests in the Test Runner. Fixes #7874.
    • Skipping the last test before a nested suite with a before hook will now correctly run the tests in the suite following the skipped test. Fixes #8086.

    Dependency Updates:

    • Upgraded md5 from 2.2.1 to 2.3.0. Addressed in #8161.
    • Upgraded electron-context-menu from 0.15.1 to 2.2.0. Addressed in #8180.
  • 4.12.0 - 2020-08-03

    Released 8/3/2020

    Features:

    • Now you can control whether screenshots are automatically taken on test failure during cypress run by setting screenshotOnRunFailure in your configuration. Addresses #5029.
    • The pluginsFile now has access to a readonly version property within the config object that returns the current Cypress version being run. This will allow plugins to better target specific Cypress versions. Addresses #6352.
    • During cypress open, you can now run a subset of all specs by entering a text search filter and clicking 'Run n tests'. Addresses #6581.

    Bugfixes:

    • position: fixed elements that have a parent with pointer-events: none will now correctly evaluate as visible. Fixes #6675.
    • Applications using custom elements will no longer trigger infinite XHR request loops. Fixes #1068.
    • When snapshotting the DOM, Cypress no longer causes attributeChangedCallback to be triggered on custom elements. Fixes #7187.
    • Spec files containing + characters now properly run in Cypress. Fixes #5909.
    • When using the fx shortcut in cy.route(), an error is now thrown when the fixture file cannot be found. Fixes #7818.
    • Cypress no longer thrown Cannot read property '__error' of null error when passing a file containing null content to cy.fixture(). Fixes #8010.
    • Values containing exponential operators passed to --env via the command line are now properly read. Fixes #6891.
    • The "Open in IDE" button no longer disappears from hooks when the tests are manually rerun. Fixes #8094.
    • When experimentalSourceRewriting is enabled, AST rewriting will no longer return an output before the body is done being written. This would happen when the response body was too large and the response would be sent while the body was still being modified. Fixes #8043.
    • When using .type(), Cypress now properly types into an input within an iframe that auto focuses the input. Fixes #8111.

    Misc:

    • Dependencies for our cypress npm package are no longer pinned to a specific version. This allows the use of npm audit fix to fix security vulnerabilities without needing a patch release from Cypress. Addresses #8046.
    • We now collect environment variables for AWS CodeBuild when recording to the Dashboard. Addressed #8101.
    • Types inside Module API are now accessible via the CypressCommandLine namespace. Addresses #7309.
    • We added more type definitions for the .should() command. Addresses #5573.
    • Cookie command's expiry property type is now a Number instead of a String. Addresses #8144.
    • There are some minor visual improvements to the Test Runner's Command Log when hovering, focusing and clicking on hook titles and pending tests. Addressed in #8153.

    Dependency Updates:

    • Upgraded jimp from 0.13.0 to 0.14.0. Addressed in #8102.
    • Upgraded moment from 2.26.0 to 2.27.0. Addressed in #8122.
from cypress GitHub release notes

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@snyk-bot
fix: large-file/package.json & large-file/package-lock.json to reduce…
0e4382e 
… vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
@Omrisnyk Omrisnyk mentioned this pull request Apr 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

file name contains character ”+“ not run runnable:run:async only fires once for each hook Cypress devtool sometimes loses "developer tools" menu bar item Screenshot file name too long warning when Bytes exceeded Cypress getting into an infinite XHR request loop
Inline, zero-dimension element: erroneous visibility determination position: fixed elements having parent with pointer-events: none mistakenly display as not visible / covered by another el Array in environment variables CYPRESS_BLACKLIST_HOSTS, CYPRESS_testFiles not handled correctly Cannot read property isAttached of undefined Can't pass hash values containing exponential operators to --env command line option.

2 participants

@Omrisnyk @snyk-bot