cypress
CVE-2021-44906 found on trivy scan cypress version is 13.3.3
Current behavior
Installed version is 0.0.8
Desired behavior
Upgrade fix version is 1.2.6
Test code to reproduce
Cypress Version
13.3.3
Node version
16.20.2
Operating System
Debug Logs
"VulnerabilityID": "CVE-2021-44906",
"InstalledVersion": "0.0.8",
"LastModifiedDate": "2022-04-12T16:52:00Z"
},
{
"CVSS": {
"nvd": {
"V2Score": 7.5,
"V3Score": 9.8,
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"ghsa": {
"V3Score": 9.8,
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"redhat": {
"V3Score": 9.8,
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
},
"Layer": {
"DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
},
"PkgID": "[email protected]",
"Title": "prototype pollution",
"CweIDs": [
"CWE-1321"
],
"Status": "fixed",
"PkgName": "minimist",
"PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/mocha-7.0.1/node_modules/minimist/package.json",
"Severity": "CRITICAL",
"DataSource": {
"ID": "ghsa",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
"Name": "GitHub Security Advisory npm"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906",
"References": [
"https://access.redhat.com/errata/RHSA-2023:0321",
"https://access.redhat.com/security/cve/CVE-2021-44906",
"https://bugzilla.redhat.com/2066009",
"https://bugzilla.redhat.com/2130518",
"https://bugzilla.redhat.com/2134609",
"https://bugzilla.redhat.com/2140911",
"https://bugzilla.redhat.com/show_bug.cgi?id=2066009",
"https://bugzilla.redhat.com/show_bug.cgi?id=2130518",
"https://bugzilla.redhat.com/show_bug.cgi?id=2134609",
"https://bugzilla.redhat.com/show_bug.cgi?id=2140911",
"https://bugzilla.redhat.com/show_bug.cgi?id=2142808",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548",
"https://errata.almalinux.org/9/ALSA-2023-0321.html",
"https://errata.rockylinux.org/RLSA-2023:0321",
"https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip",
"https://github.com/advisories/GHSA-xvch-5gv4-984h",
"https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703",
"https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb",
"https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d",
"https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11",
"https://github.com/minimistjs/minimist/commits/v0.2.4",
"https://github.com/minimistjs/minimist/issues/11",
"https://github.com/minimistjs/minimist/pull/24",
"https://github.com/substack/minimist",
"https://github.com/substack/minimist/blob/master/index.js#L69",
"https://github.com/substack/minimist/issues/164",
"https://linux.oracle.com/cve/CVE-2021-44906.html",
"https://linux.oracle.com/errata/ELSA-2023-0321.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"https://snyk.io/vuln/SNYK-JS-MINIMIST-559764",
"https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068",
"https://www.cve.org/CVERecord?id=CVE-2021-44906"
],
"Description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).",
"FixedVersion": "1.2.6, 0.2.4",
"PublishedDate": "2022-03-17T16:15:00Z",
Other
No response
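The trivy description above names the bug class (prototype pollution, CWE-1321, via setKey()). The following is an added example, not code from minimist or from this issue: a tiny dotted-key argv parser in an unguarded and a guarded form, with a constructed argument vector; the guard is a simplification of the key check the fixed versions apply, not minimist's actual patch.

```javascript
// Added example, not minimist's own code: a minimal dotted-key argv parser in
// the style of minimist's setKey(), in an unguarded and a guarded form, to
// show the CWE-1321 prototype-pollution class behind CVE-2021-44906 and the
// kind of key check the fixed versions apply (this guard is a simplification).

// Keys that must never be walked when assigning into a plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Assign `value` at the dotted path `keys` inside `obj`, creating
// intermediate objects. With `guard`, special keys abort the assignment.
function setKey(obj, keys, value, guard) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (guard && FORBIDDEN_KEYS.has(key)) return false;
    // For "__proto__" this is Object.prototype, not undefined, so the
    // unguarded walk descends into the shared prototype.
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (guard && FORBIDDEN_KEYS.has(last)) return false;
  o[last] = value;
  return true;
}

// Parse "--a.b=c" style arguments into a nested object.
function parseArgs(argv, { guard }) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1].split("."), m[2], guard);
  }
  return out;
}

// Constructed argument vector: an ordinary option plus one whose path walks
// into the shared prototype.
const SAMPLE_ARGV = ["--browser=chrome", "--__proto__.polluted=yes"];

// Does parsing SAMPLE_ARGV without the guard leak into Object.prototype?
// The prototype is restored before returning.
function unguardedPollutes() {
  parseArgs(SAMPLE_ARGV, { guard: false });
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}

// Does the guarded parser keep Object.prototype clean while still honouring
// ordinary options?
function guardedIsClean() {
  const parsed = parseArgs(SAMPLE_ARGV, { guard: true });
  const clean = ({}).polluted === undefined && parsed.browser === "chrome";
  delete Object.prototype.polluted; // no-op when the guard worked
  return clean;
}
```

The practical reading for this thread: the finding only matters where attacker-influenced strings reach the argv parser, which is the exposure question the Cypress team raises below.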
Hey @eagle-txec, we're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created a minimatch 3.0.4-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.
If relevant, check out our GitHub repo if you wish to learn more, or start using our app.
Please feel free to reach us at [email protected] if you have any requests/questions.
The issue exists with 13.7.3 as well:
| minimist | CVE-2021-44906 | current version - 0.0.8 | fixed - 1.2.6, 0.2.4 | minimist: prototype pollution | https://avd.aquasec.com/nvd/cve-2021-44906 |
This CRITICAL security vulnerability continues with cypress/included:13.11.0.
To reproduce the report, use for example:
trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0
From yarn why:
yarn why minimist
yarn why v1.22.19
[1/4] 🤔 Why do we have the module "minimist"...?
[2/4] 🚚 Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "[email protected]"
warning Resolution field "[email protected]" is incompatible with requested version "pretty-format@^27.0.2"
warning Resolution field "[email protected]" is incompatible with requested version "vue-template-compiler@^2.7.14"
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "minimist"
info Reasons this module exists
- "workspace-aggregator-199e8a63-af5b-4011-b122-b173c4ba507f" depends on it
- Specified in "devDependencies"
- Hoisted from "_project_#minimist"
- Hoisted from "_project_#@packages#electron#minimist"
- Hoisted from "_project_#@packages#server#minimist"
- Hoisted from "_project_#check-dependencies#minimist"
- Hoisted from "_project_#patch-package#minimist"
- Hoisted from "_project_#prebuild-install#minimist"
- Hoisted from "_project_#mkdirp#minimist"
- Hoisted from "_project_#@electron#fuses#minimist"
- Hoisted from "_project_#autobarrel#minimist"
- Hoisted from "_project_#http-server#minimist"
- Hoisted from "_project_#tsconfig-paths#minimist"
- Hoisted from "_project_#cypress#minimist"
- Hoisted from "_project_#http-server#ecstatic#minimist"
- Hoisted from "_project_#@tooling#v8-snapshot#cpr#minimist"
- Hoisted from "_project_#@cypress#webpack-preprocessor#dependency-check#minimist"
- Hoisted from "_project_#cypress#dependency-check#minimist"
- Hoisted from "_project_#loader-utils#json5#minimist"
- Hoisted from "_project_#tsconfig-paths#json5#minimist"
- Hoisted from "_project_#@packages#frontend-shared#patch-package#minimist"
- Hoisted from "_project_#prebuild-install#rc#minimist"
- Hoisted from "_project_#lerna#strong-log-transformer#minimist"
- Hoisted from "_project_#@packages#server#tsconfig-paths#minimist"
- Hoisted from "_project_#@packages#server#firefox-profile#minimist"
- Hoisted from "_project_#cypress#dependency-check#detective#minimist"
- Hoisted from "_project_#electron-builder#app-builder-lib#electron-osx-sign#minimist"
- Hoisted from "_project_#@packages#server#better-sqlite3#prebuild-install#minimist"
- Hoisted from "_project_#@packages#electron#electron-packager#@electron#osx-sign#minimist"
- Hoisted from "_project_#lerna#nx#tsconfig-paths#minimist"
- Hoisted from "_project_#semantic-release#@semantic-release#release-notes-generator#conventional-changelog-writer#handlebars#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "stop-only#[email protected]"
info This module exists because "_project_#stop-only" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "snap-shot-core#[email protected]"
info Reasons this module exists
- "_project_#snap-shot-core#mkdirp" depends on it
- Hoisted from "_project_#snap-shot-core#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha#[email protected]"
info Reasons this module exists
- "_project_#mocha#mkdirp" depends on it
- Hoisted from "_project_#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "deps-ok#[email protected]"
info This module exists because "_project_#@cypress#webpack-preprocessor#deps-ok" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "bower-config#[email protected]"
info This module exists because "_project_#check-dependencies#bower-config" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha-7.0.1#[email protected]"
info Reasons this module exists
- "_project_#@packages#server#mocha-7.0.1#mkdirp" depends on it
- Hoisted from "_project_#@packages#server#mocha-7.0.1#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/example#[email protected]"
info Reasons this module exists
- "_project_#@packages#example#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#example#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "cypress#mkdirp#[email protected]"
info This module exists because "_project_#cypress#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/network#[email protected]"
info Reasons this module exists
- "_project_#@packages#network#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#network#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/config#[email protected]"
info Reasons this module exists
- "_project_#@packages#config#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/data-context#[email protected]"
info Reasons this module exists
- "_project_#@packages#data-context#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#data-context#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#[email protected]"
info Reasons this module exists
- "_project_#@packages#driver#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#driver#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/errors#[email protected]"
info Reasons this module exists
- "_project_#@packages#errors#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#errors#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/packherd-require#[email protected]"
info Reasons this module exists
- "_project_#@packages#packherd-require#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#packherd-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/scaffold-config#[email protected]"
info Reasons this module exists
- "_project_#@packages#scaffold-config#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#scaffold-config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/telemetry#[email protected]"
info Reasons this module exists
- "_project_#@packages#telemetry#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#telemetry#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/v8-snapshot-require#[email protected]"
info Reasons this module exists
- "_project_#@packages#v8-snapshot-require#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#v8-snapshot-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/electron-mksnapshot#[email protected]"
info Reasons this module exists
- "_project_#@tooling#electron-mksnapshot#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#electron-mksnapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/packherd#[email protected]"
info Reasons this module exists
- "_project_#@tooling#packherd#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#packherd#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/v8-snapshot#[email protected]"
info Reasons this module exists
- "_project_#@tooling#v8-snapshot#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#v8-snapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/server#mkdirp#[email protected]"
info This module exists because "_project_#@packages#server#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/system-tests#[email protected]"
info Reasons this module exists
- "_project_#@tooling#system-tests#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#system-tests#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#multer#[email protected]"
info Reasons this module exists
- "_project_#@packages#driver#multer#mkdirp" depends on it
- Specified in "devDependencies"
- Hoisted from "_project_#@packages#driver#multer#mkdirp#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "optimist#[email protected]"
info This module exists because "_project_#@fellow#eslint-plugin-coffee#@fellow#coffeelint2#optimist" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "resize-img#[email protected]"
info Reasons this module exists
- "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp" depends on it
- Hoisted from "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
✨ Done in 2.13s.
Hi, I installed the latest cypress/included:13.13.0 and there is still a critical security vulnerability.
Command:
RUN |6 NODE_VERSION=20.14.0 YARN_VERSION=1.22.22 CHROME_VERSION=126.0.6478.114-1 EDGE_VERSION=126.0.2592.61-1 FIREFOX_VERSION=127.0.1 CYPRESS_VERSION=13.13.0 /bin/sh -c node /opt/installScripts/cypress/install-cypress-version.js ${CYPRESS_VERSION} # buildkit
We're open to PRs to fix this. We have no reason to believe this critical vulnerability has any actual exposure with the way Cypress is executed.
Ok, how about the other 3 criticals? Will they be fixed, or is it the same case as minimist? Or do we need to open new issues?
@hjqgloria
The other issues have already been reported.
- https://github.com/cypress-io/cypress/issues/27763
- https://github.com/cypress-io/cypress/issues/28208
- https://github.com/cypress-io/cypress/issues/28207
@hjqgloria
Two of the vulnerabilities you listed have now been fixed.
Current status for cypress/included:13.15.1
$ trivy image --ignore-unfixed --pkg-types library --scanners vuln --severity CRITICAL cypress/included
Node.js (node-pkg)
Total: 2 (CRITICAL: 2)
┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ flat (package.json) │ CVE-2020-36632 │ CRITICAL │ fixed │ 4.1.1 │ 5.0.1 │ flat vulnerable to Prototype Pollution │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-36632 │
├─────────────────────────┼────────────────┤ │ ├───────────────────┼───────────────┼────────────────────────────────────────────┤
│ minimist (package.json) │ CVE-2021-44906 │ │ │ 0.0.8 │ 1.2.6, 0.2.4 │ minimist: prototype pollution │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-44906 │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘
@MikeMcC399 I don't see this version of flat existing in the 13.5.2 prerelease of Cypress, maybe I'm missing it somewhere...
@jennifer-shehane
> I don't see this version of flat existing in the 13.5.2 prerelease of Cypress, maybe I'm missing it somewhere...

Since this issue is about minimist, I answered in detail in https://github.com/cypress-io/cypress/issues/27763#issuecomment-2455607094 instead. [email protected] is included in the Cypress binary 13.15.2 pre-release.
https://github.com/cypress-io/cypress/pull/30546 will remove some old minimist versions, but not all
Hello, we also got a bunch of critical and high vulnerability issues related to [email protected], which is probably identical to what is part of the docker image cypress/included.
Summary

Origins: I tried to track down the origin at least of the critical ones as far as possible.

CVE-2021-44906 - minimist
- https://nvd.nist.gov/vuln/detail/CVE-2021-44906
- https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22402
  - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22557, dependency of
    - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22617, dependency of
      - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22687, but also
      - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22705, and
      - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22734, and
      - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22764, and
      - [email protected] - it looks like with mocha@^8.1.3, which is already used, the dependency of mkdirp is gone. As a side note, with 7 different mocha versions being used, I think something isn't right
      - and a few others like cacache@^12.0.2, copy-concurrently@^1.0.0, move-concurrently@^1.0.1, [email protected], @cypress/[email protected], cpr@^3.0.1, jimp@^0.2.21, [email protected] and a couple more

CVE-2020-36632 - flat
- https://nvd.nist.gov/vuln/detail/CVE-2020-36632
- https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L16963
  - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L32856, dependency of
    - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22705, dependency of
      - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22734, but also
      - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22764, and
      - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L22794, and
      - [email protected] - with [email protected], which is also used, [email protected] is in use, which is fine

CVE-2023-42282 - ip
- https://nvd.nist.gov/vuln/detail/CVE-2023-42282
- https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L19325
  - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L24772, dependency of
    - pac-resolver@^7.0.0 - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L24758, dependency of
      - pac-proxy-agent@^7.0.1 - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L26005, dependency of
        - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L6282, dependency of
          - @puppeteer/[email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L26131, dependency of
            - puppeteer-core@^21.2.1
        - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L26019, but also
          - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L6295, dependency of
            - @puppeteer/[email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L9208, dependency of
              - wdio/[email protected]

GMS-2020-2 - execa, execa and 1 more
- https://scout.docker.com/vulnerabilities/id/GMS-2020-2
- https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L16029
  - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L16016, dependency of
    - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L27487, but also
    - run-applescript@^3.2.0 - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L30466, dependency of
      - [email protected]
- https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L16042
  - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L29143, dependency of
    - [email protected]
- https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L16113
  - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L6704, dependency of
    - @sindresorhus/[email protected]
- https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L16055
  - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L2678, dependency of
    - @cypress/[email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L24500, but also
    - [email protected] - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L32964, dependency of
      - [email protected]
    - https://github.com/cypress-io/cypress/blob/develop/yarn.lock#L28082, and
      - [email protected]
While I am not familiar with the codebase, it appears multiple versions of the same dependency, especially mocha, should be streamlined to a single (latest) version if possible. If this isn't possible or is related to outdated upstream dependencies, using resolutions would be the only way to override these and see if everything still works as expected.
I hope this is somewhat helpful.
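The lock-file tracing above was done by hand with yarn.lock line links. The following is an added example, not Cypress project code, that does the same check mechanically: it parses a yarn.lock (v1 format), lists every resolved version of a package, and flags those below the fix for their release line using trivy's two-branch FixedVersion field ("1.2.6, 0.2.4"). The yarn.lock excerpt is constructed for the example.

```javascript
// Added example, not Cypress project code: scan a yarn.lock (v1 format) for
// every resolved version of a package and flag those below the fixed version
// of their major line, using trivy's FixedVersion field ("1.2.6, 0.2.4").
// Constructed yarn.lock excerpt, illustrative only, not copied from Cypress.
const SAMPLE_LOCK = `
"minimist@0.0.8":
  version "0.0.8"

minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.5"

minimist@^1.2.6:
  version "1.2.6"

mocha@7.0.1:
  version "7.0.1"
  dependencies:
    mkdirp "0.5.1"

mocha@^8.1.3:
  version "8.4.0"
`;

// Parse yarn.lock v1 into a Map: package name -> Set of resolved versions.
// A header line holds comma-separated "name@range" specs (possibly quoted);
// the indented "version" line that follows is the resolution for all of them.
function parseYarnLock(text) {
  const versions = new Map();
  let currentNames = [];
  for (const line of text.split("\n")) {
    if (line.startsWith("#") || line.trim() === "") continue;
    if (!line.startsWith(" ")) {
      currentNames = line.replace(/:\s*$/, "").split(",").map((spec) =>
        spec.trim().replace(/^"|"$/g, "").replace(/@[^@]*$/, ""));
      continue;
    }
    const m = /^ {2}version "([^"]+)"/.exec(line);
    if (!m) continue;
    for (const name of currentNames) {
      if (!versions.has(name)) versions.set(name, new Set());
      versions.get(name).add(m[1]);
    }
  }
  return versions;
}

// Compare dotted numeric versions; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// trivy lists one fix per affected release line. Compare against the fix for
// the installed major; with no fix on that line, the version is vulnerable if
// any listed fix is still ahead of it (an upgrade across majors is needed).
function isVulnerable(installed, fixedVersionField) {
  const fixes = fixedVersionField.split(",").map((s) => s.trim());
  const major = installed.split(".")[0];
  const sameLine = fixes.find((f) => f.split(".")[0] === major);
  if (sameLine) return compareVersions(installed, sameLine) < 0;
  return fixes.some((f) => compareVersions(installed, f) < 0);
}

// Resolved versions of `pkg` in the lockfile that are still vulnerable.
function findAffected(lockText, pkg, fixedVersionField) {
  const found = parseYarnLock(lockText).get(pkg) || new Set();
  return [...found].filter((v) => isVulnerable(v, fixedVersionField)).sort();
}

// Number of distinct resolved versions of `pkg` (the "7 mocha versions" check).
function distinctVersionCount(lockText, pkg) {
  return (parseYarnLock(lockText).get(pkg) || new Set()).size;
}
```

Run it against the real yarn.lock by reading the file into `lockText`; a non-empty result from findAffected is the list that a `resolutions` override would need to cover.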
@denyo
- This issue is only for CVE-2021-44906 minimist
- You can also find https://github.com/cypress-io/cypress/issues/27763 for one of the other vulnerabilities you mention
@MikeMcC399, any plan to fix those two remaining vulnerabilities? flat and minimist
@hjqgloria
> @MikeMcC399, any plan to fix those two remaining vulnerabilities? flat and minimist
I have to defer answering your question to the Cypress.io team. I'm an external contributor to Cypress and I don't personally have the capability to resolve these issues or to determine if / when they might be resolved.