                        [Snyk] Security upgrade webpack-dev-server from 4.15.1 to 5.0.0
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - npm/webpack-dev-server/package.json

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this, as your flow should likely be unchanged.
⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.
Vulnerabilities that will be fixed
With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity | 
|---|---|---|---|---|
|  | 631/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.2 | Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116 | Yes | Proof of Concept | 
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
24 failed and 4 flaky tests on run #54071 ↗︎
| Failed | Passed | Pending | Skipped | Flaky |
|---|---|---|---|---|
| 24 | 7991 | 399 | 32 | 4 |
Details:
| bump to 5.0.1 | |
|---|---|
| Project: cypress | Commit: b91c7b5695 |
| Status: Failed | Duration: 13:03 💡 |
| Started: Feb 16, 2024 2:46 PM | Ended: Feb 16, 2024 2:59 PM |
commands/actions/type_special_chars.cy.js • 0 failed tests • 5x-driver-electron
| Test | Artifacts |
|---|---|
The first 5 failed specs are shown, see all 1031 specs in Cypress Cloud.
cypress/e2e/commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-chrome:beta
| Test | Artifacts |
|---|---|
| network stubbing > waiting and aliasing > yields the expected interception when two requests are raced | Test Replay |
cypress/e2e/commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-chrome
| Test | Artifacts |
|---|---|
| network stubbing > waiting and aliasing > yields the expected interception when two requests are raced | Test Replay |
cypress/e2e/commands/net_stubbing.cy.ts • 2 flaky tests • 5x-driver-webkit
| Test | Artifacts |
|---|---|
| network stubbing > intercepting request > can delay and throttle a StaticResponse | |
Review all test suite changes for PR #28926 ↗︎
Not sure why the PR description mentions this will fix a vulnerability with "Inflight", but this upgrade will enable us to upgrade our direct dependency on webpack-dev-server v4 -> 5, which we are trying to do in order to address this high severity vulnerability in wds itself:
https://security.snyk.io/vuln/SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555
I think we are somewhat blocked from upgrading our webpack-dev-server by this. When we upgrade wds to v5 and try to run component tests, we get the following error:
```text
Your configFile threw an error from: cypress.config.js
We stopped running your tests because your config file crashed.
Error: Unexpected major version of webpack-dev-server. Cypress webpack-dev-server works with webpack-dev-server versions 3, 4 - saw 5.0.4
    at getMajorVersion (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/helpers/sourceRelativeWebpackModules.js:202:15)
    at sourceWebpackDevServer (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/helpers/sourceRelativeWebpackModules.js:140:37)
    at sourceDefaultWebpackDependencies (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/helpers/sourceRelativeWebpackModules.js:189:30)
    at defaultWebpackModules (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:79:140)
    at getPreset (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:99:20)
    at Function.devServer.create (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:111:67)
    at /Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:26:40
    at new Promise (<anonymous>)
    at devServer (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:24:12)
    at Object.handler (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_require_async_child.js:166:24)
    at RunPlugins.invoke (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_plugins.js:185:18)
    at /Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/util.js:59:14
    at tryCatcher (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/node_modules/bluebird/js/release/util.js:16:23)
    at Function.Promise.attempt.Promise.try (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/node_modules/bluebird/js/release/method.js:39:29)
    at Object.wrapChildPromise (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/util.js:58:23)
    at Object.wrap (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/dev-server.js:18:8)
    at RunPlugins.execute (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_plugins.js:155:26)
    at EventEmitter.<anonymous> (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_plugins.js:56:12)
    at EventEmitter.emit (node:events:514:28)
    at EventEmitter.emit (node:domain:488:12)
    at process.<anonymous> (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/util.js:33:22)
    at process.emit (node:events:514:28)
```
Unless there is a way around this that I am unaware of. Some way to force Cypress to "fallback to the version bundled with this package"?
https://github.com/cypress-io/cypress/blob/develop/npm/webpack-dev-server/src/helpers/sourceRelativeWebpackModules.ts#L182
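The version gate behind that error can be checked before a Snyk bump is merged. The following is an added example, not code from Cypress or Snyk: it reads the webpack-dev-server entries of a package.json (constructed here) and reports whether the proposed version leaves the majors that @cypress/webpack-dev-server accepts, taking the supported set {3, 4} from the error message above; the "||" range handling goes slightly beyond the single case in the thread.

```javascript
// Added example, not Cypress or Snyk code: pre-merge check that a proposed
// webpack-dev-server (wds) upgrade stays within the majors that the installed
// @cypress/webpack-dev-server accepts ({3, 4} per the error message in the thread).
const SUPPORTED_WDS_MAJORS = new Set([3, 4]);

// Major of one semver version or simple range ("5.0.4", "^4.15.1", ">=3.0.0").
function getMajorVersion(spec) {
  const m = /^[\^~=v<>\s]*(\d+)(?:\.|$)/.exec(spec.trim());
  if (!m) throw new Error(`cannot determine major version from "${spec}"`);
  return Number(m[1]);
}

// Majors admitted by a range with "||" alternatives, e.g. "^3.0.0 || ^4.0.0".
function majorsOf(range) {
  return new Set(range.split('||').map(getMajorVersion));
}

// Is the proposed version a major bump relative to the current spec, and does
// its major fall inside what @cypress/webpack-dev-server supports?
function checkUpgrade(current, proposed, supported = SUPPORTED_WDS_MAJORS) {
  const toMajor = getMajorVersion(proposed);
  const breaking = !majorsOf(current).has(toMajor);
  const ok = supported.has(toMajor);
  const message = ok
    ? `webpack-dev-server ${proposed} is within the supported majors`
    : `Unexpected major version of webpack-dev-server: supported ${[...supported].join(', ')} - saw ${proposed}`;
  return { toMajor, breaking, supported: ok, message };
}

// Audit every dependency field of a package.json text for a wds entry.
function auditPackageJson(pkgJsonText, proposed) {
  const pkg = JSON.parse(pkgJsonText);
  const results = [];
  for (const field of ['dependencies', 'devDependencies', 'peerDependencies']) {
    const current = pkg[field] && pkg[field]['webpack-dev-server'];
    if (current) results.push({ field, current, ...checkUpgrade(current, proposed) });
  }
  return results;
}

// Constructed sample mirroring the thread: a consumer on wds 4, Snyk proposing 5.0.0.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-component-testing-app',
  devDependencies: { 'webpack-dev-server': '^4.15.1' },
  peerDependencies: { 'webpack-dev-server': '^3.0.0 || ^4.0.0' },
});
const SAMPLE_REPORT = auditPackageJson(SAMPLE_PACKAGE_JSON, '5.0.0');
for (const r of SAMPLE_REPORT) console.log(`${r.field} (${r.current}): ${r.message}`);
```

Run it against the real package.json in a CI step and fail the job when any entry reports `supported: false`, so a Snyk PR that crosses the gate is caught before the config-file crash above.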
@jennifer-shehane @mschile
Any update on whether/when this will be addressed?
@robcmills I will be looking at this issue over the next few days. Your wds upgrade is indeed blocked by this issue.
I created a separate issue to support wds 5, #29305, as bumping the dependency on wds from 4 to 5 in the @cypress/webpack-dev-server package is a breaking change not only to @cypress/webpack-dev-server but also to the component testing shipped with Cypress, as users who are on webpack 4 and using wds 4 would be broken. This change would need to be implemented in Cypress 14.
However, we can still support wds v5; it just won't be the shipped default. So if a user has wds 5 installed, @cypress/webpack-dev-server should work for them, which is the scope of #29305.