dependency: bump cypress-request packages, loosen semver rules to ^ #27005

Merged
merged 6 commits into from
Jul 7, 2023

@jennifer-shehane jennifer-shehane commented Jun 12, 2023

Additional details

Bumping @cypress/request packages to address CVE-2022-24999 within qs sub-dependency. This qs dependency was updated months ago in the @cypress/request package in this PR: cypress-io/request#23, which was subsequently released in @cypress/request 2.88.11. This update also includes some other changes, see commits.

This PR additionally loosens the semver rules for this npm package. We have control over this package completely, so if we release fixes or features, those should be used as latest.

Steps to test

Tests should pass!

How has the user experience changed?

No changes for users

PR Tasks

cypress bot commented Jun 12, 2023

1 failed and 30 flaky tests on run #47671

1 27314 1308 0 Flakiness 30

Details:

Merge branch 'develop' into bump-cy-request-package
Project: cypress
Commit: 21aff77886
Status: Failed
Duration: 20:37
Started: Jun 14, 2023 7:40 PM
Ended: Jun 14, 2023 8:00 PM
Failed  cypress/e2e/scaffold-project.cy.ts • 1 failed test • launchpad-e2e
scaffolding new projects > generates valid config file for pristine project without cypress installed

Flakiness  create-from-component.cy.ts • 1 flaky test • app-e2e
... > runs generated spec

Flakiness  specs_list_latest_runs.cy.ts • 2 flaky tests • app-e2e
App/Cloud Integration - Latest runs and Average duration > when no runs are recorded > shows placeholders for all visible specs
App/Cloud Integration - Latest runs and Average duration > when runs are recorded > lazily loads data for off-screen specs

Flakiness  cypress-origin-communicator.cy.ts • 1 flaky test • app-e2e
Cypress In Cypress Origin Communicator > cy.origin passivity with app interactions > passes upon test reload mid test execution

Flakiness  commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-electron
network stubbing > intercepting request > can delay and throttle a StaticResponse

Flakiness  cypress/cypress.cy.js • 3 flaky tests • 5x-driver-electron
... > correctly returns currentRetry
... > correctly returns currentRetry
... > correctly returns currentRetry

The first 5 flaky specs are shown, see all 17 specs in Cypress Cloud.

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

version "6.10.1"
resolved "https://registry.yarnpkg.com/qs/-/qs-6.10.1.tgz#4931482fa8d647a5aab799c5271d2133b981fb6a"
integrity sha512-M528Hph6wsSVOBiYUnGf+K/7w0hNshs/duGsNXPUCLH5XAqjEtiPGwNONLV0tBH8NoGb0mvD5JubnUTrujKDTg==
qs@^6.4.0, qs@^6.5.1, qs@^6.9.4, qs@~6.10.3:
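
Review bot: the entry that ends just above the `qs@^6.4.0, qs@^6.5.1, qs@^6.9.4, qs@~6.10.3:` header still resolves to `qs-6.10.1.tgz` (`version "6.10.1"`), and 6.10.1 is not among the fixed releases listed for CVE-2022-24999 in this thread, so bumping @cypress/request alone leaves that copy in the lockfile. Identify which dependent requests the range behind this entry (`yarn why qs` reports it), then either bump that parent or pin qs through a `resolutions` entry in package.json and regenerate yarn.lock so the 6.10.1 entry is gone.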
Member

We still have a few bad versions of qs being pulled in somewhere 😢

The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
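
A check for the condition this comment describes, as an added example that is not part of the PR or the Cypress code base: it scans yarn.lock (v1 format) text for qs entries that predate the CVE-2022-24999 fix. The sample lockfile is constructed, the function names are hypothetical, and the 6.10.3 floor for the 6.10 line is an assumption taken from the CVE advisory rather than from this page.

```javascript
// Lowest fixed patch per qs 6.x minor line for CVE-2022-24999.
// Backport versions are the ones quoted in the thread; 6.10.3 is an
// assumption taken from the CVE advisory, not from this page.
const FIXED_PATCH = { 2: 4, 3: 3, 4: 1, 5: 3, 6: 1, 7: 3, 8: 3, 9: 7, 10: 3 };

// True when the given qs version already contains the fix.
function isFixedQs(version) {
  const [major, minor, patch] = version.split('.').map((n) => parseInt(n, 10));
  if (major !== 6) return major > 6;      // anything below 6.x predates every backport
  if (minor > 10) return true;            // 6.11 and later include the fix
  const floor = FIXED_PATCH[minor];       // undefined for 6.0 and 6.1: no backport
  return floor !== undefined && patch >= floor;
}

// Walk yarn.lock v1 text; report each qs entry whose resolved version is unfixed.
function findVulnerableQs(lockText) {
  const findings = [];
  let specs = null; // requested ranges of the qs entry being read, else null
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      // Entry header, e.g. `qs@^6.4.0, qs@~6.10.3:` (keys may be quoted).
      const keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      specs = keys.every((k) => k.startsWith('qs@')) ? keys : null;
    } else if (specs) {
      const m = /^\s+version "([^"]+)"/.exec(line);
      if (m) {
        if (!isFixedQs(m[1])) findings.push({ requestedAs: specs, version: m[1] });
        specs = null;
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (not the project's yarn.lock).
const SAMPLE_LOCK = [
  '# yarn lockfile v1',
  '"@cypress/request@^2.88.11":',
  '  version "2.88.11"',
  'qs@6.10.1:',
  '  version "6.10.1"',
  'qs@~6.5.2:',
  '  version "6.5.2"',
  'qs@^6.4.0, qs@~6.10.3:',
  '  version "6.10.3"',
].join('\n');

for (const f of findVulnerableQs(SAMPLE_LOCK)) {
  console.log(`qs ${f.version} (requested as ${f.requestedAs.join(', ')}) lacks the fix`);
}
```

Run against a real lockfile by passing its contents to `findVulnerableQs`; each finding lists the requested ranges, which is what to search for in the dependents' package.json files.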

@emilyrohrbough emilyrohrbough changed the title fix: bump cypress-request packages, loosen semver rules to ^ dependency: bump cypress-request packages, loosen semver rules to ^ Jun 12, 2023
Co-authored-by: Matt Schile <mschile@cypress.io>
@jennifer-shehane jennifer-shehane merged commit 9ce54e3 into develop Jul 7, 2023
3 of 5 checks passed
@jennifer-shehane jennifer-shehane deleted the bump-cy-request-package branch July 7, 2023 15:28
cypress-bot bot commented Jul 10, 2023

Released in 12.17.1.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v12.17.1, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Jul 10, 2023