
test: FORMS-1683 update cross-spawn for security fix #1557

Status: Open. Wants to merge 1 commit into base: main.
Conversation

WalterMoar (Collaborator)

Description

The GitHub Dependabot process has created an alert for the cross-spawn dependency. To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR), this vulnerability must be handled by updating the package version (or mitigated in some other way, if updating the package is not possible).
https://github.com/bcgov/common-hosted-form-service/security/dependabot/217

Acceptance Criteria

  • cross-spawn no longer appears in the list of dependabot security vulnerabilities
  • the tests continue to function correctly

Type of Change

test (add missing tests or correct existing tests)

Checklist

  • I have read the CONTRIBUTING doc
  • I have checked that unit tests pass locally with my changes
  • I have run the npm script lint on the frontend and backend
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • I have approval from the product owner for the contribution in this pull request

Further comments

The cypress package includes execa, which includes cross-spawn. Although we're a few minor versions behind the latest Cypress, the latest does not include the fix yet. As a temporary fix just update cross-spawn in the package-lock, but open another task to track Cypress and do the proper fix when it arrives.
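The transitive chain described above (cypress includes execa, which includes cross-spawn) is exactly the case where a lockfile-only update is easy to get half right: npm can keep a separate, nested copy of cross-spawn under `node_modules/cypress/node_modules/execa/node_modules/`, and bumping the hoisted copy does nothing for it. The script below is an added example, not code from this PR or from the common-hosted-form-service project. It walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and lists every installed copy of a package together with the dependency chain it sits under, then flags copies below a threshold. The lockfile content and the version numbers in it are constructed for the example, and `MIN_SAFE_VERSION` is a placeholder to be replaced with the fixed version named in the Dependabot alert.

```python
import json
from typing import Dict, List, Tuple

# Constructed lockfile in the lockfileVersion 2/3 layout; it is NOT the
# project's real package-lock.json and the version numbers are made up.
# It models the situation from the PR: a hoisted cross-spawn that was
# updated, plus a stale nested copy under cypress > execa that was not.
SAMPLE_LOCK: Dict = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "devDependencies": {"cypress": "^1.0.0"}},
    "node_modules/cross-spawn": {"version": "9.9.9"},
    "node_modules/cypress": {"version": "1.0.0", "dev": true,
                             "dependencies": {"execa": "^1.0.0"}},
    "node_modules/cypress/node_modules/execa": {"version": "1.0.0", "dev": true,
                             "dependencies": {"cross-spawn": "^9.0.0"}},
    "node_modules/cypress/node_modules/execa/node_modules/cross-spawn": {
                             "version": "9.8.0", "dev": true}
  }
}
""")

# Placeholder threshold (assumption): substitute the first fixed version
# given in the Dependabot alert for the package being checked.
MIN_SAFE_VERSION = "9.9.9"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a comparable tuple.

    Pre-release and build metadata are dropped, which is sufficient for a
    'is this at or above the fixed release' check.
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def dependency_chain(path: str) -> List[str]:
    """Map a lockfile path to the list of packages that nest it.

    'node_modules/a/node_modules/@s/b' -> ['a', '@s/b']
    """
    parts = path.split("/")
    chain: List[str] = []
    i = 0
    while i < len(parts):
        if parts[i] != "node_modules":
            raise ValueError(f"unexpected lockfile path: {path}")
        i += 1
        if parts[i].startswith("@"):          # scoped package spans two segments
            chain.append(parts[i] + "/" + parts[i + 1])
            i += 2
        else:
            chain.append(parts[i])
            i += 1
    return chain


def installed_copies(lock: Dict, name: str) -> List[Tuple[str, str]]:
    """Return (chain, version) for every installed copy of `name`."""
    copies = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                          # "" is the root project entry
            continue
        chain = dependency_chain(path)
        if chain[-1] == name:
            copies.append((" > ".join(chain), meta["version"]))
    return copies


def vulnerable_copies(lock: Dict, name: str, min_safe: str) -> List[Tuple[str, str]]:
    """Copies of `name` whose version is below the fixed release."""
    floor = parse_version(min_safe)
    return [(chain, v) for chain, v in installed_copies(lock, name)
            if parse_version(v) < floor]


if __name__ == "__main__":
    # In practice: lock = json.load(open("package-lock.json"))
    for chain, version in installed_copies(SAMPLE_LOCK, "cross-spawn"):
        print(f"{chain}: {version}")
    stale = vulnerable_copies(SAMPLE_LOCK, "cross-spawn", MIN_SAFE_VERSION)
    print("still below threshold:", stale)
```

Running it against the constructed lockfile reports the hoisted copy as current and the nested `cypress > execa > cross-spawn` copy as still below the threshold, which is the copy a Dependabot alert would keep flagging after a hoisted-only bump. Pointing the same loader at a real `package-lock.json` after the update gives a direct check on the first acceptance criterion above, without waiting for the next Dependabot scan.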

@WalterMoar WalterMoar marked this pull request as ready for review December 27, 2024 17:23
@WalterMoar WalterMoar requested a review from nimya-aot December 27, 2024 17:23
@WalterMoar WalterMoar force-pushed the test/1683-cross-spawn-vuln-in-cypress branch from 31cd4c1 to 9af2db0 December 27, 2024 22:11