dependency: bump cypress-request packages, loosen semver rules to ^ #27005
version "6.10.1" | ||
resolved "https://registry.yarnpkg.com/qs/-/qs-6.10.1.tgz#4931482fa8d647a5aab799c5271d2133b981fb6a" | ||
integrity sha512-M528Hph6wsSVOBiYUnGf+K/7w0hNshs/duGsNXPUCLH5XAqjEtiPGwNONLV0tBH8NoGb0mvD5JubnUTrujKDTg== | ||
qs@^6.4.0, qs@^6.5.1, qs@^6.9.4, qs@~6.10.3: |
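Review bot: the resolved `version "6.10.1"` in this qs entry is below 6.10.3, the first release carrying the CVE-2022-24999 fix that the PR description is bumping for, and 6.10.1 also cannot satisfy the `qs@~6.10.3` key shown on the entry header, so those lines cannot both describe the post-change entry. Please confirm that the lockfile after this change resolves every `qs@` key listed here (`^6.4.0`, `^6.5.1`, `^6.9.4`, `~6.10.3`) to 6.10.3 or later, or to one of the backported fix versions quoted in the review comment, and that no other `qs` entry at an older version remains; that leftover is what the remark about bad versions still being pulled in points at.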
We still have a few bad versions of qs being pulled in somewhere 😢
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Co-authored-by: Matt Schile <mschile@cypress.io>
Released in This comment thread has been locked. If you are still experiencing this issue after upgrading to
Additional details
Bumping @cypress/request packages to address CVE-2022-24999 within qs sub-dependency. This qs dependency was updated months ago in the @cypress/request package in this PR: cypress-io/request#23, which was subsequently released in @cypress/request 2.88.11. This update also includes some other changes, see commits.
This PR additionally loosens the semver rules for this npm package. We have control over this package completely, so if we release fixes or features, those should be used as latest.
Steps to test
Tests should pass!
How has the user experience changed?
No changes for users
PR Tasks
cypress-documentation
type definitions
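The lockfile hunk and the backport list quoted in the review comment suggest a quick check a practitioner can run before merging a bump like this. The following is an added example, not code from this PR or from Cypress: a minimal yarn.lock v1 reader that flags `qs` entries whose resolved version predates the CVE-2022-24999 fix (6.10.3, or the backported fix on the same minor line). The `FIXED_QS` table, the function names and the sample lockfile text are this example's own; the fixed-version numbers come from the comment above, and the CVE applies to qs before 6.10.3, so minor lines that never received a backport are reported as vulnerable.

```javascript
// Added example (not part of the PR or of Cypress): audit a yarn.lock v1 file
// for qs versions that predate the CVE-2022-24999 fix. Fixed versions per
// minor line are taken from the backport list quoted in the thread; the
// sample lockfile below is constructed for this example.

// First fixed release on each 6.x minor line (6.10.3 plus the backports).
const FIXED_QS = {
  '6.10': [6, 10, 3], '6.9': [6, 9, 7], '6.8': [6, 8, 3], '6.7': [6, 7, 3],
  '6.6': [6, 6, 1],   '6.5': [6, 5, 3], '6.4': [6, 4, 1], '6.3': [6, 3, 3],
  '6.2': [6, 2, 4],
};

// "6.10.3" -> [6, 10, 3]; a pre-release suffix is dropped for the comparison.
function parseVersion(version) {
  return version.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

// A version is fixed if it is 6.10.3 or later, or at/after the backported
// fix on its own minor line. Minor lines with no backport (6.0, 6.1, 5.x)
// never received the fix and are reported as vulnerable.
function isFixedQs(version) {
  const v = parseVersion(version);
  if (compareVersions(v, [6, 10, 3]) >= 0) return true;
  const fixed = FIXED_QS[`${v[0]}.${v[1]}`];
  return fixed !== undefined && compareVersions(v, fixed) >= 0;
}

// "qs@^6.4.0" -> "qs"; "@cypress/request@^2.88.11" -> "@cypress/request".
function packageName(key) {
  const at = key.lastIndexOf('@');
  return at <= 0 ? key : key.slice(0, at);
}

// Minimal yarn.lock v1 reader: one record per entry header with its key
// list and the `version` field. Only the fields this audit needs are kept.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Returns every qs entry whose resolved version is still vulnerable,
// together with the range keys that pulled it in (useful for finding
// which dependant still pins an old qs).
function findVulnerableQs(lockText) {
  return parseYarnLock(lockText)
    .filter((e) => e.version && e.keys.every((k) => packageName(k) === 'qs'))
    .filter((e) => !isFixedQs(e.version))
    .map((e) => ({ version: e.version, keys: e.keys }));
}

// Constructed sample: one fixed qs entry and two entries still below the fix.
const SAMPLE_LOCK = `# yarn lockfile v1

"@cypress/request@^2.88.11":
  version "2.88.11"
  resolved "https://registry.yarnpkg.com/@cypress/request/-/request-2.88.11.tgz"
  dependencies:
    qs "~6.10.3"

qs@^6.4.0, qs@^6.5.1, qs@^6.9.4, qs@~6.10.3:
  version "6.10.3"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.10.3.tgz"

qs@~6.5.2:
  version "6.5.2"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.2.tgz"

qs@6.9.6:
  version "6.9.6"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.9.6.tgz"
`;

console.log(JSON.stringify(findVulnerableQs(SAMPLE_LOCK), null, 2));
```

Run against a real `yarn.lock` by reading the file into `findVulnerableQs`; each reported entry lists the range keys that resolved to the old version, which is the fastest way to locate the package that still requests a pre-fix `qs` after a bump like this one.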