
breaking: Upgrade @cypress/request to 3.0.0 #27495

Merged: 5 commits, Aug 23, 2023

Conversation

@chrisbreiding chrisbreiding commented Aug 8, 2023

@chrisbreiding chrisbreiding changed the title dependency: Upgrade @cypress/request to 3.0.0 and @cypress/request-pr… dependency: Upgrade @cypress/request to 3.0.0 and @cypress/request-promise to 4.2.7 Aug 8, 2023
cypress bot commented Aug 8, 2023

9 flaky tests on run #50358

0 failed · 5337 passed · 78 pending · 0 skipped · 9 flaky

Details:

fix test
Project: cypress Commit: 80a4cdccb0
Status: Passed Duration: 18:07
Started: Aug 23, 2023 3:35 PM Ended: Aug 23, 2023 3:53 PM

Flaky: cypress_api.cy.ts (1 flaky test, 5x-driver-electron): cy.origin Cypress API > Commands > adds a custom command
Flaky: commands/cookies.cy.ts (1 flaky test, 5x-driver-electron): cy.origin cookies > client side > .getCookie(), .getCookies(), and .setCookie()
Flaky: patches.cy.ts (1 flaky test, 5x-driver-electron): src/cross-origin/patches > submit > correctly submits a form when the target is _top for HTMLFormElement
Flaky: commands/spies_stubs_clocks.cy.ts (1 flaky test, 5x-driver-electron): cy.origin spies, stubs, and clock > spy()
Flaky: commands/log.cy.ts (1 flaky test, 5x-driver-electron): cy.origin log > logs in primary and secondary origins

The first 5 flaky specs are shown, see all 7 specs in Cypress Cloud.

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

cli/CHANGELOG.md Outdated
@@ -7,6 +7,9 @@ _Released 08/15/2023 (PENDING)_

- Fixed an issue where having `cypress.config` in a nested directory would cause problems with locating the `component-index.html` file when using component testing. Fixes [#26400](https://github.com/cypress-io/cypress/issues/26400).

**Dependency Updates:**

- Upgraded [`@cypress/request`](https://www.npmjs.com/package/@cypress/request) from `^2.8.11` to `^3.0.0` and [`@cypress/request-promise`](https://www.npmjs.com/package/@cypress/request-promise) from `4.2.6` to `4.2.7`. Addressed in [#27495](https://github.com/cypress-io/cypress/pull/27495).
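Review bot: the "from" version in the new Dependency Updates bullet reads `^2.8.11`, which is not on the 2.88.x line that the rest of the thread discusses (npm audit reports `@cypress/request <=2.88.12` as affected); it should read `^2.88.11`. Consider also naming the advisory this upgrade addresses, GHSA-p8p7-x288-28g6, in the same bullet so readers of the CHANGELOG can trace the security fix to its source.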


Apologies - it's the little person in me who gives me an itch when I spot the tiniest of typos :). Stumbled across this when searching for a better solution to update our cypress 9.5.3 to cover CVE-2023-26136. Dependabot is helpfully offering to patch package-lock.json but that gives me the heebie-jeebies, as until this PR is merged, and we've upgraded to the latest Cypress, any changes will regress the alert.

Suggested change
- Upgraded [`@cypress/request`](https://www.npmjs.com/package/@cypress/request) from `^2.8.11` to `^3.0.0` and [`@cypress/request-promise`](https://www.npmjs.com/package/@cypress/request-promise) from `4.2.6` to `4.2.7`. Addressed in [#27495](https://github.com/cypress-io/cypress/pull/27495).
- Upgraded [`@cypress/request`](https://www.npmjs.com/package/@cypress/request) from `^2.88.11` to `^3.0.0` and [`@cypress/request-promise`](https://www.npmjs.com/package/@cypress/request-promise) from `4.2.6` to `4.2.7`. Addressed in [#27495](https://github.com/cypress-io/cypress/pull/27495).

@jordanpowell88

We can close in favor of #27515 (which addresses the binary failure and updates @cypress/request and @cypress/request-promise)

@jordanpowell88

Looks like this is a breaking change and will need to get put in v13. Going to just patch 2.88.12 in my PR and then we can include this in 13 afterwards

MikeMcC399 commented Aug 11, 2023

Without this PR, executing npm audit on a clean installation of cypress@12.17.4 reports

# npm audit report

@cypress/request  <=2.88.12
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install cypress@4.2.0, which is a breaking change
node_modules/@cypress/request
  cypress  >=4.3.0
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I would suggest adding GHSA-p8p7-x288-28g6 to the CHANGELOG, e.g.

... to address security vulnerability [GHSA-p8p7-x288-28g6](https://github.com/advisories/GHSA-p8p7-x288-28g6)

The Common Vulnerabilities and Exposures article ID CVE-2023-28155 does not actually mention @cypress/request or cypress, so it might be confusing to use this ID as a reference in the Cypress CHANGELOG.
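A defender-side check for the situation in the audit output above, as an added example that is not code from the Cypress project: it scans a package-lock.json for @cypress/request in the affected range and reports which dependents declare a caret range that the fixed 3.0.0 release does not satisfy, which is why the upgrade needs a major Cypress release rather than a patch. The sample lockfile is constructed; real lockfiles are read with `JSON.parse(fs.readFileSync('package-lock.json'))`.

```javascript
// Added example, not code from the Cypress PR: scan a package-lock.json "packages" map
// (lockfileVersion 2/3) for @cypress/request <= 2.88.12 (the range npm audit flags for
// GHSA-p8p7-x288-28g6) and check whether the fixed 3.0.0 line fits each dependent's range.
const VULN_PKG = '@cypress/request';
const MAX_VULN = [2, 88, 12]; // versions <= 2.88.12 are affected
const FIXED = '3.0.0';

function parseVersion(v) { // "v2.88.11" -> [2, 88, 11]; prerelease/build suffixes ignored
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `fixed` lies outside caret range `range` (^2.88.11 does not admit 3.0.0),
// meaning the dependent must ship its own release that widens the range, as this PR does.
function fixRequiresRangeBump(range, fixed) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error(`only caret ranges handled here: ${range}`);
  const base = m.slice(1, 4).map(Number);
  const f = parseVersion(fixed);
  const sameLine = base[0] > 0 ? f[0] === base[0] : f[0] === 0 && f[1] === base[1];
  return !(sameLine && compareVersions(f, base) >= 0);
}

function auditLock(lock) {
  const entries = Object.entries(lock.packages || {});
  const vulnerable = entries // every installed copy of the package, hoisted or nested
    .filter(([p, e]) => p.endsWith(`node_modules/${VULN_PKG}`) &&
      compareVersions(parseVersion(e.version), MAX_VULN) <= 0)
    .map(([path, e]) => ({ path, version: e.version }));
  const dependents = entries // packages whose declared deps pull it in
    .filter(([, e]) => e.dependencies && VULN_PKG in e.dependencies)
    .map(([p, e]) => ({
      name: p.replace(/^.*node_modules\//, '') || '<root>',
      range: e.dependencies[VULN_PKG],
      needsBump: fixRequiresRangeBump(e.dependencies[VULN_PKG], FIXED),
    }));
  return { vulnerable, dependents };
}

// Constructed sample lockfile: cypress@12.17.4 pulling in the vulnerable request
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', version: '1.0.0' },
  'node_modules/cypress': { version: '12.17.4', dependencies: { '@cypress/request': '^2.88.11' } },
  'node_modules/@cypress/request': { version: '2.88.11' },
} };

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```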

@jordanpowell88 jordanpowell88 changed the base branch from develop to release/13.0.0 August 11, 2023 15:25
@jennifer-shehane jennifer-shehane mentioned this pull request Aug 22, 2023
@chrisbreiding chrisbreiding changed the title dependency: Upgrade @cypress/request to 3.0.0 and @cypress/request-promise to 4.2.7 dependency: Upgrade @cypress/request to 3.0.0 Aug 23, 2023
@chrisbreiding chrisbreiding changed the title dependency: Upgrade @cypress/request to 3.0.0 breaking: Upgrade @cypress/request to 3.0.0 Aug 23, 2023
@chrisbreiding chrisbreiding merged commit 7f45375 into release/13.0.0 Aug 23, 2023
@chrisbreiding chrisbreiding deleted the update-cypress-request-version branch August 23, 2023 19:16
@chrisbreiding chrisbreiding self-assigned this Aug 24, 2023
cypress-bot bot commented Aug 29, 2023

Released in 13.0.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v13.0.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Aug 29, 2023