Lodash vulnerability from npm audit security report

[rj-david]

Current behavior:

An npm audit report pointing to lodash version being used by cypress

                   === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cypress [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ cypress > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1065 │
└───────────────┴──────────────────────────────────────────────────────────────┘

Desired behavior:

no audit report

Versions

Cypress 3.4.0

[jennifer-shehane]

The code for this is done in #4709, but this has yet to be released. We'll update this issue and reference the changelog when it's released.

[josephpage]

Why not reference lodash with "~4.17.13", to allow to update it in these emergency cases without compromising on stability ?

[jennifer-shehane]

You can run npm audit fix to fix the 'vulnerable' dependencies. We prefer locking dependencies so we know exactly what versions our users are using and ensure it works on these exact versions before publishing.

But also Cypress is immune to most if not all security vulnerabilities because its locally run software - not a web server hosted in the cloud, so this security issue doesn't even apply and is low priority for us.

[jimmyandrade]

@jennifer-shehane Hi, npm audit fix doesn't actually fix this:

fixed 0 of 1 vulnerability in 905229 scanned packages
  1 vulnerability required manual review and could not be updated

Waiting for the next release

[jennifer-shehane]

We're working on a patch release, instead of waiting for next feature release.

[cypress-bot]

Released in 3.4.1.

[tobiasfeil]

The problem persists for me under cypress 4.10.0, it depends on lodash 4.17.15 which introduces a vulnerability as is reported here