Giters

cypress-io / cypress-docker-images

Docker images with Cypress dependencies and browsers

Home Page:https://on.cypress.io/continuous-integration

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Critical vulnerability in latest image

jose-alvarez-r opened this issue · comments

commented

Hello team,

It seems that image

cypress/browsers:node-20.11.0-chrome-121.0.6167.85-1-ff-120.0-edge-121.0.2277.83-1

has some critical vulnerability according to checkov code scanning

https://security-tracker.debian.org/tracker/CVE-2023-6879

The base image has been fixed, but no updates in cypress image.

Could you please have a look? Any plan image updating?

Thank you

commented

We have a Cypress Docker Factory which allows you to customize your own docker image for use. You can also update your dockerfile to modify the image to meet whatever requirements you want. These images are provided to help in development and are not production ready.

That being said there are a couple of disclaimers:

  1. Cypress docker containers are provided to end users for ease of use and should not be used in a production environment.
  2. We have seen Snyk report vulnerabilities in dependencies before that are not actually exploitable in any intended uses of our app. As such the risk of these exploits is extremely low or almost zero.

If you have found an exploitable vulnerability please do contact us at security@cypress.io with details about reproducing that exploit and we will investigate.