cypress-io / netlify-plugin-cypress

Runs Cypress end-to-end tests after Netlify builds the site but before it is deployed

Home Page: https://www.cypress.io/blog/2020/03/30/run-cypress-tests-on-netlify-using-a-single-line/


Dependency on vulnerable version of got

kdmcguire opened this issue · comments

Versions

  • What is this plugin's version?

2.2.0

  • What is Cypress version?

6.9.1

  • What Netlify build image are you using? This setting is available under "Deploy settings / Build image selection". Probably either "Ubuntu Trusty 14.04" or "Ubuntu Xenial 16.04"

Ubuntu Focal 20.04 (default)

  • What is the Node version if you know it?

16.19.0

  • What is the NPM version if you know it?

8.19.3

Describe the bug
A clear and concise description of what the bug is.

GitHub's Dependabot reports that netlify-plugin-cypress@2.2.0 depends on a vulnerable version of got, 10.7.0. The patched version is got@11.8.5.

"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket."

GHSA-pfrx-2q88-qq97

Logs and screenshots
If possible, add the log from the terminal. You can turn on debugging logging, see Debugging section of the README file.

[screenshot attached to the original issue]

Link to the repo
Bugs with a reproducible example, like an open source repo showing the bug, are the most likely to be resolved.

"got": "10.7.0",