Installation reports vulnerabilities
MikeMcC399 opened this issue
Mike McCready commented
Versions
- What is this plugin's version: 2.2.1
- What is the Node version: v20.12.1
- What is the NPM version: 10.5.0
Describe the bug
Installing netlify-plugin-cypress@latest (v2.2.1) reports several vulnerabilities:
6 vulnerabilities (1 low, 1 moderate, 4 high)
These are not fixable by running npm audit fix.
Steps to reproduce
Execute:
mkdir netlify-plugin-test
cd netlify-plugin-test
npm init -y
npm install netlify-plugin-cypress@latest
Note the vulnerability report:
6 vulnerabilities (1 low, 1 moderate, 4 high)
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
Now execute
npm audit fix
which results in the following log:
$ npm audit
# npm audit report
@koa/cors <5.0.0
Severity: high
Overly permissive origin policy - https://github.com/advisories/GHSA-qxrj-hx23-xp82
No fix available
node_modules/@koa/cors
lws-cors 1.0.0 - 4.2.0
Depends on vulnerable versions of @koa/cors
node_modules/lws-cors
local-web-server 2.3.0 - 5.1.1
Depends on vulnerable versions of lws-cors
node_modules/local-web-server
netlify-plugin-cypress *
Depends on vulnerable versions of debug
Depends on vulnerable versions of got
Depends on vulnerable versions of local-web-server
node_modules/netlify-plugin-cypress
debug 4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/debug
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
6 vulnerabilities (1 low, 1 moderate, 4 high)
Some issues need review, and may require choosing
a different dependency.
Expected
When
npm install netlify-plugin-cypress@latest
is executed, no vulnerabilities should be displayed.
Related issues
Mike McCready commented
- Due to #345 this would need to be handled by the Cypress.io team.
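The text report above tells you that `@koa/cors`, `debug` and `got` have no fix, but leaves it to the reader to trace which direct dependency drags each one in. The script below is an added example, not code from this issue or from the netlify-plugin-cypress project: it reads an `npm audit --json` report (the `auditReportVersion: 2` shape produced by npm 10 is assumed, where each `vulnerabilities` entry carries `via`, `effects` and `fixAvailable`), keeps only advisories with `fixAvailable: false` at or above a severity floor, and walks `effects` upward to print the chain ending at the direct dependency. The embedded report is constructed by hand to mirror the six entries in the issue's text report; it is not captured npm output, and the `debug` severity is inferred from the "1 low" in the summary. The function names are the example's own.

```javascript
// Added example: trace unfixable npm audit findings to the direct dependency.
// Assumes the `npm audit --json` v2 shape (npm 10); not real npm output.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the text report in this issue.
// `via` holds advisory objects for the package that carries the advisory and
// package names for packages that are vulnerable only through a dependency.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "@koa/cors": {
      name: "@koa/cors", severity: "high", isDirect: false,
      via: [{ name: "@koa/cors", dependency: "@koa/cors", severity: "high", range: "<5.0.0",
              title: "Overly permissive origin policy",
              url: "https://github.com/advisories/GHSA-qxrj-hx23-xp82" }],
      effects: ["lws-cors"], range: "<5.0.0", nodes: ["node_modules/@koa/cors"], fixAvailable: false,
    },
    "lws-cors": {
      name: "lws-cors", severity: "high", isDirect: false, via: ["@koa/cors"],
      effects: ["local-web-server"], range: "1.0.0 - 4.2.0", nodes: ["node_modules/lws-cors"], fixAvailable: false,
    },
    "local-web-server": {
      name: "local-web-server", severity: "high", isDirect: false, via: ["lws-cors"],
      effects: ["netlify-plugin-cypress"], range: "2.3.0 - 5.1.1", nodes: ["node_modules/local-web-server"], fixAvailable: false,
    },
    debug: {
      name: "debug", severity: "low", isDirect: false,
      via: [{ name: "debug", dependency: "debug", severity: "low", range: ">=4.0.0 <4.3.1",
              title: "Regular Expression Denial of Service in debug",
              url: "https://github.com/advisories/GHSA-gxpj-cx7g-858c" }],
      effects: ["netlify-plugin-cypress"], range: "4.0.0 - 4.3.0", nodes: ["node_modules/debug"], fixAvailable: false,
    },
    got: {
      name: "got", severity: "moderate", isDirect: false,
      via: [{ name: "got", dependency: "got", severity: "moderate", range: "<11.8.5",
              title: "Got allows a redirect to a UNIX socket",
              url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97" }],
      effects: ["netlify-plugin-cypress"], range: "<11.8.5", nodes: ["node_modules/got"], fixAvailable: false,
    },
    "netlify-plugin-cypress": {
      name: "netlify-plugin-cypress", severity: "high", isDirect: true,
      via: ["debug", "got", "local-web-server"], effects: [], range: "*",
      nodes: ["node_modules/netlify-plugin-cypress"], fixAvailable: false,
    },
  },
};

// Reproduces npm's summary line: how many entries sit at each severity.
function countBySeverity(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities)) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
  }
  return counts;
}

// Entries that carry an advisory themselves (an object in `via`), as opposed
// to entries flagged only because they depend on a vulnerable package.
function advisoryRoots(report) {
  return Object.values(report.vulnerabilities).filter((v) => v.via.some((x) => typeof x === "object"));
}

// Follow `effects` (the dependents) from `name` up to packages nothing else
// depends on; returns every path as an array of package names.
function dependencyChains(report, name, seen = new Set()) {
  if (seen.has(name)) return []; // cycle guard: drop paths that loop
  const entry = report.vulnerabilities[name];
  if (!entry || entry.effects.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  return entry.effects.flatMap((dep) => dependencyChains(report, dep, next).map((chain) => [name, ...chain]));
}

// Advisories with no fix at or above `minSeverity`, each with its chain.
// `fixAvailable` is false, true, or an object describing the fixing version,
// so compare against false explicitly.
function unfixable(report, minSeverity = "low") {
  const floor = SEVERITY_RANK[minSeverity];
  const findings = [];
  for (const root of advisoryRoots(report)) {
    if (root.fixAvailable !== false) continue;
    for (const adv of root.via) {
      if (typeof adv !== "object" || SEVERITY_RANK[adv.severity] < floor) continue;
      const ghsa = adv.url.split("/").pop();
      for (const chain of dependencyChains(report, root.name)) {
        findings.push({ ghsa, severity: adv.severity, package: root.name, range: adv.range, chain: chain.join(" -> ") });
      }
    }
  }
  return findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

const counts = countBySeverity(sampleReport);
console.log(`${Object.keys(sampleReport.vulnerabilities).length} vulnerabilities`, counts);
for (const f of unfixable(sampleReport)) {
  console.log(`${f.severity.padEnd(8)} ${f.ghsa}  ${f.package} ${f.range}\n         via ${f.chain}`);
}
```

To run it against a real tree, replace `sampleReport` with `JSON.parse(require("fs").readFileSync(0, "utf8"))` and pipe `npm audit --json` into the script; every chain here ends at `netlify-plugin-cypress`, which is why `npm audit fix` has nothing to offer and the fix has to come from the plugin's own dependency set.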