Installation reports vulnerabilities #426

Closed
MikeMcC399 opened this issue Mar 27, 2024 · 2 comments
MikeMcC399 (Contributor) commented Mar 27, 2024

Versions

  • What is this plugin's version: 2.2.1
  • What is the Node version: v20.12.1 v20.17.0 & v22.12.0
  • What is the NPM version: 10.5.0 10.8.2 & 10.9.0

Describe the bug

Installing netlify-plugin-cypress@latest (v2.2.1) reports several vulnerabilities:

8 vulnerabilities (1 low, 1 moderate, 6 high)

These are not fixable by running npm audit fix.

Steps to reproduce

Execute:

mkdir netlify-plugin-test
cd netlify-plugin-test
npm init -y
npm install netlify-plugin-cypress@latest

Note the vulnerability report:

8 vulnerabilities (1 low, 1 moderate, 6 high)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Now execute:

npm audit

which results in the following log:

$ npm audit
# npm audit report

@koa/cors  <5.0.0
Severity: high
Overly permissive origin policy - https://github.com/advisories/GHSA-qxrj-hx23-xp82
No fix available
node_modules/@koa/cors
  lws-cors  1.0.0 - 4.2.0
  Depends on vulnerable versions of @koa/cors
  node_modules/lws-cors
    local-web-server  2.3.0 - 5.1.1
    Depends on vulnerable versions of lws-cors
    node_modules/local-web-server
      netlify-plugin-cypress  *
      Depends on vulnerable versions of debug
      Depends on vulnerable versions of got
      Depends on vulnerable versions of local-web-server
      Depends on vulnerable versions of puppeteer
      node_modules/netlify-plugin-cypress

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/debug

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
No fix available
node_modules/ws
  puppeteer  11.0.0 - 18.1.0
  Depends on vulnerable versions of ws
  node_modules/puppeteer

8 vulnerabilities (1 low, 1 moderate, 6 high)

Some issues need review, and may require choosing
a different dependency.

Expected

When

npm install netlify-plugin-cypress@latest

is executed, no vulnerabilities should be displayed.

Related issues

Edit: Updated vulnerabilities Sep 27, 2024.
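Added example, not part of this issue or of netlify-plugin-cypress: a Node script that consumes the JSON form of the report above (`npm audit --json`, npm's auditReportVersion 2 format, npm 7 and later) and shows what a CI job can do with findings that `npm audit fix` cannot repair: count them per severity, reproduce npm's summary line, trace each flagged transitive package back to the advisory at the root of its chain, and gate the build on a severity threshold. The report object is constructed inline to mirror the output above; the `low` severity on debug is inferred from the summary line (1 low, 1 moderate, 6 high), and the helper names `vuln`, `adv`, `countBySeverity`, `formatSummary`, `unfixable`, `rootAdvisories` and `shouldFail` are this example's own.

```javascript
// Added example, not part of this issue or of netlify-plugin-cypress:
// consume `npm audit --json` (auditReportVersion 2, npm >= 7) and decide
// what a CI job should do with findings that `npm audit fix` cannot repair.
//
// In a real pipeline the report would come from:
//   const { execFileSync } = require('node:child_process');
//   let raw;
//   try { raw = execFileSync('npm', ['audit', '--json'], { encoding: 'utf8' }); }
//   catch (err) { raw = err.stdout; } // npm exits non-zero when it finds anything
//   const report = JSON.parse(raw);
// Here the report is CONSTRUCTED inline to mirror the issue's output.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Small builders so the sample stays readable. `via` holds advisory objects
// for a package that is itself vulnerable, and package names for packages
// flagged only because they depend on a vulnerable one.
const vuln = (name, severity, range, via, effects, isDirect = false) =>
  ({ name, severity, range, via, effects, isDirect, fixAvailable: false });
const adv = (name, title, ghsa, severity, range) =>
  ({ source: 0, name, dependency: name, title, severity, range,
     url: `https://github.com/advisories/${ghsa}` });

// Constructed sample mirroring the issue's `npm audit` report (all "No fix available").
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@koa/cors': vuln('@koa/cors', 'high', '<5.0.0',
      [adv('@koa/cors', 'Overly permissive origin policy', 'GHSA-qxrj-hx23-xp82', 'high', '<5.0.0')],
      ['lws-cors']),
    'lws-cors': vuln('lws-cors', 'high', '1.0.0 - 4.2.0', ['@koa/cors'], ['local-web-server']),
    'local-web-server': vuln('local-web-server', 'high', '2.3.0 - 5.1.1', ['lws-cors'], ['netlify-plugin-cypress']),
    // 'low' is inferred from the summary line "1 low, 1 moderate, 6 high"; the report omits it for debug
    debug: vuln('debug', 'low', '4.0.0 - 4.3.0',
      [adv('debug', 'Regular Expression Denial of Service in debug', 'GHSA-gxpj-cx7g-858c', 'low', '4.0.0 - 4.3.0')],
      ['netlify-plugin-cypress']),
    got: vuln('got', 'moderate', '<11.8.5',
      [adv('got', 'Got allows a redirect to a UNIX socket', 'GHSA-pfrx-2q88-qq97', 'moderate', '<11.8.5')],
      ['netlify-plugin-cypress']),
    ws: vuln('ws', 'high', '8.0.0 - 8.17.0',
      [adv('ws', 'ws affected by a DoS when handling a request with many HTTP headers', 'GHSA-3h5v-q93c-6h6q', 'high', '8.0.0 - 8.17.0')],
      ['puppeteer']),
    puppeteer: vuln('puppeteer', 'high', '11.0.0 - 18.1.0', ['ws'], ['netlify-plugin-cypress']),
    'netlify-plugin-cypress': vuln('netlify-plugin-cypress', 'high', '*',
      ['debug', 'got', 'local-web-server', 'puppeteer'], [], true),
  },
};

// Count findings per severity, the way npm's own summary line does.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] += 1;
  return counts;
}

// Render counts as npm prints them: "8 vulnerabilities (1 low, 1 moderate, 6 high)".
function formatSummary(counts) {
  const parts = Object.keys(SEVERITY_RANK)
    .filter((s) => counts[s] > 0)
    .map((s) => `${counts[s]} ${s}`);
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  return `${total} vulnerabilities (${parts.join(', ')})`;
}

// Packages npm cannot fix automatically (no non-breaking upgrade exists).
function unfixable(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.fixAvailable === false)
    .map((v) => v.name);
}

// Follow `via` links from a package down to the advisories at the root of
// each chain, so a reviewer sees why a transitive package is flagged.
function rootAdvisories(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  const urls = [];
  for (const via of entry.via) {
    if (typeof via === 'string') urls.push(...rootAdvisories(report, via, seen));
    else urls.push(via.url);
  }
  return urls;
}

// CI gate: true when any finding is at or above `threshold`, fixable or not.
// Unfixable findings still count; silence them only with a reviewed exception.
function shouldFail(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.vulnerabilities)
    .some((v) => SEVERITY_RANK[v.severity] >= min);
}

// Stand-alone run: summary line, then root advisories per direct dependency.
const sampleCounts = countBySeverity(sampleReport);
console.log(formatSummary(sampleCounts));
for (const v of Object.values(sampleReport.vulnerabilities)) {
  if (!v.isDirect) continue;
  console.log(`${v.name}:\n  ${rootAdvisories(sampleReport, v.name).join('\n  ')}`);
}
console.log(`unfixable: ${unfixable(sampleReport).length}, fail CI: ${shouldFail(sampleReport)}`);
```

Because every entry has `fixAvailable: false`, `unfixable` returns all eight packages, which is exactly the situation the issue describes: the only remedies are an upstream release of the plugin, a reviewed exception in CI, or replacing the dependency.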

MikeMcC399 (Contributor, Author) commented:

This issue still occurs, however there has been no new release of the plugin during the past 2 years, so closing issue as stale.

MikeMcC399 closed this as not planned on Jan 23, 2025.