
Installation reports vulnerabilities #426

Closed as not planned
@MikeMcC399

Description


Versions

  • What is this plugin's version: 2.2.1
  • What is the Node version: v20.12.1, v20.17.0 & v22.12.0
  • What is the NPM version: 10.5.0, 10.8.2 & 10.9.0

Describe the bug

Installing netlify-plugin-cypress@latest (v2.2.1) reports several vulnerabilities:

8 vulnerabilities (1 low, 1 moderate, 6 high)

These are not fixable by running npm audit fix.

Steps to reproduce

Execute:

mkdir netlify-plugin-test
cd netlify-plugin-test
npm init -y
npm install netlify-plugin-cypress@latest

Note the vulnerability report:

8 vulnerabilities (1 low, 1 moderate, 6 high)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Now execute

npm audit

which results in the following log:

$ npm audit
# npm audit report

@koa/cors  <5.0.0
Severity: high
Overly permissive origin policy - https://github.com/advisories/GHSA-qxrj-hx23-xp82
No fix available
node_modules/@koa/cors
  lws-cors  1.0.0 - 4.2.0
  Depends on vulnerable versions of @koa/cors
  node_modules/lws-cors
    local-web-server  2.3.0 - 5.1.1
    Depends on vulnerable versions of lws-cors
    node_modules/local-web-server
      netlify-plugin-cypress  *
      Depends on vulnerable versions of debug
      Depends on vulnerable versions of got
      Depends on vulnerable versions of local-web-server
      Depends on vulnerable versions of puppeteer
      node_modules/netlify-plugin-cypress

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/debug

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
No fix available
node_modules/ws
  puppeteer  11.0.0 - 18.1.0
  Depends on vulnerable versions of ws
  node_modules/puppeteer

8 vulnerabilities (1 low, 1 moderate, 6 high)

Some issues need review, and may require choosing
a different dependency.

Expected

When

npm install netlify-plugin-cypress@latest

is executed, no vulnerabilities should be displayed.

Related issues

Edit: Updated vulnerabilities Sep 27, 2024.
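The report quoted in the issue is the human-readable form; `npm audit --json` emits the same data as an auditReportVersion 2 document that a CI job can triage instead of relying on someone reading the `npm install` summary. The script below is an added example, not code from this issue or from netlify-plugin-cypress. Its embedded report is a constructed sample modeled on the text report above: the advisory URLs and version ranges are copied from it, the JSON field names follow npm's audit format, and the `low` severity assigned to debug is an assumption chosen to match the "1 low" in the summary line (the text report prints no severity for debug). The function names and the `audit_triage.py` file name are hypothetical.

```python
"""Triage an `npm audit --json` report: separate the packages that carry an
advisory from the packages merely affected through them, show which direct
dependency pulls each one in, and turn the result into a CI exit code.
Added example; the embedded report is a constructed sample (see lead-in)."""
import json
import sys

SAMPLE_AUDIT_JSON = r'''
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@koa/cors": {"name": "@koa/cors", "severity": "high", "isDirect": false,
      "via": [{"name": "@koa/cors", "severity": "high", "range": "<5.0.0",
               "title": "Overly permissive origin policy",
               "url": "https://github.com/advisories/GHSA-qxrj-hx23-xp82"}],
      "effects": ["lws-cors"], "range": "<5.0.0", "fixAvailable": false},
    "lws-cors": {"name": "lws-cors", "severity": "high", "isDirect": false,
      "via": ["@koa/cors"], "effects": ["local-web-server"],
      "range": "1.0.0 - 4.2.0", "fixAvailable": false},
    "local-web-server": {"name": "local-web-server", "severity": "high",
      "isDirect": false, "via": ["lws-cors"], "effects": ["netlify-plugin-cypress"],
      "range": "2.3.0 - 5.1.1", "fixAvailable": false},
    "debug": {"name": "debug", "severity": "low", "isDirect": false,
      "via": [{"name": "debug", "severity": "low", "range": "4.0.0 - 4.3.0",
               "title": "Regular Expression Denial of Service in debug",
               "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c"}],
      "effects": ["netlify-plugin-cypress"], "range": "4.0.0 - 4.3.0", "fixAvailable": false},
    "got": {"name": "got", "severity": "moderate", "isDirect": false,
      "via": [{"name": "got", "severity": "moderate", "range": "<11.8.5",
               "title": "Got allows a redirect to a UNIX socket",
               "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97"}],
      "effects": ["netlify-plugin-cypress"], "range": "<11.8.5", "fixAvailable": false},
    "ws": {"name": "ws", "severity": "high", "isDirect": false,
      "via": [{"name": "ws", "severity": "high", "range": "8.0.0 - 8.17.0",
               "title": "ws affected by a DoS when handling a request with many HTTP headers",
               "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q"}],
      "effects": ["puppeteer"], "range": "8.0.0 - 8.17.0", "fixAvailable": false},
    "puppeteer": {"name": "puppeteer", "severity": "high", "isDirect": false,
      "via": ["ws"], "effects": ["netlify-plugin-cypress"],
      "range": "11.0.0 - 18.1.0", "fixAvailable": false},
    "netlify-plugin-cypress": {"name": "netlify-plugin-cypress", "severity": "high",
      "isDirect": true, "via": ["debug", "got", "local-web-server", "puppeteer"],
      "effects": [], "range": "*", "fixAvailable": false}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1, "high": 6,
                                   "critical": 0, "total": 8}}
}
'''

SEVERITIES = ("info", "low", "moderate", "high", "critical")


def parse_audit(text):
    """Parse the document that `npm audit --json` writes to stdout."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected auditReportVersion 2 (npm 7 or newer)")
    return report


def severity_counts(report):
    """Recount severities from the entries instead of trusting metadata."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for vuln in report["vulnerabilities"].values():
        counts[vuln["severity"]] += 1
    return counts


def root_causes(report):
    """Packages that carry an advisory themselves: their `via` list holds
    advisory objects, while transitively affected packages only list names."""
    return [name for name, vuln in report["vulnerabilities"].items()
            if any(isinstance(v, dict) for v in vuln["via"])]


def blame_chain(report, name):
    """Follow `effects` from a vulnerable package up to the direct dependency
    that pulls it in (first effect at each hop, guarded against cycles)."""
    vulns = report["vulnerabilities"]
    chain, seen = [name], {name}
    while vulns[chain[-1]]["effects"]:
        nxt = vulns[chain[-1]]["effects"][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def policy_exit_code(report, fail_on=("high", "critical")):
    """CI gate: 1 if any advisory at a failing severity has no fix, else 0.
    `fixAvailable` is false, true, or an object describing a semver-major
    fix; only the literal false counts as unfixable here."""
    vulns = report["vulnerabilities"]
    bad = [n for n in root_causes(report)
           if vulns[n]["severity"] in fail_on and vulns[n]["fixAvailable"] is False]
    return 1 if bad else 0


if __name__ == "__main__":
    # Live use: npm audit --json | python3 audit_triage.py ; falls back to the sample.
    rep = parse_audit(SAMPLE_AUDIT_JSON if sys.stdin.isatty() else sys.stdin.read())
    for pkg in root_causes(rep):
        v = rep["vulnerabilities"][pkg]
        adv = next(x for x in v["via"] if isinstance(x, dict))
        print(f"{v['severity']:8} {pkg} {v['range']}  fix={v['fixAvailable']}  {adv['url']}")
        print("         pulled in via " + " -> ".join(reversed(blame_chain(rep, pkg))))
    sys.exit(policy_exit_code(rep))
```

Run against the sample, the gate fails on the two unfixable high advisories (@koa/cors and ws) and shows that every one of the eight entries traces back through local-web-server, puppeteer, debug or got to the single direct dependency, which is why `npm audit fix` has nothing to change in the consumer's own package.json. Because none of the four advisories has a fix available, the choices left to a consumer are to pin transitive versions with npm `overrides` (and then test the plugin against the newer @koa/cors, got, ws and debug, since the upstream ranges were never declared compatible with them), to wait for the plugin to update its dependencies, or to accept the risk explicitly; a gate like the one above forces that decision to be recorded rather than letting the `npm install` summary scroll past.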
