Closed mrbusche closed 1 year ago
We get shell-quote@1.7.2 from a dependency on react-dev-utils@11.x, which is a transitive dependency coming from a few others. react-dev-utils@12 has bumped the version to ^1.7.3, so we need to trace back up to us and see what can be bumped.
=> Found "react-dev-utils@11.0.4"
info Has been hoisted to "react-dev-utils"
info Reasons this module exists
- "workspace-aggregator-fea014e7-9a83-4e2a-a6f8-eef14214b3d2" depends on it
- Hoisted from "_project_#@cypress#design-system#@storybook#react#react-dev-utils"
- Hoisted from "_project_#@cypress#design-system#@storybook#addon-essentials#@storybook#addon-docs#@storybook#builder-webpack4#react-dev-utils"
=> Found "@cypress/react#react-dev-utils@10.2.1"
info Reasons this module exists
- "_project_#@cypress#react#react-scripts" depends on it
- Hoisted from "_project_#@cypress#react#react-scripts#react-dev-utils"
=> Found "react-scripts#react-dev-utils@9.1.0"
@mrbusche We would welcome a PR that would bump the relevant development dependencies in our @cypress/react and @cypress/design-system packages. The cypress package itself does not bundle a shell-quote@1.7.2 dependency and should not be impacted.
Here are all the instances, via npm ls shell-quote. Most package upgrades require breaking changes, especially react-scripts.
cypress@9.3.1 C:\code\cypress
├─┬ @cypress/angular@0.0.0-development -> .\npm\angular
│ └─┬ @cypress/code-coverage@3.9.12
│   └─┬ @cypress/browserify-preprocessor@3.0.2
│     ├─┬ browserify@16.5.2
│     │ └── shell-quote@1.7.2 deduped
│     └─┬ watchify@4.0.0
│       ├─┬ browserify@17.0.0
│       │ └── shell-quote@1.7.2 deduped
│       └─┬ outpipe@1.1.1
│         └── shell-quote@1.7.2 deduped
├─┬ @cypress/react@0.0.0-development -> .\npm\react
│ ├─┬ @cypress/code-coverage@3.9.4
│ │ └─┬ @cypress/browserify-preprocessor@3.0.1
│ │   └─┬ browserify@16.2.3
│ │     └── shell-quote@1.7.2 deduped
│ ├─┬ next@10.2.3
│ │ └─┬ @next/react-dev-overlay@10.2.3
│ │   └── shell-quote@1.7.2 deduped
│ └─┬ react-scripts@3.4.1
│   └─┬ react-dev-utils@10.2.1
│     └── shell-quote@1.7.2 deduped
├─┬ @cypress/webpack-preprocessor@0.0.0-development -> .\npm\webpack-preprocessor
│ └─┬ react-scripts@3.2.0
│   └─┬ react-dev-utils@9.1.0
│     └── shell-quote@1.7.2 deduped
├─┬ @packages/example@0.0.0-development -> .\packages\example
│ └─┬ cypress-example-kitchensink@1.15.2
│   └─┬ npm-run-all@4.1.5
│     └── shell-quote@1.7.2 deduped
└─┬ @packages/server@0.0.0-development -> .\packages\server
  └─┬ launch-editor@2.3.0
    └── shell-quote@1.7.2
I was able to overwrite the resolutions by adding
  "resolutions": {
    "shell-quote": "1.7.3"
  }
and removing shell-quote from yarn.lock and doing a yarn install. react-dev-utils is pinned to 1.7.2, but since it's a dev dependency that shouldn't make its way into the final image.
My PR was rejected because I didn't make changes to upgrade to the latest major version, which would require a lot more time than I have to contribute. I commented on an issue for react-scripts to see if they'd accept a patch to version 3, but I don't feel confident - https://github.com/facebook/create-react-app/issues/11608
Another solution may be to move react-scripts to devDependencies everywhere. It's currently listed as a dependency under find-webpack and craco. Then when building cypress, build as a production build vs a dev/test bundle that includes devDependencies.
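To check whether an override like the resolutions entry above actually removed every path to the vulnerable version, the npm ls tree can be walked programmatically. The script below is an added example, not code from this thread or from the Cypress project; it assumes the nested `dependencies`/`version` shape that `npm ls --json` emits, and the sample tree is constructed by hand from a slice of the report above, with one branch already moved to 1.7.3.

```javascript
// Added example: walk an `npm ls --json` style tree and report every dependency path that
// resolves shell-quote below the fixed version (1.7.3 for CVE-2021-42740).
const FIXED = '1.7.3';

// Compare dotted numeric versions (major.minor.patch); pre-release tags are not handled.
function isBelow(version, floor) {
  const a = version.split('.').map(Number);
  const b = floor.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Depth-first walk; returns one "parent@v > child@v > shell-quote@v" string per vulnerable path.
function findVulnerablePaths(tree, pkg, floor, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...trail, `${name}@${node.version}`];
    if (name === pkg && isBelow(node.version, floor)) hits.push(here.join(' > '));
    hits.push(...findVulnerablePaths(node, pkg, floor, here));
  }
  return hits;
}

// Constructed sample (assumed npm --json shape): a fragment of the cypress@9.3.1 tree from
// this thread; the launch-editor branch is shown as already overridden to 1.7.3.
const sampleTree = {
  name: 'cypress', version: '9.3.1',
  dependencies: {
    '@cypress/react': { version: '0.0.0-development', dependencies: {
      'react-scripts': { version: '3.4.1', dependencies: {
        'react-dev-utils': { version: '10.2.1', dependencies: {
          'shell-quote': { version: '1.7.2' } } } } } } },
    '@packages/server': { version: '0.0.0-development', dependencies: {
      'launch-editor': { version: '2.3.0', dependencies: {
        'shell-quote': { version: '1.7.3' } } } } },
  },
};

const vulnerable = findVulnerablePaths(sampleTree, 'shell-quote', FIXED);
console.log(vulnerable.length ? vulnerable.join('\n') : 'no shell-quote below ' + FIXED);
```

Pipe real output in with `npm ls shell-quote --json` and parse it in place of `sampleTree`; an empty result after `yarn install` confirms the resolutions override took effect everywhere, including branches marked deduped.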
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.
This issue has been closed due to inactivity.
Current behavior
CVE-2021-42740 is a critical CVE in shell-quote version 1.7.2 that is resolved in 1.7.3
Desired behavior
cypress uses shell-quote 1.7.3
Test code to reproduce
It's a publicly visible CVE
Cypress Version
9.3.1
Other
No response