Closed lmm-git closed 8 months ago
In that exact commit I also added the explanation to why I pinned the version, some lines above: https://github.com/quasarframework/quasar-testing/blob/cc3b4377385433448c03c06217d08c1085f04271/packages/e2e-cypress/package.json#L35
A vulnerability of that kind, in a package that's used in a controlled environment such as the one used for automated testing with Cypress, isn't that much of a concern. We'll bump the dep version in the next major version of Cypress AE, when we'll drop support for Node 14.
start-server-and-test uses axios in a vulnerable version (^0.27.2) (see https://www.npmjs.com/advisories/1094889).

Full dependency tree:
@quasar/quasar-app-extension-testing-e2e-cypress > start-server-and-test > wait-on > axios

In commit 2de1718de8265cf424861155712c820947456938 start-server-and-test got pinned to 2.0.0, which is using this exact vulnerable version. It got fixed in later versions (e.g. 2.0.3), but in version 2.0.1 they removed support for Node 14. Therefore I suspect the change to pin to 2.0.0 was done to still support Node 14.

I would open a PR with a fix, but I currently do not know how exactly. Do you want to discontinue support for Node 14 or pin the axios/wait-on version?
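The dependency chain quoted above is the kind of thing a practitioner wants to verify against the lockfile that is actually installed, not just against `npm audit` output. The script below is an added example, not code from the quasar-testing project or from either participant in this thread: it walks a lockfileVersion 3 package-lock.json the way Node's module resolution does (nearest node_modules first, then each parent package's node_modules, then the project root), so a nested copy of axios under one package is not confused with the hoisted copy another package gets. The lockfile contents, the package versions in it, and the fixed-version boundary ASSUMED_FIXED_VERSION are all constructed assumptions for illustration; take the real boundary from the advisory.

```javascript
// Added example: resolve a transitive dependency chain from a lockfileVersion 3
// package-lock.json and report the version that a given path actually reaches.
// Everything in exampleLock is constructed for illustration, not real lockfile data.

const exampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@quasar/quasar-app-extension-testing-e2e-cypress": "*" } },
    "node_modules/@quasar/quasar-app-extension-testing-e2e-cypress": {
      version: "0.0.0-constructed",
      dependencies: { "start-server-and-test": "2.0.0" },
    },
    "node_modules/start-server-and-test": {
      version: "2.0.0",
      dependencies: { "wait-on": "7.0.1" },
    },
    "node_modules/wait-on": {
      version: "7.0.1",
      dependencies: { axios: "^0.27.2" },
    },
    // hoisted axios that wait-on resolves to (constructed)
    "node_modules/axios": { version: "0.27.2" },
    // a second package with its own nested axios, to show nesting is honoured (constructed)
    "node_modules/something-else": { version: "1.0.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/something-else/node_modules/axios": { version: "1.6.7" },
  },
};

// Assumed boundary: versions below this are treated as affected. Replace with the
// value from the advisory you are checking against.
const ASSUMED_FIXED_VERSION = "0.28.0";

// "node_modules/a/node_modules/b" -> "node_modules/a"; "node_modules/a" -> "" (project root)
function parentPackagePath(pkgPath) {
  const idx = pkgPath.lastIndexOf("node_modules/");
  if (idx <= 0) return "";
  return pkgPath.slice(0, idx - 1);
}

// Resolve depName as required from the package at fromPath, walking up like Node does.
function resolveDependency(lock, fromPath, depName) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir === "" ? "" : dir + "/") + "node_modules/" + depName;
    if (Object.prototype.hasOwnProperty.call(lock.packages, candidate)) return candidate;
    if (dir === "") return null;
    dir = parentPackagePath(dir);
  }
}

// Follow a chain of package names from the project root; returns each hop's
// lockfile path and resolved version, or the first name that could not be found.
function resolveChain(lock, chain) {
  const hops = [];
  let current = "";
  for (const name of chain) {
    const found = resolveDependency(lock, current, name);
    if (found === null) return { complete: false, hops, missing: name };
    hops.push({ name, path: found, version: lock.packages[found].version });
    current = found;
  }
  return { complete: true, hops };
}

// Minimal numeric major.minor.patch comparison (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the leaf of the chain resolves to a version below fixedVersion.
function chainReachesAffectedVersion(lock, chain, fixedVersion) {
  const result = resolveChain(lock, chain);
  if (!result.complete) return false;
  const leaf = result.hops[result.hops.length - 1];
  return compareVersions(leaf.version, fixedVersion) < 0;
}

const chain = [
  "@quasar/quasar-app-extension-testing-e2e-cypress",
  "start-server-and-test",
  "wait-on",
  "axios",
];
const resolved = resolveChain(exampleLock, chain);
for (const hop of resolved.hops) console.log(`${hop.name}@${hop.version}  (${hop.path})`);
console.log("affected:", chainReachesAffectedVersion(exampleLock, chain, ASSUMED_FIXED_VERSION));
```

To run this against a real project, replace exampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))` and the chain with the one `npm ls axios` prints; the resolved path tells you whether an override in package.json or a bump of the intermediate package (wait-on here) is what actually changes the installed version.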