quasarframework / quasar-testing

Testing Harness App Extensions for the Quasar Framework 2.0+
https://testing.quasar.dev
MIT License

quasar-app-extension-testing-e2e-cypress depends on vulnerable libraries #365

Closed apacha closed 7 months ago

apacha commented 7 months ago

Software version

OS: MacOS
Node: 20.10.0
NPM: 10.2.3

What did you get as the error?

When installing `quasar ext add @quasar/testing-e2e-cypress` in a clean, new Quasar project and then executing `npm audit`, the requested libraries seem to be outdated and known vulnerabilities are reported.

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @quasar/quasar-app-extension-testing-e2e-cypress@5.1.1, which is a breaking change
node_modules/start-server-and-test/node_modules/axios
  wait-on  5.0.0-rc.0 - 7.1.0
  Depends on vulnerable versions of axios
  node_modules/start-server-and-test/node_modules/wait-on
    start-server-and-test  1.11.1 - 2.0.2
    Depends on vulnerable versions of wait-on
    node_modules/start-server-and-test
      @quasar/quasar-app-extension-testing-e2e-cypress  <=5.1.0 || >=5.2.0-alpha.1
      Depends on vulnerable versions of start-server-and-test
      node_modules/@quasar/quasar-app-extension-testing-e2e-cypress

What were you expecting?

That the latest version of @quasar/quasar-app-extension-testing-e2e-cypress has no security vulnerabilities, especially if the dependencies already list axios with a higher version that doesn't have this vulnerability:

  "dependencies": {
    "@quasar/extras": "^1.16.9",
    "@sentry/vite-plugin": "^2.10.2",
    "@sentry/vue": "^7.88.0",
    "axios": "^1.6.2",
    "axios-case-converter": "^1.1.0",
    "dotenv": "^16.3.1",
    "natsort": "^2.0.3",
    "pinia": "^2.1.7",
    "pinia-plugin-persistedstate": "^3.2.0",
    "quasar": "^2.14.1",
    "typedjson": "^1.8.0",
    "vue": "^3.0.0",
    "vue-router": "^4.0.0"
  },
  "devDependencies": {
    "@quasar/app-vite": "^1.7.1",
    "@quasar/quasar-app-extension-testing-e2e-cypress": "^5.2.1",
    "@quasar/quasar-app-extension-testing-unit-vitest": "^0.4.0",
    "@types/node": "^20.10.4",
    "@typescript-eslint/eslint-plugin": "^6.14.0",
    "@typescript-eslint/parser": "^6.14.0",
    "@vue/test-utils": "^2.4.3",
    "autoprefixer": "^10.4.16",
    "cypress": "^13.6.5",
    "eslint": "^8.55.0",
    "eslint-config-prettier": "^9.1.0",
    "eslint-plugin-cypress": "^2.15.1",
    "eslint-plugin-vue": "^9.19.2",
    "msw": "^2.0.11",
    "prettier": "^3.1.1",
    "typescript": "^5.2.2",
    "vitest": "^0.34.6"
  },
  "engines": {
    "node": "^20 || ^18 || ^16 || ^14.19",
    "npm": ">= 6.13.4",
    "yarn": ">= 1.21.1"
  }

especially given that start-server-and-test was already updated: https://github.com/bahmutov/start-server-and-test/commit/ad35c2e4128615d7bc6e84d09761ae5d1fbc8da2

What steps did you take, to get the error?

Simply install the Cypress test harness and then run `npm audit`.
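The text report quoted above is npm's rendering of a dependency chain: the advisory sits on a transitive package (axios), and every package above it is flagged only because it "Depends on vulnerable versions" of the one below. The script below is an added illustration, not code from this issue or from the quasar-testing project: it walks the JSON form of the same report (`npm audit --json`, npm 7+) and prints one line per advisory showing the chain from the vulnerable package up to the dependency you declared yourself, plus whether npm's proposed fix is a semver-major bump (the "breaking change" note in the report). The report object embedded here is constructed to mirror the chain in the issue; the field layout (`via`, `effects`, `isDirect`, `fixAvailable.isSemVerMajor`) is npm's auditReportVersion 2 and is assumed rather than taken from the page.

```javascript
// Added example: walk an `npm audit --json` report and reconstruct the
// advisory -> ... -> direct-dependency chains that the text report prints.
// SAMPLE_REPORT is CONSTRUCTED from the chain quoted in the issue; to run this
// against a real project, do `npm audit --json > audit.json` and replace
// SAMPLE_REPORT with JSON.parse(require("fs").readFileSync("audit.json", "utf8")).

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: "axios", severity: "moderate", isDirect: false,
      // Objects in `via` are the advisories themselves.
      via: [{ name: "axios", severity: "moderate", range: "0.8.1 - 0.27.2",
              title: "Axios Cross-Site Request Forgery Vulnerability",
              url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" }],
      effects: ["wait-on"], range: "0.8.1 - 0.27.2",
      nodes: ["node_modules/start-server-and-test/node_modules/axios"],
      fixAvailable: { name: "@quasar/quasar-app-extension-testing-e2e-cypress",
                      version: "5.1.1", isSemVerMajor: true },
    },
    "wait-on": {
      name: "wait-on", severity: "moderate", isDirect: false,
      // Strings in `via` mean "inherited from that package".
      via: ["axios"], effects: ["start-server-and-test"],
      range: "5.0.0-rc.0 - 7.1.0",
      nodes: ["node_modules/start-server-and-test/node_modules/wait-on"],
    },
    "start-server-and-test": {
      name: "start-server-and-test", severity: "moderate", isDirect: false,
      via: ["wait-on"], effects: ["@quasar/quasar-app-extension-testing-e2e-cypress"],
      range: "1.11.1 - 2.0.2", nodes: ["node_modules/start-server-and-test"],
    },
    "@quasar/quasar-app-extension-testing-e2e-cypress": {
      name: "@quasar/quasar-app-extension-testing-e2e-cypress",
      severity: "moderate", isDirect: true,
      via: ["start-server-and-test"], effects: [],
      range: "<=5.1.0 || >=5.2.0-alpha.1",
      nodes: ["node_modules/@quasar/quasar-app-extension-testing-e2e-cypress"],
    },
  },
};

// Depth-first walk along `effects` edges. Returns every path from `name` to a
// package with no further effects (normally a direct dependency). `seen` stops
// the walk if a malformed report contains a cycle.
function walkEffects(vulns, name, seen) {
  const entry = vulns[name];
  const effects = entry ? entry.effects : [];
  if (!effects || effects.length === 0 || seen.has(name)) return [[name]];
  seen.add(name);
  const chains = [];
  for (const next of effects) {
    for (const tail of walkEffects(vulns, next, seen)) chains.push([name, ...tail]);
  }
  seen.delete(name);
  return chains;
}

// One record per (advisory, chain): which advisory, how severe, the chain of
// packages it reaches you through, and whether npm's fix would be a major bump.
function advisoryChains(report) {
  const vulns = (report && report.vulnerabilities) || {};
  const results = [];
  for (const [name, entry] of Object.entries(vulns)) {
    const advisories = (entry.via || []).filter((v) => typeof v === "object");
    const fix = entry.fixAvailable;
    for (const adv of advisories) {
      for (const chain of walkEffects(vulns, name, new Set())) {
        results.push({
          title: adv.title, url: adv.url, severity: adv.severity, chain,
          fixIsBreaking: Boolean(fix && typeof fix === "object" && fix.isSemVerMajor),
        });
      }
    }
  }
  return results;
}

// Render one chain as a single report line.
function formatChain(c) {
  const fix = c.fixIsBreaking ? " (fix is semver-major)" : "";
  return `${c.severity.padEnd(8)} ${c.chain.join(" -> ")}${fix}`;
}

for (const c of advisoryChains(SAMPLE_REPORT)) {
  console.log(formatChain(c));
  console.log("         " + c.title + " - " + c.url);
}
```

The useful output for triage is the last element of each chain: that is the package in your own `package.json` whose version range pins the vulnerable subtree, so it tells you whether the fix is in your hands (bump or override it) or, as here, in a dependency's.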

IlCallo commented 7 months ago

Please read the comment here: https://github.com/quasarframework/quasar-testing/blob/c93cc86cb00194be97485f5b705d26f3b33fbf46/packages/e2e-cypress/package.json#L35

We can't bump that dependency without removing support for past versions of Node. Since the vulnerability isn't critical when using it for local or CI-run tests, we don't plan to bump it until the next major version of Cypress AE, which will probably be released when Cypress 14 is out.

IlCallo commented 7 months ago

@apacha I just published Cypress AE v6 to bump all deps, remove Node 14+16 support and avoid the vulnerability warning.

apacha commented 7 months ago

Amazing, thank you very much!