Description
During our work towards gaining UK Cyber Essentials certification, we've run Grype security scans over the latest version of the cypress/included container to identify high and critical vulnerabilities that might affect our certification.
Our scans returned a number of high and critical vulnerabilities, many of which are either unpatched or tagged as "won't fix", but the following vulnerabilities were identified that do have fixes available:
GHSA-2j2x-2gpw-g8fm - flat npm package v4.1.1, patched in v5.0.1
GHSA-q8j6-pwqx-pm96 - squirrelly npm package v7.9.2, patched in v9.0.0
GHSA-4wf5-vphf-c2xc - terser npm package v4.8.0, patched in v4.8.1
GHSA-273r-mgr4-v34f - engine.io npm package v5.0.0, patched in v5.2.1
GHSA-qwcr-r2fm-qrc7 - body-parser npm package v1.20.0, patched in v1.20.3
GHSA-grv7-fg5c-xmjg - braces npm package v2.3.2, patched in v3.0.3
GHSA-pq67-2wwv-3xjx - tar-fs npm package v2.1.1, patched in v2.1.2
GHSA-pq67-2wwv-3xjx - tar-fs npm package v3.0.6, patched in v3.0.7
GHSA-wpg7-2c88-r8xv - simple-get npm package v3.1.0, patched in v3.1.1
GHSA-f8q6-p94x-37v3 - minimatch npm package v3.0.4, patched in v3.0.5
GHSA-3h5v-q93c-6h6q - ws npm package v7.4.5, patched in v7.5.10
GHSA-3h5v-q93c-6h6q - ws npm package v8.11.0, patched in v8.17.1
GHSA-93q8-gq69-wqmw - ansi-regex npm package v3.0.0, patched in v3.0.1
GHSA-c7qv-q95q-8v27 - http-proxy-middleware npm package v2.0.6, patched in v2.0.7
GHSA-3xgq-45jj-v275 - cross-spawn npm package v6.0.5, patched in v6.0.6
GHSA-rc47-6667-2j5j - http-cache-semantics npm package v3.8.1, patched in v4.1.1
GHSA-rp65-9cf3-cjxr - nth-check npm package v1.0.2, patched in v2.0.1
GHSA-8cj5-5rvv-wf4v - tar-fs npm package v2.1.1, patched in v2.1.3
GHSA-8cj5-5rvv-wf4v - tar-fs npm package v3.0.6, patched in v3.0.9
GHSA-rhx6-c78j-4q9w - path-to-regexp npm package v0.1.10, patched in v0.1.12
GHSA-m5qc-5hw7-8vg7 - image-size npm package v1.1.1, patched in v1.2.1
It's safe to say that vulnerabilities are always something of a moving target, but we were wondering if there were any timescales in place for when the above were likely to be patched?
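The list above is the kind of output a practitioner wants from a Grype run: only findings at or above a severity threshold, and only those where a fixed version actually exists, so "won't fix" and unpatched entries do not clutter the remediation request. The following script is an added example, not part of this issue or of the Cypress project: it filters a Grype JSON report (`grype <image> -o json`, optionally narrowed further with Grype's own `--only-fixed` flag) down to High/Critical matches with a fix, de-duplicates repeated package/version pairs, and prints them in the format used in this issue. The Grype JSON field names (`matches[].vulnerability.id/severity/fix` and `matches[].artifact.name/version/type`) and the embedded sample report are assumptions constructed for the example; the placeholder identifiers in the sample are not real advisories.

```python
"""Filter a Grype JSON report down to High/Critical findings that have a fix.

Added example (not Cypress project code). Real usage:
    grype cypress/included:<tag> -o json > grype.json
    python3 fixable.py < grype.json
The JSON field names below are the ones assumed for Grype's report format.
"""
import json
import sys

# Grype's severity labels, ranked so a threshold can be applied.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report. Two of the entries mirror advisories from the
# issue; the placeholder ids are invented for the example only.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "GHSA-2j2x-2gpw-g8fm", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["5.0.1"]}},
         "artifact": {"name": "flat", "version": "4.1.1", "type": "npm"}},
        {"vulnerability": {"id": "GHSA-4wf5-vphf-c2xc", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["4.8.1"]}},
         "artifact": {"name": "terser", "version": "4.8.0", "type": "npm"}},
        # "won't fix" finding (placeholder id): no remediation, so it is dropped
        {"vulnerability": {"id": "CVE-0000-00000", "severity": "High",
                           "fix": {"state": "wont-fix", "versions": []}},
         "artifact": {"name": "libplaceholder", "version": "1.0", "type": "deb"}},
        # Medium finding with a fix (placeholder id): below the default threshold
        {"vulnerability": {"id": "GHSA-xxxx-xxxx-xxx1", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["2.0.0"]}},
         "artifact": {"name": "placeholder-pkg", "version": "1.0.0", "type": "npm"}},
        # Duplicate of the first match (same package vendored twice in the image)
        {"vulnerability": {"id": "GHSA-2j2x-2gpw-g8fm", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["5.0.1"]}},
         "artifact": {"name": "flat", "version": "4.1.1", "type": "npm"}},
    ]
})


def fixable_findings(report_json, min_severity="High"):
    """Return de-duplicated findings at/above min_severity that have a fix."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    seen = set()
    findings = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        fix = vuln.get("fix", {})
        # Unknown/absent severities rank -1 and never pass the threshold.
        if SEVERITY_RANK.get(vuln.get("severity", "Unknown"), -1) < threshold:
            continue
        # Keep only matches Grype marks as fixed with at least one fixed version.
        if fix.get("state") != "fixed" or not fix.get("versions"):
            continue
        key = (vuln["id"], artifact["name"], artifact["version"])
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "id": vuln["id"],
            "package": artifact["name"],
            "type": artifact["type"],
            "installed": artifact["version"],
            "fixed_in": fix["versions"][0],
            "severity": vuln["severity"],
        })
    # Most severe first, then alphabetical by package for a stable list.
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["package"]))
    return findings


def format_finding(finding):
    """Render one finding in the 'ID - pkg type package vX, patched in vY' style."""
    return (f"{finding['id']} - {finding['package']} {finding['type']} package "
            f"v{finding['installed']}, patched in v{finding['fixed_in']}")


if __name__ == "__main__":
    # Read a real report from stdin if one is piped in; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for finding in fixable_findings(data or SAMPLE_REPORT):
        print(format_finding(finding))
```

Lowering `min_severity` to "Medium" widens the list; keeping the de-duplication on (id, package, version) matters because base images often contain the same npm package at several paths, which would otherwise inflate the count a certification assessor sees.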