Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not pin CLI dependencies #8046

Closed
jennifer-shehane opened this issue Jul 21, 2020 · 2 comments · Fixed by #8060
Closed

Do not pin CLI dependencies #8046

jennifer-shehane opened this issue Jul 21, 2020 · 2 comments · Fixed by #8060
Assignees
@jennifer-shehane
Labels
type: dependencies type: enhancement Requested enhancement of existing feature

Comments

@jennifer-shehane
Copy link
Member

jennifer-shehane commented Jul 21, 2020
edited by sync-by-unito bot
Loading

Current behavior:

Currently, Cypress pins all dependencies. Previously we had preferred locking dependencies since we ran into issues before without locking, but since migrating to yarn for our own dev work, I've been told these concerns are more minimal.

"lodash": "4.17.19"

This introduces some issues:

  1. If there is a security vulnerability from a dep of Cypress found (highlighted through npm audit), our users are unable to run npm audit fix to bump the dependency themselves. This requires the user to use a convoluted workaround or for Cypress to release a new version - pushing a hotfix or waiting potentially 2 weeks for the scheduled release.

    Many of our users have rules around their builds/dev process not allowing them to move forward if npm audit fails, so this presents an issue for them. **See previous issues:**``````* lodash security vulnerability: https://github.com/cypress-io/cypress/issues/7921* minimist security vulnerability: https://github.com/cypress-io/cypress/issues/6793* another lodash security vulnerability: https://github.com/cypress-io/cypress/issues/4743

  2. Our pinning strategy and how we run yarn + npm when building the binary is contributing to an increase in size of the binary. Sometimes there are dupped dependencies included.


**See previous issues:**



* Fix lodash dup dep: https://github.com/cypress-io/cypress/pull/7954
* Built zip size keeps increasing: https://github.com/cypress-io/cypress/issues/5977 

    ### Desired behavior:
    Have looser restrictions on dependencies of Cypress, while using the correct dependencies to also build the binary.
    
    ```json
    "lodash": "^4.17.19"* Renovate should be able to handle the enforcement of our range strategy mostly: https://docs.renovatebot.com/configuration-options/#rangestrategy* Look into how `npm` is run to build the binary.### Versions4.10.0
@jennifer-shehane jennifer-shehane mentioned this issue Jul 21, 2020
Closed
@cypress-bot cypress-bot bot added the stage: ready for work The issue is reproducible and in scope label Jul 21, 2020
SwaroopH added a commit to blockvigil/moneyvigil that referenced this issue Jul 21, 2020
@SwaroopH
fixed more vulnerabilities but waiting on cypress-io/cypress#8046
4e2814a
@sync-by-unito sync-by-unito bot changed the title Do not pin dependencies Do not pin CLI dependencies Jul 21, 2020
@jennifer-shehane jennifer-shehane mentioned this issue Jul 22, 2020
Merged
1 task
@cypress-bot cypress-bot bot added stage: work in progress stage: needs review The PR code is done & tested, needs review and removed stage: ready for work The issue is reproducible and in scope stage: work in progress labels Jul 22, 2020
@cypress-bot cypress-bot bot added stage: pending release and removed stage: needs review The PR code is done & tested, needs review labels Jul 29, 2020
@cypress-bot
Copy link
Contributor

cypress-bot bot commented Jul 29, 2020

The code for this is done in cypress-io/cypress#8060, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

@cypress-bot
Copy link
Contributor

cypress-bot bot commented Aug 3, 2020

Released in 4.12.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v4.12.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Aug 3, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jennifer-shehane jennifer-shehane

Labels
type: dependencies type: enhancement Requested enhancement of existing feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: Use 'bump' range strategy for deps, use caret/tilde for CLI deps cypress-io/cypress
1 participant
@jennifer-shehane