Cypress 13.6.0 [flat][loader-utils][mocha-7.0.1] Critical vulnerabilites

[ElyessTekaya]

Hello

I use cypress/browsers:latest to create my base image

My Dockerfile

FROM cypress/browsers:latest

RUN mkdir /e2e
COPY cypress.config.js /e2e
COPY package.json /e2e
WORKDIR /e2e
RUN npm install --only=prod
RUN npm cache clean --force
ENTRYPOINT ["npm","test","run"]

I install cypress manually, this is the content of my package.json

{
    "scripts": {
     "clean:reports": "rm -rf  cypress/reports/mocha/* && rm -rf  cypress/reports/mochareports/*",
      "pretest": "npm run clean:reports",
      
      "scripts": "cypress run  --headed --browser $BROWSER --spec $ENVTEST ",
      "combine-reports": "mochawesome-merge ./cypress/reports/mocha/*.json > cypress/reports/mochareports/report.json",
      "generate-report": "marge cypress/reports/mochareports/report.json -f report -o cypress/reports/mochareports",
      "posttest": "npm run combine-reports && npm run generate-report",
      "test": "npm run scripts || npm run posttest "
  
    },
  
    "dependencies": {
      "cypress": "^13.6.0",
      "cypress-multi-reporters": "^1.4.0",
      "mocha": "^10.0.0",
      "mochawesome": "^6.2.1",
      "mochawesome-merge": "^4.2.0",
      "mochawesome-report-generator": "^5.1.0",
      "cypress-xpath": "^1.6.2"
    }
  }
 

Content of cypress.config.js

const { defineConfig } = require('cypress')

module.exports = defineConfig({
  failOnNetworkErrors: false,
  returnError: true,
  chromeWebSecurity: false,
  videoCompression: false,
  pageLoadTimeout: 660000,
  reporter: 'cypress-multi-reporters',
  reporterOptions: {
    reporterEnabled: 'mochawesome',
    mochawesomeReporterOptions: {
      reportDir: 'cypress/reports/mocha',
      quite: true,
      overwrite: false,
      html: true,
      json: true,
      video:true
    },
  },
  e2e: {
       specPattern: 'cypress/e2e/**/*.spec.js',
  },
})

I use AWS Inspector to scan vulnerabilities and I get 3 critcal ones :

root/.cache/Cypress/13.6.0/Cypress/resources/app/node_modules/flat/package.json (current 4.1.1)
Update flat to 5.0.2

root/.cache/Cypress/13.6.0/Cypress/resources/app/node_modules/mocha-7.0.1/node_modules/minimist/package.json (current 0.0.8)
Update minimist to 1.2.6

root/.cache/Cypress/13.6.0/Cypress/resources/app/node_modules/loader-utils/package.json (current 1.4.0)
Update loader-utils to 2.0.3

Any idea how can I fix it ?

PS : I know "cypress-xpath" is deprecated and no longer supported

[MikeMcC399]

@ElyessTekaya

The modules you list with security vulnerabilities are provided as part of the Cypress binary. They cannot be updated by Cypress Docker images and any update needs to come from the core https://github.com/cypress-io/cypress software.

Please read also the README > Usage documentation section and refer to the Cypress Security Policy.

[MikeMcC399]

Closing, since the Cypress Docker image cypress/browsers:latest does not contain any Cypress software and therefore the vulnerability report does not concern this repository. Even if cypress/included images were used, any issues need to be addressed directly through the process described on https://github.com/cypress-io/cypress .