plist update to version 3.0.6 needed #26089
Labels
E2E (Issue related to end-to-end testing)
good first issue (Good for newcomers)
Triaged (Issue has been routed to backlog. This is not a commitment to have it prioritized by the team.)
type: security 🔐 (Security related)
Current behavior
plist had a CVE in a recent version, but the reporting in the relevant databases seems to be incorrect.
NVD and CVE list only versions 3.0.4 and 3.0.5 as affected (https://nvd.nist.gov/vuln/detail/CVE-2022-22912#range-8131646), but according to the comments in the owner's git repository, the fix for CVE-2022-26260 didn't make it into plist:3.0.5, which is currently packaged with Cypress.
plist should be updated to v.3.0.6.
See TooTallNate/plist.js#128 and TooTallNate/plist.js#114.
Desired behavior
No response
Test code to reproduce
Scan the zip package, e.g. using the scanner provided at https://github.com/jeremylong/DependencyCheck
Location:
Cypress/resources/app/packages/launcher/package.json?launcher:0.0.0-development/plist:3.0.5
Cypress Version
12.7
Node version
18
Operating System
Linux
Debug Logs
No response
Other
No response