@yanxue-22 (Contributor) wrote:

TICKET: 1558

This PR addresses vulnerability GHSA-p8p7-x288-28g6, which involves Server-Side Request Forgery in the request package. Since request is deprecated, we use a patched, forked version of the package.

This PR addresses this and forces @celo/connect to stray away from transitively depending on the vulnerable request package, instead forcing it to use the patched version "npm:@cypress/[email protected]".

Validation results
- Celo module tests: All passing
- No runtime errors detected
- @cypress/[email protected] is a maintained fork designed as a drop-in replacement for the deprecated request package. While servify expects ^2.79.0, the updated package version is still compatible.
- Yarn Audit shows that GHSA-p8p7-x288-28g6 is no longer a vulnerability.
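A lockfile check, added here and not part of the PR, that a reviewer could run after applying the package.json `resolutions` override: it walks a yarn v1 lockfile and flags any `request@` entry that still resolves to the original request tarball instead of the @cypress/request fork. The lockfile excerpts are constructed, and `X.Y.Z` is a placeholder for the fork version, which this page does not state.

```shell
#!/bin/sh
# Added check (not part of the PR): confirm that a yarn v1 lockfile no longer
# resolves any "request@..." entry to the deprecated request tarball after the
# package.json "resolutions" override to the @cypress/request fork.

# Constructed lockfile excerpt showing the override in effect. X.Y.Z is a
# placeholder for the fork version, which this page does not state.
LOCK_PATCHED='"request@npm:@cypress/request@X.Y.Z":
  version "X.Y.Z"
  resolved "https://registry.yarnpkg.com/@cypress/request/-/request-X.Y.Z.tgz"
'

# Constructed excerpt where the override did NOT take effect: the range the
# page mentions (^2.79.0) still resolves to the original package.
LOCK_UNPATCHED='request@^2.79.0:
  version "2.88.2"
  resolved "https://registry.yarnpkg.com/request/-/request-2.88.2.tgz"
'

# check_request_resolved LOCKFILE_CONTENTS
# Prints every request@ entry whose "resolved" URL still points at the
# original package and returns 1; returns 0 when none remain.
check_request_resolved() {
  offenders=$(printf '%s\n' "$1" | awk '
    # A lockfile key line for the request package (possibly quoted/aliased).
    /^"?request@/ { key = $0; next }
    # The resolved line belonging to that key: flag it if the tarball path
    # is registry.yarnpkg.com/request/ rather than /@cypress/request/.
    key != "" && /^  resolved / {
      if ($0 ~ /registry\.yarnpkg\.com\/request\//) print key
      key = ""
    }')
  if [ -n "$offenders" ]; then
    printf 'request entries not resolved to @cypress/request:\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Usage against a real tree: check_request_resolved "$(cat yarn.lock)"
```

Run it alongside `yarn audit`: the audit reports the advisory, while this check shows which lockfile entries, if any, still pull the unpatched package.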

yanxue-22 force-pushed the DX-1558-Bump-Request-addressing-GHSA-p8p7-x288-28g6 branch 2 times, most recently from 0305e87 to 7886929 on September 25, 2025 15:52
yanxue-22 marked this pull request as ready for review September 25, 2025 16:24
yanxue-22 requested a review from a team as a code owner September 25, 2025 16:24
…vulnerability

Updates package.json resolutions to use @cypress/[email protected] instead of
the deprecated request package. This addresses the security vulnerability
GHSA-p8p7-x288-28g6

TICKET: DX-1558
therealdwright force-pushed the DX-1558-Bump-Request-addressing-GHSA-p8p7-x288-28g6 branch from 0e98ae6 to bbb6e7b on September 25, 2025 23:36

@therealdwright (Contributor) left a comment:

Cleaned up the merge commit from the PR.

therealdwright merged commit 03fe19c into master on Sep 26, 2025
12 checks passed