Query Regarding Vulnerability in @cypress/request - I want to maintain current version - 9.5.4 #27661
Unanswered
Nguyenanh2011 asked this question in Questions and Help
Replies: 0 comments
Dear Cypress Team,
I hope this email finds you well. I am reaching out to your esteemed team regarding a recent issue I've encountered while using the Cypress testing framework. I have thoroughly reviewed the documentation and explored various solutions, but I am seeking your expert advice to ensure the best course of action.
The issue revolves around a vulnerability in the @cypress/request package, specifically associated with Server-Side Request Forgery (SSRF) as indicated in advisory GHSA-p8p7-x288-28g6. The advisory recommends running npm audit fix --force to address the issue; however, this approach would lead to installing [email protected], which introduces breaking changes.
Additionally, this update affects compatibility with other packages, such as @cypress/request-promise, as it requires a newer version of @cypress/request.
Given these considerations, we are seeking guidance on how best to proceed. We have a few questions:
Are there any alternative solutions available that address the vulnerability in @cypress/request without requiring a breaking update to [email protected]?
Could you provide insights into the severity of the vulnerability and whether there are immediate risks that we should address?
Our team's priority is to maintain our current Cypress version, which is 9.5.4, due to compatibility considerations, while minimizing the potential disruption to our existing test suite. Your expertise and guidance in this matter would be invaluable to our team.
Thank you in advance for your assistance. We greatly appreciate your dedication to supporting the Cypress community and look forward to your insights.