Do not pin CLI dependencies #8046
Timeline:
- Jul 21, 2020: cypress-bot (bot) added the label "stage: ready for work" (The issue is reproducible and in scope).
- Jul 21, 2020: jennifer-shehane added the labels "type: enhancement" (Requested enhancement of existing feature), "type: dependencies" and "internal-priority".
- Jul 21, 2020: SwaroopH added a commit to blockvigil/moneyvigil that referenced this issue.
- Jul 21, 2020: sync-by-unito (bot) changed the title from "Do not pin dependencies" to "Do not pin CLI dependencies".
- Jul 22, 2020: cypress-bot (bot) added the labels "stage: work in progress" and "stage: needs review" (The PR code is done & tested, needs review), and removed the labels "stage: ready for work" (The issue is reproducible and in scope) and "stage: work in progress".
- Jul 29, 2020: cypress-bot (bot) added the label "stage: pending release" and removed the label "stage: needs review" (The PR code is done & tested, needs review).
Comment:
The code for this is done in cypress-io/cypress#8060, but has yet to be released.

Released in

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Current behavior:

Currently, Cypress pins all dependencies. Previously we had preferred locking dependencies since we ran into issues before without locking, but since migrating to `yarn` for our own dev work, I've been told these concerns are more minimal. This introduces some issues:

If there is a security vulnerability from a dep of Cypress found (highlighted through `npm audit`), our users are unable to run `npm audit fix` to bump the dependency themselves. This requires the user to use a convoluted workaround or for Cypress to release a new version - pushing a hotfix or waiting potentially 2 weeks for the scheduled release. Many of our users have rules around their builds/dev process not allowing them to move forward if `npm audit` fails, so this presents an issue for them.

**See previous issues:**

* lodash security vulnerability: https://github.com/cypress-io/cypress/issues/7921
* minimist security vulnerability: https://github.com/cypress-io/cypress/issues/6793
* another lodash security vulnerability: https://github.com/cypress-io/cypress/issues/4743

Our pinning strategy and how we run yarn + npm when building the binary is contributing to an increase in size of the binary. Sometimes there are dupped dependencies included.
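The issue above describes why exact pins in a published package's manifest matter to consumers: when an advisory lands on a transitive dependency, `npm audit fix` can only move versions within the ranges the manifest allows, so a pinned dependency cannot be bumped downstream. The following is an added example, not code from this issue or from the Cypress project. It classifies each dependency spec in a package.json object as an exact pin, a semver range, or something else (git, file, URL or `npm:` alias specs), so a reviewer can see at a glance which dependencies a consumer would be unable to patch. The sample manifest is constructed for the example, the function names are this example's own, and the semver grammar is simplified (assumption: three-part versions with optional prerelease/build metadata count as exact; everything else that is not a URL or alias counts as a range).

```javascript
// Added example (not from the Cypress issue or the Cypress code base).
// Reports which dependency specs in a package.json are exact pins versus
// ranges. An exact pin in a package's own manifest means a consumer's
// `npm audit fix` cannot bump that dependency when an advisory is published;
// they have to wait for a new release of the package.
// The range grammar is deliberately simplified (assumption).

// Exact version: optional "=" or "v", then MAJOR.MINOR.PATCH, with optional
// prerelease ("-beta.1") and build ("+sha") suffixes.
const EXACT_VERSION_RE =
  /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns 'exact', 'range', or 'other'. 'other' covers specs that are not a
// plain semver string (npm: alias, file:, git+ssh:, http(s):, user/repo
// shorthand) and need separate handling; a version string never contains
// ':' or '/'.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s.includes(':') || s.includes('/')) return 'other';
  if (EXACT_VERSION_RE.test(s)) return 'exact';
  return 'range'; // "", "*", "latest", "^x", "~x", "1.2.x", ">=1 <2", "1 || 2", ...
}

// Walks the dependency fields a consumer actually installs and groups each
// entry by how it was specified. devDependencies are skipped on purpose:
// they are not installed by consumers of a published package.
function auditPins(pkg) {
  const fields = ['dependencies', 'optionalDependencies'];
  const report = { exact: [], range: [], other: [] };
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      report[classifySpec(spec)].push({ field, name, spec });
    }
  }
  return report;
}

// Renders a short summary suitable for a CI log or a review comment.
function formatReport(report) {
  const lines = [];
  for (const { name, spec } of report.exact) {
    lines.push(`PINNED  ${name}@${spec}  (a consumer's npm audit fix cannot bump this)`);
  }
  for (const { name, spec } of report.range) {
    lines.push(`RANGE   ${name}@${spec}`);
  }
  for (const { name, spec } of report.other) {
    lines.push(`OTHER   ${name}@${spec}  (non-registry or aliased spec, check by hand)`);
  }
  return lines.join('\n');
}

// Constructed sample manifest for the example (not Cypress's real package.json).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-cli',
  version: '1.0.0',
  dependencies: {
    lodash: '4.17.15',   // exact pin: a lodash advisory would block consumers
    minimist: '1.2.0',   // exact pin
    debug: '^4.1.1',     // caret range: a consumer's audit fix can move it
    chalk: '~2.4.2',     // tilde range
    'legacy-tool': 'npm:legacy-tool-fork@1.0.0', // npm alias, reported separately
  },
  optionalDependencies: {
    fsevents: '2.1.3',   // exact pin
  },
};

console.log(formatReport(auditPins(SAMPLE_PACKAGE_JSON)));
```

Run with `node` on a real manifest by replacing `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync('package.json', 'utf8'))`; the `PINNED` lines are the ones the issue is about, since each of them fixes a version that only a new release of the package itself can change.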