High severity vulnerabilities in dependencies

[m-hauck]

Hi there,

I get the following four high severity vulnerabilities after installing the latest version 1.14.1.

Is there any plan to fix the issues with updated dependencies?

# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install browserstack-cypress-cli@1.1.2, which is a breaking change
node_modules/winston/node_modules/async
  winston  0.4.0 - 2.4.5 || 3.0.0-rc0 - 3.0.0-rc6
  Depends on vulnerable versions of async
  node_modules/winston
    browserstack-cypress-cli  >=1.1.4
    Depends on vulnerable versions of requestretry
    Depends on vulnerable versions of winston
    node_modules/browserstack-cypress-cli

requestretry  <7.0.0
Severity: high
Cookie exposure in requestretry - https://github.com/advisories/GHSA-hjp8-2cm3-cc45
fix available via `npm audit fix --force`
Will install browserstack-cypress-cli@1.1.2, which is a breaking change
node_modules/requestretry

4 high severity vulnerabilities

[pranavj1001]

Hey @m-hauck, can you please try upgrading to v1.16.0. We have bumped up the version and on running npm audit, we can see no high or critical vulnerabilities now.

[m-hauck]

Hi @pranavj1001, thanks for the update. This fixes the four high severity vulnerabilities for me. Now I only got five moderate severity vulnerabilities left.

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install browserstack-cypress-cli@1.10.1, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        browserstack-cypress-cli  >=1.11.0
        Depends on vulnerable versions of update-notifier
        node_modules/browserstack-cypress-cli

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Is there any plan on fixing those as well?

[pranavj1001]

Hey @m-hauck, we don't have plans for fixing this in the near future. Updating update-notifier library is introducing some breaking changes for browserstack-cypress-cli. We'll revisit this. Till then, I'm keeping this issue open.