Critical vulnerability in latest image

[jose-alvarez-r]

Hello team,

It seems that image

cypress/browsers:node-20.11.0-chrome-121.0.6167.85-1-ff-120.0-edge-121.0.2277.83-1

has some critical vulnerability according to checkov code scanning

https://security-tracker.debian.org/tracker/CVE-2023-6879

The base image has been fixed, but no updates in cypress image.

Could you please have a look? Any plan image updating?

Thank you

[jennifer-shehane]

We have a Cypress Docker Factory which allows you to customize your own docker image for use. You can also update your dockerfile to modify the image to meet whatever requirements you want. These images are provided to help in development and are not production ready.

That being said there are a couple of disclaimers:

1. Cypress docker containers are provided to end users for ease of use and should not be used in a production environment.
2. We have seen Snyk report vulnerabilities in dependencies before that are not actually exploitable in any intended uses of our app. As such the risk of these exploits is extremely low or almost zero.

If you have found an exploitable vulnerability please do contact us at [email protected] with details about reproducing that exploit and we will investigate.