Merge branch 'develop' into feat/cy-prompt

Author: ryanthemanuel

.circleci/workflows.yml

@@ -1,7 +1,7 @@
 version: 2.1
 
-chrome-stable-version: &chrome-stable-version "137.0.7151.103"
-chrome-beta-version: &chrome-beta-version "138.0.7204.23"
+chrome-stable-version: &chrome-stable-version "138.0.7204.49"
+chrome-beta-version: &chrome-beta-version "139.0.7258.5"
 firefox-stable-version: &firefox-stable-version "137.0"
 
 orbs:

cli/CHANGELOG.md

@@ -1,4 +1,12 @@
 <!-- See the ../guides/writing-the-cypress-changelog.md for details on writing the changelog. -->
+## 14.5.1
+
+_Released 7/01/2025 (PENDING)_
+
+**Dependency Updates:**
+
+- Updated `pbkdf2` from `3.1.2` to `3.1.3`. This removes the [SNYK-JS-PBKDF2-10495498](https://security.snyk.io/vuln/SNYK-JS-PBKDF2-10495498) vulnerability being reported in security scans. Addressed in [#31941](https://github.com/cypress-io/cypress/pull/31941).
+
 ## 14.5.0
 
 _Released 6/17/2025_
@@ -10,6 +18,7 @@ _Released 6/17/2025_
 **Bugfixes:**
 
 - Fixed an issue when using `Cypress.stop()` where a run may be aborted prior to receiving the required runner events causing Test Replay to not be available. Addresses [#31781](https://github.com/cypress-io/cypress/issues/31781).
+- Fixed an issue where prerequests with Firefox BiDi were prematurely being removed or matched incorrectly. Addresses [#31482](https://github.com/cypress-io/cypress/issues/31482).
 
 ## 14.4.1
 

npm/webpack-batteries-included-preprocessor/package.json

@@ -23,7 +23,7 @@
     "coffee-loader": "^4.0.0",
     "coffeescript": "2.6.0",
     "constants-browserify": "^1.0.0",
-    "crypto-browserify": "^3.12.0",
+    "crypto-browserify": "^3.12.1",
     "debug": "^4.3.4",
     "domain-browser": "^4.22.0",
     "events": "^3.3.0",

packages/driver/cypress/e2e/cy/snapshot.cy.js

@@ -5,14 +5,6 @@ describe('driver/src/cy/snapshots', () => {
     beforeEach(() => {
       cy.visit('/fixtures/invalid_html.html')
     })
-
-    it('can snapshot html with invalid attributes', () => {
-      const { htmlAttrs } = cy.createSnapshot()
-
-      expect(htmlAttrs).to.eql({
-        foo: 'bar',
-      })
-    })
   })
 
   context('snapshot no html/doc', () => {

packages/network/lib/agent.ts

@@ -126,7 +126,7 @@ export const createProxySock = (opts: CreateProxySockOpts, cb: CreateProxySockCb
 
 export const isRequestHttps = (options: http.RequestOptions) => {
   // WSS connections will not have an href, but you can tell protocol from the defaultAgent
-  return _.get(options, '_defaultAgent.protocol') === 'https:' || (options.href || '').slice(0, 6) === 'https'
+  return _.get(options, '_defaultAgent.protocol') === 'https:' || (options.href || '').slice(0, 6) === 'https:'
 }
 
 export const isResponseStatusCode200 = (head: string) => {
@@ -210,6 +210,20 @@ export class CombinedAgent {
       }
     }
 
+    // If the path property is a fully qualified URL, which is what as Axios appears to set,
+    // parse the URL and set the href, path, and port based on this path
+    if (typeof options.path === 'string' && /^http(s)?:\/\//.test(options.path)) {
+      const pathUrl = new URL(options.path)
+      const portToSet = pathUrl.port ?? options.port
+
+      options.href = options.path
+      options.path = pathUrl.pathname
+
+      if (portToSet) {
+        options.port = Number(portToSet)
+      }
+    }
+
     const isHttps = isRequestHttps(options)
 
     if (!options.href) {
@@ -443,7 +457,3 @@ class HttpsAgent extends https.Agent {
 const agent = new CombinedAgent()
 
 export default agent
-
-export const httpsAgent = new HttpsAgent()
-
-export const httpAgent = new HttpAgent()

packages/proxy/lib/http/util/prerequests.ts

@@ -141,7 +141,7 @@ export class PreRequests {
       const now = Date.now()
 
       this.pendingPreRequests.removeMatching(({ cdpRequestWillBeSentReceivedTimestamp, browserPreRequest }) => {
-        if (cdpRequestWillBeSentReceivedTimestamp + this.sweepInterval < now) {
+        if (cdpRequestWillBeSentReceivedTimestamp !== 0 && (cdpRequestWillBeSentReceivedTimestamp + this.sweepInterval < now)) {
           debugVerbose('timed out unmatched pre-request: %o', browserPreRequest)
           metrics.unmatchedPreRequests++
 

packages/proxy/test/unit/http/util/prerequests.spec.ts

@@ -309,4 +309,20 @@ describe('http/util/prerequests', () => {
     expect(preRequests.pendingPreRequests.length).to.eq(1)
     expect(preRequests.pendingPreRequests.shift('GET-foo|bar')).not.to.be.undefined
   })
+
+  it('does not remove pre-requests when sweeping if cdpRequestWillBeSentReceivedTimestamp is 0', async () => {
+    // set the current time to 1000 ms
+    sinon.stub(Date, 'now').returns(1000)
+
+    // set a sweeper timer of 10 ms
+    preRequests = new PreRequests(10, 10)
+    preRequests.setProtocolManager(protocolManager)
+
+    preRequests.addPending({ requestId: '1234', url: 'foo', method: 'GET', cdpRequestWillBeSentReceivedTimestamp: 0 } as BrowserPreRequest)
+
+    // give the sweeper plenty of time to run. Iur request should still not be removed
+    await new Promise((resolve) => setTimeout(resolve, 1000))
+
+    expect(preRequests.pendingPreRequests.length).to.eq(1)
+  })
 })

packages/server/lib/browsers/bidi_automation.ts

@@ -172,10 +172,13 @@ export class BidiAutomation {
 
     const resourceType = normalizeResourceType(params.request.initiatorType)
 
+    const urlWithoutHash = url.includes('#') ? url.substring(0, url.indexOf('#')) : url
+
     const browserPreRequest: BrowserPreRequest = {
       requestId: params.request.request,
       method: params.request.method,
-      url,
+      // urls coming into the http middleware contain query params, but lack the hash. To get an accurate key to match on the prerequest, we need to remove the hash.
+      url: urlWithoutHash,
       headers: parsedHeaders,
       resourceType,
       originalResourceType: params.request.initiatorType || params.request.destination,

packages/server/lib/cloud/api/cloud_request.ts

@@ -3,28 +3,44 @@
  */
 import os from 'os'
 
+import followRedirects from 'follow-redirects'
 import axios, { AxiosInstance } from 'axios'
-
 import pkg from '@packages/root'
-import { httpAgent, httpsAgent } from '@packages/network/lib/agent'
+import agent from '@packages/network/lib/agent'
 
 import app_config from '../../../config/app.json'
 import { installErrorTransform } from './axios_middleware/transform_error'
 import { installLogging } from './axios_middleware/logging'
 
 // initialized with an export for testing purposes
-export const _create = (): AxiosInstance => {
+export const _create = (options: { baseURL?: string } = {}): AxiosInstance => {
   const cfgKey = process.env.CYPRESS_CONFIG_ENV || process.env.CYPRESS_INTERNAL_ENV || 'development'
 
   const instance = axios.create({
-    baseURL: app_config[cfgKey].api_url,
-    httpAgent,
-    httpsAgent,
+    baseURL: options.baseURL ?? app_config[cfgKey].api_url,
+    httpAgent: agent,
+    httpsAgent: agent,
     headers: {
       'x-os-name': os.platform(),
       'x-cypress-version': pkg.version,
       'User-Agent': `cypress/${pkg.version}`,
     },
+    transport: {
+      // https://github.com/axios/axios/issues/6313#issue-2198831362
+      // Tapping into the transport seems the only way to handle this at the moment:
+      // https://github.com/axios/axios/blob/a406a93e2d99c3317596f02f3537f5457a2a80fd/lib/adapters/http.js#L438-L450
+      request (options, cb) {
+        if ((process.env.HTTP_PROXY || process.env.HTTPS_PROXY) && options.headers['Proxy-Authorization']) {
+          delete options.headers['Proxy-Authorization']
+        }
+
+        if (/https:?/.test(options.protocol)) {
+          return followRedirects.https.request(options, cb)
+        }
+
+        return followRedirects.http.request(options, cb)
+      },
+    },
   })
 
   installLogging(instance)

packages/server/lib/cloud/api/index.ts

@@ -15,7 +15,7 @@ const errors = require('../../errors')
 import Bluebird from 'bluebird'
 
 import type { AfterSpecDurations } from '@packages/types'
-import { agent } from '@packages/network'
+import agent from '@packages/network/lib/agent'
 import type { CombinedAgent } from '@packages/network/lib/agent'
 
 import { apiUrl, apiRoutes, makeRoutes } from '../routes'
@@ -479,7 +479,7 @@ export default {
     .catch(tagError)
   },
 
-  createInstance (runId: string, body: CreateInstanceRequestBody, timeout: number = 0): Bluebird<CreateInstanceResponse> {
+  createInstance (runId: string, body: CreateInstanceRequestBody, timeout?: number): Bluebird<CreateInstanceResponse> {
     return retryWithBackoff((attemptIndex) => {
       return rp.post({
         body,