
OCPBUGS-70285: Upgrade cypress to v15 to fix CVEs#345

Open
upalatucci wants to merge 1 commit into openshift:main from upalatucci:fix/cve-upgrade-cypress-15

Conversation

@upalatucci
Contributor

@upalatucci upalatucci commented Feb 13, 2026

Summary

Upgrade dependencies to resolve open CVEs.

Dependency Updates

  • cypress: ^12.17.4 → ^15.0.0
  • @cypress/webpack-preprocessor: ^5.15.5 → ^7.0.0
  • cypress-multi-reporters: ^1.6.2 → ^2.0.0

Jira Issues

…ess to v15 to fix CVE-2025-15284

Upgrade cypress from v12 to v15, along with @cypress/webpack-preprocessor
(v5 -> v7) and cypress-multi-reporters (v1 -> v2), to resolve the qs
DoS vulnerability (CVE-2025-15284) in the transitive dependency
@cypress/request.

This also resolves the related @cypress/request SSRF (GHSA-p8p7-x288-28g6)
and form-data (GHSA-fjxv-7rqg-78g4) vulnerabilities that were present
in cypress v12.

CVE fixes addressed:
- CVE-2025-13465 (lodash): already at 4.17.23
- CVE-2026-22029 (react-router): not affected (v5, not v7)
- CVE-2025-15284 (qs): fixed by cypress upgrade
- CVE-2025-12816 (node-forge): not in dependency tree
- CVE-2025-66031 (node-forge): not in dependency tree

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 13, 2026
@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70282, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.17.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-70283, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.18.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-70284, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.19.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-70285, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Upgrade cypress from v12 to v15 to resolve CVE-2025-15284 (qs DoS vulnerability) in the transitive dependency @cypress/request.

Changes

  • cypress: ^12.17.4 → ^15.0.0
  • @cypress/webpack-preprocessor: ^5.15.5 → ^7.0.0
  • cypress-multi-reporters: ^1.6.2 → ^2.0.0

CVE Status

All 5 CVEs tracked for openshift4/ose-networking-console-plugin-rhel9 are addressed:

CVE              Package                 Resolution
CVE-2025-15284   qs < 6.14.1             Fixed — cypress v15 uses @cypress/request@3.0.10 with qs@6.14.2
CVE-2025-13465   lodash < 4.17.23        Already at 4.17.23
CVE-2026-22029   react-router 7.0-7.11   Not affected — project uses v5.3.4
CVE-2025-12816   node-forge <= 1.3.1     Not in dependency tree
CVE-2025-66031   node-forge <= 1.3.1     Not in dependency tree

Jira Issues

OCPBUGS-70282, OCPBUGS-70283, OCPBUGS-70284, OCPBUGS-70285,
OCPBUGS-74456, OCPBUGS-74462, OCPBUGS-74468, OCPBUGS-74473,
OCPBUGS-73640, OCPBUGS-73647, OCPBUGS-73654, OCPBUGS-73660,
OCPBUGS-67249, OCPBUGS-67250, OCPBUGS-67251, OCPBUGS-67252,
OCPBUGS-66271, OCPBUGS-66275, OCPBUGS-66279, OCPBUGS-66283

Notes

  • No cypress configuration file changes were needed
  • The only test file is describe.skip'd
  • Cypress 15 requires Node.js 20+ (drops Node 18)
  • Build and lint pass successfully

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
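The CVE Status table quoted above asserts specific resolved versions (qs@6.14.2 under @cypress/request@3.0.10, lodash at 4.17.23, react-router on v5). The following is an added example, not code from this PR or the openshift project, showing how to check such claims against the actual lockfile: it walks a package-lock.json v2/v3 `packages` map, nested node_modules copies included, against the advisory ranges the table quotes. The lock fragment, the stale `old-tool` nesting, and the reading of "react-router 7.0-7.11" as 7.0.0 <= v < 7.12.0 are constructed assumptions.

```javascript
// Added example (not the PR's or the project's code): audit a package-lock.json
// (lockfileVersion 2/3) "packages" map, nested node_modules copies included, against
// the advisory ranges quoted in the PR's CVE Status table.

// Minimal semver compare on MAJOR.MINOR.PATCH; prerelease tags are ignored.
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Ranges as stated on the PR page; `vulnerable` returns true for an affected version.
// Assumption: "react-router 7.0-7.11" is read as 7.0.0 <= v < 7.12.0.
const ADVISORIES = [
  { cve: "CVE-2025-15284", pkg: "qs", vulnerable: (v) => cmp(v, "6.14.1") < 0 },
  { cve: "CVE-2025-13465", pkg: "lodash", vulnerable: (v) => cmp(v, "4.17.23") < 0 },
  { cve: "CVE-2026-22029", pkg: "react-router",
    vulnerable: (v) => cmp(v, "7.0.0") >= 0 && cmp(v, "7.12.0") < 0 },
  { cve: "CVE-2025-12816", pkg: "node-forge", vulnerable: (v) => cmp(v, "1.3.1") <= 0 },
  { cve: "CVE-2025-66031", pkg: "node-forge", vulnerable: (v) => cmp(v, "1.3.1") <= 0 },
];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function pkgNameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}

// Returns one finding per (advisory, installed copy) match, keyed by lockfile path,
// so a stale nested duplicate is reported even when the top-level copy is fixed.
function auditLock(lock, advisories) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = pkgNameFromPath(path);
    if (!name || !meta.version) continue;
    for (const adv of advisories) {
      if (adv.pkg === name && adv.vulnerable(meta.version)) {
        findings.push({ cve: adv.cve, pkg: name, version: meta.version, path, dev: Boolean(meta.dev) });
      }
    }
  }
  return findings;
}
// Constructed lock fragment: the versions the PR reports after the upgrade, plus a
// hypothetical stale nested copy of qs under "old-tool" to show what the audit catches.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-plugin", devDependencies: { cypress: "^15.0.0" } },
    "node_modules/cypress": { version: "15.0.0", dev: true },
    "node_modules/@cypress/request": { version: "3.0.10", dev: true },
    "node_modules/qs": { version: "6.14.2", dev: true },
    "node_modules/lodash": { version: "4.17.23" },
    "node_modules/react-router": { version: "5.3.4" },
    "node_modules/old-tool/node_modules/qs": { version: "6.13.0", dev: true },
  },
};
for (const f of auditLock(SAMPLE_LOCK, ADVISORIES)) {
  console.log(`${f.cve}: ${f.path}@${f.version}${f.dev ? " (devDependency)" : ""}`);
}
```

Against the sample lock only the nested qs@6.13.0 copy is reported; pointing the same function at a real package-lock.json is how the table's "Fixed" and "Not in dependency tree" entries can be verified rather than trusted.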

@coderabbitai

coderabbitai bot commented Feb 13, 2026

Walkthrough

Updated three development dependencies in package.json: Cyrus Cypress preprocessor to v7.0.0, Cypress to v15.0.0, and Cypress multi-reporter to v2.0.0. No scripts or other dependencies were modified.

Changes

Cohort / File(s): Development Dependencies (package.json)
Summary: Updated Cypress ecosystem devDependencies: Cyrus Cypress preprocessor (^5.15.5 → ^7.0.0), Cypress (^12.17.4 → ^15.0.0), and Cypress multi-reporter (^1.6.2 → ^2.0.0).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70282, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.17.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-70283, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.18.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-70284, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.19.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-70285, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Summary

Upgrade cypress from v12 to v15 to resolve CVE-2025-15284 (qs DoS vulnerability).

Jira Issues

  • OCPBUGS-70282, OCPBUGS-70283, OCPBUGS-70284, OCPBUGS-70285 (CVE-2025-15284)
  • OCPBUGS-74456, OCPBUGS-74462, OCPBUGS-74468, OCPBUGS-74473 (CVE-2025-13465)
  • OCPBUGS-73640, OCPBUGS-73647, OCPBUGS-73654, OCPBUGS-73660 (CVE-2026-22029)
  • OCPBUGS-67249, OCPBUGS-67250, OCPBUGS-67251, OCPBUGS-67252 (CVE-2025-12816)
  • OCPBUGS-66271, OCPBUGS-66275, OCPBUGS-66279, OCPBUGS-66283 (CVE-2025-66031)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from avivtur and tnisan February 13, 2026 09:22

@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

35-59: ⚠️ Potential issue | 🟡 Minor

Update @types/node to ^20 for consistency with Cypress 15's Node.js requirement.

Cypress 15 requires Node.js 20.x, 22.x, or 24.x and dropped support for Node 18. While the OCP 4.22 builder image (rhel-9-base-nodejs-openshift-4.22) likely already provides Node 20+, the devDependency @types/node at line 48 is still set to ^18.0.0. Update it to ^20.0.0 to align the type definitions with your actual runtime and testing environment.

No engines field exists in package.json, so explicitly set "engines": { "node": ">=20" } to prevent developers from using Node 18.

@openshift-ci

openshift-ci bot commented Feb 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: upalatucci

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 13, 2026
@upalatucci upalatucci changed the title OCPBUGS-70282,OCPBUGS-70283,OCPBUGS-70284,OCPBUGS-70285: Upgrade cypress to v15 to fix CVE-2025-15284 OCPBUGS-70285,OCPBUGS-74473,OCPBUGS-73660,OCPBUGS-67252,OCPBUGS-66283: Upgrade cypress to v15 to fix CVEs Feb 13, 2026
@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70285, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-74473, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-73660, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-67252, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-66283, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Upgrade cypress from v12 to v15 to resolve open CVEs.

Jira Issues

  • OCPBUGS-70285 (CVE-2025-15284)
  • OCPBUGS-74473 (CVE-2025-13465)
  • OCPBUGS-73660 (CVE-2026-22029)
  • OCPBUGS-67252 (CVE-2025-12816)
  • OCPBUGS-66283 (CVE-2025-66031)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70285, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-74473, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-73660, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-67252, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-66283, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Summary

Upgrade dependencies to resolve open CVEs.

Dependency Updates

  • cypress: ^12.17.4 → ^15.0.0
  • @cypress/webpack-preprocessor: ^5.15.5 → ^7.0.0
  • cypress-multi-reporters: ^1.6.2 → ^2.0.0

Jira Issues

  • OCPBUGS-70285 (CVE-2025-15284 — qs DoS)
  • OCPBUGS-74473 (CVE-2025-13465 — lodash prototype pollution)
  • OCPBUGS-73660 (CVE-2026-22029 — React Router XSS)
  • OCPBUGS-67252 (CVE-2025-12816 — node-forge interpretation conflict)
  • OCPBUGS-66283 (CVE-2025-66031 — node-forge ASN.1 recursion)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@upalatucci upalatucci changed the title OCPBUGS-70285,OCPBUGS-74473,OCPBUGS-73660,OCPBUGS-67252,OCPBUGS-66283: Upgrade cypress to v15 to fix CVEs OCPBUGS-70285: Upgrade cypress to v15 to fix CVEs Feb 13, 2026
@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70285, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Upgrade dependencies to resolve open CVEs.

Dependency Updates

  • cypress: ^12.17.4 → ^15.0.0
  • @cypress/webpack-preprocessor: ^5.15.5 → ^7.0.0
  • cypress-multi-reporters: ^1.6.2 → ^2.0.0

Jira Issues

  • OCPBUGS-70285 (CVE-2025-15284 — qs DoS)
  • OCPBUGS-74473 (CVE-2025-13465 — lodash prototype pollution)
  • OCPBUGS-73660 (CVE-2026-22029 — React Router XSS)
  • OCPBUGS-67252 (CVE-2025-12816 — node-forge interpretation conflict)
  • OCPBUGS-66283 (CVE-2025-66031 — node-forge ASN.1 recursion)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@upalatucci
Contributor Author

/cherry-pick release-4.21

@openshift-cherrypick-robot

@upalatucci: once the present PR merges, I will cherry-pick it on top of release-4.21 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@upalatucci
Contributor Author

/jira refresh

@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70285, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@upalatucci upalatucci removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Feb 13, 2026
@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70285, which is invalid:

  • expected the vulnerability to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Summary

Upgrade dependencies to resolve open CVEs.

Dependency Updates

  • cypress: ^12.17.4 → ^15.0.0
  • @cypress/webpack-preprocessor: ^5.15.5 → ^7.0.0
  • cypress-multi-reporters: ^1.6.2 → ^2.0.0

Jira Issues

  • OCPBUGS-70285 (CVE-2025-15284 — qs DoS)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Feb 13, 2026
@upalatucci
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 13, 2026
@openshift-ci-robot

@upalatucci: This pull request references Jira Issue OCPBUGS-70285, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xiaojiey

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from xiaojiey February 13, 2026 09:58
@openshift-ci

openshift-ci bot commented Feb 13, 2026

@upalatucci: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
