BREAKING: [Snyk] Security upgrade webpack-dev-server from 4.15.1 to 5.0.0 #28926

Closed
wants to merge 4 commits into from

Conversation

cadrake
Contributor

@cadrake cadrake commented Feb 12, 2024

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • npm/webpack-dev-server/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project. You will need to run yarn to update the contents of the .yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed

With an upgrade:

Severity: medium
Priority Score (*): 631/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.2)
Issue: Missing Release of Resource after Effective Lifetime (SNYK-JS-INFLIGHT-6095116)
Breaking Change: Yes
Exploit Maturity: Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.


cypress bot commented Feb 12, 2024

24 failed and 4 flaky tests on run #54071 ↗︎

Failed 24 · Passed 7991 · Pending 399 · Skipped 32 · Flaky 4

Details:

bump to 5.0.1
Project: cypress Commit: b91c7b5695
Status: Failed Duration: 13:03
Started: Feb 16, 2024 2:46 PM Ended: Feb 16, 2024 2:59 PM

Failed specs (the first 5 are shown; see all 1031 specs in Cypress Cloud):
  • e2e/origin/cookie_login.cy.ts • 0 failed tests • 5x-driver-electron
  • commands/actions/type_special_chars.cy.js • 0 failed tests • 5x-driver-electron
  • commands/querying/querying.cy.js • 0 failed tests • 5x-driver-electron
  • e2e/origin/cookie_behavior.cy.ts • 0 failed tests • 5x-driver-electron
  • commands/actions/check.cy.js • 0 failed tests • 5x-driver-electron

Flaky specs:
  • cypress/e2e/commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-chrome:beta
    network stubbing > waiting and aliasing > yields the expected interception when two requests are raced
  • cypress/e2e/commands/net_stubbing.cy.ts • 1 flaky test • 5x-driver-chrome
    network stubbing > waiting and aliasing > yields the expected interception when two requests are raced
  • cypress/e2e/commands/net_stubbing.cy.ts • 2 flaky tests • 5x-driver-webkit
    network stubbing > intercepting request > can delay and throttle a StaticResponse
    ... > with `times` > only uses each handler N times

Review all test suite changes for PR #28926 ↗︎

Contributor

@AtofStryker AtofStryker left a comment


To support wds@5, we will need to update the code in webpack-dev-server to handle v5, as well as install the correct types, make sure there are no conflicts there, and add appropriate unit tests in the package.

We also need to add system-tests like we have here (see readme) for wds v3 and v4.

@robcmills

Not sure why the PR description mentions this will fix a vulnerability with "Inflight", but this upgrade will enable us to upgrade our direct dependency on webpack-dev-server v4 -> 5 which we are trying to do in order to address this high severity vulnerability in wds itself:

https://security.snyk.io/vuln/SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555

@robcmills

I think we are somewhat blocked from upgrading our webpack-dev-server by this. When we upgrade wds to v5 and try to run component tests, we get the following error:

Your configFile threw an error from: cypress.config.js

We stopped running your tests because your config file crashed.

Error: Unexpected major version of webpack-dev-server. Cypress webpack-dev-server works with webpack-dev-server versions 3, 4 - saw 5.0.4
    at getMajorVersion (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/helpers/sourceRelativeWebpackModules.js:202:15)
    at sourceWebpackDevServer (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/helpers/sourceRelativeWebpackModules.js:140:37)
    at sourceDefaultWebpackDependencies (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/helpers/sourceRelativeWebpackModules.js:189:30)
    at defaultWebpackModules (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:79:140)
    at getPreset (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:99:20)
    at Function.devServer.create (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:111:67)
    at /Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:26:40
    at new Promise (<anonymous>)
    at devServer (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/webpack-dev-server/dist/devServer.js:24:12)
    at Object.handler (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_require_async_child.js:166:24)
    at RunPlugins.invoke (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_plugins.js:185:18)
    at /Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/util.js:59:14
    at tryCatcher (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/node_modules/bluebird/js/release/util.js:16:23)
    at Function.Promise.attempt.Promise.try (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/node_modules/bluebird/js/release/method.js:39:29)
    at Object.wrapChildPromise (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/util.js:58:23)
    at Object.wrap (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/dev-server.js:18:8)
    at RunPlugins.execute (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_plugins.js:155:26)
    at EventEmitter.<anonymous> (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/child/run_plugins.js:56:12)
    at EventEmitter.emit (node:events:514:28)
    at EventEmitter.emit (node:domain:488:12)
    at process.<anonymous> (/Users/robcmills/Library/Caches/Cypress/13.6.6/Cypress.app/Contents/Resources/app/packages/server/lib/plugins/util.js:33:22)
    at process.emit (node:events:514:28)

Unless there is a way around this I am unaware of. Some way to force cypress to "fallback to the version bundled with this package"?

https://github.com/cypress-io/cypress/blob/develop/npm/webpack-dev-server/src/helpers/sourceRelativeWebpackModules.ts#L182

@robcmills

@jennifer-shehane @mschile

Any update on whether/when this will be addressed?

@AtofStryker
Contributor

> @jennifer-shehane @mschile
>
> Any update on whether/when this will be addressed?

@robcmills I will be looking at this issue over the next few days. Your wds upgrade is indeed blocked by this issue.

@AtofStryker
Contributor

AtofStryker commented Apr 11, 2024

I created a separate issue to support wds 5 (#29305), as bumping the dependency on wds from 4 to 5 in the @cypress/webpack-dev-server package is a breaking change not only to @cypress/webpack-dev-server but also to the component testing shipped with Cypress, as users who are on webpack 4 and using wds 4 would be broken. This change would need to be implemented in Cypress 14.

However, we can still support wds v5; it just won't be the shipped default. So if a user has wds 5 installed, @cypress/webpack-dev-server should work for them, which is the scope of #29305.

@AtofStryker AtofStryker removed their assignment Apr 11, 2024
@AtofStryker AtofStryker changed the title [Snyk] Security upgrade webpack-dev-server from 4.15.1 to 5.0.0 BREAKING: [Snyk] Security upgrade webpack-dev-server from 4.15.1 to 5.0.0 Apr 11, 2024
@jennifer-shehane jennifer-shehane marked this pull request as draft April 23, 2024 23:07
Labels: type: breaking change (Requires a new major release version)
5 participants