[svengbr] cypress-plugin-snapshots causes GitHub Dependabot message
Where to find the issue
https://github.com/corona-warn-app/cwa-website/blob/master/package.json
Line 54
"devDependencies": {
...
"cypress-plugin-snapshots": "^1.4.4",
...
}
Describe the issue
This is a follow-on to Differences in package-lock.json from nodejs concerning the web test environment.
cypress-plugin-snapshots defined in the devDependencies object of package.json causes the GitHub Dependabot to warn that jpeg-js needs to be updated to >=0.4.0; however, that is not possible because of dependencies defined in the package cypress-plugin-snapshots@1.4.3.
Dependabot advises:
cypress-plugin-snapshots@1.4.4 requires jpeg-js@^0.3.4 via a transitive dependency on @jimp/jpeg@0.10.3
There is further information in https://github.com/advisories/GHSA-w7q9-p3jq-fmhm.
Edit: Originally "cypress-plugin-snapshots": "^1.4.3", now "cypress-plugin-snapshots": "^1.4.4", and the issue is the same.
Issue Analytics
- State:
- Created 3 years ago
- Comments: 7 (4 by maintainers)
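As an added illustration (not code from the issue or from either project), the sketch below walks a constructed, simplified lockfile to show why the alert cannot be cleared from this repository's package.json: the range that excludes jpeg-js 0.4.0 is declared by @jimp/jpeg, two levels down. The lockfile contents, the direct edge from cypress-plugin-snapshots to @jimp/jpeg, the installed jpeg-js 0.3.7 and all function names are assumptions.

```javascript
// Constructed, simplified npm v2 lockfile: names and ranges come from the issue;
// the direct edge to @jimp/jpeg and jpeg-js 0.3.7 are assumptions for the demo.
const LOCK = { packages: {
  "": { devDependencies: { "cypress-plugin-snapshots": "^1.4.4" } },
  "node_modules/cypress-plugin-snapshots": { version: "1.4.4", dependencies: { "@jimp/jpeg": "^0.10.3" } },
  "node_modules/@jimp/jpeg": { version: "0.10.3", dependencies: { "jpeg-js": "^0.3.4" } },
  "node_modules/jpeg-js": { version: "0.3.7" },
} };

// True if a caret range (the only range syntax handled here) admits `version`.
function caretAllows(range, version) {
  const parse = (s) => s.replace(/^\^/, "").split(".").map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const lo = parse(range), v = parse(version);
  // A caret freezes the left-most non-zero part (the patch part for 0.0.x).
  const nz = lo.findIndex((n) => n !== 0), i = nz < 0 ? 2 : nz;
  const hi = lo.map((n, k) => (k < i ? n : k === i ? n + 1 : 0));
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}
// npm resolution: nearest node_modules first, then each enclosing package's.
function resolve(lock, from, name) {
  for (let base = from; ; ) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[key]) return key;
    if (!base) return null;
    base = base.includes("/node_modules/") ? base.slice(0, base.lastIndexOf("/node_modules/")) : "";
  }
}
// Depth-first walk from the root project; returns every path reaching `target`.
function findChains(lock, target, path = "", chain = [], seen = new Set()) {
  const pkg = lock.packages[path], out = [];
  for (const [name, range] of Object.entries({ ...pkg.dependencies, ...pkg.devDependencies })) {
    const key = resolve(lock, path, name);
    if (!key || seen.has(key)) continue; // missing entry or dependency cycle
    const next = [...chain, { name, range, version: lock.packages[key].version }];
    if (name === target) out.push(next);
    else out.push(...findChains(lock, target, key, next, new Set(seen).add(key)));
  }
  return out;
}
// For each chain: who declares the range on `target`, and can it reach `fixed`?
function report(lock, target, fixed) {
  return findChains(lock, target).map((c) => ({
    via: c.map((s) => `${s.name}@${s.version}`).join(" > "),
    pinnedBy: c.length > 1 ? c[c.length - 2].name : "(root project)",
    range: c[c.length - 1].range,
    fixReachable: caretAllows(c[c.length - 1].range, fixed),
  }));
}
console.log(report(LOCK, "jpeg-js", "0.4.0"));
```

A `fixReachable: false` row with `pinnedBy` other than the root project means the fix has to come from a release of that upstream package, which matches the wait for a new cypress-plugin-snapshots release described in the comments.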
Top GitHub Comments
Awesome! Thanks for keeping an eye on it!
@DawChihLiou I was notified that your PR https://github.com/meinaart/cypress-plugin-snapshots/pull/159 was merged! 🎉
I guess the maintainer needs to release a new version (currently at https://github.com/meinaart/cypress-plugin-snapshots/releases/tag/v1.4.4) before this makes any difference externally. It looks like they are bundling together quite a few different changes, so let’s wait and see!