diff --git a/cli/CHANGELOG.md b/cli/CHANGELOG.md
index 4f5c34a99fdf..af34c2f38cf8 100644
--- a/cli/CHANGELOG.md
+++ b/cli/CHANGELOG.md
@@ -8,6 +8,15 @@ _Released 01/31/2023 (PENDING)_
 - Fixed an issue where alternative Microsoft Edge Beta and Canary binary names were not being discovered by Cypress. Fixes [#25455](https://github.com/cypress-io/cypress/issues/25455).
+**Dependency Updates:**
+
+- Upgraded [`ua-parser-js`](https://github.com/faisalman/ua-parser-js) from `0.7.24`
+ to `0.7.33` to address this
+ [security vulnerability](https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3)
+ where crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to
+ get stuck processing for a very long time which results in a denial of service (DoS) condition.
+ Addressed in [#25561](https://github.com/cypress-io/cypress/pull/25561).
+
 ## 12.4.0 _Released 1/24/2023_
diff --git a/package.json b/package.json
index 11a9f8b514b4..048f385700a6 100644
--- a/package.json
+++ b/package.json
@@ -271,7 +271,7 @@
 "**/pretty-format": "26.4.0",
 "**/sharp": "0.29.3",
 "**/socket.io-parser": "4.0.5",
- "**/ua-parser-js": "0.7.24",
+ "**/ua-parser-js": "0.7.33",
 "@typescript-eslint/eslint-plugin": "4.18.0",
 "sharp": "0.29.3",
 "vue-template-compiler": "2.6.12"
diff --git a/yarn.lock b/yarn.lock
index 162eca05ce2b..04bfd843b537 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -29055,10 +29055,10 @@ typescript@^4.7.4: resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.7.4.tgz#1a88596d1cf47d59507a1bcdfb5b9dfe4d488235" integrity sha512-C0WQT0gezHuw6AdY1M2jxUO83Rjf0HP7Sk1DtXj6j1EwkQNZrHAg2XPWlq62oqEhYvONq5pkC2Y9oPljWToLmQ== -ua-parser-js@0.7.24, ua-parser-js@^0.7.18: - version "0.7.24" - resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.24.tgz#8d3ecea46ed4f1f1d63ec25f17d8568105dc027c" - integrity sha512-yo+miGzQx5gakzVK3QFfN0/L9uVhosXBBO7qmnk7c2iw1IhL212wfA3zbnI54B0obGwC/5NWub/iT9sReMx+Fw== +ua-parser-js@0.7.33, ua-parser-js@^0.7.18: + version "0.7.33" + resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.33.tgz#1d04acb4ccef9293df6f70f2c3d22f3030d8b532" + integrity sha512-s8ax/CeZdK9R/56Sui0WM6y9OFREJarMRHqLB2EwkovemBxNQ+Bqu8GAsUnVcXKgphb++ghr/B2BZx4mahujPw== uc.micro@^1.0.1, uc.micro@^1.0.5: version "1.0.6"