cypress-io / request Goto Github PK

Being a fork of the original request package, @cypress/request is vulnerable to CVE-2023-28155 (SSRF via insecure redirects). There is an issue and an open PR in the request repo, but the fix is unlikely to be merged since request is long abandoned. This fork is the second most popular fork, it would be great to have it patched.

The CircleCI workflow .circleci/config.yml produces a warning on the CircleCI pipeline when run.

The warning is

"You’re using a deprecated Docker convenience image. Upgrade to a next-gen Docker convenience image."

The posting (deprecated Docker convenience image) from August 2021 says:

"Moving from a legacy to next-gen image requires a change to the namespace. All legacy images have a Docker namespace of circleci, while next-gen images have a Docker namespace of cimg."

The outdated workflow lines of code are:

Apart from circleci/node:14 being a deprecated CircleCI Docker image, it is also using Node.js 14 which entered end-of-life on April 30, 2023.

Suggestion

Update the CircleCI workflow .circleci/config.yml to use a supported CircleCI Docker image which uses a supported version of Node.js.

Summary

When @cypress/[email protected] is installed with Yarn Classic, then the following deprecation notice is output:

warning @cypress/request > [email protected]: when using stringify with arrayFormat comma, [] is appended on single-item arrays. Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.

The deprecation notice is not displayed if npm or pnpm is used to install @cypress/[email protected]. This is because these other package managers prefer non-deprecated versions to deprecated versions and therefore they select the alternative, non-deprecated, [email protected] version instead of selecting the deprecated [email protected] version.

Simplest Example to Reproduce

yarn add @cypress/request

Expected behavior

When @cypress/request is installed using Yarn, then no deprecation notice should be displayed.

Possible solution

The warning suggests:

Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.

see qs CHANGELOG

Context

• This issue has been reported in cypress-io/cypress#27644 as a concern.

Your Environment

Logs

$ yarn add @cypress/request
yarn add v1.22.19
info No lockfile found.
[1/4] Resolving packages...
warning @cypress/request > [email protected]: when using stringify with arrayFormat comma, `[]` is appended on single-item arrays. Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 47 new dependencies.
info Direct dependencies
└─ @cypress/[email protected]
info All dependencies
├─ @cypress/[email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
├─ [email protected]
└─ [email protected]
Done in 1.60s.

Notes

cypress-io/request is configured with
"qs": "~6.10.3"

npm view [email protected] shows the deprecation notice

$ npm view [email protected]

[email protected] | BSD-3-Clause | deps: 1 | versions: 108
A querystring parser that supports nesting and arrays, with a depth limit
https://github.com/ljharb/qs

DEPRECATED ⚠️  - when using stringify with arrayFormat comma, `[]` is appended on single-item arrays. Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.

This is a deprecation notice, not a vulnerability warning. There are currently no vulnerabilities detected in @cypress/request:

$ yarn audit
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 52
Done in 0.36s.

Summary

The version of the qs package in use is 6.5.2, which is not the latest and is vulnerable to CVE-2021-44907

This should be updated to 6.10.3 (at time of writing latest version). The main cypress release should then also be updated to include this new release of request.

https://nvd.nist.gov/vuln/detail/CVE-2021-44907
https://github.com/ljharb/qs/releases/tag/v6.10.3

Package:
https://github.com/cypress-io/request/blob/master/package.json

Simplest Example to Reproduce

https://nvd.nist.gov/vuln/detail/CVE-2021-44907

Possible Solution

Upgrade qs package

Summary

Simplest Example to Reproduce

request({
  method: 'GET',
  url: 'http://example.com', // a public URL that we can hit to reproduce, if possible
  more: { 'options': 'here' }
},

Expected Behavior

Current Behavior

Possible Solution

Context

Your Environment

Summary

This vulnerability revealed by snyk

Possible Solution

Keep an eye on this PR which fixes the dependency and upgrade accordingly.

Using old crypto and causing firewall to block all of cypress due to this dependency.
Please see the sonar explanation below (specifically root cause).
You can see the 2 year old use of SHA1 all throughout that lib\oauth.js file.

Explanation

The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure. With enough resources an attacker might be able to crack the authentication mechanism and cause security attacks.

Detection

The application is vulnerable by using this component.

Recommendation

There is no non vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control.

Root Cause

request-2.88.5.tgz <= package/lib/oauth.js : [2.56.0 , )

Summary

karma is a web server generally used for tests, and it's included along with a series of helpers. However, it does not seem to be really used. It's not invoked from any script. Browser tests seem to be skipped.

Simplest Example to Reproduce

Run git grep "karma start" for instance. There might be other ways of checking it, but unless it's used internally (or was used), I don't see how it's checked nowadays.

Expected Behavior

It should be used, possibly for browser tests. It does not seem to have been substituted by anything else.

Current Behavior

npm run test-browser just skips the test.

Possible Solution

Eliminate karma and all browser tests, since they don't seem to be used at all. Alternatively, get it back to work...

Context

karma* introduce several vulnerabilities, and they're simply dead code, apparently. If it's not used, it's best to eliminate it.

Summary

Many packages seem to be a few majors behind their current release; karma is an example.

Simplest Example to Reproduce

I found this while doing npm uninstall har-validator which effectively does not seem to be used. This revealed a karma* conflict, which revealed several vulnerabilities when upgrading:

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '0.10 || 0.12 || 4 || 5 || 6' },
npm WARN EBADENGINE   current: { node: 'v16.2.0', npm: '7.19.1' }
npm WARN EBADENGINE }
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: The sprintf package is deprecated in favor of sprintf-js.
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: this package is now deprecated
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN deprecated [email protected]: https://about.codecov.io/blog/codecov-uploader-deprecation-plan/
npm WARN deprecated [email protected]: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 880 packages, and audited 883 packages in 60s

46 packages are looking for funding
  run `npm fund` for details

36 vulnerabilities (2 low, 16 moderate, 9 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Expected Behavior

Even if it's not a production library in most modules, I would expect some maintenance updates.

Possible Solution

Upgrade of all dependencies, and corresponding testing

Context

This is causing deprecated warnings, as well as snyk alerts, up and down the line.

Your Environment

https://www.npmjs.com/package/har-validator

node version 16.13.0
npm version 8.1.0

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two Factor Authentication for your account, set its level to "Authorization only" in your account settings. semantic-release cannot publish with the default "
Authorization and writes" level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.

Good luck with your project ✨

Your semantic-release bot 📦🚀

Summary

When @cypress/request is run in a Node.js 21.x or 22.x environment, a deprecation notice is output:

[DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.

punycode has been deprecated in Node.js since v7.0.0. Starting with Node.js 21.x the deprecation is actively announced at run-time (see nodejs/node#47202).

The linked deprecation notice contains the text:

"The version of the punycode module bundled in Node.js is being deprecated. In a future major version of Node.js this module will be removed."

This poses a risk for the future use of @cypress/request.

Simplest Example to Reproduce

Create the following file as request_test.js

const request = require('@cypress/request');
request('https://github.com/cypress-io/request');

In a Node.js 22.x environment, install @cypress/request and execute with

node --trace-deprecation request_test.js

Alternatively execute the following in a clone of this repo:

npm install
export NODE_OPTIONS=--trace-deprecation
npm run test-ci

Expected Behavior

No deprecation warning should be produced when using @cypress/request under Node.js 22.x

Current Behavior

When Node.js v21.0.0 is used, then running the test produces a deprecation warning:

$ node --trace-deprecation request_test.js
(node:3952) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
    at node:punycode:3:9
    at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:397:7)
    at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:333:10)
    at loadBuiltinModule (node:internal/modules/helpers:101:7)
    at Module._load (node:internal/modules/cjs/loader:1006:17)
    at Module.require (node:internal/modules/cjs/loader:1237:19)
    at require (node:internal/modules/helpers:176:18)
    at Object.<anonymous> (/home/mike/github/request_test/node_modules/psl/index.js:5:16)
    at Module._compile (node:internal/modules/cjs/loader:1378:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1437:10)

showing that [email protected] is the problematic call.

$ npm ls psl
└─┬ @cypress/[email protected]
  └─┬ [email protected]
    └── [email protected]

• See issue lupomontero/psl#315

Solution options

The Node.js punycode deprecation notice contains hints on how to update to a supported environment. It seems that this will not be possible to implement for @cypress/request without major changes.

punycode is not used directly by @cypress/request so the issue could only be solved by updating dependencies. Since [email protected] is already the latest version and codecov has been deprecated. At first glance that would seem to block resolving the issue through simple version update of dependencies.

Some dependencies are proposed for update through PR #45, however this does not solve the issue. It would require quite some effort to dig into each of the dependencies to check their relationship with this issue.

The repo request/request from which @cypress/request is forked, was already deprecated on Feb 11, 2020 and therefore there will be no resolution available from the upstream repo.

Dependency tree

$ npm ls punycode
@cypress/[email protected]
├─┬ [email protected]
│ ├── [email protected]
│ └─┬ [email protected]
│   └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └─┬ [email protected]
│   │   └─┬ [email protected]
│   │     └── [email protected]
│   └─┬ [email protected]
│     └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected]
└─┬ [email protected]
  └── [email protected]

[email protected]

├─┬ [email protected]
│ ├── [email protected]
│ └─┬ [email protected]
│   └── [email protected] deduped

browserify current version is [email protected] published 3 years ago.

[email protected]

├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped

[email protected] is the latest version and the package has been deprecated.

[email protected]

├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped

karma-browserify current version is [email protected] published 2 years ago.

Context

https://nodejs.org/dist/latest-v21.x/docs/api/punycode.html#punycode

Since the version of the punycode module bundled in Node.js is being deprecated and it will be removed in a future major version of Node.js, there is a risk that at some time in the future @cypress/request will no longer work.

Your Environment

Version:
@cypress/[email protected]
@cypress/[email protected]
@cypress/[email protected]

yarn install
yarn test

is successful for Node.js 18.16.1 and fails for 18.17.1 & 20.7.0 running on Ubuntu 22.04.3 LTS.

Node.js 18.16.1

runs successfully (with some warnings), tested locally, on Node.js 18.16.1:

Suites:   ​54 passed​, ​54 of 54 completed​
Asserts:  ​​​1500 passed​, ​of 1500​

Node.js 18.17.0 18.17.1 (LTS)

fails tested locally, on Node.js 18.17.1:

Suites:   ​1 failed​, ​53 passed​, ​54 of 54 completed​
Asserts:  ​​​1 failed​, ​1478 passed​, ​of 1479​

Node.js 20.5.0, 20.5.1 20.6.1 20.7.0

fails tested locally, on Node.js 20.7.0:

Suites:   ​2 failed​, ​52 passed​, ​54 of 54 completed​
Asserts:  ​​​3 failed​, ​1480 passed​, ​of 1483​

Edit: Updated and retested with @cypress/[email protected]
Updated and retested with @cypress/[email protected]. Node.js 16 results removed, since this version is now end-of-life.

The GitHub Actions workflow .github/workflows/yarn.yaml fails when run.

1..54
# failed 1 of 54 tests

See job 15513946632

.github/workflows/yarn.yaml does not specify any particular version of Node.js to install and therefore runs against the default version Node.js 18.17.0 of the GitHub ubuntu-latest (ubuntu-22.04) runner.

Hi,

I have cypress UI tests running successfully until few days ago when our authentication team has made a change that redirects the page twice, previously only once. This change has caused my tests to fail at cy.visit('/') with error

"We attempted to make an http request to this url but the request failed without a response
https://mybetawebsite/
We received this error at network level
Error: Exceeded maxRedirects. Probably stuck in a redirect loop https://mybetawebsite/redirect=signin&redirect=signin
at processRedirect (/private/var/folders/.........../Cypress.app/Contents/Resources/app/packages/server/node_modules/@cypress/request/lib/redirect.js:104:24..........."

When I asked them about this error, they told me to follow the redirect a second time.
"Just follow the same redirects a second time. You'll need to update your tests to follow the redirects a second time over."

I know cy.visit follows redirects (https://docs.cypress.io/api/commands/visit#Redirects) , but it does only once or multiple times?

Previously, when my tests were passing, I could see 302(redirection) at cy.visit (to different url for auth) and test used to continue and pass.

in my cypress.json, baseUrl: https://mybetawebsite/

How do I handle second redirect?

I have tried
1.increasing redirectionLimit in cypress.json (dinot work),
2. cy.intercept , but I cannot mention a url to redirect to because it is dynamic and comes from the another team
3. cypress retries ( i don't think this is the solution and it didnot work either)

the "if(self.redirectsFollowed >= self.maxRedirects)" in node_modules/@cypress/request/lib/redirect.js:104:24 is generating the issue. But how do I increase this maxRedirects

The request package through 2.88.2 for Node.js and the @cypress/request package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

Summary

The dependency on har-validator was removed in #11, but it is still referenced at https://github.com/cypress-io/request/blob/master/lib/har.js#L5

Simplest Example to Reproduce

Install cypress as a dependency using yarn.

Expected Behavior

yarn install succeeds.

Current Behavior

yarn install fails with an error similar to the following:

[5/5] Building fresh packages...
--
  | error /var/www/node_modules/cypress: Command failed.
  | Exit code: 1
  | Command: node index.js --exec install
  | Arguments:
  | Directory: /var/www/node_modules/cypress
  | Output:
  | internal/modules/cjs/loader.js:905
  | throw err;
  | ^
  |  
  | Error: Cannot find module 'har-validator'
  | Require stack:
  | - /var/www/node_modules/@cypress/request/lib/har.js
  | - /var/www/node_modules/@cypress/request/request.js
  | - /var/www/node_modules/@cypress/request/index.js
  | - /var/www/node_modules/cypress/lib/tasks/download.js
  | - /var/www/node_modules/cypress/lib/tasks/install.js
  | - /var/www/node_modules/cypress/index.js
  | at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
  | at Function.Module._load (internal/modules/cjs/loader.js:746:27)
  | at Module.require (internal/modules/cjs/loader.js:974:19)
  | at require (internal/modules/cjs/helpers.js:93:18)
  | at Object.<anonymous> (/var/www/node_modules/@cypress/request/lib/har.js:5:16)
  | at Module._compile (internal/modules/cjs/loader.js:1085:14)
  | at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
  | at Module.load (internal/modules/cjs/loader.js:950:32)
  | at Function.Module._load (internal/modules/cjs/loader.js:790:12)
  | at Module.require (internal/modules/cjs/loader.js:974:19)
  | at require (internal/modules/cjs/helpers.js:93:18)
  | at Object.<anonymous> (/var/www/node_modules/@cypress/request/request.js:23:11)
  | at Module._compile (internal/modules/cjs/loader.js:1085:14)
  | at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
  | at Module.load (internal/modules/cjs/loader.js:950:32)
  | at Function.Module._load (internal/modules/cjs/loader.js:790:12) {
  | code: 'MODULE_NOT_FOUND',
  | requireStack: [
  | '/var/www/node_modules/@cypress/request/lib/har.js',
  | '/var/www/node_modules/@cypress/request/request.js',
  | '/var/www/node_modules/@cypress/request/index.js',
  | '/var/www/node_modules/cypress/lib/tasks/download.js',
  | '/var/www/node_modules/cypress/lib/tasks/install.js',
  | '/var/www/node_modules/cypress/index.js'
  | ]
  | }

Possible Solution

Reinstate har-validator as a dependency until its references can be updated or removed.

Context

Your Environment

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Cannot push to the Git repository.

semantic-release cannot push the version tag to the branch master on the remote Git repository with URL https://[secure]@github.com/cypress-io/request.git.

This can be caused by:

• a misconfiguration of the repositoryUrl option
• the repository being unavailable
• or missing push permission for the user configured via the Git credentials on your CI environment

Good luck with your project ✨

Your semantic-release bot 📦🚀

• Follow-on to #37

Version:

@cypress/[email protected]

npm install yarn@latest -g
git clone https://github.com/cypress-io/request
cd request
yarn install
node ./tests/test-form-data.js

fails for Node.js 20.8.0 20.12.1
running on Ubuntu 22.04.3 22.04.4 LTS.

The test succeeds with Node.js 18.18.1 18.20.1LTS.

Other tests called by yarn test succeed on Node.js 18.x and 20.x

Logs

$ node ./tests/test-form-data.js
TAP version 13
# multipart formData
ok 1 should be truthy
ok 2 should be truthy
ok 3 should be truthy
ok 4 should be truthy
ok 5 should be truthy
ok 6 should be truthy
ok 7 should be truthy
ok 8 should be truthy
ok 9 should be truthy
ok 10 should be truthy
ok 11 should be truthy
ok 12 should be truthy
ok 13 should be truthy
ok 14 should be truthy
ok 15 should be truthy
ok 16 should be truthy
ok 17 should be truthy
ok 18 should be truthy
ok 19 should be equal
ok 20 should be equal
ok 21 should be equivalent
# multipart formData + JSON
ok 22 should be truthy
ok 23 should be truthy
ok 24 should be truthy
ok 25 should be truthy
ok 26 should be truthy
ok 27 should be truthy
ok 28 should be truthy
ok 29 should be truthy
ok 30 should be truthy
ok 31 should be truthy
ok 32 should be truthy
ok 33 should be truthy
ok 34 should be truthy
ok 35 should be truthy
ok 36 should be truthy
ok 37 should be truthy
ok 38 should be truthy
ok 39 should be truthy
ok 40 should be equal
ok 41 should be equal
ok 42 should be equivalent
# multipart formData + basic auth
ok 43 should be equal
not ok 44 should be equal
  ---
    operator: equal
    expected: 200
    actual:   400
    at: Request._callback (/home/mike/github/cypress-io/request/tests/test-form-data.js:114:9)
    stack: |-
      Error: should be equal
          at Test.assert [as _assert] (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:443:48)
          at Test.bound [as _assert] (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:89:17)
          at Test.equal (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:604:7)
          at Test.bound [as equal] (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:89:17)
          at Request._callback (/home/mike/github/cypress-io/request/tests/test-form-data.js:114:9)
          at self.callback (/home/mike/github/cypress-io/request/request.js:183:22)
          at Request.emit (node:events:514:28)
          at Request.<anonymous> (/home/mike/github/cypress-io/request/request.js:1156:10)
          at Request.emit (node:events:514:28)
          at IncomingMessage.<anonymous> (/home/mike/github/cypress-io/request/request.js:1070:12)
  ...
not ok 45 should be equivalent
  ---
    operator: deepEqual
    expected: 'done'
    actual:   ''
    at: Request._callback (/home/mike/github/cypress-io/request/tests/test-form-data.js:115:9)
    stack: |-
      Error: should be equivalent
          at Test.assert [as _assert] (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:443:48)
          at Test.bound [as _assert] (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:89:17)
          at Test.tapeDeepEqual (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:641:7)
          at Test.bound [as deepEqual] (/home/mike/github/cypress-io/request/node_modules/tape/lib/test.js:89:17)
          at Request._callback (/home/mike/github/cypress-io/request/tests/test-form-data.js:115:9)
          at self.callback (/home/mike/github/cypress-io/request/request.js:183:22)
          at Request.emit (node:events:514:28)
          at Request.<anonymous> (/home/mike/github/cypress-io/request/request.js:1156:10)
          at Request.emit (node:events:514:28)
          at IncomingMessage.<anonymous> (/home/mike/github/cypress-io/request/request.js:1070:12)
  ...

1..45
# tests 45
# pass  43
# fail  2

Summary

The version of tough-cookie package in use is 2.5.0, which is old version and is vulnerable to CVE-2023-26136

This should be updated to 4.1.3 (or higher). The main cypress release should then also be updated to include this new release of request.

https://www.cve.org/CVERecord?id=CVE-2023-26136

Package:
https://github.com/cypress-io/request/blob/master/package.json

Simplest Example to Reproduce

https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

Possible Solution

https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873