If you believe you've found a potential security issue in any Cypress Docker image please consider the following:
- Cypress Docker images released through this repo are convenience images with selected bundled and versioned components.
- They are intended for use in Continuous Integration (CI) or other non-public, isolated, sandboxed environments.
- Any security issue must be addressed by the component owner before any related fix can flow into a new Cypress Docker image.
- Released images are considered frozen and remain released. Newest packages have the tag
latestapplied.
Each time a new cypress/factory image is built, it uses the base Docker image defined as BASE_IMAGE in the factory/.env file and installs any additional Debian packages from the stable distribution. This means any security issues which have been resolved by Debian are resolved in a new cypress/factory build. Other Cypress Docker images are built on top of cypress/factory and include any Debian security fixes as well.
Refer to Debian security for further information.
Debian is used in cypress/factory, cypress/base, cypress/browsers and cypress/included Cypress Docker images.
Please refer to the associated browser owner's documentation regarding browser security vulnerabilities.
Browsers are included in cypress/browsers and cypress/included Cypress Docker images.
For issues with Cypress, we recommend checking the Cypress issue list to see if a vulnerability has already been reported there. Otherwise Cypress Security and Compliance provides more information on reporting a security issue.
Cypress is included only in cypress/included Cypress Docker images.