Current behavior
npm audit and Dependabot report a medium severity vulnerability GHSA-w5hq-g745-h8pq in uuid@8.3.2 (released Dec 2020), a transient dependency of @cypress/request@3.0.10 (current latest).
Desired behavior
Installing Cypress and executing npm audit should not report any vulnerability warnings.
Test code to reproduce
cd $(mktemp -d)
npm install cypress
npm audit
Cypress Version
15.14.1
Debug Logs
$ npm audit
# npm audit report
uuid <14.0.0
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install cypress@4.2.0, which is a breaking change
node_modules/uuid
@cypress/request *
Depends on vulnerable versions of uuid
node_modules/@cypress/request
cypress >=4.3.0
Depends on vulnerable versions of @cypress/request
node_modules/cypress
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
$ npm ls uuid
└─┬ cypress@15.14.1
  └─┬ @cypress/request@3.0.10
    └── uuid@8.3.2
Other
No response