Comparing changes
base repository: browserstack/browserstack-cypress-cli
base: v1.36.5
head repository: browserstack/browserstack-cypress-cli
compare: v1.36.6
  • 17 commits
  • 4 files changed
  • 7 contributors

Commits on Apr 16, 2026

  1. fix(security): prevent command injection via cypress_config_file [APS-18613]

    - Replace execSync() with execFileSync() in loadJsFile() to avoid shell
      interpolation of user-controlled cypress_config_filepath values
    - Pass NODE_PATH via env option instead of shell command prefix, which
      works cross-platform (Unix and Windows) without shell metacharacters
    - Add validateFilePath() defense-in-depth check that rejects paths
      containing shell metacharacters before they reach any exec call
    - Update unit tests to verify execFileSync is called with array args
      and to confirm command injection payloads are rejected
    
    Resolves: APS-18613
    avinash-bharti committed Apr 16, 2026
    6dbf8f9

Commits on Apr 27, 2026

  1. fix(security): allow Windows backslash paths and add file-not-found UX [APS-18613]

    Address review feedback on PR #1080:
    
    - Remove backslash (\) from DANGEROUS_PATH_CHARS regex so legitimate Windows
      absolute/relative paths (C:\Users\..., .\subdir\..., \\server\share\...) are
      no longer rejected. Backslash is a path separator on Windows, not a shell
      metacharacter — and the actual security boundary is execFileSync (no shell
      invocation), not the regex.
    
    - Add an fs.existsSync() check inside loadJsFile() that throws a clear
      "Cypress config file not found at: <path>" error before invoking
      execFileSync. This is purely a UX improvement — existsSync alone would NOT
      prevent injection; the metacharacter regex + execFileSync remain the
      security guarantees.
    
    - Update unit tests:
      * Add positive tests for Windows-style absolute, Program-Files (with
        spaces), relative (.\subdir\...) and UNC (\\server\share\...) paths
      * Add a positive test in loadJsFile that exercises the same Windows paths
        end-to-end without throwing
      * Add a test for the new file-not-found path that confirms execFileSync
        is NOT invoked when the file is missing
      * Update existsSync call-count assertion from calledOnce to calledTwice
        (UX check + cleanup unlink)
    
    Resolves: APS-18613
    avinash-bharti committed Apr 27, 2026
    9bb1f6f
  2. Merge remote-tracking branch 'origin/master' into fix/APS-18613-command-injection-cypress-config

    avinash-bharti committed Apr 27, 2026
    d2d1c21

Commits on Apr 29, 2026

  1. 986f0d2

Commits on May 4, 2026

  1. 6e5aaf5

Commits on May 5, 2026

  1. 0fb6a7c
  2. b4cb261
  3. updated code

    anish353 committed May 5, 2026
    edf2e19
  4. 54b6f03

Commits on May 7, 2026

  1. fix(security): pin serialize-javascript to >=7.0.5 via npm overrides [APS-18800]

    Fixes GHSA-5c6j-r48x-rmvq (RCE) and GHSA-qj8w-gfj5-8c6v (DoS) in the
    transitive serialize-javascript dependency pulled in by mocha. Uses npm's
    native `overrides` field — no third-party workarounds needed.
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    karanshah-browserstack and claude committed May 7, 2026
    21f71a0

Commits on May 8, 2026

  1. Merge pull request #1096 from browserstack/security/fix-serialize-javascript-rce-aps-18800

    [APS-18800] fix(security): upgrade serialize-javascript to 7.0.3 to fix RCE
    dheerajbstack authored May 8, 2026
    2a3e52d

Commits on May 11, 2026

  1. 56e11ea

Commits on May 12, 2026

  1. Merge pull request #1094 from browserstack/sdk-5709

    Fix cy logs not appearing in dashboard for failing test
    agrawal-ayush authored May 12, 2026
    6d2ac1a

Commits on May 13, 2026

  1. e9f1fbc
  2. Merge pull request #1080 from browserstack/fix/APS-18613-command-injection-cypress-config

    [APS-18613] fix: prevent command injection via cypress_config_file in loadJsFile
    karanshah-browserstack authored May 13, 2026
    8884dc3
  3. 59b1bcb
  4. Merge pull request #1101 from browserstack/revert-1096-security/fix-serialize-javascript-rce-aps-18800

    Revert "[APS-18800] fix(security): upgrade serialize-javascript to 7.0.3 to fix RCE"
    karanshah-browserstack authored May 13, 2026
    40517f3