* fix(vite-dev-server): exclude CT specs from Vite 8 JSX refresh
Prevents duplicate describe/it registration in headed mode when specs define
local React components (HMR self-accept). Sets oxc.jsxRefreshExclude for Vite 8.
Fixes #33750
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(vite-dev-server): scope jsxRefreshInclude so CSS is not transformed by Oxc
Pair jsxRefreshExclude with a script-only jsxRefreshInclude pattern; Vite's
createFilter(undefined, exclude) otherwise matches all non-spec assets.
Add unit tests including CSS path regression coverage.
Co-authored-by: Cursor <cursoragent@cursor.com>
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
* chore(deps): upgrade listr 3.x to 9.x
* use important strings to assert install output instead of fragile snapshots
* rm unused `enquirer` dep; write cli test results
* revert persisting junit xml for now
* ensure VerboseRenderer implements LstrRenderer contract
* remove unnecessary vendorized VerboseRenderer; use behavioral assertions in verify instead of brittle snapshots
* make most `any` types in cli installer explicit; remove unused deps
* changelog
* rm trailing slash from pr link
* Update cli/lib/tasks/install.ts
Co-authored-by: Bill Glesias <bglesias@gmail.com>
* simplify task list definitions; improve type annotations
* fix version output; improve readability of task generation
* rm unused types
* revert error handling regression
* fix implicit any
* more readability improvements; better listr mocking
* apply similar readability improvements to verify
* fix order of verify -> welcome message
* chore: skip adding the install comment on the commit (#33685)
* update axios (#33687)
---------
Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Matt Schile <mschile@cypress.io>
* dependency: update ts-loader in webpack-preprocessor-batteries-included
* adds debug for ts loader rules to investigate publish binary failure
* rm extra debug
* update ts-loader in extension and server
* chore: upgrade simple-git to 3.36.0 to fix RCE vulnerability
Resolves Snyk SNYK-JS-SIMPLEGIT-15456078 (Critical Remote Code
Execution) in simple-git@3.33.0. The existing ^3.32.3 ranges in
packages/data-context and packages/app already cover 3.36.0, so
only a relock was needed. Carried the TasksPendingQueue static-field
patch forward to 3.36.0.
* fix: strip unsafe target from <base> tags to keep AUT inside Cypress frame
A `<base target="_top">` (or `_parent`) is inherited by every untargeted
<a> and <form> on the page, so navigations escape the AUT iframe even
though the existing runtime guards only inspect each element's own
`target` attribute. Strip the attribute in both the AST and regex HTML
rewriters at proxy time, and neutralize dynamically inserted `<base>`
tags from the driver's click/submit capture-phase handlers as a backup.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: match target keywords case-insensitively and always neutralize base on click
Two gaps in the driver runtime backstop for `<base target>`:
- `HTMLBaseElement.target` reflects the raw content attribute without case
normalization, but the browser matches `_top` / `_parent` case-insensitively
at navigation time. Lowercase the comparison so `<base target="_TOP">` is
also neutralized.
- The click handler previously gated `neutralizeUnsafeBaseTarget` inside the
`tagName === 'A'` check, which fails for clicks on descendants of an anchor
(e.g. `<a><img>`). The base-target neutralization is document-scoped, so it
must run regardless of which descendant the click lands on.
Add E2E regressions for both scenarios.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs: add changelog entry for <base> target rewrite fix
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs: clarify gating in <base> target changelog entry
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: make <base> target regex work under replaceStream's match re-apply
replace_stream.ts re-applies each pattern to the already-matched substring
(`match.replace(pattern, replacement)`), so any boundary char enforced via
a positive lookahead falls off the end of the match and the lookahead fails
at end-of-string — silently skipping the replacement in the stream path
while the in-memory `strip()` path still worked.
Capture the boundary char in group 2 and re-emit it via `$2` so both paths
produce identical output. Add stream-path regressions covering quoted,
single-quoted, unquoted, and self-closing <base> variants.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs: reword test comments to describe behavior directly
Drop "Regression:" / test-justification framing in favor of comments that
describe the HTML or stream behavior the test exercises.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: route <base> target neutralization through handleInvalidTarget
Move neutralizeUnsafeBaseTarget into handleInvalidTarget so every caller —
same-origin submit events, anchor clicks, and the cross-origin
form.submit() patch — gets document-scoped neutralization consistently.
The anchor click handler keeps an explicit neutralize call on the
descendant-click path (where handleInvalidTarget does not run because
e.target is not the anchor itself).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* test: rename driver spec from .cy.js to .cy.ts
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
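
The lookahead failure described in the `replaceStream` commit above can be reproduced with a small model. This is an added example, not code from the commits: the patterns, rule objects and function names are hypothetical, and the stream path is modelled only as "re-apply the pattern to the matched substring", which is how the commit message describes it.

```javascript
// Added illustration: the patterns and function names below are hypothetical,
// not the Cypress rewriter's own code.
const KW = '(?:_top|_parent)'
const VALUE = `(?:"${KW}"|'${KW}'|${KW})` // quoted, single-quoted or unquoted
const HEAD = `(<base\\b[^>]*?)\\s+target\\s*=\\s*${VALUE}`

// Variant A: the character after the value is only asserted by a lookahead,
// so it is not part of the match.
const LOOKAHEAD = { source: `${HEAD}(?=[\\s/>])`, replacement: '$1' }
// Variant B: the boundary character is captured as group 2 and re-emitted.
const CAPTURE = { source: `${HEAD}([\\s/>])`, replacement: '$1$2' }

const compile = (rule) => new RegExp(rule.source, 'gi') // 'i': _TOP matches too

// In-memory path: one replace over the whole document.
function stripInMemory (html, rule) {
  return html.replace(compile(rule), rule.replacement)
}

// Model of the stream path as the commit describes it: each match is found in
// the buffered text, then the pattern is re-applied to the matched substring alone.
function stripReapplied (html, rule) {
  return html.replace(compile(rule), (match) => {
    return match.replace(compile(rule), rule.replacement)
  })
}

// Constructed sample inputs.
const SAMPLES = [
  '<base href="/app/" target="_top">',
  `<base target='_TOP' />`,
  '<base target=_parent>',
  '<base target=_topper>', // not a keyword: must be left alone
]

for (const html of SAMPLES) {
  console.log(html, '=>', stripReapplied(html, LOOKAHEAD), '|', stripReapplied(html, CAPTURE))
}
```

With the lookahead variant the re-applied path returns the input unchanged, so `target="_top"` survives; the capture variant gives the same output on both paths.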
* perf(reporter): tear down Scroller scroll listener on reset and reassignment
setContainer and __reset could leave multiple scroll handlers on the same
container because each setContainer added a new anonymous listener and
never called removeEventListener.
Use a stable handler plus _listenToScrolls / _stopListeningToScrolls so the
previous node is always unsubscribed before attaching to a new container,
and __reset unsubscribes before clearing state.
Add a unit test for repeated setContainer and extend the test container type
so removeEventListener is typed as a Sinon spy.
* changelog entry
* fix broken tests
* fix unit test
* move changelog
* fix: pass inflateRaw override to decryptResponse for large cy.prompt payloads
The jose library caps decompressed JWE payloads at ~250KB by default. Larger
cy.prompt /plan responses (which carry cached selectors and chains) inflated
past that limit and produced DecryptionError: decryption operation failed.
Match the 5MB ceiling the services-side @packages/encryption decrypt already
configures.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Update CHANGELOG for version 15.14.1
Added changelog entry for version 15.14.1 with bugfix details.
* Update CHANGELOG.md
* Apply suggestion from @ryanthemanuel
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* perf(driver): allowlist keys kept after log memory cleanup when tests drop out of numTestsKeptInMemory
Replace blocklisted string keys with REDUCE_MEMORY_PRESERVED_KEYS so
reduceMemory nulls every other field (including custom Cypress.log data)
when tests drop out of numTestsKeptInMemory. Add vitest coverage.
* changelog entry
* remove viewportHeight and Width in cleanup
* add back some necessary keys
* fix: login attempts subsequent to a cancelled one now launch the browser and can complete (#33366)
* fix: login attempts subsequent to a cancelled one now launch the browser and can complete
* resolve cached responses with a bluebird promise instead of a native promise
* adds typedefs for @cypress/request and extends interfaces so that api/index.ts can be better typed
* correct type declaration in packages/server/lib/cloud/user.ts
* clean up ts/package.json
* changelog
* rm expect-error directive and replace with ignore - why is driver typechecking this?
* changelog
* fix: reject cy.intercept delay values >= 2^31
setTimeout uses a signed 32-bit integer internally, so delay values
>= 2^31 (~24.8 days) are silently coerced to 1ms. This causes the
delay to be effectively ignored with no indication to the user.
Add validation in validateStaticResponse to throw a clear error
when delay >= 2^31, consistent with how throttleKbps is validated.
Fixes #33183
* fix: add changelog entry and fix lint padding
- Add changelog entry for delay validation to cli/CHANGELOG.md
- Fix padding-line-between-statements lint error (blank line after const)
* fix: use 2**31 notation instead of 2^31 and add PR link to changelog
Address review feedback: use JavaScript exponentiation notation (2**31)
instead of mathematical caret notation (2^31) in comments and changelog
to avoid confusion with JavaScript's XOR operator. Also add the missing
PR reference link in the changelog entry.
* Update CHANGELOG.md
Moves the changelog entry to 15.11.1
* Fix off-by-one error
* Update error message with regard to off-by-one
* Fix test with regard to off-by-one
* lint
* Update CHANGELOG.md
---------
Co-authored-by: Cacie Prins <cacieprins@users.noreply.github.com>
Co-authored-by: Matt Schile <mschile@cypress.io>
* perf: strip values not from public config API from being sent in Cloud recording
* Add changelog entry
* Apply suggestion from @mschile
Co-authored-by: Matt Schile <mschile@cypress.io>
* Apply suggestion from @jennifer-shehane
---------
Co-authored-by: Matt Schile <mschile@cypress.io>
* chore: remove experimentalPromptCommand config
* Update with code review
* feat: add projectId handling in CyPromptLifecycleManager and ProjectBase
- Enhanced ProjectBase to include projectId in the context.
- Updated CyPromptLifecycleManager to utilize projectId, with fallback handling when project configuration fails.
- Added tests to verify behavior when project configuration is unavailable, ensuring fallback projectId is used correctly.
* Update with code review
* Update with code review
* chore: rerun tests on unloadEvent instead of on beforeunload
* update changelog
* fix changelog
* check for spec dirty data store to actually run the beforeunload clean up
* clean up _deferCleanupToUnload flag
* update changelog
* update changelog entry
* Update cli/CHANGELOG.md
Co-authored-by: Matt Schile <mschile@cypress.io>
---------
Co-authored-by: Matt Schile <mschile@cypress.io>
* fix(deps): remediate package vulnerabilities
- Bump minimatch from 3.1.2 to 3.1.3 in data-context, driver, and
network packages to address ReDoS vulnerability
- Add yarn resolutions to pin minimatch across transitive dependencies
(lerna, nx, editorconfig, graphql-config, mocha, serve-handler)
- Add serialize-javascript 7.0.3 resolution to fix XSS vulnerability
- Remove obsolete socket.io-parser resolution
- Bump vite from 3.2.11 to 4.5.12 in outdated-deps test projects and
update corresponding e2e test assertions
- Bump Angular 21 test project dependencies from ^21.0.0 to ^21.2.0
* fix(deps): pin mocha minimatch resolution to 3.1.3
- Change mocha-7.2.0/minimatch resolution from 5.1.8 to 3.1.3 since
mocha 7.2.0 depends on minimatch ^3.0.4, which is incompatible with
the 5.x major version. This removes the unused minimatch@5.1.8 entry
from yarn.lock.
* docs(changelog): add entries for minimatch and serialize-javascript upgrades
- Add dependency update changelog entries for minimatch 3.1.3 and
serialize-javascript 7.0.3 vulnerability remediations in PR #33461
* chore: update CI cache version to 03-10-2026
* docs(cli): move minimatch and serialize-javascript entries to 15.13.0
Move the minimatch and serialize-javascript dependency upgrade entries
from 15.12.0 to the pending 15.13.0 release section so they are listed
under the correct version.
Closes #33461
Made-with: Cursor