If you believe you've found a potential security issue in any Cypress Docker image, please consider the following:
- Cypress Docker images released through this repo are convenience images with selected bundled and versioned components.
- They are intended for use in Continuous Integration (CI) or other non-public, isolated, sandboxed environments.
- Any security issue must be addressed by the component owner before any related fix can flow into a new Cypress Docker image.
- Released images are considered frozen and remain released. Newest packages have the tag latest applied.
Each time a new cypress/factory image is built, it uses the base Docker image defined as BASE_IMAGE in the factory/.env file and installs any additional Debian packages from the stable distribution. This means any security issues which have been resolved by Debian are resolved in a new cypress/factory build. Other Cypress Docker images are built on top of cypress/factory and include any Debian security fixes as well.
Refer to Debian security for further information.
Debian is used in cypress/factory, cypress/base, cypress/browsers and cypress/included Cypress Docker images.
Please refer to the associated browser owner's documentation regarding browser security vulnerabilities.
Browsers are included in cypress/browsers and cypress/included Cypress Docker images.
For issues with Cypress, we recommend checking the Cypress issue list to see if a vulnerability has already been reported there. Otherwise, Cypress Security and Compliance provides more information on reporting a security issue.
Cypress is included only in cypress/included Cypress Docker images.