Merge pull request #32159 from cypress-io/merge_develop_15

chore: merge `develop` into `release/15.0.0`

Author: AtofStryker

.circleci/workflows.yml

@@ -2,7 +2,7 @@ version: 2.1
 
 chrome-stable-version: &chrome-stable-version "138.0.7204.183"
 chrome-beta-version: &chrome-beta-version "139.0.7258.66"
-firefox-stable-version: &firefox-stable-version "137.0"
+firefox-stable-version: &firefox-stable-version "141.0"
 
 orbs:
   browser-tools: circleci/[email protected]

cli/CHANGELOG.md

@@ -31,6 +31,8 @@ _Released 07/29/2025 (PENDING)_
 
 - Fixed an issue where Create from Component feature might not be able to parse React components from project files. Fixed in [#31457](https://github.com/cypress-io/cypress/pull/31457).
 - Fixed an issue where `isSecureContext` would be `false` on localhost when testing with Cypress. Addresses [#18217](https://github.com/cypress-io/cypress/issues/18217).
+- Fixed an issue where Angular legacy `Output()` decorators were broken when making component instance field references safe. Fixes [#32137](https://github.com/cypress-io/cypress/issues/32137).
+- Upgraded `tmp` from `~0.2.3` to `~0.2.4`. This removes the [CVE-2025-54798](https://github.com/advisories/GHSA-52f5-9888-hmc6) vulnerability being reported in security scans. Addresses [#32176](https://github.com/cypress-io/cypress/issues/32176).
 
 **Misc:**
 
@@ -43,6 +45,14 @@ _Released 07/29/2025 (PENDING)_
 - Upgraded bundled Node.js version from `20.18.1` to `22.15.1`. Addresses [#31257](https://github.com/cypress-io/cypress/issues/31257). Addressed in [#31912](https://github.com/cypress-io/cypress/pull/31912).
 - Upgraded bundled Chromium version from `130.0.6723.137` to `136.0.7103.149`. Addresses [#31257](https://github.com/cypress-io/cypress/issues/31257). Addressed in [#31912](https://github.com/cypress-io/cypress/pull/31912).
 
+## 14.5.4
+
+_Released 8/07/2025_
+
+**Dependency Updates:**
+
+- Upgraded `tar-fs` to `2.1.3` and `3.1.0` in places we can control, to resolve [CVE-2024-12905](https://github.com/advisories/GHSA-pq67-2wwv-3xjx). `@puppeteer/browsers` still references `3.0.4`, but it is only used to download browsers which is not a feature of `puppeteer` that we utilize. Addressed in [#32160](https://github.com/cypress-io/cypress/pull/32160).
+
 ## 14.5.3
 
 _Released 7/25/2025_

cli/package.json

@@ -60,7 +60,7 @@
     "request-progress": "^3.0.0",
     "semver": "^7.7.1",
     "supports-color": "^8.1.1",
-    "tmp": "~0.2.3",
+    "tmp": "~0.2.4",
     "tree-kill": "1.2.2",
     "untildify": "^4.0.0",
     "yauzl": "^2.10.0"

cli/types/cypress.d.ts

@@ -3828,7 +3828,7 @@ declare namespace Cypress {
     validate?: () => Promise<false | void> | void
   }
 
-  type SameSiteStatus = 'no_restriction' | 'strict' | 'lax'
+  type SameSiteStatus = 'no_restriction' | 'strict' | 'lax' | 'unspecified'
 
   interface SelectFileOptions extends Loggable, Timeoutable, ActionableOptions {
     /**
@@ -3879,8 +3879,8 @@ declare namespace Cypress {
      */
     expiry: number
     /**
-     * The cookie's SameSite value. If set, should be one of `lax`, `strict`, or `no_restriction`.
-     * `no_restriction` is the equivalent of `SameSite=None`. Pass `undefined` to use the browser's default.
+     * The cookie's SameSite value. If set, should be one of `lax`, `strict`, `no_restriction`, or `unspecified`.
+     * `no_restriction` is the equivalent of `SameSite=None`. Pass `undefined` to use the browser's default ('unspecified' is the default for Firefox 140 and up).
      * Note: `no_restriction` can only be used if the secure flag is set to `true`.
      * @default undefined
      */

guides/eslint-migration.md

@@ -108,39 +108,50 @@ For each package in the batch:
      - In each migrated package, add `@packages/eslint-config` to `devDependencies` (use a relative file path if not published to npm).
    - **Add ESLint as a dev dependency:**
      - Since `@packages/eslint-config` has ESLint as a peer dependency, add `eslint: "^9.18.0"` to `devDependencies`.
-4. **Run lint and autofix:**
+4. **Add lint-staged configuration:**
+   - Add a `lint-staged` section to the package's `package.json`:
+     ```json
+     {
+       "lint-staged": {
+         "**/*.{js,jsx,ts,tsx}": "eslint --fix"
+       }
+     }
+     ```
+   - This ensures that when files are staged for commit, they are automatically linted and fixed using the package's local ESLint configuration.
+5. **Run lint and autofix:**
    - From the package root, run:
      ```
      npx eslint . --ext .js,.ts,.tsx,.jsx --fix
      ```
    - Manually fix any remaining lint errors.
-5. **Verify TypeScript configuration:**
+6. **Verify TypeScript configuration:**
    - Ensure the package has a valid `tsconfig.json` that works with the new ESLint config.
    - Run `npx tsc --noEmit` to check for TypeScript compilation errors.
    - Verify that the new ESLint config can properly parse TypeScript files in the package.
-6. **Run tests for the package** to ensure nothing broke.
-7. **Commit changes** with a clear message, e.g.:
+7. **Run tests for the package** to ensure nothing broke.
+8. **Commit changes** with a clear message, e.g.:
    ```
    chore(npm/grep): migrate to @packages/eslint-config and remove legacy eslint-plugin-dev
    ```
 
-### 3. **Open a PR for Each Batch**
+### 4. **Open a PR for Each Batch**
 - Keep each migration PR focused (one batch per PR).
 - List all affected packages in the PR description.
 - Include a checklist for each package:
   - [ ] Removed old ESLint config
   - [ ] Added new config
+  - [ ] Added lint-staged configuration
   - [ ] Ran lint and fixed errors
   - [ ] Ran tests
 
-### 4. **Document Issues or Gaps**
+### 5. **Document Issues or Gaps**
 - If you hit any missing rules or plugin gaps, note them for follow-up.
 - If a package needs a custom override, add it in a local `eslint.config.ts` (prefer to upstream to the shared config if possible).
 
-### 5. **Deprecate and Remove Old Plugin**
+### 6. **Deprecate and Remove Old Plugin**
 - Once all packages are migrated, remove `@cypress/eslint-plugin-dev` from the repo and CI.
 
-### 6. **Simplify Lint-Staged Configuration**
+### 7. **Simplify Lint-Staged Configuration**
 After all packages are migrated, simplify the lint-staged configuration in root `package.json`:
 
 ```json
@@ -152,7 +163,7 @@ After all packages are migrated, simplify the lint-staged configuration in root
 }
 ```
 
-### 7. **Update Lerna/Monorepo Config**
+### 8. **Update Lerna/Monorepo Config**
 - Ensure all packages reference the new config in their `package.json`/`eslint.config.ts`.
 - Update documentation and developer onboarding guides.
 
@@ -317,6 +328,7 @@ For each package, ensure you've completed:
 - [ ] Removed `.eslintrc*` files
 - [ ] Created `eslint.config.ts` with proper configuration
 - [ ] Added required dependencies (`eslint`, `@packages/eslint-config`, `jiti`)
+- [ ] Added lint-staged configuration to `package.json`
 - [ ] Created/updated `tsconfig.json` that extends base config
 - [ ] Updated ESLint scripts (removed `--ext` flag)
 - [ ] Ran `yarn lint` successfully

npm/angular/src/mount.ts

@@ -424,7 +424,10 @@ function setupComponent<T> (
     getComponentOutputs(fixture.componentRef.componentType).forEach((key) => {
       const property = component[key]
 
-      if (property instanceof EventEmitter) {
+      // With the introduction of https://github.com/cypress-io/cypress/pull/31993, we want to make sure that component inputs are reference safe inside cy.mount().
+      // However, the exception to this is if the user passes in a Cypress output spy as a property in order to maintain backwards compatibility.
+      // @ts-expect-error
+      if (property instanceof EventEmitter || (config?.componentProperties?.hasOwnProperty(key) && config?.componentProperties[key] instanceof EventEmitter)) {
       // only assign props if they are passed into the component
         if (config?.componentProperties?.hasOwnProperty(key)) {
         // @ts-expect-error

npm/grep/package.json

@@ -40,6 +40,9 @@
     "cypress",
     "grep"
   ],
+  "lint-staged": {
+    "**/*.{js,jsx,ts,tsx,json}": "eslint --fix"
+  },
   "resolutions": {
     "jiti": "^2.4.2"
   },

package.json

@@ -132,7 +132,6 @@
     "chai": "4.5.0",
     "chai-as-promised": "7.1.1",
     "chalk": "2.4.2",
-    "check-dependencies": "1.1.0",
     "check-more-types": "2.24.0",
     "commander": "6.2.1",
     "common-tags": "1.8.0",
@@ -265,27 +264,7 @@
     ]
   },
   "lint-staged": {
-    "npm/grep/**/*.{js,jsx,ts,tsx}": "yarn lint:fix",
-    "*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "cli/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "packages/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "scripts/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "system-tests/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "tooling/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/angular/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/cypress-schematic/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/eslint-plugin-dev/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/mount-utils/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/puppeteer/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/react/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/svelte/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/vite-dev-server/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/vite-plugin-cypress-esm/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/vue/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/webpack-batteries-included-preprocessor/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/webpack-dev-server/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/webpack-preprocessor/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
-    "npm/xpath/**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
+    "**/*.{js,jsx,ts,tsx,json,eslintrc,vue}": "eslint --fix",
     "*workflows.yml": "node scripts/format-workflow-file.js"
   },
   "resolutions": {

packages/driver/cypress/e2e/commands/cookies.cy.js

@@ -1374,10 +1374,17 @@ describe('src/cy/commands/cookies', () => {
 
       cy.setCookie('five', 'bar')
 
-      // @see https://bugzilla.mozilla.org/show_bug.cgi?id=1624668
-      // TODO(webkit): pw webkit has the same issue as firefox (no "unspecified" state), need a patched binary
-      if (Cypress.isBrowser('firefox') || Cypress.isBrowser('webkit')) {
-        cy.getCookie('five').should('include', { sameSite: 'no_restriction' })
+      // @see https://bugzilla.mozilla.org/show_bug.cgi?id=1550032
+      // Firefox bidi returns "unspecified" for sameSite;
+      // webkit & firefox < 135 return "no_restriction" for sameSite;
+      // other browsers do not return sameSite at all
+      const sameSite = (
+        Cypress.isBrowser('webkit')
+      ) ? 'no_restriction' :
+        Cypress.isBrowser('firefox') ? 'unspecified' : null
+
+      if (sameSite) {
+        cy.getCookie('five').should('include', { sameSite })
       } else {
         cy.getCookie('five').should('not.have.property', 'sameSite')
       }
@@ -1515,7 +1522,7 @@ describe('src/cy/commands/cookies', () => {
           assertLogLength(this.logs, 1)
           expect(lastLog.get('error').message).to.eq(stripIndent`
             If a \`sameSite\` value is supplied to \`cy.setCookie()\`, it must be a string from the following list:
-              > no_restriction, lax, strict
+              > no_restriction, lax, strict, unspecified
             You passed:
               > bad`)
 

packages/driver/cypress/e2e/e2e/e2e_cookies.cy.js

@@ -8,7 +8,7 @@ const cleanse = (cookies) => {
   })
 }
 
-const firefoxDefaultSameSite = Cypress.isBrowser({ family: 'firefox' }) ? { sameSite: 'no_restriction' } : {}
+const firefoxDefaultSameSite = Cypress.isBrowser({ family: 'firefox' }) ? { sameSite: 'unspecified' } : {}
 
 describe('e2e cookies spec', () => {
   it('simple cookie', () => {