Skip to content

chore(deps): update dependency codeceptjs to v3.7.5 [security]#1145

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-codeceptjs-vulnerability
Open

chore(deps): update dependency codeceptjs to v3.7.5 [security]#1145
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-codeceptjs-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Sep 23, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
codeceptjs (source) 3.7.33.7.5 age confidence

CodeceptJS's incomprehensive sanitation can lead to Command Injection

CVE-2025-57285 / GHSA-34w8-mcwr-vg29

More information

Details

CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

codeceptjs/CodeceptJS (codeceptjs)

v3.7.5

Compare Source

3.7.5

❤️ Thanks all to those who contributed to make this release! ❤️

✨ Features

  • feat: Add configurable sensitive data masking with custom patterns (#​5109)
Backward Compatible Boolean Configuration
// codecept.conf.js
exports.config = {
  maskSensitiveData: true, // Uses built-in patterns for common sensitive data
  // ... other config
}
Advanced Custom Patterns Configuration
// codecept.conf.js
exports.config = {
  maskSensitiveData: {
    enabled: true,
    patterns: [
      {
        name: 'Email',
        regex: /(\b[A-Za-z0-9._%+-]+@​[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b)/gi,
        mask: '[MASKED_EMAIL]'
      },
      {
        name: 'Credit Card',
        regex: /\b(?:\d{4}[- ]?){3}\d{4}\b/g,
        mask: '[MASKED_CARD]'
      },
      {
        name: 'Phone Number',
        regex: /(\+?1[-.\s]?)?\(?([0-9]{3})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{4})/g,
        mask: '[MASKED_PHONE]'
      }
    ]
  },
  // ... other config
}

## Example Output

With the above configuration, sensitive data is automatically masked:

**Before:**

Given I have user email "john.doe@company.com"
And I have credit card "4111 1111 1111 1111"
And I have phone number "+1-555-123-4567"

**After:**

Given I have user email "[MASKED_EMAIL]"
And I have credit card "[MASKED_CARD]"
And I have phone number "[MASKED_PHONE]"
  • feat(playwright): Add Custom Strategy Locators support (#​5090)
exports.config = {
  helpers: {
    Playwright: {
      url: 'http://localhost',
      browser: 'chromium',
      customLocatorStrategies: {
        byRole: (selector, root) => {
          return root.querySelector(`[role="${selector}"]`);
        },
        byTestId: (selector, root) => {
          return root.querySelector(`[data-testid="${selector}"]`);
        },
        byDataQa: (selector, root) => {
          const elements = root.querySelectorAll(`[data-qa="${selector}"]`);
          return Array.from(elements); // Return array for multiple elements
        }
      }
    }
  }
}

And used in tests with the same syntax as other locator types:

I.click({byRole: 'button'});           // Find by role attribute
I.see('Welcome', {byTestId: 'title'}); // Find by data-testid
I.fillField({byDataQa: 'email'}, 'test@example.com');
  • feat(reporter): Enable HTML reporter by default in new projects (#​5105)
plugins: {
  htmlReporter: {
    enabled: true
  }
}

HTML report

  • feat(cli): make test file hyperlink clickable (#​5078) - by @​kobenguyent
    test file hyperlink clickable

  • feat: Introduce CodeceptJS WebElement Class to mirror helpers’ element instance (#​5091)

Unified API Methods
  • Element Properties: getText(), getAttribute(), getProperty(), getInnerHTML(), getValue()
  • Element State: isVisible(), isEnabled(), exists(), getBoundingBox()
  • Element Interactions: click(), type()
  • Child Element Search: $() and $$() methods for finding sub-elements
  • Native Access: getNativeElement() and getHelper() for advanced operations
Updated Helper Methods
  • grabWebElement() and grabWebElements() now return WebElement instances instead of native elements
  • Added missing grabWebElement() method to WebDriver and Puppeteer helpers
  • Maintains backward compatibility through getNativeElement() method
// Works consistently across all helpers
const element = await I.grabWebElement('#button');
const text = await element.getText();
const childElements = await element.$$('.child');
await element.click();

// Element searching within elements
const form = await I.grabWebElement('#contact-form');
const nameInput = await form.$('#name');
await nameInput.type('John Doe');
  • feat: support feature.only like Scenario.only (#​5087)
    Example:

    Feature.only('Checkout Flow', () => {
      Scenario('complete order', ({ I }) => {
        // test steps here
      });
    });

🐛 Bug Fixes

  • fix(utils): resolve command injection vulnerability in emptyFolder (#​5190) - by @​mhassan1
  • bugfix: prevent WebDriver error without Bidi protocol (#​5095) - by @​ngraf
  • fix(playwright): relaunch browser correctly with restart: 'session' in run-workers --by pool (#​5118) - by @​Samuel-StO
  • fix: JSONResponse helper to preserve original onResponse behavior (#​5106) - by @​myprivaterepo
  • fix: use platformName for mobile click detection (Android touchClick bug) (#​5107) - by @​mirao
  • fix: Properly stop network traffic recording (#​5127) - by @​Samuel-StO
  • fix: mocha retries losing CodeceptJS-specific properties (#​5099)
  • fix: missing codeceptjs/effects types (#​5094) - by @​kobenguyent
  • fix: tryTo steps appearing in test failure traces (#​5088)
  • fix: JUnit XML test case name inconsistency with retries (#​5082)
  • fix: waitForText timeout regression in Playwright helper (#​5093)
  • fix(Playwright): I.waitForText() caused unexpected delay (#​5077)
  • fix: I.seeResponseContainsJson not working (#​5081)

New Contributors

Full Changelog: codeceptjs/CodeceptJS@3.7.4...3.7.5

v3.7.4

Compare Source

3.7.4

❤️ Thanks all to those who contributed to make this release! ❤️

🛩️ Features

  • Test Suite Shuffling: Randomize test execution order to discover test dependencies and improve test isolation (#​5051) - by @​NivYarmus

    # Shuffle tests to find order-dependent failures using lodash.shuffle algorithm
    npx codeceptjs run --shuffle
    
    # Combined with grep and other options
    npx codeceptjs run --shuffle --grep "@​smoke" --steps
  • Enhanced Interactive Debugging: Better logging for I.grab* methods in live interactive mode for clearer debugging output (#​4986) - by @​owenizedd

    // Interactive pause() now shows detailed grab results with JSON formatting
    I.amOnPage('/checkout')
    pause()  // Interactive shell started
    > I.grabTextFrom('.price')
    Result $res= "Grabbed text: $29.99"  // Pretty-printed JSON output
    > I.grabValueFrom('input[name="email"]')
    {"value":"user@example.com"}  // Structured JSON response

    🐛 Bug Fixes

  • Playwright Session Traces: Fixed trace file naming convention and improved error handling for multi-session test scenarios (#​5073) - by @​julien-ft-64 @​kobenguyent

    // Example outputs:
    // - a1b2c3d4-e5f6_checkout_login_test.failed.zip
    // - b2c3d4e5-f6g7_admin_dashboard_test.failed.zip

    Trace files use UUID prefixes with sessionName_testTitle.status.zip format

  • Worker Data Injection: Resolved proxy object serialization preventing data sharing between parallel test workers (#​5072) - by @​kobenguyent

    // Fixed: Complex objects can now be properly shared and injected between workers
    // Bootstrap data sharing in codecept.conf.js:
    exports.config = {
      bootstrap() {
        share({
          userData: { id: 123, preferences: { theme: 'dark' } },
          apiConfig: { baseUrl: 'https://api.test.com', timeout: 5000 },
        })
      },
    }
    
    // In tests across different workers:
    const testData = inject()
    console.log(testData.userData.preferences.theme) // 'dark' - deep nesting works
    console.log(Object.keys(testData)) // ['userData', 'apiConfig'] - key enumeration works
    
    // Dynamic sharing during test execution:
    share({ newData: 'shared across workers' })
  • Hook Exit Codes: Fixed improper exit codes when test hooks fail, ensuring CI/CD pipelines properly detect failures (#​5058) - by @​kobenguyent

    # Before: Exit code 0 even when beforeEach/afterEach failed
    # After: Exit code 1 when any hook fails, properly failing CI builds
  • TypeScript Effects Support: Added complete TypeScript definitions for effects functionality (#​5027) - by @​kobenguyent

    // Import effects with full TypeScript type definitions
    import { tryTo, retryTo, within } from 'codeceptjs/effects'
    
    // tryTo returns Promise<boolean> for conditional actions
    const success: boolean = await tryTo(async () => {
      await I.see('Cookie banner')
      await I.click('Accept')
    })
    
    // retryTo with typed parameters for reliability
    await retryTo(() => {
      I.click('Submit')
      I.see('Success')
    }, 3) // retry up to 3 times

    Note: Replaces deprecated global plugins - import from 'codeceptjs/effects' module

  • Mochawesome Screenshot Uniqueness: Fixed screenshot naming to prevent test failures from being overwritten when multiple tests run at the same time (#​4959) - by @​Lando1n

    // Problem: When tests run in parallel, screenshots had identical names
    // This caused later test screenshots to overwrite earlier ones
    
    // Before: All failed tests saved as "screenshot.png"
    // Result: Only the last failure screenshot was kept
    
    // After: Each screenshot gets a unique name with timestamp
    // Examples:
    // - "login_test_1645123456.failed.png"
    // - "checkout_test_1645123789.failed.png"
    // - "profile_test_1645124012.failed.png"
    
    // Configuration in codecept.conf.js:
    helpers: {
      Mochawesome: {
        uniqueScreenshotNames: true // Enable unique naming
      }
    }

    Ensures every failed test keeps its own screenshot for easier debugging

📖 Documentation

New Contributors

Full Changelog: codeceptjs/CodeceptJS@3.7.3...3.7.4


Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Sep 23, 2025
@renovate renovate Bot requested review from a team as code owners September 23, 2025 23:56
@renovate renovate Bot requested review from danielwilsonkainos, jyothi-balla and reespozzi and removed request for a team September 23, 2025 23:56
@renovate renovate Bot enabled auto-merge (squash) October 17, 2025 12:04
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch 2 times, most recently from 50fe279 to 77dee8b Compare October 21, 2025 19:16
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from 77dee8b to a455c05 Compare November 10, 2025 22:50
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from a455c05 to 33933a7 Compare November 18, 2025 23:14
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from 33933a7 to 8c99204 Compare December 3, 2025 17:04
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch 2 times, most recently from 94033ca to cce6ca0 Compare December 19, 2025 13:06
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from cce6ca0 to 8052010 Compare December 19, 2025 23:40
@hmcts-jenkins-j-to-z hmcts-jenkins-j-to-z Bot requested a deployment to preview December 22, 2025 09:45 Abandoned
@renovate renovate Bot changed the title chore(deps): update dependency codeceptjs to v3.7.5 [security] chore(deps): update dependency codeceptjs to v3.7.5 [security] - autoclosed Jan 14, 2026
@renovate renovate Bot closed this Jan 14, 2026
auto-merge was automatically disabled January 14, 2026 03:15

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-codeceptjs-vulnerability branch January 14, 2026 03:15
@renovate renovate Bot changed the title chore(deps): update dependency codeceptjs to v3.7.5 [security] - autoclosed chore(deps): update dependency codeceptjs to v3.7.5 [security] Jan 14, 2026
@renovate renovate Bot reopened this Jan 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch 2 times, most recently from 8052010 to 9b54f56 Compare January 14, 2026 08:10
@renovate renovate Bot enabled auto-merge (squash) January 14, 2026 12:57
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from 9b54f56 to da06512 Compare January 19, 2026 17:38
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from da06512 to 331a758 Compare February 2, 2026 21:04
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch 2 times, most recently from 423c924 to ed16deb Compare February 17, 2026 22:34
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from ed16deb to bf997ca Compare March 5, 2026 19:52
@renovate renovate Bot changed the title chore(deps): update dependency codeceptjs to v3.7.5 [security] chore(deps): update dependency codeceptjs to v3.7.5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 03:05

Pull request was closed

@renovate renovate Bot changed the title chore(deps): update dependency codeceptjs to v3.7.5 [security] - autoclosed chore(deps): update dependency codeceptjs to v3.7.5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from bf997ca to 44f2211 Compare March 30, 2026 21:35
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from 44f2211 to f4ee231 Compare April 8, 2026 21:16
@renovate renovate Bot enabled auto-merge (squash) April 8, 2026 21:16
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from f4ee231 to c31c011 Compare April 27, 2026 12:43
@renovate renovate Bot changed the title chore(deps): update dependency codeceptjs to v3.7.5 [security] chore(deps): update dependency codeceptjs to v3.7.5 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 17:21

Pull request was closed

@renovate renovate Bot changed the title chore(deps): update dependency codeceptjs to v3.7.5 [security] - autoclosed chore(deps): update dependency codeceptjs to v3.7.5 [security] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch 2 times, most recently from c31c011 to 521587b Compare April 28, 2026 00:11
@renovate renovate Bot enabled auto-merge (squash) April 29, 2026 21:03
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from 521587b to ffc287d Compare April 29, 2026 21:03
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from ffc287d to 9b7c724 Compare May 12, 2026 18:02
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch 2 times, most recently from a0b42aa to cdb7e6b Compare June 2, 2026 03:50
@renovate renovate Bot force-pushed the renovate/npm-codeceptjs-vulnerability branch from cdb7e6b to 866d4cd Compare June 11, 2026 22:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ns:rpe prd:rpe

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants