Skip to content

Security: Replace vulnerable decompress dependency with unzipper (CVE-2026-53486) #1150

Description

@camilaadimas

Summary

browserstack-cypress-cli depends on decompress@4.2.1, which has a critical path traversal vulnerability (CVE-2026-53486). There is no patched version available upstream — the package has been unmaintained since 2018.

This triggers Dependabot/npm audit critical alerts for all consumers of browserstack-cypress-cli >= 1.24.2.

Affected Files

  • bin/helpers/buildArtifacts.js:14const decompress = require('decompress');
  • bin/helpers/reporterHTML.js:9const decompress = require('decompress');

Proposed Fix

You already have unzipper@^0.12.3 as a dependency, and buildArtifacts.js already uses it as a fallback (line ~160). The natural migration is to:

  1. Replace decompress() calls with unzipper.Extract() in both files
  2. Remove decompress from package.json dependencies

This would eliminate the vulnerability for all downstream consumers without any breaking API changes.

Impact

  • All versions from 1.24.2 to 1.36.12 are affected
  • npm audit reports 2 critical vulnerabilities (decompress itself + browserstack-cypress-cli depending on it)
  • Organizations with zero-critical-alert policies are forced to dismiss or patch

Workaround

Consumers can dismiss the Dependabot alert since the exploitability is low (input comes exclusively from BrowserStack's authenticated HTTPS API), but this is not ideal for compliance.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions