Summary
browserstack-cypress-cli depends on decompress@4.2.1, which has a critical path traversal vulnerability (CVE-2026-53486). There is no patched version available upstream — the package has been unmaintained since 2018.
This triggers Dependabot/npm audit critical alerts for all consumers of browserstack-cypress-cli >= 1.24.2.
Affected Files
bin/helpers/buildArtifacts.js:14 — const decompress = require('decompress');
bin/helpers/reporterHTML.js:9 — const decompress = require('decompress');
Proposed Fix
You already have unzipper@^0.12.3 as a dependency, and buildArtifacts.js already uses it as a fallback (line ~160). The natural migration is to:
- Replace
decompress() calls with unzipper.Extract() in both files
- Remove
decompress from package.json dependencies
This would eliminate the vulnerability for all downstream consumers without any breaking API changes.
Impact
- All versions from 1.24.2 to 1.36.12 are affected
- npm audit reports 2 critical vulnerabilities (decompress itself + browserstack-cypress-cli depending on it)
- Organizations with zero-critical-alert policies are forced to dismiss or patch
Workaround
Consumers can dismiss the Dependabot alert since the exploitability is low (input comes exclusively from BrowserStack's authenticated HTTPS API), but this is not ideal for compliance.
References
Summary
browserstack-cypress-clidepends ondecompress@4.2.1, which has a critical path traversal vulnerability (CVE-2026-53486). There is no patched version available upstream — the package has been unmaintained since 2018.This triggers Dependabot/npm audit critical alerts for all consumers of
browserstack-cypress-cli >= 1.24.2.Affected Files
bin/helpers/buildArtifacts.js:14—const decompress = require('decompress');bin/helpers/reporterHTML.js:9—const decompress = require('decompress');Proposed Fix
You already have
unzipper@^0.12.3as a dependency, andbuildArtifacts.jsalready uses it as a fallback (line ~160). The natural migration is to:decompress()calls withunzipper.Extract()in both filesdecompressfrompackage.jsondependenciesThis would eliminate the vulnerability for all downstream consumers without any breaking API changes.
Impact
Workaround
Consumers can dismiss the Dependabot alert since the exploitability is low (input comes exclusively from BrowserStack's authenticated HTTPS API), but this is not ideal for compliance.
References