Skip to content
This repository was archived by the owner on Nov 18, 2025. It is now read-only.

Update dependency codeceptjs to v3.7.5 [SECURITY] #204

Open
renovate wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Update dependency codeceptjs to v3.7.5 [SECURITY] #204

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 8, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
codeceptjs (source) 3.5.15 -> 3.7.5 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-57285

CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary commands.

Release Notes

Codeception/codeceptjs (codeceptjs)

v3.7.5

Compare Source

❤️ Thanks all to those who contributed to make this release! ❤️

v3.7.4

Compare Source

❤️ Thanks all to those who contributed to make this release! ❤️

🛩️ Features

  • Test Suite Shuffling: Randomize test execution order to discover test dependencies and improve test isolation (#​5051) - by @​NivYarmus

    

    • 



v3.7.3


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



➜  helloworld npx codeceptjs info
Environment information:

codeceptVersion:  "3.7.2"
nodeInfo:  18.19.0
osInfo:  macOS 14.4
cpuInfo:  (8) x64 Apple M1 Pro
osBrowsers:  "chrome: 133.0.6943.143, edge: 133.0.3065.92, firefox: not installed, safari: 17.4"
playwrightBrowsers:  "chromium: 133.0.6943.16, firefox: 134.0, webkit: 18.2"
helpers:  {
"Playwright": {
"url": "http://localhost",
...



🐛 Bug Fixes



v3.7.2


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



🐛 Bug Fixes


    

  • fix(stepByStepReport): no records html is generated when running with run-workers (#​4638)
    • 

  • fix(webdriver): bidi error in log with webdriver (#​4850)
    • 

  • fix(types): TS types of methods (Feature|Scenario)Config.config (#​4851)
    • 

  • fix: redundant popup log (#​4830)
    • 

  • fix(webdriver): grab browser logs using bidi protocol (#​4754)
    • 

  • fix(webdriver): screenshots for sessions (#​4748)
    • 



📖 Documentation



v3.7.1


Compare Source


    

  • Fixed reading charAt error in asyncWrapper.js
    • 



v3.7.0


Compare Source


This release introduces major new features and internal refactoring. It is an important step toward the 4.0 release planned soon, which will remove all deprecations introduced in 3.7.


🛩️ Features


🔥 Native Element Functions


A new Els API for direct element interactions has been introduced. This API provides low-level element manipulation functions for more granular control over element interactions and assertions:


    

  • element() - perform custom operations on first matching element
    • 

  • eachElement() - iterate and perform operations on each matching element
    • 

  • expectElement() - assert condition on first matching element
    • 

  • expectAnyElement() - assert condition matches at least one element
    • 

  • expectAllElements() - assert condition matches all elements
    • 



Example using all element functions:


const { element, eachElement, expectElement, expectAnyElement, expectAllElements } = require('codeceptjs/els')

// ...

Scenario('element functions demo', async ({ I }) => {
  // Get attribute of first button
  const attr = await element('.button', async el => await el.getAttribute('data-test'))

  // Log text of each list item
  await eachElement('.list-item', async (el, idx) => {
    console.log(`Item ${idx}: ${await el.getText()}`)
  })

  // Assert first submit button is enabled
  await expectElement('.submit', async el => await el.isEnabled())

  // Assert at least one product is in stock
  await expectAnyElement('.product', async el => {
    return (await el.getAttribute('data-status')) === 'in-stock'
  })

  // Assert all required fields have required attribute
  await expectAllElements('.required', async el => {
    return (await el.getAttribute('required')) !== null
  })
})


Els functions expose the native API of Playwright, WebDriver, and Puppeteer helpers. The actual el API will differ depending on which helper is used, which affects test code interoperability.


🔮 Effects introduced


Effects is a new concept that encompasses all functions that can modify scenario flow. These functions are now part of a single module. Previously, they were used via plugins like tryTo and retryTo. Now, it is recommended to import them directly:


const { tryTo, retryTo } = require('codeceptjs/effects')

Scenario(..., ({ I }) => {
  I.amOnPage('/')
  // tryTo returns boolean if code in function fails
  // use it to execute actions that may fail but not affect the test flow
  // for instance, for accepting cookie banners
  const isItWorking = tryTo(() => I.see('It works'))

  // run multiple steps and retry on failure
  retryTo(() => {
    I.click('Start Working!');
    I.see('It works')
  }, 5);
})


Previously tryTo and retryTo were available globally via plugins. This behavior is deprecated as of 3.7 and will be removed in 4.0. Import these functions via effects instead. Similarly, within will be moved to effects in 4.0.


check command added


npx codeceptjs check



This command can be executed locally or in CI environments to verify that tests can be executed correctly.


It checks:


    

  • configuration
    • 

  • tests
    • 

  • helpers
    • 



And will attempt to open and close a browser if a corresponding helper is enabled. If something goes wrong, the command will fail with a message. Run npx codeceptjs check on CI before actual tests to ensure everything is set up correctly and all services and browsers are accessible.


For GitHub Actions, add this command:


steps:


v3.6.10


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🐛 Bug Fixes

fix(cli): missing failure counts when there is failedHooks (#​4633) - by @​kobenguyent


v3.6.9


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🐛 Hot Fixes

fix: could not run tests due to missing invisi-data lib - by @​kobenguyent


v3.6.8


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



export const config: CodeceptJS.MainConfig = {
  tests:  '**/*.e2e.test.ts',
  retry: 4,
  output: './output',
  maskSensitiveData: true,
  emptyOutputFolder: true,
...

    I login {"username":"helloworld@test.com","password": "****"}
      I send post request "https://localhost:8000/login", {"username":"helloworld@test.com","password": "****"}
      › [Request] {"baseURL":"https://localhost:8000/login","method":"POST","data":{"username":"helloworld@test.com","password": "****"},"headers":{}}
      › [Response] {"access-token": "****"}




I.sendDeleteRequestWithPayload('/api/users/1', { author: 'john' })


🐛 Bug Fixes



> codeceptjs dry-run --steps --grep "(?=.*Checkout process)"



Add hint to "I.seeEmailAttachment" that under the hood parameter is treated as RegExp.
When you don't know it, it can cause a lot of pain, wondering why your test fails with I.seeEmailAttachment('Attachment(1).pdf') although it looks just fine, but actually I.seeEmailAttachment('Attachment\\(1\\).pdf is required to make the test green, in case the attachment is called "Attachment(1).pdf" with special character in it.




📖 Documentation



v3.6.7


Compare Source


v3.6.6


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



Zero-configuration when paired with other helpers like REST, Playwright:


// inside codecept.conf.js
{
  helpers: {
    Playwright: {...},
    SoftExpectHelper: {},
  }
}


// in scenario
I.softExpectEqual('a', 'b')
I.flushSoftAssertions() // Throws an error if any soft assertions have failed. The error message contains all the accumulated failures.



🐛 Bug Fixes



// fix the validation of httpAgent config. we could now pass ca, instead of key/cert.
{
  helpers: {
    REST: {
      endpoint: 'http://site.com/api',
      prettyPrintJson: true,
      httpAgent: {
         ca: fs.readFileSync(__dirname + '/path/to/ca.pem'),
         rejectUnauthorized: false,
         keepAlive: true
      }
    }
  }
}


📖 Documentation



v3.6.5


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



it('should wait for input text field to be disabled', () =>
      I.amOnPage('/form/wait_disabled').then(() => I.waitForDisabled('#text', 1)))

    it('should wait for input text field to be enabled by xpath', () =>
      I.amOnPage('/form/wait_disabled').then(() => I.waitForDisabled("//*[@​name = 'test']", 1)))

    it('should wait for a button to be disabled', () =>
      I.amOnPage('/form/wait_disabled').then(() => I.waitForDisabled('#text', 1)))

Waits for element to become disabled (by default waits for 1sec).
Element can be located by CSS or XPath.

@​param {CodeceptJS.LocatorOrString} locator element located by CSS|XPath|strict locator.
@​param {number} [sec=1] (optional) time in seconds to wait, 1 by default.
@​returns {void} automatically synchronized promise through #recorder



🐛 Bug Fixes



📖 Documentation



v3.6.4


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



Config:

...
REST: {
 ...
 printCurl: true,
 ...
}
...

› [CURL Request] curl --location --request POST https://httpbin.org/post -H ...



    

  • feat(AI): Generate PageObject, added types, shell improvement (#​4319) - by @​DavertMik

      

    • added askForPageObject method to generate PageObjects on the fly
      • 

    • improved AI types
      • 

    • interactive shell improved to restore history
      • 

    

    • 



Screenshot from 2024-06-17 02-47-37


🐛 Bug Fixes



📖 Documentation



v3.6.3


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



🐛 Bug Fixes



📖 Documentation



v3.6.2


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🛩️ Features



Support the httpAgent conf to create the TSL connection via REST helper


{
  helpers: {
    REST: {
      endpoint: 'http://site.com/api',
      prettyPrintJson: true,
      httpAgent: {
         key: fs.readFileSync(__dirname + '/path/to/keyfile.key'),
         cert: fs.readFileSync(__dirname + '/path/to/certfile.cert'),
         rejectUnauthorized: false,
         keepAlive: true
      }
    }
  }
}




Currently only screenshot of the active session is saved, this PR aims to save the screenshot of every session for easy debugging


Scenario('should save screenshot for sessions @​WebDriverIO @​Puppeteer @​Playwright', async ({ I }) => {
  await I.amOnPage('/form/bug1467');
  await I.saveScreenshot('original.png');
  await I.amOnPage('/');
  await I.saveScreenshot('main_session.png');
  session('john', async () => {
    await I.amOnPage('/form/bug1467');
    event.dispatcher.emit(event.test.failed, this);
  });

  const fileName = clearString('should save screenshot for active session @​WebDriverIO @​Puppeteer @​Playwright');
  const [original, failed] = await I.getSHA256Digests([
    `${output_dir}/original.png`,
    `${output_dir}/john_${fileName}.failed.png`,
  ]);

  // Assert that screenshots of same page in same session are equal
  await I.expectEqual(original, failed);

  // Assert that screenshots of sessions are created
  const [main_original, session_failed] = await I.getSHA256Digests([
    `${output_dir}/main_session.png`,
    `${output_dir}/john_${fileName}.failed.png`,
  ]);
  await I.expectNotEqual(main_original, session_failed);
});



Screenshot 2024-04-29 at 11 07 47



Find an element with class attribute


// find div with class contains 'form'
locate('div').withClassAttr('text')


    

  • fix(playwright): set the record video resolution (#​4311) - by @​KobeNguyent
    
You could now set the recording video resolution
    • 



  url: siteUrl,
  windowSize: '300x500',
  show: false,
  restart: true,
  browser: 'chromium',
  trace: true,
  video: true,
  recordVideo: {
    size: {
      width: 400,
      height: 600,
    },
  },



🐛 Bug Fixes



📖 Documentation



v3.6.1


Compare Source


❤️ Thanks all to those who contributed to make this release! ❤️


🐛 Bug Fixes

fix(cli): missing failure counts when there is failedHooks (#​4633) - by @​kobenguyent


v3.6.0


Compare Source


🛩️ Features


    

  • Introduced healers to improve stability of failed tests. Write functions that can perform actions to fix a failing test:
    • 



heal.addRecipe('reloadPageIfModalIsNotVisisble', {
  steps: ['click'],
  fn: async ({ error, step }) => {
    // this function will be executed only if test failed with
    // "model is not visible" message
    if (error.message.include('modal is not visible')) return

    // we return a function that will refresh a page
    // and tries to perform last step again
    return async ({ I }) => {
      I.reloadPage()
      I.wait(1)
      await step.run()
    }
    // if a function succeeds, test continues without an error
  },
})


    

  • 

    Breaking Change AI features refactored. Read updated AI guide:
    

      

    • removed dependency on openai
      • 

    • added support for Azure OpenAI, Claude, Mistal, or any AI via custom request function
      • 

    • --ai option added to explicitly enable AI features
      • 

    • heal plugin decoupled from AI to run custom heal recipes
      • 

    • improved healing for async/await scenarios
      • 

    • token limits added
      • 

    • token calculation introduced
      • 

    • OpenAI helper renamed to AI
      • 

    

    • 

  • 

    feat(puppeteer): network traffic manipulation. See #​4263 by @​KobeNguyenT
    

      

    • startRecordingTraffic
      • 

    • grabRecordedNetworkTraffics
      • 

    • flushNetworkTraffics
      • 

    • stopRecordingTraffic
      • 

    • seeTraffic
      • 

    • dontSeeTraffic
      • 

    

    • 

  • 

    feat(Puppeteer): recording WS messages. See #​4264 by @​KobeNguyenT
    

    • 



Recording WS messages:


      I.startRecordingWebSocketMessages();
      I.amOnPage('https://websocketstest.com/');
      I.waitForText('Work for You!');
      const wsMessages = I.grabWebSocketMessages();
      expect(wsMessages.length).to.greaterThan(0);



flushing WS messages:


      I.startRecordingWebSocketMessages();
      I.amOnPage('https://websocketstest.com/');
      I.waitForText('Work for You!');
      I.flushWebSocketMessages();
      const wsMessages = I.grabWebSocketMessages();
      expect(wsMessages.length).to.equal(0);



Examples:


// recording traffics and verify the traffic
I.startRecordingTraffic()
I.amOnPage('https://codecept.io/')
I.seeTraffic({ name: 'traffics', url: 'https://codecept.io/img/companies/BC_LogoScreen_C.jpg' })


// check the traffic with advanced params
I.amOnPage('https://openai.com/blog/chatgpt')
I.startRecordingTraffic()
I.seeTraffic({
  name: 'sentry event',
  url: 'https://images.openai.com/blob/cf717bdb-0c8c-428a-b82b-3c3add87a600',
  parameters: {
    width: '1919',
    height: '1138',
  },
})



Scenario('using playwright locator @​Playwright', () => {
  I.amOnPage('https://codecept.io/test-react-calculator/');
  I.click('7');
  I.click({ pw: '_react=t[name = "="]' });
  I.seeElement({ pw: '_react=t[value = "7"]' });
  I.click({ pw: '_react=t[name = "+"]' });
  I.click({ pw: '_react=t[name = "3"]' });
  I.click({ pw: '_react=t[name = "="]' });
  I.seeElement({ pw: '_react=t[value = "10"]' });
});



Scenario('using playwright data-testid attribute @​Playwright', () => {
    I.amOnPage('/');
    const webElements = await I.grabWebElements({ pw: '[data-testid="welcome"]' });
    assert.equal(webElements[0]._selector, '[data-testid="welcome"] >> nth=0');
    assert.equal(webElements.length, 1);
});




Network requests & responses can be mocked and modified. Use mockRoute which strictly follows Puppeteer's setRequestInterception API.


I.mockRoute('https://reqres.in/api/comments/1', request => {
  request.respond({
    status: 200,
    headers: { 'Access-Control-Allow-Origin': '*' },
    contentType: 'application/json',
    body: '{"name": "this was mocked" }',
  });
})



I.mockRoute('**/*.{png,jpg,jpeg}', route => route.abort());

// To disable mocking for a route call `stopMockingRoute`
// for previously mocked URL
I.stopMockingRoute('**/*.{png,jpg,jpeg}');



To master request intercepting use HTTPRequest object passed into mock request handler.


🐛 Bug Fixes







Configuration


📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).


🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.


Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.


🔕 Ignore: Close this PR and you won't be reminded about this update again.




    

  •  If you want to rebase/retry this PR, check this box
    • 





This PR was generated by Mend Renovate. View the repository job log.


    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



          

        
      




  




      

       
            



      

  
            


    

    

      
    

    


      


          @renovate
renovate
bot



        changed the title
chore(deps): update dependency codeceptjs to v3.7.5 [security]

Update dependency codeceptjs to v3.7.5 [SECURITY]


      Oct 16, 2025

    

  



  

  
  

  
      @renovate
  renovate
bot

        force-pushed
    the
        
      
  renovate/npm-codeceptjs-vulnerability


    
 branch
    from
    416d08a    to
    508dfc1      
    Compare
  



    October 21, 2025 09:32    
    









      

  
        





      

  
          

  
  

  
      @renovate
  renovate
bot

        force-pushed
    the
        
      
  renovate/npm-codeceptjs-vulnerability


    
 branch
    from
    508dfc1    to
    6d4662b      
    Compare
  



    October 22, 2025 09:45    
    













  
  

    

      

  




      


    


    

      

        
     

  
      Sign up for free
      to subscribe to this conversation on GitHub.
      Already have an account?
      Sign in.


  


      

    

  




  
          



      

  

    
    

    

  

    Reviewers
  


    

    No reviews






    

    

  


      
  

    Assignees
  



        


    No one assigned







      


  


  

    Labels
  



    

      

    dependencies

  

    type:security









      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
      

  

    

      1 participant