Andrew Goldis

Cypress.io Blocking of Sorry Cypress and Currents

On September 27, 2023, Cypress.io activated blocking that affected Sorry Cypress users and Currents customers. This blog post breaks down the technical implementation of the blocking, analyses the reasons and clarifies Currents' position.

TL;DR

Cypress.io decided to block Currents, Sorry Cypress and DeploySentinel.

We are suspending our support of integration with Cypress starting from version 13.

We will continue to support prior versions of Cypress and provide assistance to the affected customers. Please contact our support channels for details.

We are seeing massive adoption of Playwright as the preferred testing framework. If you are interested in migrating your workflows to Playwright, we will be happy to be your partner during and after the transition.

We sincerely apologize for the interruption of your workflows and any inconvenience caused by those events.

See the Technical Analysis below.

Starting September 27, 2023, Sorry Cypress users and Currents customers started seeing the following message while trying to use one of our tools:

We've detected that you're using a 3rd party library that is not supported by Cypress: cypress-debugger. To continue running Cypress, please remove this library or reach out for help migrating.

The message is accompanied by a link to a blog post:

Cypress.io Blog Post, September 25, 2023, https://www.cypress.io/blog/2023/09/25/defense-intellectual-property/

Cypress.io leadership mentions multiple topics without being specific: what plugins are being blocked, what are the criteria for blocking the plugins, and what are the third parties involved?

I had a few guesses; let me share them with you. Here's a list of currently blocked plugins.

  • cypress-cloud

It is a plugin that allows running Cypress tests in parallel and recording test results to alternative services like Sorry Cypress and Currents, skipping Cypress Cloud.

  • @deploysentinel/cypress-parallel

It is a fork of cypress-cloud used by DeploySentinel (see below) to integrate with their recording dashboard.

  • @deploysentinel/cypress-debugger

In the summer of 2022, DeploySentinel, a small YC (S22) company, released an innovative DeploySentinel Cypress Debugger Plugin. The plugin allowed capturing everything that happens in Cypress runs and replaying it later using a cloud dashboard. The plugin is very helpful for troubleshooting failing CI tests. DeploySentinel also provided orchestration and parallelization by running a managed Sorry Cypress instance.

  • cypress-debugger

Inspired by DeploySentinel and Playwright Traces, Currents created a similar tool, available under the cypress-debugger umbrella. The plugin doesn't require access to any dashboard - it is standalone, open-source and free to use. It creates a "trace" file that you can store on your CI-attached storage and later replay in a browser (https://cypress-debugger.dev), similar to how Playwright Traces work.

Bottom line - those packages undermine Cypress.io's attempts to monetize the ecosystem, and thus are being blocked. See the full list of the blocked plugins in the Technical Analysis.

Reasons Behind the Blocking

Given the list of blocked plugins, it is now clear what parties Cypress.io leadership is referring to. The disclosure of not being able “to reach an agreement” is surprising, given that the mere existence of such attempts is usually covered by non-disclosure agreements.

Cypress is truly a great product - it revolutionized frontend development and testing, focusing on developers' experience and ease of use. Cypress has gained popularity and support, and it leveraged the open-source angle in its distribution model, public messaging and marketing strategies.

Although Cypress, the tool, reached great adoption, Cypress.io, the company, needs to better monetize its “free” users to meet its financial goals. The economic climate, combined with major shifts in the testing industry, escalated the urge to act and triggered a series of private and public actions. Not all of those actions are "ethical business practice".

Sorry Cypress and Currents never intended to derail Cypress.io, its investors or employees. Instead, we have been focusing on helping our customers and users, using the modest resources we have.

Sorry Cypress is a community project built independently over 4 years by ~50 contributors. Currents is the commercial evolution of it, built solely based on our customers' requests and community feedback. We share our free tools (cypress-debugger, cypress-cloud) with the community, using the MIT-licensed Cypress app as a platform.

We’ve been keeping companies within the Cypress ecosystem, preventing migration to alternative frameworks. We barely advertised our services - each of those companies and individuals had a reason to use an alternative. We’ve gained support from open-source enthusiasts, businesses, Cypress Ambassadors, and, surprisingly, even Cypress.io employees.

Currents Response

We realize that the current way of integrating with Cypress as a platform is no longer feasible. It creates uncertainty for our users and customers, and a toxic, counter-productive tension for all involved.

Currents will suspend supporting its integration with Cypress starting from version 13.

We will continue supporting the previous versions of Cypress and will help our customers to adjust to that change.

Meanwhile, we are exploring options for providing a stable, independent and safe solution that doesn't provoke Cypress.io and ensures long-term peace of mind for our supporters and customers.

We sincerely apologize to the affected customers and users. We met many of you personally, listened to your feedback, and hopefully, were able to help you and your organization. We will assist the affected customers with adjusting to the change. Please contact our support channels for details.

We also want to use this opportunity to highlight our integration with Playwright 🎭. Many companies are already looking to switch or are in the process of adopting Playwright. We will be happy to be your partner during and after the transition, assisting in migrating your workflows to Playwright or alternative solutions.

Technical Analysis

Intro

Cypress.io already tried to implement technical blocking - first by adding integrity checks, then by improving network security. Later there were attempts to monetize Sorry Cypress via Cypress Cloud Gateway Connector. Now they are explicitly blocking our plugins.

As background, a Cypress installation has 2 components:

  • an npm package - a lightweight NodeJS wrapper that parses command line flags, then downloads and runs a platform-specific Electron binary application.
  • an Electron application - platform-specific binary code, hosted on the Cypress.io CDN and usually pre-installed and cached on Docker images.

The blocking is "injected" into the compiled binary app during the build process.

Affected Distributions

As of Oct 04, 2023, only Linux distributions for versions 13.2.0+ are affected. That's the most popular platform for CI environments. You can reproduce our findings by running Cypress with one of the packages installed in a Docker container.

Edit November 12, 2023: As of November 07, 2023, the Cypress.io team expanded the blocking to Linux distributions of Cypress versions 12.1.0+, causing a widespread disruption to Cypress users. We are now hosting blocking-free versions of Cypress 12 and below to prevent further interruptions of our users' and customers' workflows.

Blocking Implementation

Affected NPM packages

At launch, Cypress scans the contents of the local node_modules directory, looking for specific packages:

- @deploysentinel/cypress-debugger
- @deploysentinel/cypress-parallel

- cypress-debugger
- @currents/cypress-debugger-support
- @currents/cypress-debugger-plugin

- cypress-cloud
- cypress-debug
- cypress-vscode

Edit October 11, 2023: Due to broader community interest and to avoid any confusion: all packages listed above are owned by or affiliated with Currents, Sorry Cypress or DeploySentinel - we did not discover other affected authors.

If any of those packages is present in the local node_modules directory, regardless of being used, Cypress will halt the execution. Please refer to the example GitHub repository - it includes reproducible steps that confirm our findings.

Local Filesystem Packages

In addition, Cypress reads package.json of the direct filesystem dependencies defined as file:/. For example:

"packageName": "file:/path/to/local/package"

Cypress will read its package.json author field and block if the value is:

  • DeploySentinel
  • or Currents Software Inc

Blocked Configuration Files

Additionally, Cypress will not work if you have a currents.config.* file in the project's root directory.

Tech Analysis Summary

The sole presence of those dependencies or files in your project will trigger the error with an offer to "migrate".
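
An added example, not code from Cypress or from the original post: a Node.js preflight audit that reports which of the three checks described above a project directory would hit. The names `auditProject` and `buildSampleProject` are hypothetical, the sample project is constructed, and exact matching of the author value is an assumption.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Package names and author values are the ones listed on this page.
const BLOCKED_PACKAGES = [
  '@deploysentinel/cypress-debugger', '@deploysentinel/cypress-parallel',
  'cypress-debugger', '@currents/cypress-debugger-support',
  '@currents/cypress-debugger-plugin', 'cypress-cloud', 'cypress-debug', 'cypress-vscode',
];
const BLOCKED_AUTHORS = ['DeploySentinel', 'Currents Software Inc'];

const readJson = (f) => { try { return JSON.parse(fs.readFileSync(f, 'utf8')); } catch { return null; } };
// "author" may be a string or an object with a "name" field.
const authorOf = (pkg) => {
  const a = pkg ? pkg.author : '';
  return String(typeof a === 'string' ? a : (a && a.name) || '').trim();
};

// Hypothetical helper: list which of the three described checks a project would hit.
function auditProject(root) {
  const findings = [];
  for (const name of BLOCKED_PACKAGES) { // 1. presence in node_modules, used or not
    if (fs.existsSync(path.join(root, 'node_modules', name))) findings.push(`node_modules: ${name}`);
  }
  const pkg = readJson(path.join(root, 'package.json')) || {};
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, spec] of Object.entries(deps)) { // 2. author of file: dependencies
    if (typeof spec !== 'string' || !spec.startsWith('file:')) continue;
    const dir = path.resolve(root, spec.slice('file:'.length));
    const author = authorOf(readJson(path.join(dir, 'package.json')));
    // Exact match is an assumption; the page does not say how the value is compared.
    if (BLOCKED_AUTHORS.includes(author)) findings.push(`file dependency: ${name} (${author})`);
  }
  for (const f of fs.readdirSync(root)) { // 3. currents.config.* in the project root
    if (f.startsWith('currents.config.')) findings.push(`config file: ${f}`);
  }
  return findings;
}

// Constructed sample project in a temp directory, so the audit runs offline.
function buildSampleProject() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'audit-'));
  const write = (rel, data) => fs.writeFileSync(path.join(root, rel), JSON.stringify(data));
  for (const d of ['node_modules/cypress-cloud', 'vendor/local-plugin']) fs.mkdirSync(path.join(root, d), { recursive: true });
  write('vendor/local-plugin/package.json', { name: 'local-plugin', author: 'Currents Software Inc' });
  write('package.json', { devDependencies: { 'local-plugin': 'file:./vendor/local-plugin' } });
  write('currents.config.js', {});
  return root;
}
```

Calling `auditProject(buildSampleProject())` returns one finding per check; pointing `auditProject` at a real project root gives the same report for a CI job that halts with the message quoted earlier.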

The blocking is not very comprehensive technically - it wouldn’t take much effort to pass. But as mentioned, we’d rather focus on a long-term and safe solution.


All third-party trademarks and materials (including logos, icons, marks and labels) referenced herein are the property of their respective owners.