Cypress.io Blocking of Sorry Cypress and Currents
On September 27, 2023, Cypress.io activated a blocking that affected Sorry Cypress users and Currents customers. This blog post breaks down the technical implementation of the blocking, analyses the reasons and clarifies Currents position.
Cypress.io decided to block Currents, Sorry Cypress and DeploySentinel.
We are suspending our support of integration with Cypress starting from version 13.
We will continue to support prior versions of Cypress and provide assistance to the affected customers. Please contact our support channels for details.
We are seeing massive adoption of Playwright as the preferred testing framework. If you are interested in migrating your workflows to Playwright, we will be happy to be your partner during and after the transition.
We sincerely apologize for the interruption of your workflows and any inconvenience caused by those events.
See the Technical Analysis below.
Starting September 27, 2023, Sorry Cypress users and Currents customers started seeing the following message while trying to use one of our tools:
We've detected that you're using a 3rd party library that is not supported by Cypress: cypress-debugger. To continue running Cypress, please remove this library or reach out for help migrating.
The message is accompanied by a link to a blog post:
Cypress.io leadership mentions multiple topics without being specific: what plugins are being blocked, what are the criteria for blocking the plugins, and what are the third parties involved?
I had a few guesses, let me share them with you. Here's a list of currently blocked plugins.
cypress-cloud
It is a plugin that allows running Cypress tests in parallel and recording test results to alternative services like Sorry Cypress and Currents, skipping Cypress Cloud.
@deploysentinel/cypress-parallel
Is a fork of cypress-cloud
used by DeploySentinel (see below) to integrate with their recording dashboard.
@deploysentinel/cypress-debugger
In the summer of 2022, a small YC (S22) company DeploySentinel released an innovative DeploySentinel Cypress Debugger Plugin - the plugin allowed capturing everything that's happening in Cypress runs and later replay it using a cloud dashboard. The plugin is very helpful for troubleshooting failing CI tests. DeploySentinel also provided orchestration and parallelization by running a managed Sorry Cypress instance.
cypress-debugger
Inspired by DeploySentinel and Playwright Traces, Currents created a similar tool, available under cypress-debugger
umbrella. The plugin doesn't require access to any dashboard - it is standalone, open-source and free to use. It creates a "trace" file that you can store on your CI-attached storage and later replay in a browser (https://cypress-debugger.dev), similar to how Playwright Traces work.
Bottom line - those packages undermine Cypress.io's attempts to monetize the ecosystem, and thus are being blocked. See the full list of the blocked plugins in the Technical Analysis.
Reasons Behind the Blocking
Given the list of blocked plugins, it is now clear what parties Cypress.io leadership is referring to. The disclosure of not being able “to reach an agreement” is surprising, given that the mere existence of such attempts is usually covered by non-disclosure agreements.
Cypress is truly a great product - it revolutionized frontend development and testing, focusing on developers' experience and ease of use. Cypress has gained popularity and support, it leveraged the open-source angle in its distribution model, public messaging and marketing strategies.
Although Cypress, the tool, reached great adoption, Cypress.io, the company, needs to better monetize its “free” users to meet their financial goals. The economic climate, combined with major shifts in the testing industry escalated the urge to act and triggered a series of private and public actions. Not all of those actions are "ethical business practice".
Sorry Cypress and Currents' never intended to derail Cypress.io, its investors or employees. Instead, we have been focusing on helping our customers and users, using the modest resources we have.
Sorry Cypress is a community project built independently over 4 years by ~50 contributors. Currents is the commercial evolution of it, built solely based on our customers' requests and community feedback. We share our free tools (cypress-debugger, cypress-cloud) with the community, using the MIT-licensed Cypress app as a platform.
We’ve been keeping companies within Cypress ecosystem, preventing migration to alternative frameworks. We barely advertised our services - each of those companies and individuals had a reason to use an alternative. We’ve gained support from open-source enthusiasts, businesses, Cypress Ambassadors, and, surprisingly, even Cypress.io employees.
Currents Response
We realize that the current way of integrating with Cypress as a platform is no longer feasible. It creates uncertainty for our users and customers, a toxic, counter-productive tension for all involved.
Currents will suspend supporting its integration with Cypress starting from version 13.
We will continue supporting the previous versions of Cypress and will help our customers to adjust to that change.
Meanwhile, we are exploring options for providing a stable, independent and safe solution that doesn't provoke Cypress.io and ensures long-term peace of mind for our supporters and customers.
We sincerely apologize to the affected customers and users. We met many of you personally, listened to your feedback, and hopefully, were able to help you and your organization. We will assist the affected customers with adjusting to the change. Please contact our support channels for details.
We also want to use this opportunity to highlight our integration with Playwright 🎭. Many companies are already looking to switch or are in the process of adopting Playwright. We will be happy to be your partner during and after the transition, assisting in migrating your workflows to Playwright or alternative solutions.
Technical Analysis
Intro
Cypress.io already tried to implement technical blocking - first by adding integrity checks, then by improving network security. Later there were attempts to monetize Sorry Cypress via Cypress Cloud Gateway Connector. Now they are explicitly blocking our plugins.
As a background - Cypress installation has 2 components:
- an npm package - a lightweight NodeJS wrapper that parses command line flags, downloads and runs a platform-specific Electron binary application.
- Electron application - platform-specific binary code, it is hosted on Cypress.io CDN, usually pre-installed and cached on docker images.
The blocking is "injected" into the compiled binary app during the build process.
Affected Distributions
As of Oct 04, 2023, only linux
distributions for versions 13.2.0+
are affected. That's the most popular platform for CI environments. You can reproduce our finding by running Cypress with one of the packages installed in a docker container.
Updated on November 12, 2023
As of November 07, 2023, Cypress.io team expanded the blocking to linux
distributions of Cypress versions 12.1.0+
, causing a widespread disruption to Cypress users. We are now hosting blocking-free versions of Cypress 12 and below to prevent further interruptions of our users and customers workflows.
Blocking Implementation
Affected NPM packages
At launch, Cypress scans the contents of the local node_modules
directory, looking for specific packages:
- @deploysentinel/cypress-debugger
- @deploysentinel/cypress-parallel
- cypress-debugger
- @currents/cypress-debugger-support
- @currents/cypress-debugger-plugin
- cypress-cloud
- cypress-debug
- cypress-vscode
Updated on October 11, 2023
Due to a broader community interest and to avoid any confusion: all listed above packages are owned or affiliated with Currents, Sorry Cypress or DeploySentinel - we did not discover other affected authors. If any of those packages is present in the local node_modules
directory, regardless of being used, Cypress will halt the execution. Please refer to the example GitHub repository - it includes reproducible steps that confirm our findings.
Package Authors
Updated on August 09, 2024
In addition, Cypress reads the author
field of package.json
of the dependencies installed in node_modules
directory. It activates the blocking if the value is:
DeploySentinel
- or
Currents Software Inc
Environment Variables
Updated on August 09, 2024
Cypress also reads the environment variables set in the shell where it is executed. The presence of the following variables activates the blocking:
CURRENTS_RECORD_KEY
CURRENTS_PROJECT_ID
CURRENTS_API_URL
Blocked Configuration Files
Additionally, Cypress will not work if you have a currents.config.*
file in the project's root directory.
Tech Analysis Summary
The sole presence of any of those dependencies or files in your project will trigger the error with an offer to "migrate".
The blocking is not very comprehensive technically - it wouldn’t take much effort to pass. But as mentioned, we’d rather focus on a long-term and safe solution.
All third-party trademarks and materials (including logos, icons, marks and labels) referenced herein are the property of their respective owners.