fix(sdk): upgrade cypress due to vulnerable dependency

[lscheffel-tbx]

What did I change:

• Upgraded Cypress version to remove vulnerable form-data version from package-lock.json.
• Confirmed vulnerability does not affect any customer and/or user, and the vulnerable form-data package was not being directly used in the SDK, being in the package-lock.json only because it is a dev dependency of cypress > requests.

QA Notes:

• Upgrade Cypress to a version that uses a newer and non-vulnerable version of form-data.
• run npm install and npm test.

Related Tickets:

https://linear.app/testbox/issue/SEC-7/browsersdk-form-data-uses-unsafe-random-function-in-form-data-for

Did you...

• test the code locally?
• run unit tests and updated to account for the changes?
• lint the code?
• format the code?
• test the code on staging?

Summary by CodeRabbit

• Chores
  • Updated development testing dependency to the latest stable version.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[lscheffel-tbx]

Dependabot flagged a security vulnerability in form-data@2.3.3, a transitive dependency introduced via the chain cypress → @cypress/request → form-data. Since Cypress is a devDependency used only for testing and is not bundled into the published SDK, this vulnerability had no impact on SDK consumers—they never receive Cypress or its dependencies when installing @testboxlab/browser. To resolve the alert, we upgraded Cypress from ^11.0.1 to ^13.15.0 (installed as 13.17.0), which pulls in @cypress/request@3.0.9 and form-data@4.0.5, satisfying the ≥2.5.4 requirement. The Cypress upgrade is a major version jump (11→13), but our test suite uses only standard, stable Cypress APIs (cy.visit, cy.window, cy.spy, cy.stub, cy.get, cy.wait) that remain unchanged. The package-lock.json also migrated from lockfileVersion 2 to 3 during npm install, which removed ~10k lines of redundant legacy dependency metadata—this is expected npm behavior and does not affect functionality.

[coderabbitai]

Walkthrough

Updated the Cypress devDependency version in package.json from ^11.0.1 to ^13.15.0. This is a configuration-level dependency update with no changes to public APIs or control flow.

Changes

Cohort / File(s)	Summary
Dependency Updates package.json	Updated Cypress devDependency from ^11.0.1 to ^13.15.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Straightforward version bump with no functional code changes
• Verify compatibility with existing test suite if regression tests are run

Poem

🐰 Cypress climbed two versions tall,
From eleven to thirteen, standing proud,
The testing framework answers the call,
With better tools and fixes vowed.
Hop along to newer heights! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: upgrading Cypress to address a vulnerable dependency, which matches the primary objective of the PR.
Linked Issues check	✅ Passed	The PR successfully addresses SEC-7 objectives by upgrading Cypress to remove the vulnerable form-data dependency, verifying no direct impact on SDK, and confirming the fix.
Out of Scope Changes check	✅ Passed	All changes are scoped to the security objective; only the Cypress version update in package.json was modified with no extraneous alterations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description follows the required template and provides comprehensive technical details including what changed, QA notes, related tickets, and a completed checklist.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch SEC-7

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 930da7d and ae340bf.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Run Cypress tests

🔇 Additional comments (1)

package.json (1)

32-32: Address incomplete staging verification.

The PR description notes that staging tests have not been completed. This is a gap in validation for a security fix that spans a major version upgrade (Cypress 11 → 13). Please ensure staging tests are run and pass before merging to confirm the upgrade works end-to-end in your deployment pipeline.