Starting in Cypress 15.10.0, Cypress.env() is deprecated and will be removed in Cypress 16.0.0.
This change is driven by the way Cypress.env() hydrates all Cypress environment values into the browser context, including values a test may never read. This makes it easy to unintentionally expose more data than intended.
We have not seen reports of this being exploited, but we are implementing this deprecation (and future removal) to move Cypress toward safer defaults and more explicit control over how configuration values are exposed during test execution. Teams may choose to rotate existing secrets as part of their normal security practices, but there is no indication of any event requiring urgency around that action.
What to do if you’re on Cypress 15.10.0+
- Migrate usage of Cypress.env()
- Use cy.env() for sensitive values that should remain outside the browser
- Use Cypress.expose() for values that are intentionally safe to expose
- Review your plugins and upgrade any versions that rely on Cypress.env().
- Some plugins, including @cypress/grep and @cypress/code-coverage, require upgrading to their latest major versions to remove this usage. Please see the migration guide for each plugin as there are breaking changes.
- Set 'allowCypressEnv: false' in your configuration. This causes any remaining Cypress.env() usage to fail with a message explaining the migration path.
If you cannot upgrade yet (Cypress < 15.10.0)
If upgrading immediately is not possible, we recommend moving any use of Cypress.env() that involves secrets or sensitive values to cy.task(). This keeps those values in the Node.js process and out of the browser. An example of this can be viewed here in our docs. This mitigation is only effective in Cypress v12.5.0 and later.
You can see the full set of changes included in v15.10.0 here. For specific Cypress.env migration patterns and examples, view the full guide here.
We’ll continue working with the community to share proven patterns, improve guidance, and smooth adoption as this rolls out.