TL;DR
- Cypress introduced targeted blocking for projects and other libraries relying on the 3rd party NPM module cypress-cloud in v13 and, as of today, v12.
- The decision to implement blocking was a final measure, taken only after sincere and dedicated attempts spanning multiple months to explore and exhaust alternative options.
- Our actions are in response to a multi-year pattern of behavior from Sorry-Cypress and Currents.dev, who inappropriately leveraged our brand and products to create and promote a copycat commercial service.
- Cypress remains committed to open source and our mission. We view development of plugins as a critical part of a healthy community, including those that compete with the capabilities of our commercial product.
- We regret having to devote effort to defending the company from the disruptive tactics of bad actors and the inconvenience this may have caused to some.
- We remain hard at work realizing our vision of providing product teams with clear visibility into the health and quality of their applications.
Introduction
We originally published a blog post stating that we blocked the usage of certain third-party solutions with Cypress. While this post explained what we were doing, it didn’t disclose details as to why we made that decision. The brevity of our messaging led to a void that allowed many within the community to understandably draw inaccurate and troubling assertions regarding our actions. We hope to dispel false assumptions, rumors, and innuendo through increased transparency in this post.
To be perfectly clear, our position and commitment to open source and the community remain unchanged. We continue to invest our engineering resources into the development and maintenance of the Cypress App, as well as support the community in troubleshooting issues and triaging bugs reported via our GitHub issues.
That said, in this situation, we have elected to take direct action to protect the ongoing development and investment in Cypress. We hope this post provides additional context for our rationale and substantiates our ongoing commitment to open source.
Open Source is our DNA
We believe encouraging, promoting, and fostering 3rd party authorship, contributions and enhancements is central to creating a healthy open source ecosystem. Open source has and will always be core to our identity.
Our decision to block the 3rd party NPM module cypress-cloud was based on the patterns described below, which uniquely apply to this specific situation and are not indicative of a broader approach to limit competitors or contributors who build plugins and integrations into Cypress. This decision was our last and final resort, made only after genuine and concerted efforts, exhausting all other alternative avenues over the last several months.
Patterns of a bad actor
Andrew Goldis, a multiyear user of the Cypress Cloud, originally created “Sorry-Cypress”, an open-source, self-hosted product using our company name to compete with our Cloud service. He then raised venture capital for “Currents.dev” as a commercial service, leveraging Sorry-Cypress for lead generation to fuel the growth of Currents.dev.
Brand Misappropriation
Sorry-Cypress and Currents.dev have demonstrated a pattern of inappropriately leveraging our product and brand names to increase the discoverability of their products and create confusion within the broader community and ecosystem.
To illustrate, let’s first lay out the usage and naming patterns that have been used:
- Sorry-Cypress, which inappropriately uses our company name in their product
- cy2, an NPM package used to send data from Cypress to Sorry-Cypress and Currents.dev
When the community surfaced the concern of using our brand name and violating our terms of service, Sorry-Cypress publicly acknowledged the source of confusion. Sorry-Cypress justified the name on the grounds that it benefited from greater "discoverability" because it uses “Cypress” in its name and enables improved “SEO ranking”.
Later, after releasing Currents.dev, they went further by creating cypress-cloud, an NPM package used to send data to both Sorry-Cypress and Currents.dev.
Not only is the cypress-cloud NPM package using the identical name to our own commercial service “Cypress Cloud”, but they chose this name deliberately and knowingly because of that reason. When publishing this package, they went so far as to specifically call this out as the primary benefit of utilizing that name.
Why cypress-cloud?
That’s a package name that was reserved for a long time for a different project. With the recent developments I realized it can be a good catchy name that is easy to remember and discover. Cypress.io team renamed their cloud service from Cypress Dashboard to Cypress Cloud, which can help new users to discover this package.
(Source)
Their decision to choose this package based on its name being identical to our service was not only intentional, but by inspecting the timeline of when this occurred, we can demonstrate a pattern of violating NPM terms of service.
| Date | Event |
|---|---|
| 8/11/2022 | Currents.dev publishes cypress-cloud on NPM, a violation of “package squatting” by not publishing any code or functionality |
| 11/16/2022 5:25pm | Cypress publicly renames their commercial service from “Cypress Dashboard” to “Cypress Cloud” |
| 11/16/2022 11:53pm | Currents.dev creates the cypress-cloud GitHub repo 6 hours after we publicly rename our service. No code or commits are published. |
| 12/11/2022 | Currents.dev pushes the first commit to the GitHub repo |
NPM’s terms of service define Acceptable Content that specifically forbids:
- “Content that exists only to "reserve" a name, whether a package name, user name, or organization name.”
- “Content in violation of law, infringing the intellectual property rights of others, violating the privacy or other rights of others, or in violation of any agreement with a third party.”
We will leave it up to the reader to determine whether “this name/package was reserved for a long time for a different project” considering it was published only to package squat with NPM. They published no code, functionality, or an associated GitHub repo until after we renamed our service.
Package squatting
cypress-cloud was not the only instance of squatting on a package name. We observed this pattern repeated across a myriad of different Cypress names. None of these packages have any functionality. They only existed to reserve the name.
Examples of this include:
- cypress-debug
- cypress-vscode
- cypress-cloud-debug (since removed)
- cypress-stream (since removed)
- cypress-parallelize (since removed)
- cypress-runner (since removed)
- cypress-tracer (since removed)
- cypress-grid (since removed)
This list is not intended to be exhaustive but is meant to illustrate a pattern of violating NPM’s terms of service.
Beyond package squatting on NPM and publishing repos on GitHub using Cypress’ brand name, domains such as https://cypress.app (which has since been taken down) were registered to create further confusion, as well as leverage our brand and the associated goodwill.
Despite raising concerns about the usage of our brand, Sorry-Cypress stated that “We will continue supporting this project as long as it is feasible technically and legally”.
Copycat Tactics
Currents.dev describes their services as “a drop-in replacement for Cypress Dashboard”, which in our opinion, is a disturbingly similar version of the Cypress Cloud. We have observed patterns of replicating the user experience, feature release timing, product feature names, marketing language, documentation, and pricing value metrics that go beyond simple derivatives of the work done by Cypress.
Our terms of use, similar to any other commercial service, specifically define the appropriate use of our service and brand to protect our IP and prohibit infringing on it.
Financial Leeching
The Cypress App has been primarily developed, maintained, distributed, and supported by employees of Cypress over the last decade, representing tens of millions of dollars of investment. This investment is made possible by the Cypress Cloud, which serves as the financial engine ensuring the Cypress App remains a robust and reliable open source tool for all users.
Currents could have forked the Cypress App, which is MIT licensed, and assumed the burden of maintaining and supporting an alternative version of the App, including bearing the monthly cost (petabytes of bandwidth) for hosting the binaries.
Instead, Currents.dev leveraged our brand and assets to create a competing commercial service with an artificially low cost structure, predicated on Cypress bearing the full costs required to support the App.
Moving Forward
While Sorry-Cypress may have started out intending to keep “companies within the Cypress ecosystem”, the actions of its creator demonstrate clear parasitic behavior designed to enrich themselves at the expense of Cypress.
We chose to take measures to defend the company from the disruptive tactics of this bad actor to support our continued innovation and investment in open source for the benefit of our users, employees, and company.
We hope this post has clarified any uncertainties and addressed concerns that may have arisen from our initial communication.
While we regret having to devote effort in this regard, this has not distracted us from our mission. We have been hard at work on several innovative features to further the vision on which Cypress was built. We recently highlighted a few of these in a presentation by our founder Brian Mann at our first Cypress Conference this year. We can’t wait to share more about these exciting developments with you in the near future.