Starting in Cypress 15.10.0, Cypress.env() is deprecated and will be removed in Cypress 16.0.0. 

This change is driven by the way Cypress.env() hydrates all Cypress environment values into the browser context, including values a test may never read. This makes it easy to unintentionally expose more data than intended. 

We have not seen reports of this being exploited, but we are implementing this deprecation (and future removal) to move Cypress toward safer defaults and more explicit control o

Cypress's platform is a resource for developers and QA engineers, offering insights into end-to-end testing, test automation frameworks, and modern web application testing. Through articles, tutorials, and documentation, Cypress offers insights into writing and running automated tests for web applications. Developers can learn about Cypress's testing features, including real-time feedback, browser snapshots, and debugging tools, to ensure the quality and reliability of their web applications.

cypress

Cypress 15.10.0 deprecates Cypress.env() in favor of cy.env() and Cypress.expose() to prevent unintentional exposure of sensitive data. The old method hydrated all environment values into the browser context, creating security risks. Users should migrate to cy.env() for sensitive values and Cypress.expose() for safe values, update affected plugins like @cypress/grep and @cypress/code-coverage, and set allowCypressEnv: false in configuration. For older versions, use cy.task() to keep secrets in Node.js instead of the browser.

Environment Variable Access in Cypress v15.10.0+: Migrating to cy.env() and Cypress.expose()