Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[Snyk] Security upgrade tough-cookie from 4.0.0 to 4.1.3 #144

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade tough-cookie from 4.0.0 to 4.1.3 #144

wants to merge 1 commit into from

Conversation

Luidog
Copy link
Owner

@Luidog Luidog commented Jul 1, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 718/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5		 Prototype Pollution
SNYK-JS-TOUGHCOOKIE-5672873		 No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: tough-cookie The new version differs by 69 commits.
  • 4ff4d29 4.1.3 release preparation, update the package and lib/version to 4.1.3. (#284)
  • 12d4747 Prevent prototype pollution in cookie memstore (#283)
  • f06b72d Fix documentation for store.findCookies, missing allowSpecialUseDomain property (#257)
  • b1a8898 fix: allow set cookies with localhost (#253)
  • ec70796 4.1.1 Patch -- allow special use domains by default (#250)
  • d4ac580 fix: allow special use domains by default (#249)
  • 79c2f7d 4.1.0 release to NPM (#245)
  • 4fafc17 Prepare tough-cookie 4.1 for publishing (updated GitHub actions, move Dockerfile version to Node:16) (#242)
  • aa4396d fix: distinguish between no samesite and samesite=none (#240)
  • b8d7511 Modernize README (#234)
  • 8088047 Merge pull request #238 from gboer/fix/actually-use-punycode-package
  • 9a12cb0 Stop using the internal NodeJS punycode module, and instead use the punycode package (also because the internal punycode NodeJS module is deprecated)
  • 9b10131 Merge pull request #236 from salesforce/fix/235_domain_matching
  • 35b7a13 fix: domain match routine
  • 30246e6 Adding Updating CODEOWNERS with ECCN as per Export Control Compliance (#223)
  • 2921fbd Merge pull request #227 from colincasey/bugfix/222_react_native_support
  • 8ef9e80 Merge branch 'master' into bugfix/222_react_native_support
  • dd96218 fix: upgrade universalify from 0.1.2 to 0.2.0 (#228)
  • 0ef85bb Update test/node_util_fallback_test.js
  • a312304 Merge branch 'master' into bugfix/222_react_native_support
  • 733f5c5 Update node_util_fallback_test.js
  • d079268 Unit test cases for `allowSpecialUseDomain` option (#225)
  • cca932a Support for React Native
  • 59a1b3d Support for React Native

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Luidog @snyk-bot