cypress-io / request

🏊🏾 Simplified HTTP request client.
Apache License 2.0

security: update tough-cookie dependency to 4.1.3 #32

Closed BreakBB closed 1 year ago

BreakBB commented 1 year ago

PR Description

As described in #31, the tough-cookie dependency had a prototype pollution issue before v4.1.3. This PR updates the tough-cookie dependency to fix this.

LubosK commented 1 year ago

Hi @tgriesser , could you or someone from the team take a look at this PR? Thx in advance

tim-bezhashvyly commented 1 year ago

+1

LubosK commented 1 year ago

We've also just had our pipeline audit job stalled by this ):

You can temporarily solve it by adding tough-cookie to resolutions in package.json, e.g.

"resolutions": {
  "tough-cookie": "^4.1.3"
}

tim-bezhashvyly commented 1 year ago

For npm

"overrides": {
  "tough-cookie": "^4.1.3"
}

works as a temporary fix.

GoudekettingRM commented 1 year ago

Bump

herleraja commented 1 year ago

any update on this PR approval ?

jeffsays commented 1 year ago

bump - any chance this gets fixed soon @tgriesser?

anthony-b-dev commented 1 year ago

needing this approved and merged in as well please

MikeMcC399 commented 1 year ago

I have added related issues which affect the repo without this PR

yarn add tough-cookie

to update to ^4.1.3 causes an additional failure under Node.js 20 - installing and testing with Yarn (although it is already failing without the change).

MikeMcC399 commented 1 year ago

npm install
npm audit --omit=dev

shows

found 0 vulnerabilities

with this PR. 👍🏻

nagash77 commented 1 year ago

Hi everyone, sorry for the late response. This PR was not seen by our team. I am having someone take a look to get this PR ready for merge if possible. I see some failing checks at the moment. Thank you for your patience.

cypress-app-bot commented 1 year ago

:tada: This PR is included in version 2.88.12 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

G-Rath commented 1 year ago

@nagash77 in case you've not seen it, there's also GHSA-p8p7-x288-28g6 which needs addressing - there is #30 and #28 open for that