department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

[Resolve Dependabot Alert] tough-cookie Prototype Pollution vulnerability #63050

Open rmessina1010 opened 1 year ago

rmessina1010 commented 1 year ago

Description

Upgrade tough-cookie to a non-vulnerable version. The upgrade to cypress 12.x.x should solve some of the vulnerability issues in this alert. Might need to find an alternative to yo; upgraded to 4.3.1, the LSV, but that still uses a vulnerable version of tough-cookie. Node-sass also depends on a vulnerable version; our node upgrade and migration from node-sass should help to partially resolve this issue.

Dependabot Alert:

https://github.com/department-of-veterans-affairs/vets-website/security/dependabot/118

rsmithadhoc commented 1 year ago

@rmessina1010 I merged in the Cypress 12 update, you should be good to proceed.