This PR deals with the https://github.com/influxdata/chronograf/security/dependabot/77 issue.
1) tough-cookie@~2.5.0 comes from the cypress@^8.4.1 package, which contains the cypress/request@^2.88.6 dependency containing tough-cookie in the vulnerable version. Currently, it can't be upgraded because even the latest version of cypress does not contain a correct/fixed version of tough-cookie. Due to the fact that it is a dev-dependency, we can tolerate it.
2) tough-cookie@~2.5.0 comes from node-sass@7.0.0, which contains request@^2.88.0. Fixed by updating the version of node-sass to ^8.0.0, which dropped usage of the tough-cookie dependency altogether.
3) tough-cookie@^4.0.0 comes from jsdom@^19.0.0 - this pulls 4.1.3 as the latest version and it is considered safe.
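
The three chains listed above can be recovered mechanically from a lockfile. The following is an added example, not code from this PR or from chronograf: it walks an npm `packages` map and reports every path to tough-cookie, whether the path is dev-only, and whether the installed copy is below a cut-off. The lockfile is constructed, and the helper names (`resolve`, `lessThan`, `trace`), the dev flags and the use of 4.1.3 as the cut-off (taken from the "considered safe" remark) are assumptions.

```javascript
// Constructed npm v2/v3 lockfile; versions follow the PR text, dev flags are assumed.
const lock = { packages: {
  "": { dependencies: { "node-sass": "7.0.0" }, devDependencies: { cypress: "^8.4.1", jsdom: "^19.0.0" } },
  "node_modules/cypress": { version: "8.4.1", dev: true, dependencies: { "@cypress/request": "^2.88.6" } },
  "node_modules/@cypress/request": { version: "2.88.6", dev: true,
        dependencies: { "tough-cookie": "~2.5.0" } },
  "node_modules/node-sass": { version: "7.0.0", dependencies: { request: "^2.88.0" } },
  "node_modules/request": { version: "2.88.0", dependencies: { "tough-cookie": "~2.5.0" } },
  "node_modules/tough-cookie": { version: "2.5.0" },
  "node_modules/jsdom": { version: "19.0.0", dev: true, dependencies: { "tough-cookie": "^4.0.0" } },
  "node_modules/jsdom/node_modules/tough-cookie": { version: "4.1.3", dev: true },
} };

// Node-style lookup: nearest enclosing node_modules that holds `name`.
function resolve(packages, from, name) {
  for (let dir = from; ; ) {
    const hit = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[hit]) return hit;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

function lessThan(a, b) { // plain x.y.z comparison, pre-release tags not handled
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// List every dependency chain from the root package to `target`.
function trace(lock, target, fixedIn) {
  const found = [];
  const walk = (path, chain, dev, seen) => {
    const pkg = lock.packages[path];
    const deps = { ...pkg.dependencies, ...(path ? {} : pkg.devDependencies) };
    for (const name of Object.keys(deps)) {
      const child = resolve(lock.packages, path, name);
      if (!child || seen.has(child)) continue; // unresolved, or a cycle
      const entry = lock.packages[child];
      const next = [...chain, `${name}@${entry.version}`];
      if (name !== target) walk(child, next, dev || !!entry.dev, new Set(seen).add(child));
      else found.push({ chain: next.join(" > "), devOnly: dev || !!entry.dev,
                        vulnerable: lessThan(entry.version, fixedIn) });
    }
  };
  walk("", [], false, new Set());
  return found;
}
```

On this sample, `trace(lock, "tough-cookie", "4.1.3")` returns the same three chains as the list above: the node-sass path is the only flagged one that is not dev-only, which is the one the node-sass upgrade removes.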