ory / cli

Create bulk action scripts, automate your tasks, manage your projects, and seamlessly interact with the Ory Network using the Ory command line interface (CLI).
https://www.ory.sh/cli?utm_source=github&utm_medium=banner&utm_campaign=cli
Apache License 2.0

tough-cookie vulnerability #339

Closed reednel closed 6 months ago

reednel commented 7 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

This is neither a bug nor a sensitive vulnerability, but I was directed here by an Ory rep. NPM reports 4 moderate severity vulnerabilities on install of ory/cli. The deal is that ory/cli depends on a version of binwrap, which depends on request (4 years deprecated), which depends on tough-cookie 2.5.0. A vulnerability was found in June 2023 affecting tough-cookie versions prior to 4.1.3.

I take it this is not a concern to you, since this vulnerability has stood for the better part of a year. But if that's the case, I'd appreciate it if you'd share why. You've got Slack and a discussions channel here on GitHub (and a few silently closed PRs from dependabot) but I have yet to see anything addressing this.

I would strongly prefer to keep my NPM vulnerabilities to 0. I'm only beginning my project with Ory and I don't yet have a great grip on how all the pieces fit together, e.g. how necessary this package is for development/production. So I can see the resolution being "you should use ory/cli as a dev dependency only" or "you can just not use ory/cli" or "sorry, try Keycloak or SuperTokens I guess".

I appreciate your time!

Reproducing the bug

npm install @ory/cli

Relevant log output

No response

Relevant configuration

No response

Version

0.3.2

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

None

Additional Context

No response
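The report above describes a vulnerability reached only through a transitive chain (@ory/cli -> binwrap -> request -> tough-cookie), which `npm audit` flags but does not always explain. The script below is an added example, not code from the ory/cli project or from the reporter: it walks a dependency tree in the JSON shape that `npm ls --all --json` prints and reports every path that ends in a package whose installed version is below an advisory's fixed version. The tree, the binwrap/request version numbers, the `axios` branch and the advisory map are all constructed for the example; only the @ory/cli 0.3.2 and tough-cookie 2.5.0 / 4.1.3 values come from the issue.

```javascript
// Added example (not part of ory/cli): find every dependency path that ends in
// a package whose installed version is below an advisory's "fixed in" version.
// Assumes Node.js >= 14 and uses no third-party modules.

// Constructed sample in the shape `npm ls --all --json` prints (trimmed).
// Mirrors the chain described in the issue; binwrap/request/axios versions
// are made up for the example.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@ory/cli": {
      version: "0.3.2",
      dependencies: {
        binwrap: {
          version: "0.2.2", // constructed version
          dependencies: {
            request: {
              version: "2.88.2", // constructed version
              dependencies: {
                "tough-cookie": { version: "2.5.0" },
              },
            },
          },
        },
      },
    },
    axios: {
      version: "1.6.0", // constructed; a branch that already carries a fixed version
      dependencies: {
        "tough-cookie": { version: "4.1.3" },
      },
    },
  },
};

// Constructed advisory map: package name -> first fixed version. A node is
// vulnerable when its installed version is strictly below that version.
const advisories = {
  "tough-cookie": "4.1.3",
};

// Compare dotted numeric versions (x.y.z). Pre-release suffixes are dropped,
// which treats "4.1.3-rc.1" like "4.1.3"; fine for this kind of triage.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the tree. Returns one finding per vulnerable node:
// { path: ["root", "a@1.0.0", ...], pkg, version, fixedIn }.
function findVulnerablePaths(tree, advisoryMap) {
  const findings = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      const fixedIn = advisoryMap[name];
      if (fixedIn && compareVersions(child.version, fixedIn) < 0) {
        findings.push({ path: here, pkg: name, version: child.version, fixedIn });
      }
      walk(child, here); // keep descending: nested copies can be vulnerable too
    }
  }
  walk(tree, [tree.name]);
  return findings;
}

// Render a finding in npm's "a > b > c" chain notation.
function formatFinding(f) {
  return `${f.pkg}@${f.version} (fixed in ${f.fixedIn}): ${f.path.join(" > ")}`;
}

// Stand-alone use: `node audit-paths.js tree.json` where tree.json was
// produced by `npm ls --all --json`; with no argument the sample tree is used.
const inputTree = process.argv[2]
  ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
  : sampleTree;
for (const f of findVulnerablePaths(inputTree, advisories)) {
  console.log(formatFinding(f));
}
```

On the sample tree the script prints a single line naming the @ory/cli > binwrap > request > tough-cookie@2.5.0 chain and stays silent about the axios branch, which already carries 4.1.3. The same chain can be confirmed with the real tools via `npm ls tough-cookie` and `npm audit --json`; whether a root-level override to a newer tough-cookie is safe for the deprecated request package is something the project would need to test rather than assume.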

reednel commented 6 months ago

"sorry, try Keycloak or SuperTokens I guess"

This did the trick.