Closed lasmil closed 12 months ago
This can be achieved by updating postman-request and postman-runtime to the latest version, because they are using @postman/tough-cookie. Based on the following dependency tree for newman:
There's an MR that has been open for 2 weeks but no merge yet; hope they do it soon.
I am able to get by it with a package override temporarily. I also had to disable cookies in request settings, as it looks like postman-request is not compatible with tough-cookie 4.1.3.
Any word on when this may be addressed?
@peachyo I was able to resolve this with just overrides, no need to change cookie settings in my request. Here are my package.json overrides:

```json
"overrides": {
  "newman": {
    "postman-request": "^2.88.1-postman.33",
    "semver": "^7.5.4",
    "tough-cookie": "^4.1.3",
    "word-wrap": "^1.2.5"
  }
}
```

The key is to also override postman-request.
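A check for whether such an override actually took effect, as an added example that is not code from this thread or from the Newman project: it walks the `packages` map of a lockfileVersion 2/3 package-lock.json and reports every nested copy of tough-cookie still older than the fixed 4.1.3, with the path that shows which dependency pulled it in. The sample lock and its version numbers are constructed for illustration.

```javascript
// Added example: find tough-cookie copies below the fixed version in a
// package-lock.json (lockfileVersion 2 or 3, which carries a flat "packages" map).
const FIXED = [4, 1, 3]; // first tough-cookie release without the CookieJar bug

// Compare the numeric "major.minor.patch" prefix only; prerelease tags are ignored.
function versionLessThan(version, target) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const part = parts[i] || 0;
    if (part !== target[i]) return part < target[i];
  }
  return false;
}

// Keys in "packages" look like "node_modules/newman/node_modules/tough-cookie",
// so the key itself tells you which parent still pins the old copy.
function findVulnerableToughCookie(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key.endsWith('node_modules/tough-cookie')) continue;
    if (versionLessThan(meta.version, FIXED)) {
      hits.push({ path: key, version: meta.version });
    }
  }
  return hits;
}

// Read a real lockfile from disk (hypothetical helper; Node/CommonJS only).
function loadLock(lockPath) {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(lockPath, 'utf8'));
}

// Constructed sample: the hoisted copy is already on 4.1.3 (override applied),
// but a nested copy under postman-request is still on an old 2.x line, which
// is exactly the case an override of tough-cookie alone would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/tough-cookie': { version: '4.1.3' },
    'node_modules/newman': { version: '5.3.2' },
    'node_modules/newman/node_modules/postman-request': { version: '2.88.1-postman.31' },
    'node_modules/newman/node_modules/postman-request/node_modules/tough-cookie': { version: '2.5.0' },
  },
};

const found = findVulnerableToughCookie(SAMPLE_LOCK);
for (const h of found) console.log(`tough-cookie ${h.version} < 4.1.3 at ${h.path}`);
```

Point `findVulnerableToughCookie(loadLock('package-lock.json'))` at your own lockfile after `npm install`; an empty result means no vulnerable copy remains anywhere in the tree.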
This is fixed in Newman v6.
Newman Version (can be found via newman -v): 5.3.2
OS details (type, version, and architecture): Ubuntu
Are you using Newman as a library, or via the CLI? npm package
Did you encounter this recently, or has this bug always been there: New CVE has been open on 2023-07-03 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26136
Expected behaviour: Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873