Upgrade tough-cookie to 4.3.1 to fix security vulnerability. #484
This addresses #483. There is a security vulnerability in the `tough-cookie` package for versions <4.3.1 - see https://nvd.nist.gov/vuln/detail/CVE-2023-26136. Previously `@azure/ms-rest-js` depended on `^3.0.0`, which locked `tough-cookie` to an insecure version.

## Testing

Build (`npm run build`) and tests (`npm run test`) continue to succeed with this upgrade. In addition I reviewed the [release notes for `tough-cookie@4.0.0`](https://github.com/salesforce/tough-cookie/releases/tag/v4.0.0) (the breaking change from `3.x`). Here they are (annotated with [astegmaier]), with why I believe they will not break `@azure/ms-rest-js`:

- `universalify`, `eslint` and `prettier` - [astegmaier] eslint and prettier are devDependencies of `tough-cookie` so they shouldn't break consumers. `universalify` seems to be aimed at backward-compatible usage.
- `psl` and `async` - [astegmaier] `async` is a devDependency of `tough-cookie`, so an upgrade shouldn't break consumers. `psl` also seems to be a pretty benign dependency.
- `findCookies()` - callback fn has to be last in order to comply with `universalify` - [astegmaier] it doesn't look like `@azure/ms-rest-js` uses `findCookies` anywhere.
- `.call()` to do inheritance using function prototypes - [astegmaier] it doesn't look like `@azure/ms-rest-js` uses this pattern anywhere.
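The PR's core point is that a caret range like `^3.0.0` can never resolve to the patched `4.3.1`. The following added example (not code from the PR or from `@azure/ms-rest-js`) implements a minimal caret check and a scan of an npm lockfile `packages` map for `tough-cookie` installs below `4.3.1`; it assumes plain `X.Y.Z` versions with no prerelease tags, and the lockfile fragment is constructed for illustration.

```javascript
// Added example: audit a package-lock.json (v2/v3 "packages" layout) for
// tough-cookie entries below the fixed version, and show why ^3.0.0 cannot
// satisfy 4.3.1. Assumes X.Y.Z versions without prerelease suffixes.

const FIXED = "4.3.1"; // first non-vulnerable tough-cookie release per the PR

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Returns -1, 0 or 1 comparing two X.Y.Z versions numerically.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0.
// (0.x ranges behave differently and are not handled here.)
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges supported here");
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
    parseVersion(version)[0] === parseVersion(base)[0];
}

// List every tough-cookie install path (top-level or nested) below FIXED.
function findVulnerableToughCookie(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/tough-cookie$/.test(path) && meta.version &&
        compareVersions(meta.version, FIXED) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment, not taken from the repository.
const sampleLock = {
  packages: {
    "node_modules/tough-cookie": { version: "3.0.1" },
    "node_modules/some-dep/node_modules/tough-cookie": { version: "4.3.1" },
  },
};

console.log(findVulnerableToughCookie(sampleLock)); // [{ path: 'node_modules/tough-cookie', version: '3.0.1' }]
console.log(caretAllows("^3.0.0", "4.3.1"));        // false
console.log(caretAllows("^4.3.1", "4.3.1"));        // true
```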