
chore: fix tough-cookie dependency

Open tomklapka opened this issue 1 year ago • 0 comments

This PR deals with the tough-cookie Prototype Pollution vulnerability issue.

tough-cookie@~2.5.0 comes from the cypress@^8.4.1 package, which contains the cypress/request@^2.88.6 dependency, which in turn contains tough-cookie in the vulnerable version. Currently, it can't be upgraded because even the latest version of cypress does not contain a correct/fixed version of tough-cookie. Because it is a dev-dependency, we can tolerate it.

tough-cookie@~2.5.0 comes from [email protected], which contains request@^2.88.0. Fixed by updating the version of node-sass to ^8.0.0, which dropped the tough-cookie dependency entirely.

tough-cookie@^4.0.0 comes from jsdom@^19.0.0; this pulls 4.1.3 as the latest version, which is considered safe.

tomklapka, Jul 21 '23 15:07
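As an added example (not code from the PR or the chronograf project), the script below walks a constructed package-lock.json modelled on the three dependency chains the PR describes, resolves each path to tough-cookie the way Node does (nearest node_modules first), and reports whether a copy below 4.1.3 (the version the PR treats as safe) reaches production code or only dev tooling. The lockfile contents and versions are constructed for illustration.

```python
import json

# Constructed package-lock.json (lockfileVersion 2/3 "packages" layout); versions are illustrative.
LOCKFILE = json.loads("""{
 "packages": {
  "": {"dependencies": {"jsdom": "^19.0.0"},
       "devDependencies": {"cypress": "^8.4.1", "node-sass": "^8.0.0"}},
  "node_modules/cypress": {"version": "8.7.0", "dev": true,
                           "dependencies": {"@cypress/request": "^2.88.6"}},
  "node_modules/@cypress/request": {"version": "2.88.10", "dev": true,
                                    "dependencies": {"tough-cookie": "~2.5.0"}},
  "node_modules/@cypress/request/node_modules/tough-cookie": {"version": "2.5.0", "dev": true},
  "node_modules/node-sass": {"version": "8.0.0", "dev": true},
  "node_modules/jsdom": {"version": "19.0.0", "dependencies": {"tough-cookie": "^4.0.0"}},
  "node_modules/tough-cookie": {"version": "4.1.3"}
 }
}""")
FIXED = (4, 1, 3)  # first tough-cookie release the PR considers safe


def resolve(packages, from_path, name):
    """Node-style resolution: nearest node_modules/<name>, walking up from from_path."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not base:
            return None
        idx = base.rfind("/node_modules/")  # drop the innermost nesting level
        base = base[:idx] if idx >= 0 else ""


def chains_to(packages, target):
    """Return (chain, resolved version, dev-only) for every path from the root to target."""
    found = []

    def walk(path, chain, seen):
        pkg = packages[path]
        for name in {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}:
            dep_path = resolve(packages, path, name)
            if dep_path is None or dep_path in seen:
                continue
            info = packages[dep_path]
            if name == target:
                found.append((" > ".join(chain + [name]), info["version"], info.get("dev", False)))
            else:
                walk(dep_path, chain + [name], seen | {dep_path})

    walk("", [], set())
    return found


def is_vulnerable(version):
    return tuple(int(x) for x in version.split(".")[:3]) < FIXED


def audit(packages=LOCKFILE["packages"], target="tough-cookie"):
    """(chain, version, vulnerable, dev-only) per resolved copy of target."""
    return [(c, v, is_vulnerable(v), dev) for c, v, dev in chains_to(packages, target)]
```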