security: update tough-cookie dependency to 4.1.3 #32
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
LubosK
approved these changes
Jul 10, 2023
zheliazkov
approved these changes
Jul 10, 2023
|
Hi @tgriesser , could you or someone from the team take a look at this PR? Thx in andvance |
|
+1 |
You can temporary solved it by adding |
|
For npm "overrides": {
"tough-cookie": "^4.1.3"
}works as a temporary fix. |
zach-green-proscia
approved these changes
Jul 19, 2023
|
Bump |
|
any update on this PR approval ? |
edavey
added a commit
to ministryofjustice/hmpps-community-accommodation-tier-2-ui
that referenced
this pull request
Jul 24, 2023
The recently upgrade cypress installation (`12.7.1` -> `12.7.2`) has resulted in a vulnerability warning: https://app.circleci.com/pipelines/github/ministryofjustice/hmpps-community-accommodation-tier-2-ui/519/workflows/4ea28190-5859-4266-87de-6c4ff38d402d/jobs/1381 This is [CWE 1321](https://github.com/advisories?query=cwe%3A1321) [tough-cookie Prototype Pollution vulnerability](GHSA-72xf-g2v4-qvf3) and comes from cypress' `@cypress/request package` This has not yet been fixed in cypress though there's a PR: cypress-io/request#32 We declare a temporary 'override' in `package.json` to force this upgrade.
edavey
added a commit
to ministryofjustice/hmpps-community-accommodation-tier-2-ui
that referenced
this pull request
Jul 24, 2023
The recently upgraded cypress installation (`12.7.1` -> `12.7.2`) has resulted in a vulnerability warning: https://app.circleci.com/pipelines/github/ministryofjustice/hmpps-community-accommodation-tier-2-ui/519/workflows/4ea28190-5859-4266-87de-6c4ff38d402d/jobs/1381 This is [CWE 1321](https://github.com/advisories?query=cwe%3A1321) [tough-cookie Prototype Pollution vulnerability](GHSA-72xf-g2v4-qvf3) and comes from cypress' `@cypress/request package` This has not yet been fixed in cypress though there's a PR waiting to be merged: cypress-io/request#32 We declare a temporary 'override' in `package.json` to force this upgrade.
|
bump - any chance this gets fixed soon @tgriesser? |
|
needing this approved and merged in as well please |
vmendez-marklogic
approved these changes
Jul 31, 2023
herleraja
approved these changes
Jul 31, 2023
vicorotto
approved these changes
Jul 31, 2023
|
I have added related issues which affect the repo without this PR
yarn add tough-cookieto update to |
npm install
npm audit --omit=devshows with this PR. 👍🏻 |
|
Hi everyone, sorry for the late response. This PR was not seen by our team. I am having someone take a look to get this PR ready for merge if possible. I see some failing checks at the moment. Thank you for your patience. |
jordanpowell88
approved these changes
Aug 1, 2023
MikeMcC399
reviewed
Aug 1, 2023
.github/workflows/yarn.yaml
Outdated
| jobs: | ||
| build: | ||
| name: Install and test with yarn | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: "18" |
There was a problem hiding this comment.
To get the tests to pass, you need to use Node.js 16.
MikeMcC399
reviewed
Aug 1, 2023
.github/workflows/yarn.yaml
Outdated
| - uses: actions/checkout@v3 | ||
| - uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: "18" |
There was a problem hiding this comment.
Suggested change
| node-version: "18" | |
| node-version: 16.16.0 |
This matches Cypress' .node-version.
3 tasks
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 1, 2023
cypress issue will be fixed after: cypress-io/request#32
3 tasks
|
🎉 This PR is included in version 2.88.12 🎉 The release is available on: Your semantic-release bot 📦🚀 |
|
@nagash77 in case you've not seen it, there's also GHSA-p8p7-x288-28g6 which needs addressing - there is #30 and #28 open for that |
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 7, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 7, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 9, 2023
cypress issue will be fixed after: cypress-io/request#32
dmzoneill
pushed a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 9, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 9, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 15, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 17, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Aug 17, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Sep 1, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Sep 6, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Sep 11, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Sep 19, 2023
cypress issue will be fixed after: cypress-io/request#32
fullsushidev
added a commit
to RedHatInsights/tower-analytics-frontend
that referenced
this pull request
Sep 21, 2023
cypress issue will be fixed after: cypress-io/request#32
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR Checklist:
npm testlocally and all tests are passing.Fixes Vulnerable version of tough-cookie in use (2.5.0) CVE-2023-26136 #31 and therefore CVE-2023-26136
PR Description
As described in #31, the tough-cookie dependency had a prototype pollution issue before v4.1.3. This PR updates the tough-cookie dependency to fix this.