Patch npm package 'tough-cookie' version
The recently upgraded cypress installation (`12.7.1` ->
`12.7.2`) has resulted in a vulnerability warning:

https://app.circleci.com/pipelines/github/ministryofjustice/hmpps-community-accommodation-tier-2-ui/519/workflows/4ea28190-5859-4266-87de-6c4ff38d402d/jobs/1381

This is [CWE 1321](https://github.com/advisories?query=cwe%3A1321)

[tough-cookie Prototype Pollution vulnerability](GHSA-72xf-g2v4-qvf3)

and comes from cypress' `@cypress/request` package

This has not yet been fixed in cypress though there's a PR
waiting to be merged:

cypress-io/request#32

We declare a temporary 'override' in `package.json` to force
this upgrade.
edavey committed Jul 24, 2023
1 parent 932c3f6 commit e944a16
Showing 2 changed files with 46 additions and 16 deletions.
59 changes: 43 additions & 16 deletions package-lock.json

(Generated file; diff not rendered.)

3 changes: 3 additions & 0 deletions package.json
Expand Up @@ -206,5 +206,8 @@
"supertest": "^6.3.3",
"ts-jest": "^29.1.0",
"typescript": "^5.1.6"
},
"overrides": {
"tough-cookie": "^4.1.3"
}
}
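Review bot: the override `"tough-cookie": "^4.1.3"` is declared at the top level of `overrides`, so it rewrites every copy of tough-cookie in the tree, not only the one pulled in by `@cypress/request` that the commit message names. If the intent is to patch that one path until cypress-io/request#32 lands, npm (8.3 or later, where `overrides` is supported) also accepts an override scoped to the parent, `"overrides": { "@cypress/request": { "tough-cookie": "^4.1.3" } }`, which leaves other dependents' resolution alone and makes the temporary scope visible in the file itself. Either way, package.json cannot carry a comment, so the removal condition (merge of cypress-io/request#32 and a cypress release that picks it up) should be tracked in an issue, and the lockfile change in the same commit should be confirmed with `npm ls tough-cookie`, which lists every installed copy with its path and version and will show any nested copy the override failed to reach.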
