Patch npm package 'tough-cookie' version #99

edavey · 2023-07-24T10:59:11Z

The recently upgraded cypress installation (12.7.1 -> 12.7.2) has resulted in a vulnerability warning

and comes from cypress' @cypress/request package

This has not yet been fixed in cypress though there's a PR waiting to be merged:

We declare a temporary 'override' in package.json to force this upgrade.

The recently upgraded cypress installation (`12.7.1` -> `12.7.2`) has resulted in a vulnerability warning: https://app.circleci.com/pipelines/github/ministryofjustice/hmpps-community-accommodation-tier-2-ui/519/workflows/4ea28190-5859-4266-87de-6c4ff38d402d/jobs/1381 This is [CWE 1321](https://github.com/advisories?query=cwe%3A1321) [tough-cookie Prototype Pollution vulnerability](GHSA-72xf-g2v4-qvf3) and comes from cypress' `@cypress/request package` This has not yet been fixed in cypress though there's a PR waiting to be merged: cypress-io/request#32 We declare a temporary 'override' in `package.json` to force this upgrade.

edavey force-pushed the fix/tough-cookie-vuln-in-cypress-request branch from 374d452 to e944a16 Compare July 24, 2023 11:00

edavey requested a review from patrickjfl July 24, 2023 11:00

patrickjfl approved these changes Jul 24, 2023

View reviewed changes

edavey merged commit 1e9379f into main Jul 24, 2023

edavey deleted the fix/tough-cookie-vuln-in-cypress-request branch July 24, 2023 16:56

Provide feedback