
Upgrade tough-cookie to a version without regex DoS vulnerability #226

Merged: 1 commit merged into request:master from rouanw:upgrade_tough_cookie on Sep 22, 2017

Conversation

rouanw
Contributor

@rouanw rouanw commented Sep 22, 2017

tough-cookie version <=2.3.2 is currently vulnerable to a regex denial of service attack. See https://nodesecurity.io/advisories/525.

This issue has been fixed in tough-cookie v2.3.3. See salesforce/tough-cookie#92.

@coveralls

coveralls commented Sep 22, 2017


Coverage remained the same at 100.0% when pulling 672cb28 on rouanw:upgrade_tough_cookie into 3c2c53c on request:master.

@willmorgan

Thanks for the quick fix! ❤️

@rouanw
Contributor Author

rouanw commented Sep 22, 2017

@analog-nico The builds on Travis for node 0.10, 0.12 and iojs are failing due to syntax errors. This seems to be caused by some dependencies using ES6 syntax. Not sure why this failure has begun now.

@rouanw
Contributor Author

rouanw commented Sep 22, 2017

@willmorgan because the tough-cookie fix has been published to npm, you should be able to safely use request-promise because it should automatically pull in the fix due to the >= syntax used in the package.json. See https://docs.npmjs.com/misc/semver. I just like to be explicit 😄

I think it may take a little while for the NSP advisory to be updated.
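A way to confirm that an installed tree really resolved to the fixed tough-cookie rather than trusting the `>=` range, as an added example that is not part of this PR or the request-promise project: it walks the nested `dependencies` shape that `npm ls --json` prints (the tree below is constructed sample data, not a real capture) and reports every copy at or below 2.3.2, the range the advisory covers.

```javascript
// Added example, not code from the request-promise project. Walks the JSON
// shape produced by `npm ls --json` and lists every install path at which
// tough-cookie is at or below 2.3.2. SAMPLE_TREE is constructed sample input
// shaped like npm's output; replace it with JSON.parse of real `npm ls --json`.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'request-promise': {
      version: '4.2.1',
      dependencies: {
        request: {
          version: '2.81.0',
          dependencies: { 'tough-cookie': { version: '2.3.2' } },
        },
      },
    },
    'tough-cookie': { version: '2.3.3' },
  },
};

// Compare two "major.minor.patch" strings numerically; returns -1, 0 or 1.
// Prerelease tags and range syntax are out of scope for this check.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect every path at which `pkg` is installed with a version
// <= maxVulnerable. Paths are joined with " > " like npm's own output, so a
// nested copy under request shows up even when the top-level copy is fixed.
function findVulnerable(tree, pkg, maxVulnerable, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, maxVulnerable) <= 0) {
      found.push(here.join(' > '));
    }
    findVulnerable(node, pkg, maxVulnerable, here, found);
  }
  return found;
}

// Run on the constructed sample tree.
const hits = findVulnerable(SAMPLE_TREE, 'tough-cookie', '2.3.2');
console.log(hits.length ? hits : 'no vulnerable tough-cookie found');
```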

@analog-nico analog-nico merged commit 894672d into request:master Sep 22, 2017
@analog-nico
Member

Thanks a lot @rouanw ! I just published request-promise@4.2.2 that includes the fix.

FYI, the build didn’t work because request@latest requires node v4 and up. The build now uses request@2.76.0 for the old node environments which is the latest version that supports them.

@rouanw rouanw deleted the upgrade_tough_cookie branch September 22, 2017 17:37