🚨 [security] Update tough-cookie 3.0.1 → 4.1.3 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ tough-cookie (3.0.1 → 4.1.3) · Repo · Changelog

Security Advisories 🚨

🚨 tough-cookie Prototype Pollution vulnerability

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Release Notes

4.1.3

Security fix for Prototype Pollution discovery in #282. This is a minor release, although output from the inspect utility is affected by this change, we felt this change was important enough to be pushed into the next patch.

4.1.2

What's Changed

• fix: allow set cookies with localhost by @colincasey in #253

Full Changelog: v4.1.1...v4.1.2

4.1.1

Patch Release

What's Changed

• fix: allow special use domains by default by @colincasey in #249
• 4.1.1 Patch -- allow special use domains by default by @awaterma in #250

Full Changelog: v4.1.0...v4.1.1

4.1.0

v4.1.0

Minor release, focused mainly on resolving reported issues and some minor feature work.

What's Changed

• Create CHANGELOG.md by @ShivanKaul in #189
• Missing param validation issue145 by @medelibero-sfdc in #193
• Create SECURITY.md by @ShivanKaul in #201
• Create CODE_OF_CONDUCT.md by @ShivanKaul in #200
• Fix for issue #195 by @medelibero-sfdc in #202
• Add explanation and more special-use domains by @ShivanKaul in #203
• Sync of constructor options for serialization by @medelibero-sfdc in #204
• Returned null in case of empty cookie value by @vsin12 in #196
• 132 str trim not a function by @awaterma in #209
• Fix for issue #153 by @medelibero-sfdc in #210
• Fix permuteDomain with trailing dot by @ruoho-sfdc in #216
• Issue #213 -- added gh-actions flow for building and testing tough-co… by @awaterma in #218
• Issue #210 -- Updated workflow to use npm install. by @awaterma in #220
• @GH-215 -- Tests that document localhost behavior when set as domain. by @awaterma in #221
• fix: MemoryCookieStore methods should exist on the prototype, not on the class. by @wjhsf in #226
• Unit test cases for allowSpecialUseDomain option by @colincasey in #225
• [Snyk] Upgrade universalify from 0.1.2 to 0.2.0 by @snyk-bot in #228
• React Native Support by @colincasey in #227
• Adding Updating CODEOWNERS with ECCN as per Export Control Compliance by @svc-scm in #223
• fix: domain match routine by @colincasey in #236
• Stop using the internal NodeJS punycode module by @gboer in #238
• Initial documentation review by @mcarey86 in #234
• fix: distinguish between no samesite and samesite=none by @colincasey in #240
• Prepare tough-cookie 4.1 for publishing (updated GitHub actions, move… by @awaterma in #242
• 4.1.0 release to NPM by @awaterma in #245

New Contributors

• @vsin12 made their first contribution in #196
• @ruoho-sfdc made their first contribution in #216
• @wjhsf made their first contribution in #226
• @colincasey made their first contribution in #225
• @snyk-bot made their first contribution in #228
• @svc-scm made their first contribution in #223
• @gboer made their first contribution in #238
• @mcarey86 made their first contribution in #234

Full Changelog: v4.0.0...v4.1.0

4.0.0

• SameSite cookie support
• Cookie prefix support
• Support for promises
• Use ESLint and Prettier to apply consistent, modern formatting
• '.local' support
• Numerous bug fixes!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• 4.1.3 release preparation, update the package and lib/version to 4.1.3. (#284)
• Prevent prototype pollution in cookie memstore (#283)
• Fix documentation for store.findCookies, missing allowSpecialUseDomain property (#257)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

---

This change is 

[changelogg]

Hey! Changelogs info seems to be missing or might be in incorrect format.
Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_text
or
- tag: changelog_text
OR
You can add tag in PR header or while doing a commit too
(tag) PR header
or
tag: PR header
Valid tags: added / feat, changed, deprecated, fixed / fix, removed, security, build, ci, chore, docs, perf, refactor, revert, style, test
Thanks!
For more info, check out changelogg docs