Skip to content

[Security] Bump tough-cookie and chii

Dependabot requested to merge dependabot-npm_and_yarn-multi-550d1d3480 into master

Bumps tough-cookie to 4.1.4 and updates ancestor dependency chii. These dependencies need to be updated together.

Updates tough-cookie from 2.5.0 to 4.1.4 This update includes a security fix.

Vulnerabilities fixed

tough-cookie Prototype Pollution vulnerability Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Patched versions: 4.1.3 Affected versions: < 4.1.3

Release notes

Sourced from tough-cookie's releases.

v4.1.4

https://www.npmjs.com/package/tough-cookie/v/4.1.4

What's Changed

New Contributors

Full Changelog: https://github.com/salesforce/tough-cookie/compare/v4.1.3...v4.1.4

4.1.3

Security fix for Prototype Pollution discovery in #282. This is a minor release, although output from the inspect utility is affected by this change, we felt this change was important enough to be pushed into the next patch.

4.1.2 -- Patch and Bugfix Release

What's Changed

Full Changelog: https://github.com/salesforce/tough-cookie/compare/v4.1.1...v4.1.2

4.1.1

Patch Release

What's Changed

Full Changelog: https://github.com/salesforce/tough-cookie/compare/v4.1.0...v4.1.1

4.1.0

v4.1.0

Minor release, focused mainly on resolving reported issues and some minor feature work.

What's Changed

... (truncated)

Commits
  • cacbc37 Bump version to 4.1.4
  • a48fb3a Add tests for url validation
  • 50e69bf Merge pull request #261 from postmanlabs/fix/url-string-validation
  • 1253d58 Merge pull request #409 from corvidism/validators-to-string
  • 238367e Add local alias for toString
  • 4ff4d29 4.1.3 release preparation, update the package and lib/version to 4.1.3. (#284)
  • 12d4747 Prevent prototype pollution in cookie memstore (#283)
  • f06b72d Fix documentation for store.findCookies, missing allowSpecialUseDomain proper...
  • cf6debd Fix incorrect string validation for URL
  • b1a8898 fix: allow set cookies with localhost (#253)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ccasey, a new releaser for tough-cookie since your current version.


Updates chii from 1.10.0 to 1.15.0

Release notes

Sourced from chii's releases.

v1.15.0

  • feat: shadow dom
  • chore: update dependencies

v1.14.0

  • feat: dark mode
  • fix: memory leak #51

v1.13.0

  • feat: os icon
  • chore: update chobitsu

v1.12.3

  • fix: target.js cdn attribute

v1.12.2

  • fix: firefox elements panel

v1.12.1

  • fix: default favicon

v1.12.0

  • feat: update devtools frontend
  • feat: support safari

v1.11.1

  • chore: update chobitsu

v1.11.0

  • feat: support IndexedDB
  • feat: support WebSocket
Changelog

Sourced from chii's changelog.

1.15.0 (3 Oct 2024)

  • feat: shadow dom
  • chore: update dependencies

1.14.0 (23 Sep 2024)

  • feat: dark mode
  • fix: memory leak #51

1.13.0 (3 Sep 2024)

  • feat: os icon
  • chore: update chobitsu

1.12.3 (29 Aug 2024)

  • fix: target.js cdn attribute

1.12.2 (29 Aug 2024)

  • fix: firefox elements panel

1.12.1 (29 Aug 2024)

  • fix: default favicon

1.12.0 (29 Aug 2024)

  • feat: update devtools frontend
  • feat: support safari

1.11.1 (20 Aug 2024)

  • chore: update chobitsu

1.11.0 (31 Jul 2024)

  • feat: support IndexedDB
  • feat: support WebSocket
Commits

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports