Skip to content

[Security] Bump tough-cookie and chii

Dependabot requested to merge dependabot-npm_and_yarn-multi-f728e6f655 into master

Bumps tough-cookie to 5.0.0 and updates ancestor dependency chii. These dependencies need to be updated together.

Updates tough-cookie from 2.5.0 to 5.0.0 This update includes a security fix.

Vulnerabilities fixed

tough-cookie Prototype Pollution vulnerability Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Patched versions: 4.1.3 Affected versions: < 4.1.3

Release notes

Sourced from tough-cookie's releases.

v5.0.0

Summary

Breaking Changes

  • We've migrated the project to TypeScript! First-party types are now available.
  • The minimum supported version of node is v18.
  • We no longer provide official support for non-node enviroments.

API Changes

  • We've standardized most of our exposed interfaces to accept both null and undefined and return only undefined.
  • getCookie and getCookies now accept a string or URL as a parameter.
  • We've removed the inspect function in favor of node's util.inspect.custom symbol. Cookies may appear different when logged in non-node environments.

Other Changes

  • Fixed the expiry time not updating when a cookie is updating.
  • Fixed validation errors not getting called in some callbacks.
  • New documentation that is always kept up to date!
  • Performance improvements.

What's Changed

... (truncated)

Commits
  • 7ed1b8a Merge pull request #451 from salesforce/prepare_v5
  • cbaa1a5 Prepare v5 release
  • 57b534c 5.0.0
  • 2e6b3f4 Bump eslint from 8.57.0 to 9.9.1 (#449)
  • b72cdb2 Bump the dev-dependencies group with 2 updates (#448)
  • 93d550b upgrade typescript-eslint to 8.0.1 (#440)
  • 07a7a4d Bump the dev-dependencies group with 6 updates (#444)
  • 9b78073 Bump tldts from 6.1.37 to 6.1.41 in the production-dependencies group (#443)
  • 25a769c Bump the dev-dependencies group across 1 directory with 6 updates (#439)
  • 99dab1b Bump tldts from 6.1.32 to 6.1.37 in the production-dependencies group (#436)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ccasey, a new releaser for tough-cookie since your current version.


Updates chii from 1.10.0 to 1.15.3

Release notes

Sourced from chii's releases.

v1.15.3

  • fix: embedded mode not resizable on mobile #81

v1.15.2

  • fix: ws dead loop

v1.15.1

  • fix: cache network requests before enable #53
  • chore: minor ui update

v1.15.0

  • feat: shadow dom
  • chore: update dependencies

v1.14.0

  • feat: dark mode
  • fix: memory leak #51

v1.13.0

  • feat: os icon
  • chore: update chobitsu

v1.12.3

  • fix: target.js cdn attribute

v1.12.2

  • fix: firefox elements panel

v1.12.1

  • fix: default favicon

v1.12.0

  • feat: update devtools frontend
  • feat: support safari

v1.11.1

  • chore: update chobitsu

v1.11.0

  • feat: support IndexedDB
  • feat: support WebSocket
Changelog

Sourced from chii's changelog.

1.15.3 (27 Oct 2024)

  • fix: embedded mode not resizable on mobile #81

1.15.2 (17 Oct 2024)

  • fix: ws dead loop

1.15.1 (16 Oct 2024)

  • fix: cache network requests before enable #53
  • chore: minor ui update

1.15.0 (3 Oct 2024)

  • feat: shadow dom
  • chore: update dependencies

1.14.0 (23 Sep 2024)

  • feat: dark mode
  • fix: memory leak #51

1.13.0 (3 Sep 2024)

  • feat: os icon
  • chore: update chobitsu

1.12.3 (29 Aug 2024)

  • fix: target.js cdn attribute

1.12.2 (29 Aug 2024)

  • fix: firefox elements panel

1.12.1 (29 Aug 2024)

  • fix: default favicon

1.12.0 (29 Aug 2024)

  • feat: update devtools frontend
  • feat: support safari

1.11.1 (20 Aug 2024)

  • chore: update chobitsu

1.11.0 (31 Jul 2024)

... (truncated)

Commits

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports