fix(deps): update dependency tough-cookie to v4 [security]#1004
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency tough-cookie to v4 [security]#1004renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
3 times, most recently
from
March 20, 2024 09:57
38082f9 to
38e9d4c
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
from
April 3, 2024 15:01
38e9d4c to
e3e6622
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
2 times, most recently
from
May 23, 2024 14:35
70a9dd9 to
9a81936
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
from
June 17, 2024 08:21
9a81936 to
7f83c30
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
2 times, most recently
from
July 18, 2024 10:29
9799602 to
561e722
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
3 times, most recently
from
July 26, 2024 13:56
51c19bc to
c60d611
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
2 times, most recently
from
September 17, 2024 07:26
dc5fffa to
49d90ef
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
2 times, most recently
from
October 16, 2024 15:16
be88498 to
4558285
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
2 times, most recently
from
January 13, 2025 07:56
fa1df1d to
96a233d
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
from
March 14, 2025 08:33
96a233d to
9b50823
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
3 times, most recently
from
April 1, 2025 13:54
014a6b4 to
7fc4dff
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
12 times, most recently
from
April 2, 2025 13:00
36b94e0 to
44b1fd8
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
4 times, most recently
from
August 22, 2025 14:33
bb7e919 to
87647f5
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
2 times, most recently
from
March 30, 2026 20:30
87647f5 to
504c355
Compare
renovate
Bot
force-pushed
the
renovate/npm-tough-cookie-vulnerability
branch
2 times, most recently
from
April 27, 2026 23:39
504c355 to
a6fc506
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^2.5.0→^4.0.0tough-cookie Prototype Pollution vulnerability
CVE-2023-26136 / GHSA-72xf-g2v4-qvf3
More information
Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in
rejectPublicSuffixes=falsemode. This issue arises from the manner in which the objects are initialized.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
salesforce/tough-cookie (tough-cookie)
v4.1.3: 4.1.3Compare Source
Security fix for Prototype Pollution discovery in #282. This is a minor release, although output from the
inspectutility is affected by this change, we felt this change was important enough to be pushed into the next patch.v4.1.2: 4.1.2 -- Patch and Bugfix ReleaseCompare Source
What's Changed
Full Changelog: salesforce/tough-cookie@v4.1.1...v4.1.2
v4.1.1: 4.1.1Compare Source
Patch Release
What's Changed
Full Changelog: salesforce/tough-cookie@v4.1.0...v4.1.1
v4.1.0: 4.1.0Compare Source
v4.1.0
Minor release, focused mainly on resolving reported issues and some minor feature work.
What's Changed
allowSpecialUseDomainoption by @colincasey in #225New Contributors
Full Changelog: salesforce/tough-cookie@v4.0.0...v4.1.0
v4.0.0: Version 4.0.0Compare Source
Breaking Changes (Major Version)
universalify,eslintandprettier)pslandasyncfindCookies()- callback fn has to be last in order to comply withuniversalify.call()to do inheritance using function prototypesMinor Changes
v3.0.1Compare Source
v3.0.0Compare Source
Configuration
📅 Schedule: (in timezone Europe/Paris)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.