
fix(dependabot): fix tough-cookie security vulnerability #4212

Merged
merged 1 commit on Jul 10, 2023

Conversation

thaddmt
Contributor

@thaddmt thaddmt commented Jul 8, 2023

Description of changes

Issue #, if available

Description of how you validated changes

Checklist

  • Have read the Pull Request Guidelines
  • PR description included
  • Relevant documentation is changed or added (and PR referenced)
  • yarn test passes and tests are updated/added
  • No side effects or sideEffects field updated

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@thaddmt thaddmt requested a review from a team as a code owner July 8, 2023 01:06
@changeset-bot

changeset-bot bot commented Jul 8, 2023

⚠️ No Changeset found

Latest commit: 7741578

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@thaddmt thaddmt temporarily deployed to ci July 8, 2023 01:26 — with GitHub Actions Inactive
version "4.1.2"
resolved "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.2.tgz#e53e84b85f24e0b65dd526f46628db6c85f6b874"
integrity sha512-G9fqXWoYFZgTc2z8Q5zaHy/vJMjm+WV0AkAeHxVCQiEB1b+dGvWzFW6QV07cY5jQ5gRkeid2qIkzkxUnmoQZUQ==
[email protected], tough-cookie@^4.0.0, tough-cookie@^4.1.2, tough-cookie@~2.5.0:
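Review bot: the key line `tough-cookie@^4.0.0, tough-cookie@^4.1.2, tough-cookie@~2.5.0:` collapses the `~2.5.0` range onto the same `version "4.1.2"` entry as the 4.x ranges; 4.1.2 lies outside `~2.5.0`, so this resolution only holds through an override and the consumer that requested 2.x is silently moved across two major versions. Suggest recording in the PR description which consumer that is (the `yarn why tough-cookie` output) and whether it is test-only, so the runtime risk of the override is documented rather than inferred from the lock file.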
Contributor

@zchenwei zchenwei Jul 8, 2023


Looks like one of the dependencies uses a v2. A little bit concerned that there will be a runtime problem, since the fix needs to bump 2 majors.

Contributor

I guess that could depend on whether we use cookies in Cypress?

Contributor Author

It looks like the v2 dependency comes from this dependency - cypress-io/request#31

Other people are reporting the same issue, but yeah, it seems not to be directly related to our library at least.

@reesscot
Contributor

Can you include the full yarn why tough-cookie here?

@thaddmt
Contributor Author

thaddmt commented Jul 10, 2023

Can you include the full yarn why tough-cookie here?

=> Found "[email protected]"
info Reasons this module exists

  • "project#jsdom" depends on it
  • Hoisted from "project#jsdom#tough-cookie"
  • Hoisted from "project#@aws-amplify#ui-docs#cypress#@cypress#request#tough-cookie"
  • Hoisted from "project#@aws-amplify#ui-angular-mono#jest-preset-angular#jest-environment-jsdom#jsdom#tough-cookie"
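The concern raised in this thread, a `~2.5.0` request resolved to a 4.x version, can be checked mechanically from the lock file. The following is an added example, not code from this PR or from yarn: it parses a constructed yarn.lock v1 fragment (sample data, not the repository's real lock file) with a small hand-written matcher for exact, `~` and `^` ranges, and lists every key whose resolved version falls outside what it requested. `parse_lock`, `satisfies` and `find_forced_upgrades` are names chosen here, not yarn APIs.

```python
import re
# Constructed yarn.lock (v1) fragment modelled on the entry under discussion in this PR:
# three requested ranges resolved to one version, as a "resolutions" override produces.
SAMPLE_LOCK = """\
tough-cookie@^4.0.0, tough-cookie@^4.1.2, tough-cookie@~2.5.0:
  version "4.1.2"
  resolved "https://registry.npmjs.org/tough-cookie/-/tough-cookie-4.1.2.tgz"

psl@^1.1.33:
  version "1.9.0"
"""
KEY_RE = re.compile(r'^(?P<pkg>@?[^@\s]+)@(?P<range>[^,]+)$')   # handles scoped names too

def parse_lock(text):
    """Yield (package, requested_range, resolved_version) for each key of each entry."""
    keys, version = [], None
    for line in text.splitlines() + [""]:      # trailing "" closes the last entry
        if line.startswith('#'): continue      # yarn writes a comment header
        if line and not line[0].isspace():     # unindented line = entry header (the keys)
            keys = [k.strip().strip('"') for k in line.rstrip(':').split(',')]
        elif line.strip().startswith('version '):
            version = line.split('"')[1]
        elif not line.strip():                 # blank line ends the entry
            for key in keys:
                m = KEY_RE.match(key)
                if m and version:
                    yield m['pkg'], m['range'], version
            keys, version = [], None

def _v(s):
    """'4.1.2' -> (4, 1, 2); short or pre-release strings are padded/trimmed to three ints."""
    parts = [int(p) for p in s.split('-')[0].split('.')[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, rng):
    """Exact, '~' and '^' ranges (what yarn.lock keys mostly carry); None if unmodelled."""
    v = _v(version)
    if rng[0] == '~':                          # ~x.y.z: patch-level changes only
        lo = _v(rng[1:])
        return lo <= v < (lo[0], lo[1] + 1, 0)
    if rng[0] == '^':                          # ^x.y.z: keep the left-most non-zero part
        lo = _v(rng[1:])
        hi = (lo[0] + 1, 0, 0) if lo[0] else (0, lo[1] + 1, 0) if lo[1] else (0, 0, lo[2] + 1)
        return lo <= v < hi
    return v == _v(rng) if rng[0].isdigit() else None

def find_forced_upgrades(text):
    """Keys whose resolved version lies outside the requested range (forced upgrades)."""
    return [(p, r, v) for p, r, v in parse_lock(text) if satisfies(v, r) is False]
```

Run against the sample it reports only `('tough-cookie', '~2.5.0', '4.1.2')`, which is the consumer worth tracing with `yarn why` before trusting an override.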

@thaddmt thaddmt requested review from reesscot and zchenwei July 10, 2023 16:31
Contributor

@zchenwei zchenwei left a comment


LGTM

@thaddmt thaddmt merged commit 08cbc2a into main Jul 10, 2023
@thaddmt thaddmt deleted the fix-tough-cookie branch July 10, 2023 18:38
4 participants