Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

yarn nsp-check is failing re: tough-cookie ReDOS

See original GitHub issue

This is due to https://nodesecurity.io/advisories/525

Running locally to get the extended tree shows tough-cookie is coming in via:

mozilla-addons-frontend@0.0.1 > jsdom@11.2.0 > request-promise-native@1.0.4 > tough-cookie@2.3.2

I think this being a dep of jsdom would mean this should only impacts tests if at all. This needs to be confirmed.

The upstream issue is: https://github.com/salesforce/tough-cookie/issues/92

Issue Analytics

State:
Created 6 years ago
Reactions:1
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

kumar303commented, Sep 22, 2017

Looks like we don’t have any patches yet. We should probably get master back to green so we don’t miss any unrelated failures. This should do it in a .nsprc:

{
  "exceptions": ["https://nodesecurity.io/advisories/525"]
}

0reactions

kumar303commented, Sep 27, 2017

I think this being a dep of jsdom would mean this should only impacts tests if at all.

I also see us using tough-cookie for chokidar which is just a file watcher which we use purely for development.

$ npm ls tough-cookie
mozilla-addons-frontend@0.0.1 /Users/kumar/dev/addons-frontend
├─┬ chokidar-cli@1.2.0
│ └─┬ chokidar@1.7.0
│   └─┬ fsevents@1.1.2
│     └─┬ node-pre-gyp@0.6.36
│       └─┬ request@2.81.0
│         └── tough-cookie@2.3.2
├─┬ jsdom@11.2.0
│ └── tough-cookie@2.3.2
├── UNMET PEER DEPENDENCY react@15.6.2
├── UNMET PEER DEPENDENCY react-redux@5.0.6
└── UNMET PEER DEPENDENCY webpack@3.1.0