Tough-Cookie vulnerability. Possible approaches?
Xantier opened this issue · 4 comments
We received a notification that there is a vulnerable version of tough-cookie coming from one of the dependencies of this package.
The CVE is in here:
- https://nvd.nist.gov/vuln/detail/CVE-2023-26136
- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
There was an attempt to remove this dep within this PR: https://github.com/snyk/broker/pull/570/files but that never made it into the final image since the dependency is needed.
What would be the best approaches to mitigate this?
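Added example (not part of the original issue or of the snyk/broker code base): the first step in answering this question is finding out which dependency pulls the vulnerable copy in and whether more than one copy is installed, since npm may hoist a fixed version to the root while a nested, older copy is still the one a package actually loads. The script below walks an npm lockfile (lockfileVersion 2 or 3, which carry a `packages` map keyed by install path), lists every installed copy of a named package, flags copies below a minimum version, and attributes each copy to the packages that resolve to it using Node's nearest-`node_modules` lookup. The lockfile, package names and versions are constructed for illustration; `MIN_SAFE_VERSION` is a placeholder and must be replaced with the fixed version given in the advisories linked above.

```javascript
// Added example, not code from the snyk/broker project: audit an npm lockfile
// for every installed copy of a package and report who depends on each copy.

// Placeholder threshold: replace with the fixed version from the advisory
// linked in the issue; the value below is NOT taken from the advisory.
const MIN_SAFE_VERSION = '5.0.0';

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Human-readable name of the package installed at a lockfile path.
function displayName(path) {
  return path === '' ? '(root project)' : path.split('node_modules/').pop();
}

// Mimic Node's module lookup: the copy a package at `fromPath` actually loads is
// the nearest node_modules/<name> at or above it in the install tree.
function resolveFrom(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir === '' ? `node_modules/${name}` : `${dir}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (dir === '') return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Returns one record per installed copy of `name`, sorted by install path:
// { path, version, vulnerable, dependents }.
function auditDependency(lock, name, minVersion) {
  const packages = lock.packages || {};
  const copies = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      copies.set(path, {
        path,
        version: meta.version,
        vulnerable: compareVersions(meta.version, minVersion) < 0,
        dependents: [],
      });
    }
  }
  // Attribute each copy to the packages whose declared dependency resolves to it.
  for (const [path, meta] of Object.entries(packages)) {
    const declared = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    if (!(name in declared)) continue;
    const resolved = resolveFrom(packages, path, name);
    if (resolved && copies.has(resolved)) copies.get(resolved).dependents.push(displayName(path));
  }
  return [...copies.values()].sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile; package names and versions are illustrative only.
// The old copy is nested under "request", while a newer copy is hoisted to the root.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { request: '1.0.0', 'some-http-client': '1.0.0' } },
    'node_modules/request': { version: '1.0.0', dependencies: { 'tough-cookie': '2.0.0' } },
    'node_modules/request/node_modules/tough-cookie': { version: '2.0.0' },
    'node_modules/some-http-client': { version: '1.0.0', dependencies: { 'tough-cookie': '9.9.9' } },
    'node_modules/tough-cookie': { version: '9.9.9' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of auditDependency(SAMPLE_LOCK, 'tough-cookie', MIN_SAFE_VERSION)) {
    const tag = c.vulnerable ? 'VULNERABLE' : 'ok        ';
    console.log(`${tag} ${c.version.padEnd(8)} ${c.path}  <- ${c.dependents.join(', ')}`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the output makes clear whether an `overrides` entry or a swap of the depending package (as the maintainers chose to do here with `request`) is what actually removes the old copy, rather than a root-level upgrade that leaves a nested copy in place.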
@Xantier, thanks for pointing us to this vulnerability 💪.
We'll take a look at it this sprint and will respond in the issue.
Hi @pavel-snyk. Wondering if your latest sprint turned up any info about this issue?
Hi there, we're working on swapping request in favor of got, so this issue should be eliminated. We're aiming to complete this early September. Thanks for your patience.
🎉 This issue has been resolved in version 4.160.1 🎉
The release is available on:
Your semantic-release bot 📦🚀