chore(deps): update dependency tough-cookie to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tough-cookie	2.5.0 -> 4.1.3

GitHub Vulnerability Alerts

CVE-2023-26136

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

---

Release Notes

salesforce/tough-cookie (tough-cookie)

v4.1.3: 4.1.3

Compare Source

Security fix for Prototype Pollution discovery in #​282. This is a minor release, although output from the inspect utility is affected by this change, we felt this change was important enough to be pushed into the next patch.

v4.1.2: 4.1.2 -- Patch and Bugfix Release

Compare Source

What's Changed

• fix: allow set cookies with localhost by @​colincasey in https://github.com/salesforce/tough-cookie/pull/253

Full Changelog: salesforce/tough-cookie@v4.1.1...v4.1.2

v4.1.1: 4.1.1

Compare Source

Patch Release

What's Changed

• fix: allow special use domains by default by @​colincasey in https://github.com/salesforce/tough-cookie/pull/249
• 4.1.1 Patch -- allow special use domains by default by @​awaterma in https://github.com/salesforce/tough-cookie/pull/250

Full Changelog: salesforce/tough-cookie@v4.1.0...v4.1.1

v4.1.0: 4.1.0

Compare Source

v4.1.0

Minor release, focused mainly on resolving reported issues and some minor feature work.

What's Changed

• Create CHANGELOG.md by @​ShivanKaul in https://github.com/salesforce/tough-cookie/pull/189
• Missing param validation issue145 by @​medelibero-sfdc in https://github.com/salesforce/tough-cookie/pull/193
• Create SECURITY.md by @​ShivanKaul in https://github.com/salesforce/tough-cookie/pull/201
• Create CODE_OF_CONDUCT.md by @​ShivanKaul in https://github.com/salesforce/tough-cookie/pull/200
• Fix for issue #​195 by @​medelibero-sfdc in https://github.com/salesforce/tough-cookie/pull/202
• Add explanation and more special-use domains by @​ShivanKaul in https://github.com/salesforce/tough-cookie/pull/203
• Sync of constructor options for serialization by @​medelibero-sfdc in https://github.com/salesforce/tough-cookie/pull/204
• Returned null in case of empty cookie value by @​vsin12 in https://github.com/salesforce/tough-cookie/pull/196
• 132 str trim not a function by @​awaterma in https://github.com/salesforce/tough-cookie/pull/209
• Fix for issue #​153 by @​medelibero-sfdc in https://github.com/salesforce/tough-cookie/pull/210
• Fix permuteDomain with trailing dot by @​ruoho-sfdc in https://github.com/salesforce/tough-cookie/pull/216
• Issue #​213 -- added gh-actions flow for building and testing tough-co… by @​awaterma in https://github.com/salesforce/tough-cookie/pull/218
• Issue #​210 -- Updated workflow to use npm install. by @​awaterma in https://github.com/salesforce/tough-cookie/pull/220
• @​GH-215 -- Tests that document localhost behavior when set as domain. by @​awaterma in https://github.com/salesforce/tough-cookie/pull/221
• fix: MemoryCookieStore methods should exist on the prototype, not on the class. by @​wjhsf in https://github.com/salesforce/tough-cookie/pull/226
• Unit test cases for allowSpecialUseDomain option by @​colincasey in https://github.com/salesforce/tough-cookie/pull/225
• [Snyk] Upgrade universalify from 0.1.2 to 0.2.0 by @​snyk-bot in https://github.com/salesforce/tough-cookie/pull/228
• React Native Support by @​colincasey in https://github.com/salesforce/tough-cookie/pull/227
• Adding Updating CODEOWNERS with ECCN as per Export Control Compliance by @​svc-scm in https://github.com/salesforce/tough-cookie/pull/223
• fix: domain match routine by @​colincasey in https://github.com/salesforce/tough-cookie/pull/236
• Stop using the internal NodeJS punycode module by @​gboer in https://github.com/salesforce/tough-cookie/pull/238
• Initial documentation review by @​mcarey86 in https://github.com/salesforce/tough-cookie/pull/234
• fix: distinguish between no samesite and samesite=none by @​colincasey in https://github.com/salesforce/tough-cookie/pull/240
• Prepare tough-cookie 4.1 for publishing (updated GitHub actions, move… by @​awaterma in https://github.com/salesforce/tough-cookie/pull/242
• 4.1.0 release to NPM by @​awaterma in https://github.com/salesforce/tough-cookie/pull/245

New Contributors

• @​vsin12 made their first contribution in https://github.com/salesforce/tough-cookie/pull/196
• @​ruoho-sfdc made their first contribution in https://github.com/salesforce/tough-cookie/pull/216
• @​wjhsf made their first contribution in https://github.com/salesforce/tough-cookie/pull/226
• @​colincasey made their first contribution in https://github.com/salesforce/tough-cookie/pull/225
• @​snyk-bot made their first contribution in https://github.com/salesforce/tough-cookie/pull/228
• @​svc-scm made their first contribution in https://github.com/salesforce/tough-cookie/pull/223
• @​gboer made their first contribution in https://github.com/salesforce/tough-cookie/pull/238
• @​mcarey86 made their first contribution in https://github.com/salesforce/tough-cookie/pull/234

Full Changelog: salesforce/tough-cookie@v4.0.0...v4.1.0

v4.0.0: Version 4.0.0

Compare Source

Breaking Changes (Major Version)

• Modernized JS Syntax
  • Use ESLint and Prettier to apply consistent, modern formatting (add dependency on universalify, eslint and prettier)
• Upgraded version dependencies for psl and async
• Re-order parameters for findCookies() - callback fn has to be last in order to comply with universalify
• Use Classes instead of function prototypes to define classes
  • Might break people using .call() to do inheritance using function prototypes

Minor Changes

• SameSite cookie support
• Cookie prefix support
• Support for promises
• '.local' support
• Numerous bug fixes!

v3.0.1

Compare Source

v3.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cypress-app-bot]

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

[jennifer-shehane]

This seems to be out of date...

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

[cypress]

cypress    Run #60293

Run Properties:   Passed #60293  •  2b91aa657e: Merge branch 'develop' into renovate/npm-tough-cookie-vulnerability

Project	cypress
Branch Review	renovate/npm-tough-cookie-vulnerability
Run status	Passed #60293
Run duration	17m 27s
Commit	2b91aa657e: Merge branch 'develop' into renovate/npm-tough-cookie-vulnerability
Committer	Jennifer Shehane
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	7
Pending	1099
Skipped	0
Passing	26542
View all changes introduced in this branch ↗︎

UI Coverage  45.56%
Untested elements	191
Tested elements	164

Accessibility  92.54%
Failed rules	3 critical   8 serious   2 moderate   2 minor
Failed elements	890