Dependencies tough-cookie@2.2.2

[toniixyz]

Issue details

When installing BS via npm (-global, no sudo, Node via brew) i found two WARN

npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

Steps to reproduce/test case

/browser-sync 2.14.0 --> localtunnel 1.8.1 --> request 2.65.0 --> tough-cookie 2.2.2

&&

/browser-sync 2.14.0 --> chokidar@1.5.1 --> fsevents@1.0.14 --> node-pre-gyp@0.6.29 --> request@2.73.0 --> tough-cookie@2.2.2

Last version of Request@2.74.0 seems to have dependencies related to tough-cookie up to date (2.3.X)

Please specify which version of Browsersync, node and npm you're running

• Browsersync [ 2.14.0 ]
• Node [ v6.5.0 ]
• Npm [ 3.10.3 ]

Affected platforms

• linux
• windows
• OS X
• freebsd
• solaris
• other (please specify which)

Tnx for your work :)

[shakyShane]

Browsersync has all up-to-date deps now, we require chokidar to also update theirs. ping @es128

[es128]

Needs to happen at node-pre-gyp first.

Ping @springmeyer

[toniixyz]

Txn to everybody!

And seems that localtunnel request@2.65.0 too

"dependencies": {
"request": "2.65.0",
"yargs": "3.29.0",
"debug": "2.2.0",
"openurl": "1.1.0"

@defunctzombie

[springmeyer]

@es128 - node-pre-gyp uses request 2.x (https://github.com/mapbox/node-pre-gyp/blob/master/package.json#L27) and no longer bundles dependencies os of v0.6.27 (https://github.com/mapbox/node-pre-gyp/blob/master/CHANGELOG.md#0627) so all you should need to do is republish fsevents.

[es128]

fsevents was already republished with node-pre-gyp 0.6.29 a while ago. This issue isn't about the older vulnerability in request, it's in a different one of its dependencies.

But I was not aware I could drop bundledDependencies now - that's great news. Will give it a try soon.