
Update request 2.72.x to 2.74.x to fix tough cookie vulnerability. #9

Closed
wants to merge 1 commit into from

Conversation

@m4bwav m4bwav commented Aug 6, 2016

Resolves the vulnerability found in the old version of request. From a Snyk scan of an app that relies on stackexchange at https://snyk.io/test/npm/stack-exchange-markdown-retriever :

"ReDoS via long string of semicolons
high severity

Vulnerable module: tough-cookie
Introduced through: stackexchange@0.4.0

Detailed paths and remediation

Introduced through: stack-exchange-markdown-retriever@1.0.2 › stackexchange@0.4.0 › request@2.72.0 › tough-cookie@2.2.2
Remediation: Run snyk wizard to patch tough-cookie@2.2.2.

Overview

tough-cookie package versions 0.9.7 through 2.2.2 are vulnerable to a Regular expression Denial of Service (ReDoS): long strings of semicolons in the Set-Cookie header cause the event loop to block for excessive amounts of time.

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]"

Trott commented May 29, 2018

request is updated to ^2.87.0 in 1.0.0-1 of this package, which you can get with npm install stackexchange@next. Or you can wait until 1.0.0 is published, which should be soon.

Thanks for the PR and sorry it sat so long!

@Trott Trott closed this May 29, 2018

m4bwav commented May 29, 2018

It's all good!
