Security vulnerability in tough-cookie through request #608

Closed
holm opened this issue Jul 25, 2016 · 2 comments · Fixed by #612 or #613

holm commented Jul 25, 2016

tough-cookie has a ReDOS vulnerability that is fixed in 2.3.0. This repo depends on request, which has recently been updated to require the fixed version. See https://nodesecurity.io/advisories/130.

It would be great if this could be updated to support 2.74.0 of request and released.

Note that google-auth-library also requires request, so this will need to be updated also, and the updated version used here also.


holm commented Jul 25, 2016

Issue for google-auth-library filed at googleapis/google-auth-library-nodejs#90


jmdobry commented Jul 25, 2016

Thanks for pointing this out, will update soon.

jmdobry added the `type: bug` label Jul 25, 2016
jmdobry self-assigned this Jul 25, 2016
bengourley added a commit to bengourley/google-api-nodejs-client that referenced this issue Aug 5, 2016
`tough-cookie`, a transitive dependency of this module
via `request`, has a security vulnerability:

https://nodesecurity.io/advisories/130

`request` has already upgraded its dependency to fix
the issue, so it's just a matter of bumping the version
depended on here.
jmdobry pushed a commit that referenced this issue Aug 6, 2016
`tough-cookie`, a transitive dependency of this module
via `request`, has a security vulnerability:

https://nodesecurity.io/advisories/130

`request` has already upgraded its dependency to fix
the issue, so it's just a matter of bumping the version
depended on here.
jmdobry mentioned this issue Aug 6, 2016
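
The thread notes that `tough-cookie` reaches this module through more than one parent (`request` directly, and `request` again via `google-auth-library`). The following is an added example, not code from this issue or the project: it walks a dependency tree in the shape of `npm ls --json` output and reports every path that still resolves `tough-cookie` below 2.3.0. The sample tree and all version numbers other than 2.3.0 and 2.74.0 are constructed for illustration.

```javascript
// Added example: list every dependency path that resolves a package below its fixed version.
// Package names come from the issue; the tree and most versions are constructed sample data.
const FIXED = '2.3.0'; // tough-cookie release with the fix, per the issue

// Compare two plain x.y.z versions; returns <0, 0 or >0. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively walk `dependencies` and collect each path ending at `name` with version < fixed.
function findVulnerablePaths(node, name, fixed, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = trail.concat(`${dep}@${info.version}`);
    if (dep === name && info.version && compareVersions(info.version, fixed) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(info, name, fixed, here));
  }
  return hits;
}

// Constructed tree: the direct `request` is already updated, but google-auth-library
// still pins an older `request` that brings in an older tough-cookie.
const sampleTree = {
  name: 'google-api-nodejs-client',
  dependencies: {
    request: { version: '2.74.0', dependencies: { 'tough-cookie': { version: '2.3.0' } } },
    'google-auth-library': {
      version: '0.9.0', // constructed
      dependencies: {
        request: { version: '2.72.0', dependencies: { 'tough-cookie': { version: '2.2.2' } } },
      },
    },
  },
};

const vulnerablePaths = findVulnerablePaths(sampleTree, 'tough-cookie', FIXED);
console.log(vulnerablePaths);
```

Against a real project, the parsed output of `npm ls --json` can be passed in place of `sampleTree`.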