tough-cookie is a popular Node.js library providing RFC 6265-compliant cookie and cookie jar functionality. Comparing versions 2.2.1 and 2.2.2, both share the same core feature set: cookie handling according to the RFC 6265 standard, which makes them suitable for managing cookies in HTTP clients and servers. They also share the same development dependencies, vows for testing and async for asynchronous operations. The descriptive text, license (BSD-3-Clause), repository information, and author details are identical between the two versions.
The primary visible difference is the release date. Version 2.2.2 was released on March 9, 2016, whereas version 2.2.1 was released on November 13, 2015. The newer version is expected to carry the bug fixes or minor improvements accumulated over the intervening months. Developers seeking the most up-to-date and potentially more stable release should opt for version 2.2.2 from the npm registry. Both versions offer a well-established solution for adding cookie management to applications written in JavaScript (Node.js). The dist.tarball links point to the corresponding package downloads on npm. Use the latest version unless an older one is specifically required. The library parses, serializes, and manages HTTP cookies according to RFC 6265.
All known vulnerabilities affecting version 2.2.2 of the package
ReDoS via long string of semicolons in tough-cookie
Affected versions of tough-cookie may be vulnerable to regular expression denial of service (ReDoS) when long strings of semicolons exist in the Set-Cookie header.
Update to version 2.3.0 or later.
Regular Expression Denial of Service in tough-cookie
Affected versions of tough-cookie are susceptible to a regular expression denial of service (ReDoS).
The amplification of this vulnerability is relatively low: it takes around 2 seconds for the engine to execute on a malicious input that is 50,000 characters in length.
If Node.js was compiled with the -DHTTP_MAX_HEADER_SIZE flag, however, the impact of the vulnerability can be significant, because Node's default maximum HTTP header length is the primary limit on the size of the malicious input.
Update to version 2.3.3 or later.
tough-cookie Prototype Pollution vulnerability
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
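The following is an added illustration of the initialization issue the advisory describes; it is not tough-cookie's own code. It models a toy domain/path/name cookie index twice: once with nesting levels created as plain `{}` objects (which inherit from Object.prototype) and once with Object.create(null), and checks whether a constructed hostile domain value ("__proto__") makes a write land on the shared prototype.

```javascript
// Added example (not tough-cookie's code). A three-level cookie index
// idx[domain][path][name], built with a caller-supplied constructor for
// each level so the same store() logic can be run with both initializers.

function makePlain() { return {}; }                 // inherits Object.prototype
function makeNullProto() { return Object.create(null); } // no prototype at all

// Stores name=value under idx[domain][path], creating missing levels with make().
// With makePlain, a domain of "__proto__" resolves to Object.prototype itself,
// so the path level is created on the prototype shared by every object.
// With makeNullProto, "__proto__" is just an ordinary own key of the index.
function store(idx, make, domain, path, name, value) {
  if (idx[domain] === undefined) idx[domain] = make();
  if (idx[domain][path] === undefined) idx[domain][path] = make();
  idx[domain][path][name] = value;
  return idx;
}

// Runs store() on a fresh index using a constructed hostile domain value and
// reports two facts: `leaked` is true when an unrelated, freshly created
// object now sees the written value through its prototype chain, and
// `contained` is true when the write stayed inside the index as an own property.
function pollutionCheck(make) {
  const idx = store(make(), make, '__proto__', '/', 'marker', 'polluted');
  const bystander = {};
  const leaked = bystander['/'] !== undefined && bystander['/'].marker === 'polluted';
  const contained = Object.prototype.hasOwnProperty.call(idx, '__proto__');
  delete Object.prototype['/']; // undo any pollution so later code in this process is unaffected
  return { leaked, contained };
}

// Expected: plain objects leak ({leaked: true, contained: false});
// null-prototype objects contain the write ({leaked: false, contained: true}).
console.log('plain:', pollutionCheck(makePlain));
console.log('null-proto:', pollutionCheck(makeNullProto));
```

The hardened variant needs no key blacklist: an object created with Object.create(null) has no inherited properties for an attacker-controlled key to collide with, which is the class of fix the advisory's "manner in which the objects are initialized" refers to.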