tough-cookie, a widely used npm package for handling RFC 6265 cookies and cookie jars in Node.js, saw a significant update between versions 2.4.3 and 2.5.0. The newer version, 2.5.0, released on November 26, 2018, incorporates updated dependencies, most notably psl (Public Suffix List), which moves from version 1.1.24 to 1.1.28, and punycode, which moves from 1.4.1 to 2.1.1. These dependency updates likely address security fixes in those libraries, improve compatibility with newer standards, and refine the parsing logic for domain names and internationalized domain names, which is what the cookie jar relies on when deciding whether a cookie's domain attribute is acceptable.
While the package description is unchanged, still focusing on RFC 6265 compliance and cookie jar functionality, developers should be aware that the package has grown: version 2.5.0 has an unpackedSize of 86644 bytes across 10 files, compared with 83959 bytes across 9 files in 2.4.3. This suggests the addition of new features, broader support, or changes in how the package is built. The development dependencies (devDependencies) remain mostly the same, with the exception of vows, which is upgraded from 0.8.1 to 0.8.2. Since these packages are used only for testing and development, this change likely involves improvements to the test suite. By updating, developers can expect security improvements and better cookie handling aligned with current standards.
All the vulnerabilities related to version 2.5.0 of the package:
tough-cookie Prototype Pollution vulnerability
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
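The listing attributes the issue to how the jar's internal objects are initialized. The following added example (not tough-cookie's own code) shows a minimal domain/path/name cookie index built on prototype-less objects so that attacker-controlled cookie domains can never resolve to properties of Object.prototype; SafeCookieIndex, bareObject and isPrototypeClean are hypothetical names chosen for this illustration.

```javascript
// Added example: a cookie index that is safe against prototype pollution.
// Cookie domain, path and name all originate from untrusted Set-Cookie
// headers, so every nested lookup table is created without a prototype chain.
// The domain -> path -> name layout mirrors a typical jar store but is not
// tough-cookie's implementation.

// A dictionary with no prototype: keys such as "__proto__" or "constructor"
// become ordinary own properties instead of reaching Object.prototype.
function bareObject() {
  return Object.create(null);
}

class SafeCookieIndex {
  constructor() {
    this.idx = bareObject(); // domain -> path -> name -> cookie
  }

  // Store a cookie object of the shape { domain, path, key, value }.
  put(cookie) {
    const { domain, path, key } = cookie;
    if ([domain, path, key].some((v) => typeof v !== "string")) {
      throw new TypeError("cookie domain, path and key must be strings");
    }
    // `in` on a null-prototype object only sees own properties, so an
    // inherited __proto__ accessor can never be hit here.
    if (!(domain in this.idx)) this.idx[domain] = bareObject();
    if (!(path in this.idx[domain])) this.idx[domain][path] = bareObject();
    this.idx[domain][path][key] = cookie;
    return this;
  }

  // Look up a cookie; returns undefined when any level is missing.
  get(domain, path, key) {
    const byPath = this.idx[domain];
    if (byPath === undefined) return undefined;
    const byKey = byPath[path];
    if (byKey === undefined) return undefined;
    return byKey[key];
  }
}

// Detection helper: a fresh {} must have no enumerable inherited properties
// and no unexpected `polluted` marker, otherwise Object.prototype was altered.
function isPrototypeClean() {
  const probe = {};
  for (const _k in probe) return false; // only inherited keys can show up here
  return probe.polluted === undefined;
}
```

Running isPrototypeClean() after loading cookies from an untrusted source is a cheap regression check for stores that still key nested lookups on plain object literals.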