tough-cookie critical vulnerability

[jaime-az]

Hi, seems like the version of the tough-cookie library used in version 4.3.3 has a critical vulnerability.

CVE-2023-26136

[tough-cookie]
Impacted version: 3.0.1
Fix version: 4.1.3

[SimeonC]

From the dependencies there are issues opened on lower repositories that'll have to be fixed. Once popsicle-cookie-jar has updated we can just run npm update popsicle-cookie-jar and it should update (and as long as it's just a 1.0.0 -> 1.0.1 release)

• popsicle is vulnerable to Prototype Pollution serviejs/popsicle#156
• tough-cookie is vulnerable to Prototype Pollution serviejs/popsicle-cookie-jar#11
• Update tough-cookie to fix vulnerability report serviejs/popsicle-cookie-jar#12

└─ client-oauth2@4.3.3
    └─ popsicle@12.1.0
       └─ popsicle-cookie-jar@1.0.0
          └─  tough-cookie@3.0.1

[kconvery]

popsicle 12.1.2 is now available so could we please see if we can get this vulnerability resolved.

[SimeonC]

@kconvery It looks like popsicle was just a patch version up. If you run npm update popsicle the issue should be fixed.