This repository has been archived by the owner on May 15, 2024. It is now read-only.

fix(createBrowserLikeFetch): configure tough-cookie for localhost #57

Merged
merged 1 commit into from
Jan 16, 2024

smackfu
Member

@smackfu smackfu commented Jan 11, 2024

Description

Pass allowSpecialUseDomains: true to getPublicSuffix.

Motivation and Context

This allows you to use this when running locally. Otherwise you get this error:

error: error creating store for request Error: Cookie has domain set to the public suffix "localhost" 
which is a special use domain. To allow this, configure your CookieJar with {allowSpecialUseDomain:true, 
rejectPublicSuffixes: false}.

[email protected] added an options parameter to getPublicSuffix and defaulted allowSpecialUseDomains to false, which is a breaking change, but they never reverted it. Also, the error message is incorrect: it's not the CookieJar that needs to be configured.
https://github.com/salesforce/tough-cookie/blob/master/lib/pubsuffix-psl.ts#L45C17-L45C17

#50 worked around this by pinning to [email protected] but there is a security vulnerability in <4.1.3 so that is not ideal.
https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

Note that dependabot PR #53 actually bumped the version to [email protected] so the bug fixed by #50 would have come back if a release had been done.

How Has This Been Tested?

Added unit test. Also packed and deployed to a module that was having this issue.

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation (adding or updating documentation)
  • Dependency update

Checklist:

  • My change requires a change to the documentation and I have updated the documentation accordingly.
  • My changes are in sync with the code style of this project.
  • There aren't any other open Pull Requests for the same issue/update.
  • These changes should be applied to a maintenance branch.
  • This change requires cross browser checks.
  • This change impacts caching for client browsers.
  • This change adds additional environment variable requirements for fetch-enhancers users.
  • I have added the Apache 2.0 license header to any new files created.

What is the Impact to Developers Using fetch-enhancers?

Can upgrade to non-vulnerable tough-cookie.

@JAdshead JAdshead merged commit 2b484e5 into americanexpress:main Jan 16, 2024
4 checks passed
oneamexbot added a commit that referenced this pull request Jan 16, 2024
## [1.1.5](v1.1.4...v1.1.5) (2024-01-16)

### Bug Fixes

* **createBrowserLikeFetch:** configure tough-cookie for localhost ([#57](#57)) ([2b484e5](2b484e5))
@oneamexbot
Contributor

🎉 This PR is included in version 1.1.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

@smackfu smackfu changed the title fix(createBrowserLikeFetch): configure tough-cookie to work with loca… fix(createBrowserLikeFetch): configure tough-cookie for localhost Jan 16, 2024
4 participants