Policy on backporting fixes #293

Closed
millerick opened this issue Jul 18, 2023 · 4 comments

millerick commented Jul 18, 2023

My organization (unfortunately) still makes use of some older packages that use tough-cookie@~2.5.0 as a dependency. Is there any possibility that the fix in https://github.com/salesforce/tough-cookie/pull/283/files can be backported as a patch to that minor version? I would be more than happy to make the pull request to do so, but don't see a branch that matches with 2.5.0.

@colincasey (Contributor)

@millerick what package dependency are you using that depends on tough-cookie@~2.5.0?

@millerick (Author)

Unfortunately the long deprecated https://www.npmjs.com/package/request

@colincasey (Contributor)

Yes, I had a suspicion it was request.

The good news is that you shouldn't need #283 though because of how request configures the CookieStore. If you look at the vulnerability details you'll see it says:

> Affected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode.

You may have to confirm this against the version of request you're using but it's unlikely that they would have disabled this security feature.

wjhsf (Contributor) commented Jun 21, 2024

To provide an explicit answer and close the issue, we are planning on releasing v5 in the near future. Once we do that, we will only backport security fixes for v4. We will guarantee backports for at least one year. After that we will decide on a case-by-case basis, depending on the severity of the issue and the number of users impacted.

wjhsf closed this as completed Jun 21, 2024