Patch npm package 'tough-cookie' version

The recently upgrade cypress installation (`12.7.1` -> `12.7.2`) has resulted in a vulnerability warning: https://app.circleci.com/pipelines/github/ministryofjustice/hmpps-community-accommodation-tier-2-ui/519/workflows/4ea28190-5859-4266-87de-6c4ff38d402d/jobs/1381 This is [CWE 1321](https://github.com/advisories?query=cwe%3A1321) [tough-cookie Prototype Pollution vulnerability](GHSA-72xf-g2v4-qvf3) and comes from cypress' `@cypress/request package` This has not yet been fixed in cypress though there's a PR: cypress-io/request#32 We declare a temporary 'override' in `package.json` to force this upgrade.
ministryofjustice · Jul 24, 2023 · 374d452 · 374d452
1 parent 932c3f6
commit 374d452
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 16 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -206,5 +206,8 @@
     "supertest": "^6.3.3",
     "ts-jest": "^29.1.0",
     "typescript": "^5.1.6"
+  },
+  "overrides": {
+    "tough-cookie": "^4.1.3"
   }
 }