Policy on backporting fixes

[millerick]

My organization (unfortunately) still makes use of some older packages that use tough-cookie@~2.5.0 as a dependency. Is there any possibility that the fix in https://github.com/salesforce/tough-cookie/pull/283/files can be backported as a patch to that minor version? I would be more than happy to make the pull request to do so, but don't see a branch that matches with 2.5.0.

[colincasey]

@millerick what package dependency are you using that depends on tough-cookie@~2.5.0?

[millerick]

Unfortunately the long deprecated https://www.npmjs.com/package/request

[colincasey]

Yes, I had a suspicion it was request.

The good news is that you shouldn't need #283 though because of how request configures the CookieStore. If you look at the vulnerability details you'll see it says:

Affected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode.

You may have to confirm this against the version of request you're using but it's unlikely that they would have disabled this security feature.