Vulnerability of tough-cookie 2.3.2 bundled with the NodeJS package.

[NicolasPelletier]

Good morning,

I am using grpc version 1.6.0 with NodeJS 6.9.x and a simplified dependency tree looks like this:

┬ grpc@1.6.0
│ ├─┬ node-pre-gyp@0.6.36
│ │ ├─┬ request@2.81.0
│ │ │ ├─┬ tough-cookie@2.3.2

The problem comes from the version of tough-cookie. There is a vulnerability in tough-cookie version 2.3.2: salesforce/tough-cookie#92. This vulnerability was fixed in 2.3.3 by salesforce/tough-cookie#97.

The Whitesource software flags my application because of this vulnerability.

I don't know why node-pre-gyp is bundled with the package, but I'm pretty sure you have a reason for it so I will not ask to get a clean grpc package, without bundleDependencies. But, would it be possible to re-publish a version of grpc with a later version of node-pre-gyp bundled with it ? This will result into a later version of request which will result in version 2.3.3 of `tough-cookie'.

Thanks.

[murgatroid99]

We will publish a new version of grpc soon, and it will bundle a newer version of node-pre-gyp.

[murgatroid99]

I've published grpc@1.6.6. It bundles the newer version of node-pre-gyp