permb
February 7, 2024, 12:19pm
Copied from Slack
The 3rd party package tough-cookie is present in a very old version with a critical vulnerability in the meteor nodejs 14 build/docker image. Why is it even there?
usr/local/v14.21.4/lib/node_modules/npm/node_modules/tough-cookie/package.json
First, is this an issue in Meteor 3?
lc3t35
March 10, 2024, 10:43pm
After a short investigation, it’s the request package that has a dependency on tough-cookie
{
  "name": "request",
  "description": "Simplified HTTP request client.",
  "keywords": [
    "http",
    "simple",
    "util",
    "utility"
  ],
  "version": "2.88.1",
  "author": "Mikeal Rogers <mikeal.rogers@gmail.com>",
  "repository": {
    "type": "git",
    "url": "https://github.com/request/request.git"
  },
  "bugs": {
    "url": "http://github.com/request/request/issues"
  },
  "license": "Apache-2.0",
  "engines": {
  "dependencies": { ...
    "tough-cookie": "~2.5.0",
  ...},
As of Feb 11th 2020, request is fully deprecated
Request is embedded here: https://github.com/meteor/node-v14-esm/blob/release-v14.x/deps/npm/node_modules/request/package.json
@grubba @denyhs @fredmaiaarantes not really sure how much can be done here.
grubba
March 11, 2024, 12:08pm
I’m unsure too. In Meteor v3.0, this won’t be an issue, I hope.
lc3t35
March 11, 2024, 6:02pm
@grubba Node 20.11.1 no longer uses “request” (https://github.com/nodejs/node/blob/v20.11.1/deps/npm/package.json), so you’re safe if you don’t use it in another package specific to Meteor 3.
As request is not maintained above 2.88.2 and still has this 2.5.0 dependency on tough-cookie, it’s hard to fix without knowing why request was added in Node.js v14.21.3 (https://github.com/nodejs/node/blob/v14.21.3/deps/npm/package.json).