Old insecure tough-cookie present in meteor’s nodejs 14

Copied from Slack

The 3rd party package tough-cookie is present in a very old version with a critical vulnerability in the meteor nodejs 14 build/docker image. Why is it even there?


usr/local/v14.21.4/lib/node_modules/npm/node_modules/tough-cookie/package.json

First, is this an issue in Meteor 3?

After a short investigation: it’s the request package that has a dependency on tough-cookie.

"dependencies": { ...
    "tough-cookie": "~2.5.0",
...},

As of Feb 11th 2020, request is fully deprecated :wink:

Request is embedded here: https://github.com/meteor/node-v14-esm/blob/release-v14.x/deps/npm/node_modules/request/package.json

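A way to confirm this kind of finding on an image, as an added example (not code from the thread, Meteor or Node): it walks a Node install tree, lists every installed copy of a package and every package.json that declares a dependency on it, so a hoisted copy such as npm/node_modules/tough-cookie can be tied back to the package pulling it in. The sample tree it builds is constructed to mirror the layout quoted above; "other-pkg" is hypothetical.

```python
import json
import os
import tempfile


def audit_package(root, name):
    """Return (copies, dependents) for package `name` under `root`.

    copies:     [(relpath, version)] for every installed package.json named `name`
    dependents: [(dependent_name, declared_range, relpath)] for every manifest
                listing `name` in its dependencies (with npm hoisting, the
                dependent is often a sibling of the copy, not its parent)
    """
    copies, dependents = [], []
    for dirpath, _, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json")) as f:
                meta = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or invalid manifest: skip it, keep scanning
        if not isinstance(meta, dict):
            continue
        rel = os.path.relpath(dirpath, root)
        if meta.get("name") == name:
            copies.append((rel, meta.get("version")))
        for key in ("dependencies", "optionalDependencies"):
            rng = (meta.get(key) or {}).get(name)
            if rng:
                dependents.append((meta.get("name"), rng, rel))
    return sorted(copies), sorted(dependents)


def build_fixture():
    """Constructed sample tree (not a real image): npm bundles request, which
    pins tough-cookie ~2.5.0, and npm hoists tough-cookie next to request."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "usr/local/v14.21.4/lib/node_modules/npm/node_modules")
    manifests = {
        "request": {"name": "request", "version": "2.88.2",
                    "dependencies": {"tough-cookie": "~2.5.0"}},
        "tough-cookie": {"name": "tough-cookie", "version": "2.5.0"},
        "other-pkg": {"name": "other-pkg", "version": "1.0.0"},  # hypothetical
    }
    for pkg, meta in manifests.items():
        os.makedirs(os.path.join(base, pkg))
        with open(os.path.join(base, pkg, "package.json"), "w") as f:
            json.dump(meta, f)
    return root


if __name__ == "__main__":
    # On a real image: audit_package("/usr/local/v14.21.4", "tough-cookie")
    print(audit_package(build_fixture(), "tough-cookie"))
```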

@grubba @denyhs @fredmaiaarantes not really sure how much can be done here.


I’m unsure too. In Meteor v3.0, this won’t be an issue, I hope.

@grubba Node 20.11.1 no longer uses “request” (https://github.com/nodejs/node/blob/v20.11.1/deps/npm/package.json), so you’re safe if you don’t use it in another package specific to meteor 3.

As request is not maintained above 2.88.2, and still has this 2.5.0 dependency on tough-cookie, it’s hard to fix without knowing why request was added in nodejs v14.21.3 (https://github.com/nodejs/node/blob/v14.21.3/deps/npm/package.json).