ReDoS Vulnerability in [email protected]

[kevdougful]

Got this warning on npm install

[email protected]: ReDoS vulnerability parsing Set-Cookie

[mwittig]

I am wondering wether or not this dependency is required at all as 'tough-cookie' is not used by the source.

[FlorianWendelborn]

You can install and run npm-check to find out. ;)

[mwittig]

You can install and run npm-check to find out. ;)

As expected, npm-check has confirmed my assumption.

tough-cookie   ?  MAJOR UP  Major update available. https://github.com/salesforce/tough-cookie
                            npm install --save [email protected] to go from 1.2.0 to 2.3.2
               ?  NOTUSED?  Still using tough-cookie?
                            Depcheck did not find code similar to require('tough-cookie') or import from 'tough-cookie'.
                            Check your code before removing as depcheck isn't able to foresee all ways dependencies can be used.
                            Use --skip-unused to skip this check.
                            To remove this package: npm uninstall --save tough-cookie

Use npm-check -u for interactive update.