yarn nsp-check is failing re: tough-cookie ReDOS

[muffinresearch]

This is due to https://nodesecurity.io/advisories/525

Running locally to get the extended tree shows tough-cookie is coming in via:

mozilla-addons-frontend@0.0.1 > jsdom@11.2.0 > request-promise-native@1.0.4 > tough-cookie@2.3.2

I think this being a dep of jsdom would mean this should only impacts tests if at all. This needs to be confirmed.

The upstream issue is: salesforce/tough-cookie#92

[tphan18]

I have the same vulnerability report this morning from a bunch of dependencies like

react-scripts@1.0.13 > jest@20.0.4 > jest-cli@20.0...

[kumar303]

Looks like we don't have any patches yet. We should probably get master back to green so we don't miss any unrelated failures. This should do it in a .nsprc:

{
  "exceptions": ["https://nodesecurity.io/advisories/525"]
}

[kumar303]

When we get an upstream fix, let's remove the exception added in mozilla/addons-frontend#3211

[g-k]

This is fixed upstream in tough-cookie 2.3.3 and request pulls that fix in for version 2.83.0.

[kumar303]

I think this being a dep of jsdom would mean this should only impacts tests if at all.

I also see us using tough-cookie for chokidar which is just a file watcher which we use purely for development.

$ npm ls tough-cookie
mozilla-addons-frontend@0.0.1 /Users/kumar/dev/addons-frontend
├─┬ chokidar-cli@1.2.0
│ └─┬ chokidar@1.7.0
│   └─┬ fsevents@1.1.2
│     └─┬ node-pre-gyp@0.6.36
│       └─┬ request@2.81.0
│         └── tough-cookie@2.3.2
├─┬ jsdom@11.2.0
│ └── tough-cookie@2.3.2
├── UNMET PEER DEPENDENCY react@15.6.2
├── UNMET PEER DEPENDENCY react-redux@5.0.6
└── UNMET PEER DEPENDENCY webpack@3.1.0