Security Vulnerability : latest artillery has dependency on older version of tough-cookie, which has security vulnerability

[bhavishraj]

Version info:

2.0.2 latest
2.0.0-37

latest artillery has dependency on older version of tough-cookie, which has security vulnerability as mentioned in https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3 and is being fixed in 4.1.3 version of tough-cookie

[bhavishraj]

    "node_modules/@artilleryio/int-core": {
      "version": "2.2.2",
      "resolved": "https://registry.npmjs.org/@artilleryio/int-core/-/int-core-2.2.2.tgz",
      "integrity": "sha512-BYbheLZb7m+DrQt2OTM4uaX6IWbjYf/D9ZVi49WW5QdDOTsnWCjOES46iR0lM2hWKf0qF2ESajkDVm1ithvXOw==",
      "dev": true,
      "dependencies": {
        "@artilleryio/int-commons": "2.0.4",
        "@artilleryio/sketches-js": "^2.1.1",
        "agentkeepalive": "^4.1.0",
        "arrivals": "^2.1.2",
        "async": "^2.6.4",
        "chalk": "^2.4.2",
        "cheerio": "^1.0.0-rc.10",
        "cookie-parser": "^1.4.3",
        "csv-parse": "^4.16.3",
        "debug": "^4.3.1",
        "decompress-response": "^6.0.0",
        "deep-for-each": "^3.0.0",
        "driftless": "^2.0.3",
        "esprima": "^4.0.0",
        "eventemitter3": "^4.0.4",
        "fast-deep-equal": "^3.1.3",
        "filtrex": "^0.5.4",
        "form-data": "^3.0.0",
        "got": "^11.8.5",
        "hpagent": "^0.1.1",
        "https-proxy-agent": "^5.0.0",
        "lodash": "^4.17.19",
        "ms": "^2.1.3",
        "protobufjs": "^7.2.4",
        "proxy": "^1.0.2",
        "socket.io-client": "^4.5.1",
        "socketio-wildcard": "^2.0.0",
        "tough-cookie": "^4.0.0",
        "try-require": "^1.2.1",
        "uuid": "^8.0.0",
        "ws": "^7.5.7"
      }
    },

[hassy]

thanks @bhavishraj13, will handle this as part of routine dependency upgrades in the next release of the CLI

[Siddhant-K-code]

There is a related PR #1597 which again needs a bump to 4.1.3

[bernardobridge]

Hello 👋

The newest Artillery v2.0.6 should be on tough-cookie 4.1.3 from what I have seen. Please open an issue if you encounter any other security vulnerabilities.