npmpackage.info

Gathering detailed insights and metrics for tough-cookie

Other packages similar to tough-cookie

@types/tough-cookie

4.0.5

TypeScript definitions for tough-cookie

axios-cookiejar-support

5.0.3

Add tough-cookie support to axios.

@bundled-es-modules/tough-cookie

0.1.6

Mirror of tough-cookie, bundled and exposed as ES module

tough-cookie-file-store

2.0.3

A JSON file store for tough-cookie module

Gathering detailed insights and metrics for tough-cookie

tough-cookie

RFC6265 Cookies and CookieJar for Node.js

5.0.0

969

BSD-3-Clause

TypeScript

49.32 kB

10,898,278,596 7.4

Installations

npm install tough-cookie

Score

99.5

Supply Chain

100

Quality

82.5

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

3

Total

293

Closed

85

Merged

205

Issues

Open

13

Total

166

Closed

153

Releases

v5.0.0

Published on 09 Sept 2024

v4.1.4

Published on 29 Apr 2024

4.1.3

v4.1.3

Published on 05 Jun 2023

4.1.2 -- Patch and Bugfix Release

v4.1.2

Published on 25 Aug 2022

4.1.1

v4.1.1

Published on 24 Aug 2022

4.1.0

v4.1.0

Published on 22 Aug 2022

View all 7 releases

Developer

salesforce

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

>=16

Typescript Support

Yes

Node Version

22.5.0

NPM Version

10.8.2 Statistics

969 Stars

621 Commits

209 Forks

50 Watching

48 Branches

65 Contributors

Updated on 20 Nov 2024

Bundle Size

137.16 kB

Minified

49.32 kB

Minified + Gzipped

Bundlephobia

Languages

TypeScript (67.2%)

JavaScript (32.78%)

EJS (0.02%)

Total Downloads

Cumulative downloads

Total Downloads

10,898,278,596

Last day

-7.9%

8,858,754

Compared to previous day

Last week

2.8%

53,866,974

Compared to previous week

Last month

25.7%

208,037,294

Compared to previous month

Last year

-4.5%

1,965,453,653

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

tldts

Dev Dependencies

@eslint/js @microsoft/api-documenter @microsoft/api-extractor @types/jest @types/node async eslint eslint-config-prettier eslint-plugin-prettier genversion globals jest prettier ts-jest ts-node typescript typescript-eslint vows

Versions

Tough Cookie ·

A Node.js implementation of RFC6265 for cookie parsing, storage, and retrieval.

Getting Started

Install Tough Cookie using npm:

1npm install tough-cookie

or yarn:

1yarn add tough-cookie

Usage

1import { Cookie, CookieJar } from 'tough-cookie'
2
3// parse a `Cookie` request header
4const reqCookies = 'ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1'.split(';').map(Cookie.parse)
5// generate a `Cookie` request header
6const cookieHeader = reqCookies.map(cookie => cookie.cookieString()).join(';')
7
8// parse a Set-Cookie response header
9const resCookie = Cookie.parse('foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT')
10// generate a Set-Cookie response header
11const setCookieHeader = cookie.toString()
12
13// store and retrieve cookies
14const cookieJar = new CookieJar() // uses the in-memory store by default
15await cookieJar.setCookie(resCookie, 'https://example.com/')
16const matchingCookies = await cookieJar.getCookies('https://example.com/')

[!IMPORTANT] For more detailed usage information, refer to the API docs.

RFC6265bis

Support for RFC6265bis is being developed. As these revisions to RFC6252 are still in Active Internet-Draft state, the areas of support that follow are subject to change.

SameSite Cookies

This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF attacks by disallowing SameSite cookies from being sent cross-origin.

Example

1import { CookieJar } from 'tough-cookie'
2
3const cookieJar = new CookieJar() // uses the in-memory store by default
4
5// storing cookies with various SameSite attributes
6await cookieJar.setCookie('strict=authorized; SameSite=strict', 'http://example.com/index.html')
7await cookieJar.setCookie('lax=okay; SameSite=lax', 'http://example.com/index.html')
8await cookieJar.setCookie('normal=whatever', 'http://example.com/index.html')
9
10// retrieving cookies using a SameSite context
11const laxCookies = await cookieJar.getCookies('http://example.com/index.html', {
12  // the first cookie (strict=authorized) will not be returned if the context is 'lax'
13  // but the other two cookies will be returned
14  sameSiteContext: 'lax',
15})

[!NOTE] It is highly recommended that you read RFC6265bis - Section 8.8 for more details on SameSite cookies, security considerations, and defense in depth.

Cookie Prefixes

Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by inspecting the first few characters of the cookie's name.

Two prefixes are defined:

"__Secure-"

If a cookie's name begins with a case-sensitive match for the string __Secure-, then the cookie was set with a "Secure" attribute.
"__Host-"

If a cookie's name begins with a case-sensitive match for the string __Host-, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.

If prefixSecurity is enabled for CookieJar, then cookies that match the prefixes defined above but do not obey the attribute restrictions are not added.

You can define this functionality by passing in the prefixSecurity option to CookieJar. It can be one of 3 values:

silent: (default) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.
strict: Enable cookie prefix checking and error out if conditions are not met.
unsafe-disabled: Disable cookie prefix checking.

If ignoreError is passed in as true when setting a cookie then the error is silent regardless of the prefixSecurity option (assuming it's enabled).

Example

1import { CookieJar, MemoryCookieStore } from 'tough-cookie'
2
3const cookieJar = new CookieJar(new MemoryCookieStore(), {
4  prefixSecurity: 'silent'
5})
6
7// this cookie will be silently ignored since the url is insecure (http)
8await cookieJar.setCookie(
9  '__Secure-SID=12345; Domain=example.com; Secure;',
10  'http://example.com',
11)
12
13// this cookie will be stored since the url is secure (https)
14await cookieJar.setCookie(
15  '__Secure-SID=12345; Domain=example.com; Secure;',
16  'https://example.com',
17)

[!NOTE] It is highly recommended that you read RFC6265bis - Section 4.1.3 for more details on Cookie Prefixes.

Node.js Version Support

We follow the Node.js release schedule and support all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support for older versions of node, and we will do so in consultation with our community.

Stable Version

The latest stable version of the package.

Stable Version

5.0.0

HIGH

7.5/10

Summary

Regular Expression Denial of Service in tough-cookie

Affected Versions

< 2.3.3

Patched Versions

2.3.3

MODERATE

6.5/10

Summary

tough-cookie Prototype Pollution vulnerability

Affected Versions

< 4.1.3

Patched Versions

4.1.3

MODERATE

5.3/10

Summary

ReDoS via long string of semicolons in tough-cookie

Affected Versions

< 2.3.0

Patched Versions

2.3.0

10

Maintained

Determines if the project is "actively maintained".

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

9

Security-Policy

Determines if the project has published a security policy.

7

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

3

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 3

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/ci.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yaml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/salesforce/tough-cookie/integration.yaml/master?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:52
Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:53
Warn: npmCommand not pinned by hash: .github/workflows/integration.yaml:88
Info: 0 out of 12 GitHub-owned GitHubAction dependencies pinned
Info: 7 out of 10 npmCommand dependencies pinned

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

SAST

Determines if the project uses static code analysis.

Score

7.4

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More