Policy on backporting fixes

[millerick]

My organization (unfortunately) still makes use of some older packages that use tough-cookie@~2.5.0 as a dependency. Is there any possibility that the fix in https://github.com/salesforce/tough-cookie/pull/283/files can be backported as a patch to that minor version? I would be more than happy to make the pull request to do so, but don't see a branch that matches with 2.5.0.

[colincasey]

@millerick what package dependency are you using that depends on tough-cookie@~2.5.0?

[millerick]

Unfortunately the long deprecated https://www.npmjs.com/package/request

[colincasey]

Yes, I had a suspicion it was request.

The good news is that you shouldn't need #283 though because of how request configures the CookieStore. If you look at the vulnerability details you'll see it says:

Affected versions of this package are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode.

You may have to confirm this against the version of request you're using but it's unlikely that they would have disabled this security feature.

[wjhsf]

To provide an explicit answer and close the issue, we are planning on releasing v5 in the near future. Once we do that, we will will only backport security fixes for v4. We will guarantee backports for at least one year. After that we will decide on a case by case basis, depending on the severity of the issue and the number of users impacted.