chore: update tough cookie (#27515)

* chore: update tough-cookie from 4.0.0 to 4.1.3. requires v8 snapshot update

* fix: tough-cookie as of 4.1 doesn't default sameSite undefined to none any longer. However, we want to set sameSite === undefined to lax as the default as this is the case in every standard browser, except firefox. We did this previously and this is behavior we want to continue to preserve, even for security reasons

* chore: update v8 snapshots

* fix issue with global toString

* chore: run ci

* chore: update @cypress/request to 2.88.22 and @cypress/request-promise to 4.2.7 [run ci]

* remove jsdom and start-server-and-test

* revert @cypress/request back to 2.88.12

* update changelog entry

* remove uneeded deps

---------

Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Ryan Manuel <ryanm@cypress.io>

cli/CHANGELOG.md

@@ -10,6 +10,7 @@ _Released 08/15/2023 (PENDING)_
 **Dependency Updates:**
 
 - Upgraded [`webpack`](https://www.npmjs.com/package/webpack) from `v4` to `v5`. This means that we are now bundling your `e2e` tests with webpack 5. We don't anticipate this causing any noticeable changes. However, if you'd like to keep bundling your `e2e` tests with wepback 4 you can use the same process as before by pinning [@cypress/webpack-batteries-included-preprocessor](https://www.npmjs.com/package/@cypress/webpack-batteries-included-preprocessor) to `v2.x.x` and hooking into the [file:preprocessor](https://docs.cypress.io/api/plugins/preprocessors-api#Usage) plugin event. This will restore the previous bundling process. Additionally, if you're using [@cypress/webpack-batteries-included-preprocessor](https://www.npmjs.com/package/@cypress/webpack-batteries-included-preprocessor) already, a new version has been published to support webpack `v5`.
+- Upgraded [`tough-cookie`](https://www.npmjs.com/package/tough-cookie) from `4.0` to `4.1.3`, [`@cypress/request`](https://www.npmjs.com/package/@cypress/request) from `2.88.11` to `2.88.12` and [`@cypress/request-promise`](https://www.npmjs.com/package/@cypress/request-promise) from `4.2.6` to `4.2.7` to address a [security vulnerability](https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873). Fixes [#27261](https://github.com/cypress-io/cypress/issues/27261).
 
 ## 12.17.3
 

cli/package.json

@@ -20,7 +20,7 @@
     "unit": "cross-env BLUEBIRD_DEBUG=1 NODE_ENV=test mocha --reporter mocha-multi-reporters --reporter-options configFile=../mocha-reporter-config.json"
   },
   "dependencies": {
-    "@cypress/request": "^2.88.11",
+    "@cypress/request": "2.88.12",
     "@cypress/xvfb": "^1.2.4",
     "@types/node": "^16.18.39",
     "@types/sinonjs__fake-timers": "8.1.1",

package.json

@@ -72,8 +72,8 @@
   "devDependencies": {
     "@aws-sdk/credential-providers": "3.53.0",
     "@cypress/questions-remain": "1.0.1",
-    "@cypress/request": "^2.88.11",
-    "@cypress/request-promise": "4.2.6",
+    "@cypress/request": "2.88.12",
+    "@cypress/request-promise": "4.2.7",
     "@electron/fuses": "1.6.1",
     "@electron/notarize": "^2.1.0",
     "@fellow/eslint-plugin-coffee": "0.4.13",
@@ -198,7 +198,6 @@
     "shelljs": "0.8.5",
     "sinon": "7.3.2",
     "snap-shot-it": "7.9.3",
-    "start-server-and-test": "1.10.8",
     "stop-only": "3.0.1",
     "strip-ansi": "6.0.0",
     "tar": "6.1.15",

packages/https-proxy/package.json

@@ -24,8 +24,8 @@
   },
   "devDependencies": {
     "@cypress/debugging-proxy": "2.0.1",
-    "@cypress/request": "^2.88.11",
-    "@cypress/request-promise": "4.2.6",
+    "@cypress/request": "2.88.12",
+    "@cypress/request-promise": "4.2.7",
     "@packages/network": "0.0.0-development",
     "@packages/ts": "0.0.0-development",
     "chai": "3.5.0",

packages/network/package.json

@@ -27,8 +27,8 @@
   },
   "devDependencies": {
     "@cypress/debugging-proxy": "2.0.1",
-    "@cypress/request": "^2.88.11",
-    "@cypress/request-promise": "4.2.6",
+    "@cypress/request": "2.88.12",
+    "@cypress/request-promise": "4.2.7",
     "@packages/https-proxy": "0.0.0-development",
     "@packages/socket": "0.0.0-development",
     "@packages/ts": "0.0.0-development",

packages/proxy/package.json

@@ -28,8 +28,8 @@
     "utf8-stream": "0.0.0"
   },
   "devDependencies": {
-    "@cypress/request": "^2.88.11",
-    "@cypress/request-promise": "4.2.6",
+    "@cypress/request": "2.88.12",
+    "@cypress/request-promise": "4.2.7",
     "@cypress/sinon-chai": "2.9.1",
     "@packages/resolve-dist": "0.0.0-development",
     "@packages/rewriter": "0.0.0-development",

packages/rewriter/package.json

@@ -23,7 +23,7 @@
     "recast": "0.20.4"
   },
   "devDependencies": {
-    "@cypress/request-promise": "4.2.6",
+    "@cypress/request-promise": "4.2.7",
     "@types/parse5-html-rewriting-stream": "5.1.1",
     "fs-extra": "9.1.0",
     "nock": "13.2.9",

packages/server/lib/util/cookies.ts

@@ -67,8 +67,6 @@ export const automationCookieToToughCookie = (automationCookie: SerializableAuto
   })
 }
 
-const sameSiteNoneRe = /; +samesite=(?:'none'|"none"|none)/i
-
 /**
  * An adapter for tough-cookie's CookieJar
  * Holds onto cookies captured via the proxy, so they can be applied to
@@ -82,13 +80,9 @@ export class CookieJar {
 
     if (!toughCookie) return
 
-    // fixes tough-cookie defaulting undefined/invalid SameSite to 'none'
-    // https://github.com/salesforce/tough-cookie/issues/191
-    const hasUnspecifiedSameSite = toughCookie.sameSite === 'none' && !sameSiteNoneRe.test(cookie)
-
     // not all browsers currently default to lax, but they're heading in that
     // direction since it's now the standard, so this is more future-proof
-    if (hasUnspecifiedSameSite) {
+    if (toughCookie.sameSite === undefined) {
       toughCookie.sameSite = 'lax'
     }
 

packages/server/package.json

@@ -25,8 +25,8 @@
     "@benmalka/foxdriver": "0.4.1",
     "@cypress/commit-info": "2.2.0",
     "@cypress/get-windows-proxy": "1.6.2",
-    "@cypress/request": "^2.88.11",
-    "@cypress/request-promise": "4.2.6",
+    "@cypress/request": "2.88.12",
+    "@cypress/request-promise": "4.2.7",
     "@cypress/vite-dev-server": "0.0.0-development",
     "@cypress/webpack-batteries-included-preprocessor": "0.0.0-development",
     "@cypress/webpack-dev-server": "0.0.0-development",
@@ -118,7 +118,7 @@
     "systeminformation": "5.16.9",
     "term-size": "2.1.0",
     "through": "2.3.8",
-    "tough-cookie": "4.0.0",
+    "tough-cookie": "4.1.3",
     "trash": "5.2.0",
     "tree-kill": "1.2.2",
     "ts-node": "^10.9.1",

packages/web-config/package.json

@@ -14,11 +14,8 @@
     "@babel/preset-typescript": "7.22.5",
     "@babel/register": "7.22.5",
     "@svgr/webpack": "8.0.1",
-    "@types/jsdom": "16.2.13",
-    "@types/mock-require": "2.0.0",
     "@types/webpack": "^5.28.1",
     "@types/webpack-dev-server": "^4.0.0",
-    "ansi-escapes": "4.3.1",
     "arraybuffer-loader": "1.0.8",
     "autoprefixer": "9.7.4",
     "babel-loader": "9.1.3",
@@ -31,9 +28,7 @@
     "css-loader": "6.8.1",
     "css-modules-typescript-loader": "4.0.1",
     "html-webpack-plugin": "5.5.3",
-    "jsdom": "13.2.0",
     "mini-css-extract-plugin": "2.7.6",
-    "mock-require": "3.0.3",
     "node-sass-glob-importer": "5.3.3",
     "os-browserify": "0.3.0",
     "path-browserify": "1.0.1",