salesforce/tough-cookie
Last release: 2 months ago
tough-cookie is a Node.js implementation of RFC6265 for parsing, storing, and retrieving HTTP cookies (including Cookie and CookieJar helpers). It is useful for cookie handling in Node-based web clients and tests, and it also includes work-in-progress support for RFC6265bis features like SameSite context handling and cookie prefix security checks.
Project status
- The repository appears actively maintained, with a recent upstream push on 2026-06-04 and multiple version updates since 2025.
- Apparent update cadence is roughly every 5 to 8 months based on the observed version bumps (v6.0.0 on 2025-08-14, v6.0.1 on 2026-03-12), following an earlier patch (v5.1.2 on 2025-02-28).
Recent updates
v6.0.1
2 months ago
v6.0.1 is primarily a dependency and tooling update release, alongside documentation generation and CI workflow adjustments. The most substantial code-level change is a rewrite of the cookie date parsing logic (RFC6265 Section 5.1.1) plus a large expansion of date parsing test coverage.
v6.0.0
9 months ago
v6.0.0 introduces RFC 6761 compliant localhost loopback handling so that Secure cookies work over http localhost-style origins, with a new option to control that behavior. The release also switches the project to publish both ESM and CJS entrypoints, and there are major dependency and tooling changes to support the new module strategy.
Breaking, Features
v5.1.2
2/28/2025
v5.1.2 is a small patch release that primarily addresses a regression in the `domainMatch` logic. It also updates the published version strings across the package and generated API docs from 5.1.1 to 5.1.2.
v5.1.1
2/7/2025
v5.1.1 mainly updates dev tooling and some internal build settings. The only code changes surfaced in the diff are type declaration/export adjustments (mostly making exports explicitly type-only) plus minor test changes and a small constants typing tweak.
v5.1.0
1/9/2025
v5.1.0 finalizes the version bump from the v5.1.0-rc.0 release candidate to 5.1.0 and updates the generated API docs accordingly. The only substantive code change shown in the provided diff is a switch to a runtime-agnostic domainToASCII implementation used by canonical domain handling.
v5.1.0-rc.0
1/8/2025
This release adds a previously missing Cookie.expiryDate(now?) API (with generated API docs), fixes cookie expiration when Expires is the Unix epoch (time value 0), and improves path matching to avoid interpreting cookie paths as regular expressions. It also introduces a jsdom-based scheduled integration test setup and streamlines CI and publishing workflows, alongside dependency bumps (notably tldts).
Features
v5.0.0
9/9/2024
v5.0.0 is a major release of tough-cookie that introduces TypeScript-first development artifacts and formal API documentation generation. The release also includes runtime and API contract changes around null/undefined handling, URL parameter support, and an updated logging/inspect approach, aligned with a minimum supported Node.js version.
Breaking, Features
v4.1.4
4/29/2024
tough-cookie v4.1.4 makes a targeted change around URL validation in CookieJar, and includes a small internal cleanup related to string conversion. It also updates tests to cover timestamping and cookie retrieval when passing a URL object.
v4.1.3
6/5/2023
v4.1.3 is a minor release focused on a security fix for prototype pollution (Issue #282). The change hardens the in-memory cookie store against malicious domains like `__proto__`, and it also adjusts how the store’s data is shown by the `inspect` utility.
Security
v4.1.2
8/25/2022
v4.1.2 is a patch release focused on fixing how the library handles special-use domains when setting cookies. The change specifically adjusts public suffix handling so that localhost domains can be accepted rather than rejected.