tough-cookie is a Node.js implementation of RFC6265 for parsing, storing, and retrieving HTTP cookies (including Cookie and CookieJar helpers). It is useful for cookie handling in Node-based web clients and tests, and it also includes work-in-progress support for RFC6265bis features like SameSite context handling and cookie prefix security checks.
Project status
- Actively maintained: The repository has very recent updates (last upstream push on 2026-07-07, and a package update v6.0.2 dated 2026-07-07), with more changes in 2026 as well (v6.0.1 on 2026-03-12), indicating ongoing maintenance rather than dormancy.
- Update cadence: In 2026, updates came about 4 months apart (v6.0.1 in March, v6.0.2 in early July), suggesting a reasonably active cadence currently.
AI summary generated
Recent updates
v6.0.2
v6.0.2 includes a domain matching review aligned with RFC 6265 Section 5.1.3, plus a fix to avoid decoding the URL authority portion. The release also updates dependencies (not enumerated in full) and expands test coverage around the cookie authority decoding behavior.
v6.0.1
v6.0.1 is primarily a dependency and tooling update release, alongside documentation generation and CI workflow adjustments. The most substantial code-level change is a rewrite of the cookie date parsing logic (RFC6265 Section 5.1.1) plus a large expansion of date parsing test coverage.
v6.0.0
v6.0.0 introduces RFC 6761 compliant localhost loopback handling so that Secure cookies work over http localhost-style origins, with a new option to control that behavior. The release also switches the project to publish both ESM and CJS entrypoints, and there are major dependency and tooling changes to support the new module strategy.
BreakingFeaturesv5.1.2
v5.1.2 is a small patch release that primarily addresses a regression in the `domainMatch` logic. It also updates the published version strings across the package and generated API docs from 5.1.1 to 5.1.2.
v5.1.1
v5.1.1 mainly updates dev tooling and some internal build settings. The only code changes surfaced in the diff are type declaration/export adjustments (mostly making exports explicitly type-only) plus minor test changes and a small constants typing tweak.
v5.1.0
v5.1.0 finalizes the version bump from the v5.1.0-rc.0 release candidate to 5.1.0 and updates the generated API docs accordingly. The only substantive code change shown in the provided diff is a switch to a runtime-agnostic domainToASCII implementation used by canonical domain handling.
v5.1.0-rc.0
This release adds a previously missing Cookie.expiryDate(now?) API (with generated API docs), fixes cookie expiration when Expires is the Unix epoch (time value 0), and improves path matching to avoid interpreting cookie paths as regular expressions. It also introduces a jsdom-based scheduled integration test setup and streamlines CI and publishing workflows, alongside dependency bumps (notably tldts).
Featuresv5.0.0
v5.0.0 is a major release of tough-cookie that introduces TypeScript-first development artifacts and formal API documentation generation. The release also includes runtime and API contract changes around null/undefined handling, URL parameter support, and an updated logging/inspect approach, aligned with a minimum supported Node.js version.
BreakingFeaturesv4.1.4
tough-cookie v4.1.4 makes a targeted change around URL validation in CookieJar, and includes a small internal cleanup related to string conversion. It also updates tests to cover timestamping and cookie retrieval when passing a URL object.
v4.1.3
v4.1.3 is a minor release focused on a security fix for prototype pollution (Issue #282). The change hardens the in-memory cookie store against malicious domains like __proto__, and it also adjusts how the store’s data is shown by the `inspect` utility.
Securityv4.1.2
v4.1.2 is a patch release focused on fixing how the library handles special-use domains when setting cookies. The change specifically adjusts public suffix handling so that localhost domains can be accepted rather than rejected.