
Vulnerable dependency `cookie < 0.7.0`

Open · Peter-Juhasz opened this issue 10 months ago · 1 comment

Version: 2.0.4

Describe the bug

Breaks build pipelines on vulnerable dependency cookie.

# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
No fix available
node_modules/cookie
  @azure/static-web-apps-cli  *
  Depends on vulnerable versions of cookie
  node_modules/@azure/static-web-apps-cli

2 low severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

To Reproduce

Steps to reproduce the behavior:

{
	"name": "build",
	"version": "1.0.0",
	"dependencies": {
		"@azure/static-web-apps-cli": "latest"
	}
}

npm audit

Expected behavior

Doesn't reference any vulnerable packages.

Additional context

Running on GitHub Actions.

Peter-Juhasz, Feb 22 '25 09:02
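The two things a consumer of this package actually needs when `npm audit` says "No fix available" for a transitive dependency are (1) which installed package pulls in the flagged version, which is what the `node_modules/cookie <- @azure/static-web-apps-cli` lines in the report above express, and (2) a way to pin the transitive dependency without waiting for the upstream release. The following is an added example, not code from the issue, from @azure/static-web-apps-cli, or from npm: it reads a lockfile (lockfileVersion 3 layout) to reproduce the audit finding, and produces a package.json `overrides` entry, which is npm's own mechanism (npm 8.3 and later) for forcing a transitive dependency to a range. The lockfile, the `^0.6.0` range and the installed `0.6.0` are constructed for the demo and are not the real metadata of swa-cli 2.0.4.

```javascript
// Added example, not part of the issue or of @azure/static-web-apps-cli.
// Constructed package-lock.json (lockfileVersion 3 layout). The "cookie"
// range and the installed version are assumptions for the demo.
const SAMPLE_LOCK = {
  name: "build",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@azure/static-web-apps-cli": "latest" } },
    "node_modules/@azure/static-web-apps-cli": {
      version: "2.0.4",
      dependencies: { cookie: "^0.6.0" },
    },
    "node_modules/cookie": { version: "0.6.0" },
  },
};

// The package.json from the issue's reproduction steps.
const SAMPLE_PKG = {
  name: "build",
  version: "1.0.0",
  dependencies: { "@azure/static-web-apps-cli": "latest" },
};

// Parse "major.minor.patch" into numbers; pre-release/build tags are ignored,
// which is enough for a "< fixedVersion" advisory range.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new TypeError(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Every installed copy of depName: the hoisted one (node_modules/<dep>) and
// any nested ones (node_modules/<parent>/node_modules/<dep>).
function installsOf(lock, depName) {
  const suffix = "node_modules/" + depName;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Lockfile entries that declare depName as a regular, optional or peer dependency.
function dependentsOf(lock, depName) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const declared = Object.assign(
      {},
      entry.dependencies,
      entry.optionalDependencies,
      entry.peerDependencies
    );
    if (depName in declared) out.push(path || "(root)");
  }
  return out;
}

// Reproduce the audit finding for an advisory of the form "depName < fixedVersion".
function auditPackage(lock, depName, fixedVersion) {
  const installs = installsOf(lock, depName).map((i) => ({
    ...i,
    vulnerable: lessThan(i.version, fixedVersion),
  }));
  return {
    installs,
    vulnerable: installs.some((i) => i.vulnerable),
    dependents: dependentsOf(lock, depName),
  };
}

// Return a copy of package.json with an `overrides` entry that forces every
// occurrence of depName in the tree to satisfy `range`. Existing overrides are kept.
function addOverride(pkg, depName, range) {
  const overrides = { ...(pkg.overrides || {}), [depName]: range };
  return { ...pkg, overrides };
}

// Stand-alone run: prints the same finding as the issue's audit report, then
// the package.json that pins cookie to the fixed range.
const report = auditPackage(SAMPLE_LOCK, "cookie", "0.7.0");
if (report.vulnerable) {
  const v = report.installs.map((i) => `${i.path}@${i.version}`).join(", ");
  console.log(`cookie < 0.7.0 installed (${v}); pulled in by: ${report.dependents.join(", ")}`);
  console.log(JSON.stringify(addOverride(SAMPLE_PKG, "cookie", ">=0.7.0"), null, 2));
}
```

After writing the override into package.json, `npm install` regenerates the lockfile; `npm ls cookie` and `npm audit` then show whether the hoisted copy moved to 0.7.x. The caveat is that an override forces a version the depending package was not released against, so keep the pin until the upstream fix lands and run the CLI's own smoke tests (yarn's `resolutions` and pnpm's `pnpm.overrides` serve the same purpose under those package managers).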

I've submitted two PRs to address this vulnerability:

  • PR #960: A minimal fix updating just the cookie dependency
  • PR #962: A comprehensive security update that includes the cookie fix plus other security vulnerabilities

Both PRs fix the CVE-2024-47764 vulnerability. The maintainers can choose which approach they prefer.

keith-oak, Jun 25 '25 00:06
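To make concrete what the advisory referenced in this thread (GHSA-pxg6-pf52-xh8x / CVE-2024-47764) is about, here is an added example; it is not the cookie package's code and not taken from PR #960 or PR #962. It places an unchecked serializer (a constructed stand-in for "accepts cookie name, path, and domain with out of bounds characters") beside a validating one whose character classes are this example's reading of the RFC 6265 grammar, not the exact regular expressions the cookie package adopted. The `parseSetCookie` helper is a deliberately simplified receiver, there only to show that a `;` inside an attacker-influenced path value becomes a real attribute on the wire. The attacker-controlled path is constructed input.

```javascript
// Added example; not the cookie package's code and not from either PR.
// RFC 6265 grammar as regular expressions (this example's reading of the RFC):
//   cookie-name  = token (RFC 7230 tchar)
//   cookie-value = *cookie-octet / DQUOTE *cookie-octet DQUOTE
//   path-value   = any CHAR except CTLs or ";"
//   domain-value = hostname labels (RFC 1034 style), optional leading dot
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_VALUE_RE = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;
const PATH_RE = /^[\u0020-\u003A\u003C-\u007E]*$/;
const DOMAIN_RE = /^\.?[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function attributes(opts) {
  let s = "";
  if (opts.path !== undefined) s += `; Path=${opts.path}`;
  if (opts.domain !== undefined) s += `; Domain=${opts.domain}`;
  if (opts.httpOnly) s += "; HttpOnly";
  if (opts.secure) s += "; Secure";
  return s;
}

// Constructed stand-in for an unchecked serializer: splices its inputs straight
// into the header, so a ";" in any of them starts a new attribute.
function serializeLoose(name, value, opts = {}) {
  return `${name}=${value}${attributes(opts)}`;
}

// Validating serializer: refuses anything outside the RFC 6265 character sets
// before it can reach the header.
function serializeStrict(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError("invalid cookie name");
  if (!COOKIE_VALUE_RE.test(value)) throw new TypeError("invalid cookie value");
  if (opts.path !== undefined && !PATH_RE.test(opts.path)) throw new TypeError("invalid path");
  if (opts.domain !== undefined && !DOMAIN_RE.test(opts.domain)) throw new TypeError("invalid domain");
  return serializeLoose(name, value, opts);
}

// Simplified receiver: first "name=value" pair, then ";"-separated attributes,
// attribute names lower-cased. Enough to show what a browser would act on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const out = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    if (i === -1) out.attrs[a.toLowerCase()] = true;
    else out.attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return out;
}

// Constructed attacker-influenced path value (think: echoed from a request URL).
const EVIL_PATH = "/; Domain=attacker.example";

// Run the same input through both serializers and report what each does.
function demo() {
  const loose = serializeLoose("sid", "abc123", { path: EVIL_PATH, httpOnly: true });
  const parsed = parseSetCookie(loose);
  let strictError = null;
  try {
    serializeStrict("sid", "abc123", { path: EVIL_PATH, httpOnly: true });
  } catch (e) {
    strictError = e.message;
  }
  return { loose, smuggledDomain: parsed.attrs.domain, strictError };
}

const result = demo();
console.log("unchecked header:", result.loose);
console.log("receiver sees Domain =", result.smuggledDomain);
console.log("validating serializer:", result.strictError);
```

Run with `node`, the unchecked header comes out as `sid=abc123; Path=/; Domain=attacker.example; HttpOnly`, and the receiver attributes the cookie to `attacker.example`; the validating serializer throws on the path before any header is built. The same check applies to the name and domain parameters, which is why the advisory lists all three.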