New vulnerability reported from npm audit
Describe the Bug
cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisor
fix available via `npm audit fix --force`
Will install @sitecore-jss/[email protected], which is a breaking change
node_modules/cookie
node_modules/next-auth/node_modules/cookie
express >=3.0.0-alpha1
Depends on vulnerable versions of cookie
node_modules/express
next-auth <=0.0.0-pr.11562.ed0fce23 || 4.0.0-beta.1 - 4.0.0-beta.7 || 4.0.1 - 4.24.8
Depends on vulnerable versions of cookie
node_modules/next-auth
universal-cookie *
Depends on vulnerable versions of cookie
node_modules/universal-cookie
I have checked the latest release notes and none of the recent work within v22 has addressed this.
To Reproduce
Use v22
"@sitecore-jss/sitecore-jss": "^22.0.0", "@sitecore-jss/sitecore-jss-cli": "^22.0.0", "@sitecore-jss/sitecore-jss-dev-tools": "^22.0.0",
Run npm audit
Observe vulnerability logs
Expected Behavior
No vulnerabilities reported
Possible Fix
No response
Provide environment information
- Sitecore Version: 22
- JSS Version: 22
- Browser Name and version: N/a
- Operating System and version (desktop or mobile): N/a
- Link to your project (if available): N/a
Hey @jamesryan-dev, thanks for submitting this :) I tested with the latest JSS Next.js app and I got cookie v0.7.1, so I don't see the mentioned vulnerability. Can you give me some more details on what kind of app and version you are seeing this with? Thanks!
@jamesryan-dev, as my colleague mentioned, the JSS Next.js app uses the cookie dependency at version 0.7.1 out of the box.
It seems the lower-numbered vulnerable version comes from the next-auth and universal-cookie dependencies, which are not present OOB.
This dependency has been recently updated in next-auth https://github.com/nextauthjs/next-auth/commit/b3e4369cff3e584b3254cc2689b7c9076d51c6d0 which should address your problem.
Please feel free to reach out and reopen this issue if you have more questions.