
build(deps): bump jshttp/cookie from 0.6.0 to 0.7.1

Open klobucar opened this issue 1 year ago • 2 comments

  • [x] All new/changed/fixed functionality is covered by tests (or N/A)
  • [x] I have added documentation for all new/changed functionality (or N/A)

📋 Changes

This bumps jshttp/cookie from 0.6.0 -> 0.7.1 due to a low-severity security issue.

📎 References

  • https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x
  • https://github.com/jshttp/cookie/pull/167

🎯 Testing

Ran unit tests with npm test, and all passed.

klobucar avatar Oct 05 '24 04:10 klobucar

The audit breaks in other projects I work on; however, it can be illustrated here when run in this project as well.

There is more stuff, but that is only developer dependencies. It would be good to clean that up, though, just so the audit reports that everything is clean. I can populate that in a different PR.

$ npm audit
<outputs of dev deps truncated>
cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cookie

klobucar avatar Oct 05 '24 04:10 klobucar
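The advisory quoted in the audit output above says that cookie <0.7.0 accepted a cookie name, path or domain containing out-of-bounds characters. The following is an added illustration of why that matters, not code from jshttp/cookie or from nextjs-auth0: a minimal Set-Cookie serializer that checks only the value (the behaviour the advisory describes), next to a hardened serializer that validates name, path and domain before they are concatenated into the header. The regular expressions are this example's own reading of RFC 6265 (token, cookie-octet, path-value) and a conventional hostname grammar; they are assumptions, not a claim about what any version of cookie ships.

```javascript
// Added example (not the cookie library's code): attribute injection through
// an unvalidated Path, and the validation that stops it.

// RFC 6265 "token" characters, allowed in a cookie name (assumption).
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 6265 cookie-octet: printable US-ASCII minus CTLs, whitespace, DQUOTE,
// comma, semicolon and backslash (assumption).
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// RFC 6265 path-value: printable US-ASCII except ';' (0x3B) and CTLs (assumption).
const PATH_VALUE_RE = /^[\x20-\x3A\x3D-\x7E]*$/;
// Hostname: dot-separated LDH labels, optional leading dot (assumption).
const DOMAIN_VALUE_RE =
  /^\.?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// "Lax" serializer: only the value is checked; name, path and domain are
// copied verbatim into the header. This is the shape of the advisory's bug.
function serializeLax(name, value, opts = {}) {
  if (!COOKIE_VALUE_RE.test(value)) throw new TypeError("invalid cookie value");
  let out = `${name}=${value}`;
  if (opts.path !== undefined) out += `; Path=${opts.path}`;
  if (opts.domain !== undefined) out += `; Domain=${opts.domain}`;
  if (opts.httpOnly) out += "; HttpOnly";
  if (opts.secure) out += "; Secure";
  return out;
}

// Hardened serializer: reject any field that could terminate the current
// attribute or smuggle a new one, then reuse the same concatenation.
function serializeStrict(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError("invalid cookie name");
  if (!COOKIE_VALUE_RE.test(value)) throw new TypeError("invalid cookie value");
  if (opts.path !== undefined && !PATH_VALUE_RE.test(opts.path)) {
    throw new TypeError("invalid cookie path");
  }
  if (opts.domain !== undefined && !DOMAIN_VALUE_RE.test(opts.domain)) {
    throw new TypeError("invalid cookie domain");
  }
  return serializeLax(name, value, opts);
}

// Split a Set-Cookie header into its lower-cased attribute names so the
// effect of an injected field is visible in the parsed result.
function attributesOf(header) {
  return header
    .split(";")
    .map((part) => part.trim())
    .slice(1)
    .map((attr) => attr.split("=")[0].toLowerCase());
}

// Constructed input: the application meant to set Path only, but the path
// came from request data and carries a smuggled Domain attribute.
const hostilePath = "/; Domain=attacker.example";
console.log(serializeLax("sid", "abc", { path: hostilePath, httpOnly: true }));
// The hardened version refuses the same input instead of widening the scope.
try {
  serializeStrict("sid", "abc", { path: hostilePath, httpOnly: true });
} catch (err) {
  console.log(`strict: ${err.message}`);
}
```

The lax header carries a Domain attribute the application never set, which a browser will honour; the strict serializer throws before the header is built. Whether any given nextjs-auth0 deployment fed attacker-influenced data into those fields is not something this thread states, so treat the bump as removing a class of bug rather than as confirmation of an exploitable path.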

thanks @klobucar. Could we get this reviewed?

uss-makenzie avatar Oct 11 '24 13:10 uss-makenzie

Would it be possible to release this in version 3.5.1, as it addresses a security-related issue?

https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060
https://www.cve.org/CVERecord?id=CVE-2024-47764

Also, there are new versions of cookie (0.7.2, 1.0.0 and 1.0.1); happy to help by creating a PR with any of those versions. https://github.com/jshttp/cookie/releases

nicoalonsop avatar Oct 23 '24 22:10 nicoalonsop

LGTM. @nicoalonsop sure, please go ahead and create a PR for later versions of cookie. @klobucar thanks, a PR would be helpful 👍 Meanwhile, we will see if we can make a minor release of the NextJS SDK for these.

tusharpandey13 avatar Oct 28 '24 14:10 tusharpandey13

Some of these checks are failing in really interesting ways.

Test Suites: 61 passed, 61 total
Tests:       704 passed, 704 total
Snapshots:   0 total
Time:        57.367 s
Ran all test suites matching /tests/i in 2 projects.
Error: Process completed with exit code 1.

klobucar avatar Oct 29 '24 00:10 klobucar

@tusharpandey13 some of these tests seem to be failing due to missing API keys or other infrastructural issues; can we get these looked at?

uss-makenzie avatar Nov 13 '24 14:11 uss-makenzie

yeah, that would be great. I also updated the branch from latest main.

Thanks!

klobucar avatar Nov 13 '24 21:11 klobucar

please re-approve @tusharpandey13

klobucar avatar Nov 13 '24 21:11 klobucar

Hi @klobucar, I have approved the file changes as they look fine.

tusharpandey13 avatar Nov 19 '24 10:11 tusharpandey13

Can we get this merged and released? It doesn't feel safe to ignore npm audit, nor to use overrides in package.json. Is the API the same?

pocesar avatar Nov 22 '24 22:11 pocesar

Hi @klobucar, I see one of your commits is still not signed; can you fix that so we can go ahead? Thanks

Regarding the failing snyk and browserstack checks, they are not required for now and are under maintenance. We can go ahead with merging the PR once the commits have been signed.

tusharpandey13 avatar Nov 27 '24 09:11 tusharpandey13

All signed. Please approve and merge @tusharpandey13

klobucar avatar Dec 01 '24 07:12 klobucar

This has been merged, we will make a minor release of nextjs-auth0 v3 shortly. Thank you @klobucar

tusharpandey13 avatar Dec 02 '24 08:12 tusharpandey13

> This has been merged, we will make a minor release of nextjs-auth0 v3 shortly. Thank you @klobucar

Hi, any word on when this release will be created? Thanks

DownChapel avatar Dec 10 '24 09:12 DownChapel

This PR has been released as part of Next.js Auth0 (v3.6.0) version. Thanks for your patience and contribution to the project!

arpit-jn avatar Jan 31 '25 17:01 arpit-jn