
Dependency on cookie version 0.6.0 triggers an npm audit failure

Open hello-alf opened this issue 1 year ago • 5 comments

According to the GitHub advisory https://github.com/advisories/GHSA-pxg6-pf52-xh8x, cookie accepts a cookie name, path, and domain with out-of-bounds characters.

The solution to resolve the npm audit failure is to upgrade the cookie dependency from version 0.6.0 to version 0.7.0. This update addresses the security vulnerabilities identified in the audit.

hello-alf avatar Oct 07 '24 15:10 hello-alf
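As an added example (not code from the cookie package, express-session, or any of the commenters), here is a defensive pre-serialisation check in JavaScript that rejects cookie name, path and domain values containing characters outside the allowed sets, which is the class of input the advisory describes. The character classes are assumptions drawn from RFC 6265, not the library's own regexes.

```javascript
// Added example, not the cookie package's implementation. Validates the
// three attributes named in GHSA-pxg6-pf52-xh8x before they reach a
// Set-Cookie header. Character classes are assumptions based on RFC 6265.

// Cookie name: RFC 6265 "token" characters (printable ASCII minus separators
// and control characters).
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Path value: printable ASCII excluding ';' and control characters.
const COOKIE_PATH_RE = /^[\u0020-\u003A\u003C-\u007E]*$/;
// Domain: dot-separated labels of letters, digits and hyphens, optional leading dot.
const COOKIE_DOMAIN_RE =
  /^\.?[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

// Returns the list of attribute names that fail validation (empty when all pass).
function validateCookieAttributes({ name, path, domain }) {
  const problems = [];
  if (typeof name !== 'string' || !COOKIE_NAME_RE.test(name)) problems.push('name');
  if (path !== undefined && !COOKIE_PATH_RE.test(path)) problems.push('path');
  if (domain !== undefined && !COOKIE_DOMAIN_RE.test(domain)) problems.push('domain');
  return problems;
}

// Serialises only after validation, so a ';' or CR/LF inside an attribute can
// never be emitted as an extra attribute or an extra header line.
function serializeCookie(name, value, opts = {}) {
  const problems = validateCookieAttributes({ name, path: opts.path, domain: opts.domain });
  if (problems.length) {
    throw new TypeError(`invalid cookie attribute(s): ${problems.join(', ')}`);
  }
  let header = `${name}=${encodeURIComponent(value)}`;
  if (opts.path) header += `; Path=${opts.path}`;
  if (opts.domain) header += `; Domain=${opts.domain}`;
  if (opts.httpOnly) header += '; HttpOnly';
  if (opts.secure) header += '; Secure';
  return header;
}
```

Running `npm audit` after bumping cookie to 0.7.0 is still the authoritative check; this wrapper only shows the kind of input the fixed version refuses.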

@hello-alf if you are using Express... we are going to release a new version soon with the updated version included. See: https://github.com/expressjs/express/pull/6017

UlisesGascon avatar Oct 07 '24 16:10 UlisesGascon

@UlisesGascon can you clarify if doing the express release will also cause this repo to have its dependency updated and released?

We depend on both express and express-session - which both currently depend on cookie 0.6.0. Having a new release of express will be great, but we need express-session updating as well.

knolleary avatar Oct 08 '24 14:10 knolleary

My fault, you are right @knolleary. We need to update the cookie version in this repo too. Are you willing to create the PR, @knolleary? :+1:

UlisesGascon avatar Oct 08 '24 15:10 UlisesGascon

@UlisesGascon https://github.com/expressjs/session/pull/997 - hope I've followed the right conventions for the HISTORY file update.

knolleary avatar Oct 08 '24 15:10 knolleary

This will be solved once 1.1.18 is released: https://github.com/expressjs/session/pull/998

UlisesGascon avatar Oct 08 '24 18:10 UlisesGascon