
chore(server-runtime): update `cookie` to v1

Open shelldandy opened this issue 1 year ago • 4 comments

Fixes CVE-2024-47764

shelldandy avatar Oct 13 '24 02:10 shelldandy

🦋 Changeset detected

Latest commit: 97125846e3e44f6e5fa91861fa091b55aaf2815a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 19 packages
Name Type
@remix-run/server-runtime Patch
@remix-run/cloudflare Patch
@remix-run/deno Patch
@remix-run/dev Patch
@remix-run/node Patch
@remix-run/react Patch
@remix-run/testing Patch
@remix-run/cloudflare-pages Patch
@remix-run/cloudflare-workers Patch
@remix-run/fs-routes Patch
@remix-run/route-config Patch
@remix-run/routes-option-adapter Patch
@remix-run/architect Patch
@remix-run/express Patch
@remix-run/serve Patch
create-remix Patch
remix Patch
@remix-run/css-bundle Patch
@remix-run/eslint-config Patch

changeset-bot[bot] avatar Oct 13 '24 02:10 changeset-bot[bot]

Hi @shelldandy,

Welcome, and thank you for contributing to Remix!

Before we consider your pull request, we ask that you sign our Contributor License Agreement (CLA). We require this only once.

You may review the CLA and sign it by adding your name to contributors.yml.

Once the CLA is signed, the CLA Signed label will be added to the pull request.

If you have already signed the CLA and received this response in error, or if you have any questions, please contact us at [email protected].

Thanks!

- The Remix team

remix-cla-bot[bot] avatar Oct 13 '24 02:10 remix-cla-bot[bot]

Thank you for signing the Contributor License Agreement. Let's get this merged! 🥳

remix-cla-bot[bot] avatar Oct 13 '24 03:10 remix-cla-bot[bot]

@shelldandy Can you please rebase your branch onto latest dev & set target there as well?

This is a code change, so we need to target dev instead

MichaelDeBoey avatar Oct 14 '24 22:10 MichaelDeBoey

Hi 👋 . Any update on this one? 🤔

FKSI avatar Dec 17 '24 16:12 FKSI

Hi, sorry to ask for an ETA, but is there one for this to be merged? Thank you!

VGerris avatar Dec 27 '24 23:12 VGerris

I'm unsure if we can merge this in Remix v2 because it seems it might have a breaking change which would result in a breaking change for Remix v2 - see https://github.com/sveltejs/kit/pull/12767

We have updated to cookie@1 in React Router v7 so if this is a critical vulnerability I would suggest migrating to RR v7 to get to cookie v1

brophdawg11 avatar Jan 03 '25 16:01 brophdawg11

> I'm unsure if we can merge this in Remix v2 because it seems it might have a breaking change which would result in a breaking change for Remix v2 - see sveltejs/kit#12767
>
> We have updated to cookie@1 in React Router v7 so if this is a critical vulnerability I would suggest migrating to RR v7 to get to cookie v1

Can you explain what you mean? A recent expo-router installation shows:

npm why cookie
[email protected]
node_modules/cookie
  cookie@"^0.6.0" from @remix-run/[email protected]
  node_modules/@remix-run/server-runtime
    @remix-run/server-runtime@"2.15.2" from @remix-run/[email protected]
    node_modules/@remix-run/node
      @remix-run/node@"^2.12.0" from @expo/[email protected]
      node_modules/@expo/server
        @expo/server@"^0.5.0" from [email protected]
        node_modules/expo-router
          expo-router@"^4.0.16" from the root project

How would I go about applying what you suggest? On track for this, how would we go about implementing the change? Do we need support in the cookie lib? I don't have the full picture, but I think it's important to upgrade.

VGerris avatar Jan 13 '25 09:01 VGerris

[email protected] contains a breaking change from [email protected]. If Remix v2 upgraded to [email protected] then we would need to do so in a major semver release - which we have already done in React Router v7. We cannot release a Remix 2.x release with this upgrade because it would break the rules of semver.

If you are unable to upgrade to React Router v7 you can override the cookie dependency using your package manager overrides feature as mentioned in the linked issue:

https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
https://pnpm.io/package_json#pnpmoverrides

brophdawg11 avatar Jan 21 '25 15:01 brophdawg11
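Applying the override brophdawg11 points to, and then checking that no copy of `cookie` below v1 is left in the installed tree, as an added example that is not code from the Remix project or from anyone in this thread. It assumes npm's lockfileVersion 3 layout (a `packages` map keyed by install path) and the `^1.0.0` range implied by the PR title; the sample `package.json` and lock contents are constructed to mirror the `npm why cookie` chain VGerris posted, and the resolved versions in them are illustrative.

```javascript
// Added example, not code from the Remix project or from this thread.
// It applies the package-manager override brophdawg11 points to and then
// checks an npm lock file for any remaining copy of `cookie` below v1.
// Assumptions (mine, not the page's): npm lockfileVersion 3 ("packages"
// map keyed by install path) and the "^1.0.0" range implied by the PR title.

const TARGET_RANGE = "^1.0.0";

// Return a copy of package.json with an override pinning `cookie` to `range`,
// written in the syntax of the chosen package manager:
//   npm  -> top-level "overrides"
//   pnpm -> "pnpm": { "overrides": ... }
// The input object is not mutated.
function withCookieOverride(pkg, manager = "npm", range = TARGET_RANGE) {
  const out = JSON.parse(JSON.stringify(pkg));
  if (manager === "npm") {
    out.overrides = { ...(out.overrides || {}), cookie: range };
  } else if (manager === "pnpm") {
    const existing = (out.pnpm && out.pnpm.overrides) || {};
    out.pnpm = { ...(out.pnpm || {}), overrides: { ...existing, cookie: range } };
  } else {
    throw new Error(`unsupported package manager: ${manager}`);
  }
  return out;
}

// Parse a plain "major.minor.patch" version; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Walk the lock file's "packages" map and list every installed copy of
// `cookie` (top-level or nested under another package's node_modules)
// whose major version is below `minMajor`.
function findOutdatedCookie(lock, minMajor = 1) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/cookie")) continue;
    const ver = parseVersion(entry.version || "");
    if (ver && ver[0] < minMajor) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample inputs mirroring the `npm why cookie` chain quoted in
// the thread (expo-router -> @expo/server -> @remix-run/node ->
// @remix-run/server-runtime -> cookie). Resolved versions are illustrative.
const SAMPLE_PKG = {
  name: "my-app",
  dependencies: { "expo-router": "^4.0.16" },
};

const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "expo-router": "^4.0.16" } },
    "node_modules/expo-router": { version: "4.0.16", dependencies: { "@expo/server": "^0.5.0" } },
    "node_modules/@expo/server": { version: "0.5.0", dependencies: { "@remix-run/node": "^2.12.0" } },
    "node_modules/@remix-run/node": { version: "2.15.2", dependencies: { "@remix-run/server-runtime": "2.15.2" } },
    "node_modules/@remix-run/server-runtime": { version: "2.15.2", dependencies: { cookie: "^0.6.0" } },
    "node_modules/cookie": { version: "0.6.0" },
  },
};

// The same tree after re-installing with the override applied: the single
// `cookie` entry now resolves to a 1.x release (constructed value).
const SAMPLE_LOCK_AFTER = JSON.parse(JSON.stringify(SAMPLE_LOCK_BEFORE));
SAMPLE_LOCK_AFTER.packages["node_modules/cookie"] = { version: "1.0.0" };

// Stand-alone run: print the override fragments and the before/after audit.
console.log(JSON.stringify(withCookieOverride(SAMPLE_PKG, "npm"), null, 2));
console.log(JSON.stringify(withCookieOverride(SAMPLE_PKG, "pnpm"), null, 2));
console.log("before override:", findOutdatedCookie(SAMPLE_LOCK_BEFORE));
console.log("after override:", findOutdatedCookie(SAMPLE_LOCK_AFTER));
```

The audit walks every `node_modules/cookie` path rather than only the top-level one, because an override that is ignored or misspelled typically shows up as a nested duplicate under the package that still requests `^0.6.0`; a real `package-lock.json` can be passed to `findOutdatedCookie` after `JSON.parse(fs.readFileSync(...))`. Note that, as brophdawg11 says, the override forces a major-version jump that Remix v2 itself was not released against, so the app's own cookie handling still needs to be exercised after the change.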