workos-node

Nested dependency 'cookie' is flagged as a vulnerability

Open troy-surepath opened this issue 10 months ago • 4 comments

```
node_modules/iron-session/node_modules/cookie
  iron-session  <=8.0.3
  Depends on vulnerable versions of cookie
  node_modules/iron-session
    @workos-inc/node  >=7.15.0
    Depends on vulnerable versions of iron-session
```

troy-surepath avatar Feb 05 '25 16:02 troy-surepath

As a follow-up on this, I understand that this issue arises because the package is still using iron-session v7, as v8 no longer supports Node v16. Are there any plans to drop support for Node v16, considering that other platforms (e.g., Vercel, AWS) are starting to phase it out?

josh-respectx avatar Feb 26 '25 09:02 josh-respectx

Any updates on this?

anuhyabs avatar Mar 26 '25 19:03 anuhyabs

Adding the vulnerability tracker IDs to make this more searchable:

CVE-2024-47764

GHSA-pxg6-pf52-xh8x

wmurphyrd avatar Apr 15 '25 21:04 wmurphyrd

For anyone who comes across this: we ended up using overrides to pull in a newer version of cookie. This seems to work without issue in v7.46.0 of this package.

```json
// package.json
"overrides": {
  "cookie": "0.7.2"
}
```

zkrzyzanowski avatar Apr 18 '25 03:04 zkrzyzanowski