Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump cookie to v0.7.0 #2

Closed
ivasilov opened this issue Oct 7, 2024 · 4 comments · Fixed by #3
Closed

Bump cookie to v0.7.0 #2

ivasilov opened this issue Oct 7, 2024 · 4 comments · Fixed by #3

Comments

@ivasilov
Copy link

ivasilov commented Oct 7, 2024

There was a vulnerability which was fixed in v0.7.0. Since this library depends on cookie and has strict version range, it can't be updated to 0.7.0.
@djskinner djskinner mentioned this issue Oct 9, 2024
Merged
@Eric-Arellano
Copy link

Eric-Arellano commented Oct 11, 2024
edited
Loading

Thank you for fixing this! Any ETA on a release to NPM?

@kettanaito kettanaito mentioned this issue Oct 13, 2024
Open
2 tasks
@kettanaito
Copy link

@Eric-Arellano, I've opened a pull request to add release automation to this package (see #4). If we get it merged, I will see the release to NPM. All the following releases will be published automatically on merge to main.

@jpreynat
Copy link

@thepassle Any chance to get a new version of this module on npm that includes this fix? 🙏
Thanks in advance!

@RomeoDespres
Copy link

For anyone trying to fix the recent security issue - just found out you can add the following to package.json:

"overrides": {
    "@bundled-es-modules/cookie": {
      "cookie": ">=0.7.0"
    }
  }

which will force installation of the patched version of cookie - and likely won't break anything since this package does not depend on any feature of cookie.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump cookie dependency to ^0.7.1 djskinner/cookie
5 participants
@ivasilov @jpreynat @Eric-Arellano @kettanaito @RomeoDespres