From 3ce72e9d4cf7675c282c9a73f340fb7677ffebee Mon Sep 17 00:00:00 2001
From: Josh Buker
Date: Fri, 4 Oct 2024 21:31:52 +0000
Subject: [PATCH 1/3] Update `cookie` semver lock to address CVE-2024-47764
Per CVE-2024-47764 (https://github.com/advisories/GHSA-pxg6-pf52-xh8x), versions `< 0.7.0` of `cookie` have a low severity vulnerability. Because express uses a strict semver lock of `0.6.0` this will cause downstream projects to pull a vulnerable version of cookie unless they explicitly overwrite the resolution in their `package.json` with:
```json
"resolutions": { "cookie": ">= 0.7.0" },
```
Updating the semver to `^0.7.1` to both resolve the vulnerability and allow backwards compatible updates in the future.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 3a10ae4dc5..653634cefa 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 "body-parser": "^2.0.1",
 "content-disposition": "^1.0.0",
 "content-type": "~1.0.4",
- "cookie": "0.6.0",
+ "cookie": "^0.7.1",
 "cookie-signature": "^1.2.1",
 "debug": "4.3.6",
 "depd": "2.0.0",
From 8c12fd7c1674e564e32cc8893e7da85cf729268e Mon Sep 17 00:00:00 2001
From: Josh Buker
Date: Sat, 5 Oct 2024 10:46:01 -0700
Subject: [PATCH 2/3] Add entry to History.md per PR #6017
Feedback https://github.com/expressjs/express/pull/6017#pullrequestreview-2349617020
---
 History.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/History.md b/History.md
index 2592c976bf..1bf1328200 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+* Update `cookie` semver lock to address CVE-2024-47764
+
 5.0.0 / 2024-09-10
 =========================
 * remove:
From 7a525c94ae4c90a994d6b0543ef019609b857b3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?=
Date: Tue, 8 Oct 2024 12:04:15 +0200
Subject: [PATCH 3/3] chore: remove caret
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 653634cefa..473f6a8612 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 "body-parser": "^2.0.1",
 "content-disposition": "^1.0.0",
 "content-type": "~1.0.4",
- "cookie": "^0.7.1",
+ "cookie": "0.7.1",
 "cookie-signature": "^1.2.1",
 "debug": "4.3.6",
 "depd": "2.0.0",
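Review bot: Dropping the caret pins `cookie` to exactly `0.7.1`, which re-creates the situation patch 1/3 describes: the next security release of `cookie` will again require a manual bump in express before downstream projects pick it up without a `resolutions` override. This is consistent with the file's other exact pins (`debug`, `depd`), so it is presumably the project's chosen policy, but the commit message `chore: remove caret` gives no rationale and the History.md entry added in patch 2/3 still reads as a range update. Suggest the changelog line say what consumers actually get, e.g. `* Pin \`cookie\` to 0.7.1 to address CVE-2024-47764`, so readers know a later `cookie` fix needs a new express release or an explicit override on their side.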