I noticed that the current version of the cookie package used in this project contains a security vulnerability. Specifically, the cookie name could be exploited to set other fields of the cookie, resulting in unexpected cookie values.
I am aware that this issue has been resolved in a newer version of the cookie package and this project has updated the library version but not released a tag yet. I could upgrade manually so it would greatly benefit the community if a new tag were published with the updated dependency.
❯ npm audit --omit dev
# npm audit report
cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cookie
nestjs-i18n >=4.1.0
Depends on vulnerable versions of cookie
node_modules/nestjs-i18n
2 low severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Used Package Manager
npm
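The report above says a cookie name can end up setting other cookie fields. As an added example (not part of the original issue and not the cookie package's own code), this sketch compares a serializer that trusts the name with one that enforces the RFC 6265 token grammar for names; `serializeNaive`, `serializeStrict`, `parseSetCookie` and the sample name are hypothetical.

```javascript
// Added illustration; function names are hypothetical, not the cookie package's API.

// RFC 6265 cookie-name is an RFC 7230 "token": visible ASCII minus separators.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Naive serializer: concatenates the caller-supplied name without checking it.
function serializeNaive(name, value) {
  return `${name}=${encodeURIComponent(value)}`;
}

// Hardened serializer: rejects any name that is not a token, so the name
// cannot contain "=", ";" or whitespace and cannot introduce attributes.
function serializeStrict(name, value) {
  if (typeof name !== "string" || !TOKEN_RE.test(name)) {
    throw new TypeError("invalid cookie name");
  }
  return `${name}=${encodeURIComponent(value)}`;
}

// Splits a Set-Cookie value the way a user agent does: the first pair is the
// cookie itself, the remaining ";"-separated parts are attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attributes: attrs.filter(Boolean),
  };
}

// Constructed input: a name derived from untrusted data that carries extra fields.
const untrustedName = "theme=dark; Domain=example.org; Path=/; x";

function demo() {
  const naive = parseSetCookie(serializeNaive(untrustedName, "1"));
  let strictError = null;
  try {
    serializeStrict(untrustedName, "1");
  } catch (e) {
    strictError = e.message;
  }
  return { naive, strictError, ok: serializeStrict("theme", "dark") };
}

console.log(demo());
```

Applications that build cookie names from request data can apply the same token check before calling any cookie serializer, independent of which library version is installed.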