You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Remark: Its not really a bug by itself and not an direct security issue but might be one, depending on how the packages are installed and used within external programs. Threfore i am not sure how to properly classify...
Please update the direct "cookie" dependency.
Latest version release uses old "^0.5.0" and current master "^0.6.0". all other projects like "express" itself or "express-session" & Co are using 0.7.1 at least, therefor an update to this version should be done.
And as semver range is below 1 your current master version does not allow 0.7.0, only 0.6.x versions.
One reason for upgrade is the minor security warning about XSS parsiong in cookie data (GHSA-pxg6-pf52-xh8x)
As your library is probably most of the time used together with ExpressJS your old cookie version might be the default cookie for the project or the one (updated) from ExpressJS. Therefor people using your project together with the cookie library itself might be vulnerable or not. I have seen package-lock.json files booth way around either your old 0.5.0 or the newer 0.7.1 as default cookie package for app usage. Express itself is using secure version as its declared its own version...
And afterwards a release of a new bugfix version would be good.
Thanks in Advance
Reproduction
create new project with latest "express-openid-connect" as dependency
run "npm install"
check version of "cookie" intalled - its old "0.5.0" due to semver range definition and not secured 0.7.x
Checklist
Description
Remark: Its not really a bug by itself and not an direct security issue but might be one, depending on how the packages are installed and used within external programs. Threfore i am not sure how to properly classify...
Please update the direct "cookie" dependency.
Latest version release uses old "^0.5.0" and current master "^0.6.0". all other projects like "express" itself or "express-session" & Co are using 0.7.1 at least, therefor an update to this version should be done.
And as semver range is below 1 your current master version does not allow 0.7.0, only 0.6.x versions.
One reason for upgrade is the minor security warning about XSS parsiong in cookie data (GHSA-pxg6-pf52-xh8x)
As your library is probably most of the time used together with ExpressJS your old cookie version might be the default cookie for the project or the one (updated) from ExpressJS. Therefor people using your project together with the cookie library itself might be vulnerable or not. I have seen package-lock.json files booth way around either your old 0.5.0 or the newer 0.7.1 as default cookie package for app usage. Express itself is using secure version as its declared its own version...
And afterwards a release of a new bugfix version would be good.
Thanks in Advance
Reproduction
Additional context
latest
[email protected]
uses[email protected]
latest
[email protected]
uses[email protected]
latest
[email protected]
uses[email protected]
express-openid-connect version
2.17.1
Express version
4.21.1
Node.js version
20.18.0
The text was updated successfully, but these errors were encountered: