Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please update cookie dependency to >=0.7.1 and release a new version #637

Open
6 tasks done
sseide opened this issue Nov 15, 2024 · 1 comment
Open
6 tasks done
Labels
bug Something isn't working

Comments

@sseide
Copy link

sseide commented Nov 15, 2024

Checklist

Description

Remark: Its not really a bug by itself and not an direct security issue but might be one, depending on how the packages are installed and used within external programs. Threfore i am not sure how to properly classify...

Please update the direct "cookie" dependency.
Latest version release uses old "^0.5.0" and current master "^0.6.0". all other projects like "express" itself or "express-session" & Co are using 0.7.1 at least, therefor an update to this version should be done.

And as semver range is below 1 your current master version does not allow 0.7.0, only 0.6.x versions.

One reason for upgrade is the minor security warning about XSS parsiong in cookie data (GHSA-pxg6-pf52-xh8x)
As your library is probably most of the time used together with ExpressJS your old cookie version might be the default cookie for the project or the one (updated) from ExpressJS. Therefor people using your project together with the cookie library itself might be vulnerable or not. I have seen package-lock.json files booth way around either your old 0.5.0 or the newer 0.7.1 as default cookie package for app usage. Express itself is using secure version as its declared its own version...

And afterwards a release of a new bugfix version would be good.

Thanks in Advance

Reproduction

  1. create new project with latest "express-openid-connect" as dependency
  2. run "npm install"
  3. check version of "cookie" intalled - its old "0.5.0" due to semver range definition and not secured 0.7.x

Additional context

latest [email protected] uses [email protected]
latest [email protected] uses [email protected]
latest [email protected] uses [email protected]

express-openid-connect version

2.17.1

Express version

4.21.1

Node.js version

20.18.0

@sseide sseide added the bug Something isn't working label Nov 15, 2024
@mgagliardo91
Copy link

Can we prioritize this so that we can remove a security vulnerability from the usage?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants