build(deps): bump jshttp/cookie from 0.6.0 to 0.7.1 #1778
base: main
The audit breaks in other projects I work on, however can be illustrated here when run in the project as well. There is more stuff, but that is only developer dependencies. It would be good to clean that up though just to make the audit report everything is clean. Can populate that in a different PR.

$ npm audit
<outputs of dev deps truncated>
cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cookie |
thanks @klobucar. Could we get this reviewed? |
Would it be possible to release this in version 3.5.1, as it addresses a security-related issue? https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060 Also, there are new versions of |
LGTM |
Some of these checks are failing in really interesting ways. |
@tusharpandey13 some of these tests seem to be failing due to missing api keys or other infrastructural issues, can we get these looked at? |
yeah, that would be great. I also updated the branch from latest Thanks! |
please re-approve @tusharpandey13 |
Hi @klobucar, I have approved the file changes as they look fine. |
can we get this merged and released? doesn't feel safe to ignore |
📋 Changes
This bumps jshttp/cookie from 0.6.0 -> 0.7.1 due to low severity security issue
📎 References
🎯 Testing
Ran unit tests with `npm test`, and all passed