Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): bump jshttp/cookie from 0.6.0 to 0.7.1 #1778

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

klobucar
Copy link

@klobucar klobucar commented Oct 5, 2024

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

📋 Changes

This bumps jshttp/cookie from 0.6.0 -> 0.7.1 due to low severity security issue

📎 References

🎯 Testing

Ran unit tests with npm test , and all passed

@klobucar klobucar requested a review from a team as a code owner October 5, 2024 04:09
@klobucar
Copy link
Author

klobucar commented Oct 5, 2024

The audit breaks in other projects I work on, however can be illustrated here when run in the project as well.

There is more stuff, but that is only developer dependencies. It would be good to clean that up though just to make the audit report everything is clean. Can populate that in a different PR.

$ npm audit
<outputs of dev deps truncated>
cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cookie

@uss-makenzie
Copy link

thanks @klobucar. Could we get this reviewed?

@nicoalonsop
Copy link

Would it be possible to release this in version 3.5.1, as it addresses a security-related issue?

https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060
https://www.cve.org/CVERecord?id=CVE-2024-47764

Also, there are new versions of cookie, 0.7.2, 1.0.0 and 1.0.1 happy to help by creating a PR with any of those versions.
https://github.com/jshttp/cookie/releases

@tusharpandey13
Copy link
Contributor

LGTM
@nicoalonsop sure, please go ahead and create a PR for later versions of cookie.
@klobucar thanks, a PR would be helpful 👍
Meanwhile, we will see if we can make a minor release of NextJS SDK for these.

@klobucar
Copy link
Author

Some of these checks are failing in really interesting ways.

Test Suites: 61 passed, 61 total
Tests:       704 passed, 704 total
Snapshots:   0 total
Time:        57.367 s
Ran all test suites matching /tests/i in 2 projects.
Error: Process completed with exit code 1.

@uss-makenzie
Copy link

@tusharpandey13 some of these tests seem to be failing due to missing api keys or other infrastructural issues, can we get these looked at?

@klobucar
Copy link
Author

yeah, that would be great. I also updated the branch from latest main.

Thanks!

@klobucar
Copy link
Author

klobucar commented Nov 13, 2024

please re-approve @tusharpandey13

@tusharpandey13
Copy link
Contributor

Hi @klobucar, I have approved the file changes as they look fine.

@pocesar
Copy link

pocesar commented Nov 22, 2024

can we get this merged and released? doesn't feel safe to ignore npm audit neither using overrides in package.json, is the API the same?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants