Update dependency cookie to ^0.7.0 [SECURITY] #623

Status: Open. renovate[bot] wants to merge 1 commit into master from renovate/npm-cookie-vulnerability.
Conversation

renovate[bot] (Contributor) commented Oct 5, 2024

This PR contains the following updates:

Package | Change
cookie  | ^0.3.1 -> ^0.7.0

GitHub Vulnerability Alerts

CVE-2024-47764

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References


Release Notes

jshttp/cookie (cookie)

v0.7.0

v0.6.0

  • Add partitioned option

v0.5.0

  • Add priority option
  • Fix expires option to reject invalid dates
  • perf: improve default decode speed
  • perf: remove slow string split in parse

v0.4.2

  • perf: read value only when assigning in parse
  • perf: remove unnecessary regexp in parse

v0.4.1

  • Fix maxAge option to reject invalid values

v0.4.0

  • Add SameSite=None support

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
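The escape the advisory above describes, as an added example that is not part of this PR or of the cookie package's source: a minimal serializer in the shape of cookie's serialize(name, value, options), with a switch between a permissive field check (assumed here to mirror the pre-0.7.0 behaviour of rejecting only control bytes, so ';' and '=' pass) and stricter per-field patterns in the spirit of the 0.7.0 fix. The regular expressions, helper names and sample inputs are this example's own; check the 0.7.0 source for the exact patterns it ships.

```javascript
// Added example, not the cookie package's code. A cut-down Set-Cookie
// serializer modelled on serialize(name, value, options).

// Permissive check (assumed pre-0.7.0 style): rejects control bytes only,
// so ';' and '=' are accepted in a name, path or domain and can smuggle
// extra attributes into the header.
const PERMISSIVE_FIELD_RE = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;

// Strict checks (this example's own, in the spirit of 0.7.0): the name must
// be an RFC 6265 token, the path may not contain ';' or control bytes, and
// the domain must look like a host name.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const PATH_VALUE_RE = /^[\u0020-\u003A\u003D-\u007E]*$/;
const DOMAIN_VALUE_RE =
  /^\.?[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function serialize(name, value, options = {}, { strict = true } = {}) {
  const nameRe = strict ? COOKIE_NAME_RE : PERMISSIVE_FIELD_RE;
  const pathRe = strict ? PATH_VALUE_RE : PERMISSIVE_FIELD_RE;
  const domainRe = strict ? DOMAIN_VALUE_RE : PERMISSIVE_FIELD_RE;

  if (!nameRe.test(name)) throw new TypeError('argument name is invalid');
  let str = name + '=' + encodeURIComponent(value);

  if (options.maxAge != null) {
    const maxAge = Number(options.maxAge);
    if (!Number.isInteger(maxAge)) throw new TypeError('option maxAge is invalid');
    str += '; Max-Age=' + maxAge;
  }
  if (options.domain) {
    if (!domainRe.test(options.domain)) throw new TypeError('option domain is invalid');
    str += '; Domain=' + options.domain;
  }
  if (options.path) {
    if (!pathRe.test(options.path)) throw new TypeError('option path is invalid');
    str += '; Path=' + options.path;
  }
  if (options.httpOnly) str += '; HttpOnly';
  if (options.secure) str += '; Secure';
  return str;
}

// The advisory's payload: the "name" carries its own value, an attribute and
// a dangling key, so the caller's real value ends up attached to "a" and the
// browser stores userName=<script>... with the attacker's Max-Age.
const INJECTED_NAME = "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a";

function permissiveResult() {
  return serialize(INJECTED_NAME, 'test', {}, { strict: false });
}

// Same trick through the path option: an attacker-controlled path appends a
// Domain attribute the application never set.
function permissivePathResult() {
  return serialize('sid', 'abc', { path: '/; Domain=evil.example', httpOnly: true }, { strict: false });
}

// Returns true when the strict serializer refuses the call with a TypeError.
function strictRejects(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// A well-formed cookie passes the strict checks unchanged.
function strictBaseline() {
  return serialize('sid', 'abc', {
    path: '/', domain: 'example.com', maxAge: 3600, httpOnly: true, secure: true,
  });
}

console.log('permissive:', permissiveResult());
console.log('permissive path:', permissivePathResult());
console.log('strict rejects name:', strictRejects(() => serialize(INJECTED_NAME, 'test')));
console.log('strict baseline:', strictBaseline());
```

The permissive variant returns the header the advisory quotes; the strict variant throws on the same inputs and on `path` or `domain` values containing ';', which is the behaviour the workaround section asks applications to guarantee themselves when they cannot upgrade.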

renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 38211da to 846017d on November 11, 2024 10:26
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 846017d to 914cd56 on November 18, 2024 11:22
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 914cd56 to cba9f81 on November 19, 2024 17:15
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch 2 times, most recently from 61550b5 to 870b87e on November 20, 2024 16:15
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 870b87e to 7b8bf34 on December 2, 2024 12:54
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 7b8bf34 to 6877efc on December 2, 2024 13:37
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 6877efc to 52c07c0 on December 2, 2024 14:06
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 52c07c0 to 75e5a2e on December 2, 2024 16:20
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 75e5a2e to 6816e52 on December 6, 2024 11:01
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 6816e52 to 49d8771 on January 8, 2025 13:57
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from 49d8771 to a6df402 on January 8, 2025 16:53
renovate[bot] force-pushed the renovate/npm-cookie-vulnerability branch from a6df402 to bd49c00 on January 16, 2025 12:07