Skip to content

[Security] Bump cookie and express

Dependabot requested to merge dependabot-npm_and_yarn-multi-744919c008 into master

Bumps cookie to 0.7.1 and updates ancestor dependency express. These dependencies need to be updated together.

Updates cookie from 0.6.0 to 0.7.1 This update includes a security fix.

Vulnerabilities fixed

cookie accepts cookie name, path, and domain with out of bounds characters

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

Patched versions: 0.7.0 Affected versions: < 0.7.0

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

  • Allow leading dot for domain (#174)
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

https://github.com/jshttp/cookie/compare/v0.7.0...v0.7.1

0.7.0

https://github.com/jshttp/cookie/compare/v0.6.0...v0.7.0

Commits
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.


Updates express from 5.0.0 to 5.0.1

Release notes

Sourced from express's releases.

5.0.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0...5.0.1

Changelog

Sourced from express's changelog.

5.0.1 / 2024-10-08

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading