[Security] Bump cookie and express

Bumps cookie to 0.7.1 and updates ancestor dependency express. These dependencies need to be updated together.

Updates cookie from 0.6.0 to 0.7.1 This update includes a security fix.

Vulnerabilities fixed

cookie accepts cookie name, path, and domain with out of bounds characters

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

• jshttp/cookie#167

Patched versions: 0.7.0 Affected versions: < 0.7.0

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

https://github.com/jshttp/cookie/compare/v0.7.0...v0.7.1

0.7.0

• perf: parse cookies dependencies% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

https://github.com/jshttp/cookie/compare/v0.6.0...v0.7.0

Commits

• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• d6f39b0 Fix tests for old node
• 6bb701f Remove failing scorecard
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates express from 5.0.0 to 5.0.1

Release notes

Sourced from express's releases.

5.0.1

What's Changed

• remove --bail from test script by @​jonchurch in expressjs/express#5962
• Nominate @​bjohansebas to the triage team by @​UlisesGascon in expressjs/express#6009
• Link and update captains by @​blakeembrey in expressjs/express#6013
• Update cookie semver lock to address CVE-2024-47764 by @​joshbuker in expressjs/express#6017
• Release: 5.0.1 by @​UlisesGascon in expressjs/express#6032

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0...5.0.1

Changelog

Sourced from express's changelog.

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

Commits

• d14b2de 5.0.1
• 2027b87 fix(deps): cookie@0.7.0
• 2cbf227 Link and update captains (#6013)
• 3e1a1ce Add @​bjohansebas to the triage team (#6009)
• 6340d15 remove --bail from test script (#5962)
• See full diff in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts