[Security] Bump cookie and express
Bumps cookie to 0.7.1 and updates ancestor dependency express. These dependencies need to be updated together.
Updates `cookie` from 0.6.0 to 0.7.1. This update includes a security fix.
Vulnerabilities fixed

cookie accepts cookie name, path, and domain with out of bounds characters

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example,

```js
serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value)
```

would result in `"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test"`, setting the `userName` cookie to `<script>` and ignoring `value`.

A similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.

Workarounds

Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application instead of user input.

References

Patched versions: 0.7.0
Affected versions: < 0.7.0
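The escape the advisory describes, as an added example that is not code from the `cookie` package: a minimal Set-Cookie serializer in a loose variant (name, path and domain only have to be printable, which is the pre-0.7.0 behaviour) and a strict variant that checks each field against its own RFC 6265 production, plus a small parser showing what a user agent makes of the injected header. The regexes are this example's own approximations of the RFC grammar, and `INJECTED_PATH` is a constructed input; neither comes from the library.

```javascript
// Added example, not cookie's own code. serializeLoose() reproduces the
// advisory's behaviour; serializeStrict() is a hardened stand-in; the
// regexes are approximations of RFC 6265 written for this example.

// cookie-name is a token: printable ASCII minus separators such as ';' '=' ' ' '<' '>'.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// path-value: printable ASCII except ';' (0x3B).
const PATH_VALUE_RE = /^[\u0020-\u003A\u003D-\u007E]*$/;
// domain-value: dot-separated labels, with the leading dot that 0.7.1 allows.
const DOMAIN_VALUE_RE =
  /^\.?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/;
// The loose check: any printable byte, so ';' and '=' pass straight through.
const LOOSE_RE = /^[\u0009\u0020-\u007E\u0080-\u00FF]+$/;

function buildHeader(name, value, opts) {
  let header = name + '=' + encodeURIComponent(value);
  if (opts.maxAge !== undefined) header += '; Max-Age=' + Math.floor(opts.maxAge);
  if (opts.domain !== undefined) header += '; Domain=' + opts.domain;
  if (opts.path !== undefined) header += '; Path=' + opts.path;
  if (opts.httpOnly) header += '; HttpOnly';
  if (opts.secure) header += '; Secure';
  return header;
}

// Vulnerable variant: name, path and domain only have to be printable.
function serializeLoose(name, value, opts = {}) {
  if (!LOOSE_RE.test(name)) throw new TypeError('argument name is invalid');
  if (opts.path !== undefined && !LOOSE_RE.test(opts.path)) throw new TypeError('option path is invalid');
  if (opts.domain !== undefined && !LOOSE_RE.test(opts.domain)) throw new TypeError('option domain is invalid');
  return buildHeader(name, value, opts);
}

// Hardened variant: a ';' or '=' smuggled into name, path or domain is
// rejected instead of being emitted into the header.
function serializeStrict(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError('argument name is invalid');
  if (opts.path !== undefined && !PATH_VALUE_RE.test(opts.path)) throw new TypeError('option path is invalid');
  if (opts.domain !== undefined && !DOMAIN_VALUE_RE.test(opts.domain)) throw new TypeError('option domain is invalid');
  return buildHeader(name, value, opts);
}

// What a user agent makes of a Set-Cookie line: the first '=' pair is the
// cookie, everything after a ';' is an attribute.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    if (i === -1) cookie.attributes[attr] = true;
    else cookie.attributes[attr.slice(0, i)] = attr.slice(i + 1);
  }
  return cookie;
}

// Constructed inputs: the name from the advisory, and a path that uses the
// same trick to add a Domain attribute the application never set.
const INJECTED_NAME = "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a";
const INJECTED_PATH = '/; Domain=example.com';

function demo() {
  const loose = serializeLoose(INJECTED_NAME, 'test');
  const seenByBrowser = parseSetCookie(loose);
  const loosePath = serializeLoose('userName', 'test', { path: INJECTED_PATH });
  const errors = {};
  for (const [label, fn] of [
    ['name', () => serializeStrict(INJECTED_NAME, 'test')],
    ['path', () => serializeStrict('userName', 'test', { path: INJECTED_PATH })],
  ]) {
    try { fn(); errors[label] = null; } catch (e) { errors[label] = e.message; }
  }
  // A well-formed cookie, with the leading-dot domain 0.7.1 accepts, still serializes.
  const ok = serializeStrict('sid', 'abc 123', { domain: '.example.com', path: '/', httpOnly: true, secure: true });
  return { loose, seenByBrowser, loosePath, errors, ok };
}

console.log(demo());
```

Running `demo()` shows the loose serializer emitting the advisory's header, which a user agent reads as a cookie named `userName` with a `<script>` value and a `Max-Age` the application never set, while the strict serializer throws on both the name and the path and still accepts a normal cookie with a leading-dot domain.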
Release notes

Sourced from cookie's releases.

0.7.1

Fixed
- Allow leading dot for domain (#174)
  - Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
- Add fast path for `serialize` without options, use `obj.hasOwnProperty` when parsing (#172)

https://github.com/jshttp/cookie/compare/v0.7.0...v0.7.1

0.7.0
- perf: parse cookies ~10% faster (#144 by @kurtextrem and #170)
- fix: narrow the validation of cookies to match RFC6265 (#167 by @bewinsnw)
- fix: add `main` to `package.json` for rspack (#166 by @proudparrot2)
Commits
- cf4658f 0.7.1
- 6a8b8f5 Allow leading dot for domain (#174)
- 58015c0 Remove more code and perf wins (#172)
- ab057d6 0.7.0
- 5f02ca8 Migrate history to GitHub releases
- a5d591c Migrate history to GitHub releases
- 51968f9 Skip isNaN
- 9e7ca51 perf(parse): cache length, return early (#144)
- d6f39b0 Fix tests for old node
- 6bb701f Remove failing scorecard
- Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.
Updates `express` from 5.0.0 to 5.0.1
Release notes

Sourced from express's releases.

5.0.1

What's Changed
- remove --bail from test script by @jonchurch in expressjs/express#5962
- Nominate @bjohansebas to the triage team by @UlisesGascon in expressjs/express#6009
- Link and update captains by @blakeembrey in expressjs/express#6013
- Update `cookie` semver lock to address CVE-2024-47764 by @joshbuker in expressjs/express#6017
- Release: 5.0.1 by @UlisesGascon in expressjs/express#6032

Full Changelog: https://github.com/expressjs/express/compare/v5.0.0...5.0.1
Changelog

Sourced from express's changelog.

5.0.1 / 2024-10-08
- Update `cookie` semver lock to address CVE-2024-47764
Commits
- d14b2de 5.0.1
- 2027b87 fix(deps): cookie@0.7.0
- 2cbf227 Link and update captains (#6013)
- 3e1a1ce Add @bjohansebas to the triage team (#6009)
- 6340d15 remove --bail from test script (#5962)
- See full diff in compare view
Dependabot commands

You can trigger Dependabot actions by commenting on this MR:
- `$dependabot recreate` will recreate this MR, rewriting all the manual changes and resolving conflicts