Sitecore / jss

Software development kit for JavaScript developers building web applications with Sitecore Experience Platform
https://jss.sitecore.com
Apache License 2.0

New vulnerability reported from npm audit #1943

Closed jamesryan-dev closed 1 month ago

jamesryan-dev commented 1 month ago

Describe the Bug

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisor
fix available via `npm audit fix --force`
Will install @sitecore-jss/sitecore-jss-cli@15.0.3, which is a breaking change

node_modules/cookie
node_modules/next-auth/node_modules/cookie
  express  >=3.0.0-alpha1
  Depends on vulnerable versions of cookie
  node_modules/express
  next-auth  <=0.0.0-pr.11562.ed0fce23 || 4.0.0-beta.1 - 4.0.0-beta.7 || 4.0.1 - 4.24.8
  Depends on vulnerable versions of cookie
  node_modules/next-auth
  universal-cookie  *
  Depends on vulnerable versions of cookie
  node_modules/universal-cookie

I have checked the latest release notes and none of the recent work within v22 has addressed this

To Reproduce

Use v22

"@sitecore-jss/sitecore-jss": "^22.0.0", "@sitecore-jss/sitecore-jss-cli": "^22.0.0", "@sitecore-jss/sitecore-jss-dev-tools": "^22.0.0",

Run npm audit

Observe vulnerability logs

Expected Behavior

No vulnerabilities reported

Possible Fix

No response

Provide environment information
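The advisory quoted above concerns the `cookie` package accepting cookie names, paths and domains that contain characters outside what RFC 6265 allows, which is how a Set-Cookie header can end up carrying attacker-controlled separators. The following is an added example, not code from Sitecore JSS or from the `cookie` package itself: a small serializer that rejects such input before it reaches a response header. The character classes are taken from RFC 6265 (token for names, cookie-octet for values, no CTLs or `;` in paths, hostname characters in domains) and are my own regexes, not a copy of the library's.

```javascript
// Added example (not Sitecore JSS or `cookie` package code): a Set-Cookie
// serializer that refuses out-of-bounds characters in the name, value,
// path and domain, the class of input the advisory describes.

// RFC 6265 cookie-name is an RFC 7230 token: printable US-ASCII minus separators.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// (no CTLs, whitespace, DQUOTE, comma, semicolon or backslash).
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// path-value: any CHAR except CTLs or ";" (so CR/LF and ";" are rejected).
const PATH_VALUE_RE = /^[\x20-\x3A\x3C-\x7E]*$/;
// domain-value: dot-separated hostname labels; a leading dot is tolerated
// because RFC 6265 section 5.2.3 tells user agents to ignore it.
const DOMAIN_VALUE_RE =
  /^\.?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/;

// Build the Set-Cookie header value, throwing on any attribute that could
// smuggle an extra attribute or header into the response.
function serializeCookie(name, value, options = {}) {
  if (typeof name !== 'string' || !COOKIE_NAME_RE.test(name)) {
    throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  if (typeof value !== 'string' || !COOKIE_VALUE_RE.test(value)) {
    throw new TypeError(`invalid cookie value: ${JSON.stringify(value)}`);
  }
  let header = `${name}=${value}`;

  if (options.path !== undefined) {
    if (!PATH_VALUE_RE.test(options.path)) {
      throw new TypeError(`invalid cookie path: ${JSON.stringify(options.path)}`);
    }
    header += `; Path=${options.path}`;
  }
  if (options.domain !== undefined) {
    if (!DOMAIN_VALUE_RE.test(options.domain)) {
      throw new TypeError(`invalid cookie domain: ${JSON.stringify(options.domain)}`);
    }
    header += `; Domain=${options.domain}`;
  }
  if (options.httpOnly) header += '; HttpOnly';
  if (options.secure) header += '; Secure';
  return header;
}

// Convenience predicate: true when serializeCookie would accept the input.
function isSafeCookie(name, value, options) {
  try {
    serializeCookie(name, value, options);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// Demonstration with constructed inputs: a normal session cookie is accepted,
// a path carrying an injected attribute and a domain carrying CRLF are not.
console.log(serializeCookie('session', 'abc123', { path: '/', httpOnly: true, secure: true }));
console.log(isSafeCookie('session', 'abc123', { path: '/; Secure' }));
console.log(isSafeCookie('session', 'abc123', { domain: 'example.com\r\nSet-Cookie: evil=1' }));
```

Throwing rather than silently stripping characters is deliberate: a rejected cookie shows up as an exception in application logs, whereas a quietly truncated one is easy to miss.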

yavorsk commented 1 month ago

Hey @jamesryan-dev, thanks for submitting this :) I tested with the latest JSS Next.js app and I got cookie v0.7.1, so I don't see the mentioned vulnerability. Can you give me some more details on what kind of app and version you are seeing this with? Thanks!

art-alexeyenko commented 1 month ago

@jamesryan-dev as my colleague mentioned, the JSS Next.js app uses the cookie dependency at version 0.7.1 out of the box. It seems the lower-numbered vulnerable version comes from the next-auth and universal-cookie dependencies, which are not present OOB. This dependency has been recently updated in next-auth https://github.com/nextauthjs/next-auth/commit/b3e4369cff3e584b3254cc2689b7c9076d51c6d0 which should address your problem.

Please feel free to reach out and reopen this issue if you have more questions.
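The maintainers' point is that the vulnerable copy of `cookie` was not the one JSS installs but nested copies pulled in by next-auth and universal-cookie. As an added example (not code from the JSS project or from npm), the script below reproduces that attribution from a lockfile: it walks the `packages` map of a package-lock.json (lockfile v2/v3 layout), applies npm's nearest-`node_modules` resolution to find which copy of a package each dependent actually gets, and flags copies below a fixed version. The lockfile it reads is constructed inline for the demonstration; in practice you would `JSON.parse` the project's own `package-lock.json`.

```javascript
// Added example (not JSS project or npm code): attribute each installed copy
// of a package to the dependents that resolve to it, and flag copies below a
// fixed version. Reads the lockfile v2/v3 "packages" map.

// Constructed lockfile for the demonstration: the hoisted cookie is fixed,
// but express and next-auth each carry a nested, older copy.
const CONSTRUCTED_LOCKFILE = {
  name: 'jss-sample-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { cookie: '^0.7.1', express: '^4.19.2', 'next-auth': '^4.24.7' } },
    'node_modules/cookie': { version: '0.7.1' },
    'node_modules/express': { version: '4.19.2', dependencies: { cookie: '0.6.0' } },
    'node_modules/express/node_modules/cookie': { version: '0.6.0' },
    'node_modules/next-auth': { version: '4.24.7', dependencies: { cookie: '^0.5.0' } },
    'node_modules/next-auth/node_modules/cookie': { version: '0.5.0' },
  },
};

// Parse "major.minor.patch" (any prerelease/build suffix is ignored here).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when a < b by numeric comparison of the three components.
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// npm resolution: look for node_modules/<dep> beside fromPath, then walk up
// one node_modules level at a time until the root ('' key) is reached.
function resolveDependencyPath(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// For every package that declares pkgName as a dependency, report which
// installed copy it resolves to and whether that copy is below fixedVersion.
function auditPackage(lock, pkgName, fixedVersion) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const deps = entry.dependencies || {};
    if (!(pkgName in deps)) continue;
    const resolved = resolveDependencyPath(packages, path, pkgName);
    if (!resolved) continue; // declared but not installed (e.g. pruned optional dep)
    const installed = packages[resolved].version;
    findings.push({
      dependent: path === '' ? '(root)' : path,
      requested: deps[pkgName],
      installedPath: resolved,
      version: installed,
      vulnerable: versionLessThan(installed, fixedVersion),
    });
  }
  return findings;
}

// Human-readable report lines, similar in spirit to what `npm ls <pkg>` prints.
function formatReport(findings) {
  return findings.map((f) =>
    `${f.dependent} -> ${f.installedPath}@${f.version} (wants ${f.requested})` +
    (f.vulnerable ? '  VULNERABLE' : '')
  );
}

// Demonstration: the hoisted copy is fine; express and next-auth are the
// dependents that drag in copies below 0.7.0.
console.log(formatReport(auditPackage(CONSTRUCTED_LOCKFILE, 'cookie', '0.7.0')).join('\n'));
```

Once the dependents are known, the fix is to upgrade them (as the next-auth commit linked above does) or, where an upstream release is not yet available, to pin the transitive version with an `overrides` entry in package.json, then re-run `npm audit` to confirm the nested copies are gone.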