Sitecore / jss

Software development kit for JavaScript developers building web applications with Sitecore Experience Platform
https://jss.sitecore.com
Apache License 2.0

New vulnerability reported from npm audit #1943

Open jamesryan-dev opened 1 week ago

jamesryan-dev commented 1 week ago

Describe the Bug

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisor
fix available via `npm audit fix --force`
Will install @sitecore-jss/sitecore-jss-cli@15.0.3, which is a breaking change

node_modules/cookie
node_modules/next-auth/node_modules/cookie
  express  >=3.0.0-alpha1
  Depends on vulnerable versions of cookie
  node_modules/express
  next-auth  <=0.0.0-pr.11562.ed0fce23 || 4.0.0-beta.1 - 4.0.0-beta.7 || 4.0.1 - 4.24.8
  Depends on vulnerable versions of cookie
  node_modules/next-auth
  universal-cookie  *
  Depends on vulnerable versions of cookie
  node_modules/universal-cookie

I have checked the latest release notes and none of the recent work within v22 has addressed this.

To Reproduce

Use v22

"@sitecore-jss/sitecore-jss": "^22.0.0",
"@sitecore-jss/sitecore-jss-cli": "^22.0.0",
"@sitecore-jss/sitecore-jss-dev-tools": "^22.0.0",

Run npm audit

Observe vulnerability logs

Expected Behavior

No vulnerabilities reported

Possible Fix

No response

Provide environment information

yavorsk commented 1 week ago

hey @jamesryan-dev thanks for submitting this :) I tested with the latest JSS Next.js app and I got cookie v0.7.1, so I don't see the mentioned vulnerability. Can you give me some more details on what kind of app and version you are seeing this with? thanks!