Vulnerability
express-session, even in the latest v1.18.0, is still using cookie-signature v1.0.7, which is over a year old and has a 'sha1' vulnerability: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
Problem
In my project this has been reported for over 5 months, since the latest change in this package, but no newer version has come out yet to fix this vulnerability.
Solution
Upgrade the dependency on cookie-signature to a newer version, ideally 1.2.1, where it changes the old sha1 standard to the much more secure and updated sha256.
Notes
This is my first time posting an issue here so if I'm missing something please let me know :)