UlisesGascon
commented
1 week ago @hello-alf if you are using Express... we are going to release a new version soon with the updated version included. See: https://github.com/expressjs/express/pull/6017
Open hello-alf opened 1 week ago
UlisesGascon
commented
1 week ago @hello-alf if you are using Express... we are going to release a new version soon with the updated version included. See: https://github.com/expressjs/express/pull/6017
knolleary
commented
1 week ago @UlisesGascon can you clarify if doing the express release will also cause this repo to have its dependency updated and released?
We depend on both express and express-session - which both currently depend on cookie 0.6.0. Having a new release of express will be great, but we need express-session updating as well.
UlisesGascon
commented
1 week ago My fault, you are right @knolleary. We need to update cookie version in this repo too. Are willing to create the PR, @knolleary ? :+1:
knolleary
commented
1 week ago @UlisesGascon https://github.com/expressjs/session/pull/997 - hope I've follow the right conventions for the HISTORY file update.
UlisesGascon
commented
1 week ago This will be solve once 1.1.18 is released https://github.com/expressjs/session/pull/998
According to Github https://github.com/advisories/GHSA-pxg6-pf52-xh8x accepts cookie name, path, and domain with out of bounds characters
The solution to resolve the npm audit failure is to upgrade the cookie dependency from version 0.6.0 to version 0.7.0. This update addresses the security vulnerabilities identified in the audit.