search

vvo / iron-session

🛠 Secure, stateless, and cookie-based session library for JavaScript
https://get-iron-session.vercel.app
MIT License
3.65k stars 251 forks source link

fix(deps): update dependency cookie to v0.7.0 [security] #856

Open renovate[bot] opened 3 weeks ago

renovate[bot] commented 3 weeks ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
cookie 0.6.0 -> 0.7.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-47764

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

Release Notes

jshttp/cookie (cookie) ### [`v0.7.0`](https://redirect.github.com/jshttp/cookie/releases/tag/v0.7.0): 0.7.0 [Compare Source](https://redirect.github.com/jshttp/cookie/compare/v0.6.0...v0.7.0) - perf: parse cookies ~10% faster ([#​144](https://redirect.github.com/jshttp/cookie/issues/144) by [@​kurtextrem](https://redirect.github.com/kurtextrem) and [#​170](https://redirect.github.com/jshttp/cookie/issues/170)) - fix: narrow the validation of cookies to match RFC6265 ([#​167](https://redirect.github.com/jshttp/cookie/issues/167) by [@​bewinsnw](https://redirect.github.com/bewinsnw)) - fix: add `main` to `package.json` for rspack ([#​166](https://redirect.github.com/jshttp/cookie/issues/166) by [@​proudparrot2](https://redirect.github.com/proudparrot2))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.

vercel[bot] commented 3 weeks ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
iron-session ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 27, 2024 3:39am
CesarIb commented 2 weeks ago

Hi, is possible to merge this?, Im using iron-session as dependency but Im getting security alerts for vulnerability in the current version of cookie