New vulnerability reported from npm audit #1943

Closed
jamesryan-dev opened this issue Oct 7, 2024 · 2 comments
@jamesryan-dev

Describe the Bug

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisor
fix available via `npm audit fix --force`
Will install @sitecore-jss/[email protected], which is a breaking change


node_modules/cookie
node_modules/next-auth/node_modules/cookie
  express  >=3.0.0-alpha1
  Depends on vulnerable versions of cookie
  node_modules/express
  next-auth  <=0.0.0-pr.11562.ed0fce23 || 4.0.0-beta.1 - 4.0.0-beta.7 || 4.0.1 - 4.24.8
  Depends on vulnerable versions of cookie
  node_modules/next-auth
  universal-cookie  *
  Depends on vulnerable versions of cookie
  node_modules/universal-cookie

I have checked the latest release notes and none of the recent work within v22 has addressed this

To Reproduce

Use v22

"@sitecore-jss/sitecore-jss": "^22.0.0",
"@sitecore-jss/sitecore-jss-cli": "^22.0.0",
"@sitecore-jss/sitecore-jss-dev-tools": "^22.0.0",

Run npm audit

Observe vulnerability logs

Expected Behavior

No vulnerabilities reported

Possible Fix

No response

Provide environment information

  • Sitecore Version: 22
  • JSS Version: 22
  • Browser Name and version: N/a
  • Operating System and version (desktop or mobile): N/a
  • Link to your project (if available): N/a
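The advisory quoted above concerns `cookie` versions before 0.7.0 accepting a cookie name, path or domain containing characters outside the RFC 6265 grammar. As an added illustration (not code from this issue or from the `cookie` package), the validator below rejects such values before they reach a `Set-Cookie` header; the two regular expressions are my own reading of the RFC's token and cookie-av rules, and `serializeStrict` is a hypothetical helper.

```javascript
// Added example, not part of the issue or the cookie package.
// RFC 2616 token characters: what a cookie *name* may consist of.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 6265 cookie-av: any CHAR except control characters or ";"
// (';' would terminate the attribute; CR/LF would start a new header).
const ATTR_VALUE_RE = /^[\u0020-\u003A\u003C-\u007E]*$/;

// Returns { ok, field, reason } so callers can log which field failed.
function validateCookieField(field, value) {
  if (typeof value !== 'string') {
    return { ok: false, field, reason: 'not a string' };
  }
  const re = field === 'name' ? TOKEN_RE : ATTR_VALUE_RE;
  if (!re.test(value)) {
    return { ok: false, field, reason: 'out-of-bounds characters' };
  }
  return { ok: true, field };
}

// Hypothetical strict serializer: validates name, path and domain first and
// throws instead of emitting a header that a browser could misparse.
function serializeStrict(name, value, opts = {}) {
  const fields = [['name', name], ['path', opts.path], ['domain', opts.domain]];
  for (const [field, v] of fields) {
    if (v === undefined) continue;
    const r = validateCookieField(field, v);
    if (!r.ok) {
      throw new TypeError(`cookie ${field} ${r.reason}: ${JSON.stringify(v)}`);
    }
  }
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.path) out += `; Path=${opts.path}`;
  if (opts.domain) out += `; Domain=${opts.domain}`;
  return out;
}
```

To find which dependency path pulls in the older `cookie` release in a project like the one reported here, `npm ls cookie` prints the full tree of dependants.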
@yavorsk
Contributor

yavorsk commented Oct 9, 2024

hey @jamesryan-dev thanks for submitting this :)
I tested with the latest JSS Next.js app and I got cookie v0.7.1, so I don't see the mentioned vulnerability.
Can you give me some more details on what kind of app and version you are seeing this with? Thanks!

@art-alexeyenko
Contributor

@jamesryan-dev as my colleague mentioned, JSS nextjs app uses cookie dependency with version 0.7.1 out of the box.
It seems the lower-numbered vulnerable version comes from the next-auth and universal-cookie dependencies, which are not present OOB.
This dependency has been recently updated in next-auth nextauthjs/next-auth@b3e4369 which should address your problem.

Please feel free to reach out and reopen this issue if you have more questions.
