cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisor
fix available via `npm audit fix --force`
Will install @sitecore-jss/[email protected], which is a breaking change
node_modules/cookie
node_modules/next-auth/node_modules/cookie
express >=3.0.0-alpha1
Depends on vulnerable versions of cookie
node_modules/express
next-auth <=0.0.0-pr.11562.ed0fce23 || 4.0.0-beta.1 - 4.0.0-beta.7 || 4.0.1 - 4.24.8
Depends on vulnerable versions of cookie
node_modules/next-auth
universal-cookie *
Depends on vulnerable versions of cookie
node_modules/universal-cookie
Hey @jamesryan-dev, thanks for submitting this :)
I tested with the latest JSS nextjs app and I got cookie v0.7.1, so I don't see the mentioned vulnerability.
Can you give me some more details on what kind of app and version you are seeing this on? Thanks!
@jamesryan-dev as my colleague mentioned, JSS nextjs app uses cookie dependency with version 0.7.1 out of the box.
It seems the lower numbered vulnerable version comes from the next-auth and universal-cookie dependencies, which are not present OOB.
This dependency has been recently updated in next-auth (nextauthjs/next-auth@b3e4369), which should address your problem.
Please feel free to reach out and reopen this issue if you have more questions.
Describe the Bug
I have checked the latest release notes and none of the recent work within v22 has addressed this.
To Reproduce
Use v22
"@sitecore-jss/sitecore-jss": "^22.0.0",
"@sitecore-jss/sitecore-jss-cli": "^22.0.0",
"@sitecore-jss/sitecore-jss-dev-tools": "^22.0.0",
Run
npm audit
Observe vulnerability logs
Expected Behavior
No vulnerabilities reported
Possible Fix
No response
Provide environment information