expressjs/session

Dependency on cookie version 0.6.0 triggers an npm audit failure

Closed this issue ยท 5 comments

According to Github GHSA-pxg6-pf52-xh8x
accepts cookie name, path, and domain with out of bounds characters

The solution to resolve the npm audit failure is to upgrade the cookie dependency from version 0.6.0 to version 0.7.0. This update addresses the security vulnerabilities identified in the audit.

@hello-alf if you are using Express... we are going to release a new version soon with the updated version included. See: expressjs/express#6017

@UlisesGascon can you clarify if doing the express release will also cause this repo to have its dependency updated and released?

We depend on both express and express-session - which both currently depend on cookie 0.6.0. Having a new release of express will be great, but we need express-session updating as well.

My fault, you are right @knolleary. We need to update cookie version in this repo too. Are willing to create the PR, @knolleary ? ๐Ÿ‘

@UlisesGascon #997 - hope I've follow the right conventions for the HISTORY file update.

This will be solve once 1.1.18 is released #998