supabase/ssr

cookie dependency to a patched version (>=0.7.0)?

Closed this issue · 4 comments

Bug report

│ low                 │ cookie accepts cookie name, path, and domain with out of bounds characters │
│ Package             │ cookie                                                                     │
│ Vulnerable versions │ <0.7.0                                                                     │
│ Patched versions    │ >=0.7.0                                                                    │
│ Paths               │ . > @supabase/ssr@0.5.1 > cookie@0.6.0                                     │
│ More info           │ GHSA-pxg6-pf52-xh8x                                                        │

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

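As an added example (not code from this issue or from the cookie package), this is the kind of fail-closed check that the patched versions perform: each Set-Cookie field is tested against an allowed character range before a header is built, so a stray ";" or a control character is rejected instead of being emitted into the header. The regular expressions are my approximation of the RFC 6265 grammar, not the library's exact ones, and the sample inputs are constructed.

```javascript
// Added example, not the cookie package's own code. Allowed character ranges
// are an approximation of RFC 6265 (cookie-name = token, path-value and
// domain-value = dot-separated labels); the point is that anything outside
// the range is refused rather than serialized.
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;          // token chars: no CTLs, no ";" or "="
const PATH_RE = /^[\u0020-\u003A\u003C-\u007E]*$/;          // printable ASCII except ";"
const DOMAIN_RE =
  /^\.?[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

// Returns the names of the fields that contain out-of-bounds characters.
function validateCookieFields({ name, path, domain }) {
  const problems = [];
  if (typeof name !== 'string' || !NAME_RE.test(name)) problems.push('name');
  if (path !== undefined && !PATH_RE.test(path)) problems.push('path');
  if (domain !== undefined && !DOMAIN_RE.test(domain)) problems.push('domain');
  return problems;
}

// Builds a Set-Cookie header value, throwing (as patched cookie versions do)
// when any field would carry characters outside the allowed range.
function serializeChecked(name, value, opts = {}) {
  const problems = validateCookieFields({ name, path: opts.path, domain: opts.domain });
  if (problems.length) {
    throw new TypeError(`cookie field(s) contain out-of-bounds characters: ${problems.join(', ')}`);
  }
  let header = `${name}=${encodeURIComponent(value)}`;
  if (opts.path) header += `; Path=${opts.path}`;
  if (opts.domain) header += `; Domain=${opts.domain}`;
  if (opts.httpOnly) header += '; HttpOnly';
  if (opts.secure) header += '; Secure';
  return header;
}

// Constructed samples: one well-formed set of fields, then a stray ";", a space
// and a control character, each of which an unchecked serializer would pass
// straight through into the header.
const SAMPLES = [
  { name: 'sb-session', path: '/', domain: 'example.com' },
  { name: 'sb;session', path: '/', domain: 'example.com' },
  { name: 'sb-session', path: '/app;v2', domain: 'example.com' },
  { name: 'sb-session', path: '/', domain: 'exa mple.com' },
  { name: 'sb-session', path: '/\u0007', domain: 'example.com' },
];

// Runs the validator over the samples; only the first yields an empty list.
function auditSamples(samples = SAMPLES) {
  return samples.map((s) => validateCookieFields(s));
}
```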
Hello, I was going to create an issue to report the same thing, but then I commented here instead. I have npm telling me there is a vulnerability in @supabase/ssr:

# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @nuxtjs/supabase@1.2.2, which is a breaking change
node_modules/cookie
  @supabase/ssr  *
  Depends on vulnerable versions of cookie
  node_modules/@supabase/ssr
    @nuxtjs/supabase  >=1.3.1
    Depends on vulnerable versions of @supabase/ssr
    node_modules/@nuxtjs/supabase

Thanks for your work!

@J0 This is still an issue. Can you release the current release candidate?

J0 commented

Merged the release. Going to close this for now, but feel free to re-open if it's still an issue.

Thank you!