cookie dependency to a patched version (>=0.7.0) ?
Closed this issue · 4 comments
Bug report
| low | cookie accepts cookie name, path, and domain with out of bounds characters |
|---|---|
| Package | cookie |
| Vulnerable versions | <0.7.0 |
| Patched versions | >=0.7.0 |
| Paths | . > @supabase/ssr@0.5.1 > cookie@0.6.0 |
| More info | GHSA-pxg6-pf52-xh8x |
- [x] I confirm this is a bug with Supabase, not with my own application.
- [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
- Go to '…'
- Click on '…'
- Scroll down to '…'
- See error
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
System information
- OS: [e.g. macOS, Windows]
- Browser (if applies) [e.g. chrome, safari]
- Version of supabase-js: [e.g. 6.0.2]
- Version of Node.js: [e.g. 10.10.0]
Additional context
Add any other context about the problem here.
Hello, I was going to create an issue to report the same thing, but then I commented here instead. I have NPM telling me there is a vulnerability in @supabase/ssr:
```
# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @nuxtjs/supabase@1.2.2, which is a breaking change
node_modules/cookie
  @supabase/ssr  *
  Depends on vulnerable versions of cookie
  node_modules/@supabase/ssr
    @nuxtjs/supabase  >=1.3.1
    Depends on vulnerable versions of @supabase/ssr
    node_modules/@nuxtjs/supabase
```
Thanks for your work!
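The advisory in this thread (GHSA-pxg6-pf52-xh8x) is about cookie <0.7.0 building a Set-Cookie string from a name, path or domain that contains characters RFC 6265 does not allow in those fields. The snippet below is an added illustration, not code from the cookie package, @supabase/ssr or Supabase: a minimal serializer that validates each field against the RFC 6265 character classes before concatenating, so a stray `;` or `=` in a field is rejected instead of becoming an extra cookie attribute. The function names and the sample inputs are constructed for this example.

```javascript
// Added example: validate cookie fields before serializing them, in the
// spirit of the narrowed RFC 6265 validation that cookie >=0.7.0 performs.
// Names and inputs here are constructed for illustration.

// RFC 6265 cookie-name is an HTTP "token": printable US-ASCII without
// separators such as '=', ';', ',', whitespace or CTLs.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 6265 cookie-octet: printable US-ASCII except '"', ',', ';', '\' and space.
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// path-value / domain-value: printable US-ASCII except CTLs, space and ';'.
const ATTR_VALUE_RE = /^[\x21-\x3A\x3C-\x7E]*$/;

function assertField(label, str, re) {
  if (typeof str !== 'string' || !re.test(str)) {
    throw new TypeError(`argument ${label} is invalid`);
  }
}

// Build a Set-Cookie header value. Every field is checked first, so no
// field can append attributes ("; Path=...") or break the header line.
function serializeCookie(name, value, options = {}) {
  assertField('name', name, COOKIE_NAME_RE);
  assertField('value', value, COOKIE_VALUE_RE);
  let out = `${name}=${value}`;
  if (options.path !== undefined) {
    assertField('path', options.path, ATTR_VALUE_RE);
    out += `; Path=${options.path}`;
  }
  if (options.domain !== undefined) {
    assertField('domain', options.domain, ATTR_VALUE_RE);
    out += `; Domain=${options.domain}`;
  }
  if (options.httpOnly) out += '; HttpOnly';
  if (options.secure) out += '; Secure';
  return out;
}

// Helper for checks: true when the serializer rejects the input.
function isRejected(name, value, options) {
  try {
    serializeCookie(name, value, options);
    return false;
  } catch (e) {
    if (e instanceof TypeError) return true;
    throw e;
  }
}
```

Running `npm audit` after bumping cookie to >=0.7.0 is still the authoritative check; this example only shows the class of input the patched validation refuses.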
Merged the Release. Going to close for now but feel free to re-open if still an issue
Thank you!