Update cookie semver lock to address CVE-2024-47764
#6017
Conversation
Per CVE-2024-47764 (GHSA-pxg6-pf52-xh8x), versions `< 0.7.0` of `cookie` have a low severity vulnerability. Because express uses a strict semver lock of `0.6.0` this will cause downstream projects to pull a vulnerable version of cookie unless they explicitly overwrite the resolution in their `package.json` with: ```json "resolutions": { "cookie": ">= 0.7.0" }, ``` Updating the semver to `^0.7.1` to both resolve the vulnerability and allow backwards compatible updates in the future.
We can remove the resolutions thing from package.json once my PR to express gets merged: expressjs/express#6017
|
This PR fixes #6019 |
|
Should be no breaking changes https://github.com/jshttp/cookie/releases @wesleytodd , please review |
|
@bjohansebas Updated the history file. If it doesn't look quite right, or you'd like to make other changes, maintainer edits on the PR are enabled. Thanks! |
|
I'm conscious that this is against the v5 branch which isn't actually released and even if it was I have the bandwidth for doing a PR to the v4 branch if that is the process |
|
This PR targets |
|
sorry I meant released as the latest version - I thought it was still in the final beta period which is why it's not tagged as
Either way I think it's going to be a long time until the rest of the ecosystem has caught up given that v5 requires a min. of Node v18 and how widespread its usage is, so it'd still be very useful to have it backported to v4. |
I agree. No doubt. |
|
I will prepare a release today/tomorrow that includes this PR and other things. @joshbuker are you willing to create another PR targeting branch |
|
Will this also update express-session's version of cookie that is used? |
Please when a new patch will be realeased in v4.21 ? |
|
Would love to see it landed to 4.x branch too (and released). |
|
Sure, I can create a PR for the 4.x branch as well. Thanks for the ping @UlisesGascon, @kurt-apple. Edit: Created #6029 |
For details, see: expressjs#6017 (comment)
|
@UlisesGascon @blakeembrey I think we should use I can provide a PR! if you agree? |
|
@shivam-sharma7 thanks for the proposition, feel free to create a PR for this 👍 |
|
Upgrading to 1.0.0 would have breaking changes and would be better for an Express 6 release, since 5 is already released. |
|
@blakeembrey and @UlisesGascon Thanks for suggetion. Let's keep track in issue or ... ? |
|
My take:
The breaking change of 1.0.0 is because it only supports node.js 18+ like express 5 only supports node.js 18+. My two cents. |
I also did't understand this. |
|
It's definitely not just the node version, the release notes are here: https://github.com/jshttp/cookie/releases/tag/v1.0.0 Please don't just bump things without checking release notes for breaking changes. |
Probably an issue or PR that we should tag with "express 6", I don't think there's a dev branch for it yet to target. |
It would be easier if you could mark some of those changes as breaking, @blakeembrey
|
|
Understandable, the entire section called "Changed" is breaking changes, is there a preferred title you use? Usually a major version implies breaking changes, so I haven't had this be an issue before. |
Yeah, I think we should have a branch for |
Per CVE-2024-47764 (GHSA-pxg6-pf52-xh8x), versions
< 0.7.0ofcookiehave a low severity vulnerability.Because express uses a strict semver lock of
0.6.0this will cause downstream projects to pull a vulnerable version of cookie unless they explicitly overwrite the resolution in theirpackage.jsonwith:Updating the semver to
^0.7.1to both resolve the vulnerability and allow backwards compatible updates in the future.Fixes #6019