
chore: revert cookie upgrade #12767

Merged
merged 2 commits into from
Oct 7, 2024

Conversation

eltigerchino
Member

@eltigerchino eltigerchino commented Oct 7, 2024

Reverts #12746. The major version contains a breaking change where : characters are no longer allowed in cookie names.



changeset-bot bot commented Oct 7, 2024

🦋 Changeset detected

Latest commit: 7fd5434

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

  • @sveltejs/kit: Patch


@dummdidumm dummdidumm merged commit 809983f into main Oct 7, 2024
13 checks passed
@dummdidumm dummdidumm deleted the revert-cookie branch October 7, 2024 16:03
@github-actions github-actions bot mentioned this pull request Oct 7, 2024
@hyunbinseo
Contributor

For additional context, there is a CVE-2024-47764 regarding cookie@0.6.

To fix this, the cookie validation has been narrowed:

It is considered a fix: in the CHANGELOG, but it is probably a BREAKING one.

Hence the version bump from 0.6 to 0.7.


Question is, would we have to wait for SvelteKit v3 for cookie@0.7 bump?

People will be receiving GitHub security alert digest emails regarding this:

Known security vulnerabilities detected

  • Dependency: cookie
  • Version: < 0.7.0
  • Upgrade to ~> 0.7.0

@eltigerchino
Member Author

Hi @hyunbinseo, we're aware of this and looking into it. It's quite likely users will need to upgrade cookie themselves in the meantime, and we can only upgrade cookie in kit v3.

@notramo

notramo commented Oct 9, 2024

@eltigerchino, how do I update manually? I don't have any cookies with : names in my projects, so the newer version wouldn't break it.

@Conduitry
Member

You can use the override feature of your package manager.

https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
https://pnpm.io/package_json#pnpmoverrides
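Before pinning cookie@0.7 through an override, it is worth knowing which cookie names in a project would start being rejected, which is the question raised above. The audit below is an added example, not code from SvelteKit or the cookie package; it assumes that the narrowed validation in cookie@0.7 accepts only the RFC 6265 token character set (which excludes : as well as the separators the CVE fix concerns), and the sample names are constructed.

```javascript
// Added example (not SvelteKit or cookie code). Assumption: cookie@0.7 checks
// cookie names against the RFC 6265 "token" grammar (RFC 7230 tchar). That set
// excludes ':' (the breaking change discussed in this PR) and also ';', '=',
// and whitespace, which is what makes the narrowing a security fix.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

/** True if `name` is a non-empty RFC 6265 cookie-name token. */
function isValidCookieName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

/** Distinct characters of `name` that fall outside the token grammar. */
function invalidCharacters(name) {
  const bad = new Set();
  for (const ch of name) {
    if (!TOKEN_RE.test(ch)) bad.add(ch);
  }
  return [...bad];
}

/**
 * Audit cookie names an app sets (e.g. collected from its cookies.set()
 * calls) and report those the stricter validation would reject, together
 * with the offending characters so each one can be renamed before upgrading.
 */
function auditCookieNames(names) {
  return names
    .filter((n) => !isValidCookieName(n))
    .map((n) => ({ name: n, invalid: invalidCharacters(n) }));
}

// Constructed sample: cookie names as an application might set them.
const SAMPLE_NAMES = ['session', 'auth:token', 'prefs.theme', 'user=1', 'csrf token'];

// Reports auth:token, user=1 and "csrf token"; session and prefs.theme pass.
console.log(auditCookieNames(SAMPLE_NAMES));
```

Run it against the real list of names a project sets; an empty result means the override can be applied without renaming any cookies.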

kyle-leonhard added a commit to kosolabs/koso that referenced this pull request Oct 11, 2024
Svelte kit reverted the upgrade in sveltejs/kit#12767
@hyunbinseo
Contributor

It's quite likely users will need to upgrade cookie themselves in the meantime and we can only upgrade cookie in kit v3

This seems to be official:

Need to tell anyone who is setting invalid name to stop so that we can upgrade cookie library in Kit 3.0
