Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cookie@0.5.0 triggers npm audit #4361

Closed
y-nk opened this issue Dec 12, 2024 · 1 comment
Closed

cookie@0.5.0 triggers npm audit #4361

y-nk opened this issue Dec 12, 2024 · 1 comment
Labels
community triage

Comments

@y-nk
Copy link

y-nk commented Dec 12, 2024

when running pnpm audit on a codebase which has this package installed:

telemetry(main): pnpm why cookie
Legend: production dependency, optional only, dev only

telemetry@2.6.0 /{REDACTED}

dependencies:
elastic-apm-node 3.52.2
└── cookie 0.5.0

telemetry(main): pnpm audit

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ cookie accepts cookie name, path, and domain with out  │
│                     │ of bounds characters                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cookie                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.7.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.7.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > elastic-apm-node@3.52.2 > cookie@0.5.0             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-pxg6-pf52-xh8x      │
└─────────────────────┴────────────────────────────────────────────────────────┘

It's a low vulnerability, so priority is low, but that'd be nice if it could be updated.

Thank you for reading
@y-nk
Copy link
Author

y-nk commented Dec 12, 2024
edited
Loading

will close in favor of upgrading to v4

@y-nk y-nk closed this as completed Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
community triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@y-nk