CVE-2024-47764 vulnerability from the cookie package (#2308)
Comments
Hi, @jamescrowley. Thanks for raising this. So the issue is that
Does it finally ship as proper ESM? I will have to take a look, it would be great to drop the wrapper if that's the case.
@kettanaito they've decided to remain CJS only, but it appears to work fine with your setup. I just did a quick PoC here, removing the bundled ES module. Appears to lint & build fine (but haven't checked further than that). I only upgraded to 0.7.2 as 1.0.0 has a breaking signature change.
Thanks! I gave it a try in #2321, and it looks good so far. Will wait for the CI results and then proceed with publishing it.
Yeah, so The effort already exists: bundled-es-modules/cookie#3
Hi, 👋 Thanks for the hard work on the fix! 🙏 Will the I couldn't find any information on the backporting policy. Apologies if this is not the right place to ask. Thanks again!
Hi, @domon-envato. This is absolutely the right place to ask. We support the backports for security vulnerabilities based on the time availability. We are also welcoming contributors to open pull requests to ship those backports, if the matter is time-pressing. MSW v1 doesn't depend on Backports also release automatically to NPM as soon as they are merged under the I need to add a decision document about backports 👍 Would you be interested in seeing this one through? I will share a more detailed instruction in the decision document later today, hopefully.
Hello, what is the status of this? Thank you
@TannerS, you can find the latest status on the PR, always: #2312 (comment). Looks like we are blocked by the dependency where the fix has been merged but wasn't yet released. I tried moving this in-house but don't have the capacity right now (and that's likely not a good idea anyway). The sad reality of not publishing ESM in 2024.
Thanks for the update, I am still learning but interested in understanding what you mean by :D
Could it make sense to consider swapping from
At this point, it's what, like 5 functions and maybe 100 lines of code? I would just make it native to msw and cut the dependency. The update lag time of this with a CVE is not good. Node itself is moving faster.
2.0.1 of
@curtdept, I wouldn't replicate packages, especially those that are getting CVE reports. The issue is not in I've got some good feedback from the Node.js folks behind
Released: v2.6.2 🎉 This has been released in v2.6.2! Make sure to always update to the latest version ( Predictable release automation by @ossjs/release.
Would you consider dropping it for a different package? https://github.com/unjs/cookie-es This is a fork that has been maintained for several years, has ~1 million weekly downloads vs the wrapper's ~2 million. Unfortunately the jshttp/cookie seems to be in a committed exclusive relationship with cjs.
@kettanaito As a rebuttal, in a way, the issue is cookie because it requires this heavily lagged, generated wrapper due to lack of esm support. The above seems to be a worthy maintained alternative.
Sounds good to me. Pull requests are welcome!
Prerequisites
Environment check
msw version
Browsers
No response
Reproduction repository
https://github.com/boxwise/boxtribute
Reproduction steps
The latest msw release (<= 2.4.9) has a transient dependency on several versions of the cookie library that are < 7.0.0, which has a vulnerability (GHSA-pxg6-pf52-xh8x).
Current behavior
You are referencing it via:
- @bundled-es-modules/cookie@2.0.0, which has not been updated (wrapper appears stale - may be possible to just reference cookie directly now?)
- engine.io@6.5.4, which has an open PR to fix: chore(deps): update cookie to 0.7.2 socketio/socket.io#5205

While it's unlikely to impact msw given your use-case, it will force the dependency to a lower version for others that use it in production-facing code.
Expected behavior
No security warnings