Audit vulnerabilities in grant@5.4.23 (cookie@0.6.0, jwk-to-pem@2.0.6) #314

globalexport opened this issue Oct 21, 2024 · 3 comments

@globalexport

❯ pnpm audit
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ cookie accepts cookie name, path, and domain with out  │
│                     │ of bounds characters                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cookie                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.7.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.7.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > grant@5.4.23 > cookie@0.6.0                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-pxg6-pf52-xh8x      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Valid ECDSA signatures erroneously rejected in         │
│                     │ Elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.5.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > grant@5.4.23 > jwk-to-pem@2.0.6 > elliptic@6.5.7   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fc9h-whq2-v747      │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found
Severity: 2 low
@globalexport globalexport changed the title Audit vulerabilities in grant@5.4.23 (cookie@0.6.0, jwk-to-pem@2.0.6) Audit vulnerabilities in grant@5.4.23 (cookie@0.6.0, jwk-to-pem@2.0.6) Oct 21, 2024
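
The first finding above (GHSA-pxg6-pf52-xh8x: cookie below 0.7.0 accepts a name, path and domain containing out-of-bounds characters) is easiest to see next to a serializer. What follows is an added example written for this page, not cookie's source and not grant's code: `serializeLoose` mirrors the pre-0.7.0 style of check, a single "printable characters" test that still lets `;` and `=` through, and `serializeStrict` validates each field against its own grammar. The regexes are this example's own approximations of RFC 6265 (token for the name, no `;` in a path, hostname labels for a domain), and `HOSTILE_NAME` is a constructed input.

```javascript
// Added example for this thread, not cookie's source: a permissive serializer
// that mirrors the pre-0.7.0 style of check next to a strict one. The regexes
// are this example's own approximations of the relevant RFC 6265 grammar.

// Pre-0.7.0 style: one "printable characters" test for every field. It lets
// ';' and '=' through, and those are the delimiters of the Set-Cookie grammar.
const FIELD_CONTENT = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;

function serializeLoose(name, value, opts = {}) {
  if (!FIELD_CONTENT.test(name)) throw new TypeError('argument name is invalid');
  const enc = encodeURIComponent(value); // the value is escaped, the name is not
  if (enc && !FIELD_CONTENT.test(enc)) throw new TypeError('argument val is invalid');
  let str = `${name}=${enc}`;
  if (opts.domain) {
    if (!FIELD_CONTENT.test(opts.domain)) throw new TypeError('option domain is invalid');
    str += `; Domain=${opts.domain}`;
  }
  if (opts.path) {
    if (!FIELD_CONTENT.test(opts.path)) throw new TypeError('option path is invalid');
    str += `; Path=${opts.path}`;
  }
  return str;
}

// Hardened: each field gets the grammar it is supposed to have.
//  - name:   RFC 6265 token (no separators such as ';', '=', ',', whitespace)
//  - path:   any printable ASCII except ';'
//  - domain: dotted hostname labels only
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const PATH_VALUE = /^[\u0020-\u003a\u003c-\u007e]*$/;
const DOMAIN_VALUE = /^\.?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function serializeStrict(name, value, opts = {}) {
  if (!COOKIE_NAME.test(name)) throw new TypeError('argument name is invalid');
  const enc = encodeURIComponent(value);
  if (enc && !FIELD_CONTENT.test(enc)) throw new TypeError('argument val is invalid');
  let str = `${name}=${enc}`;
  if (opts.domain) {
    if (!DOMAIN_VALUE.test(opts.domain)) throw new TypeError('option domain is invalid');
    str += `; Domain=${opts.domain}`;
  }
  if (opts.path) {
    if (!PATH_VALUE.test(opts.path)) throw new TypeError('option path is invalid');
    str += `; Path=${opts.path}`;
  }
  return str;
}

// Constructed hostile input: a cookie name that carries its own '=' and ';',
// so the loose serializer emits a different cookie with an attacker-chosen
// Max-Age, and the caller's value lands in a throwaway cookie named "a".
const HOSTILE_NAME = "userName=<script>alert(1)</script>; Max-Age=2592000; a";

// Same input through both serializers; returns what each one did.
function compare() {
  const loose = serializeLoose(HOSTILE_NAME, 'test');
  let strictError = null;
  try {
    serializeStrict(HOSTILE_NAME, 'test');
  } catch (e) {
    strictError = e.message;
  }
  return { loose, strictError };
}

console.log(compare());
```

Run it with `node`. The loose output shows the mechanism: `;` and `=` inside a name or path let whoever controls that string append or override attributes such as Max-Age or Domain, so even when the cookie name comes from configuration rather than from a request, validating it is what keeps a config value from becoming an injection. Upgrading to cookie@0.7.0 or later is the fix the audit points at; this only shows what the upgrade changes.
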
@simov
Owner

simov commented Oct 21, 2024

Thanks for the report, I just checked that myself.

For the cookie package I do see that there is a new version not covered by the caret range on a 0.x release, obviously; but for the jwk-to-pem package I'm actually surprised that it is still being listed as vulnerable, since that issue got fixed in elliptic v6.5.7 (indutny/elliptic#317) and then updated in jwk-to-pem v2.0.6 (Brightspace/node-jwk-to-pem#189).

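On the caret point in the comment above, here is an added example (not the semver package, and not code from grant) of the caret rule node-semver applies to plain X.Y.Z versions, which is why a `^0.x` range never advances across a minor bump. It assumes grant declares cookie with a range such as `"cookie": "^0.6.0"`, which the thread does not show; `COOKIE_PUBLISHED` is a constructed version list.

```javascript
// Added example, not the semver package: the caret rule for plain X.Y.Z
// versions as node-semver defines it, applied to the audit's "patched" floor.
// It assumes grant declares its dependency with a caret range such as
// "cookie": "^0.6.0" (an assumption; the thread does not show package.json).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a plain X.Y.Z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// ^X.Y.Z allows changes that do not modify the leftmost non-zero component:
//   ^1.2.3 -> >=1.2.3 <2.0.0
//   ^0.2.3 -> >=0.2.3 <0.3.0   (below 1.0 the minor is the "breaking" digit)
//   ^0.0.3 -> >=0.0.3 <0.0.4
function caretBounds(rangeText) {
  if (!rangeText.startsWith('^')) throw new TypeError(`expected a caret range, got ${rangeText}`);
  const lower = parseVersion(rangeText.slice(1));
  const [major, minor, patch] = lower;
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { lower, upper }; // lower inclusive, upper exclusive
}

function satisfies(rangeText, version) {
  const { lower, upper } = caretBounds(rangeText);
  const v = parseVersion(version);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// What a resolver picks: the highest published version inside the range,
// or null when nothing matches.
function resolveHighest(rangeText, published) {
  const matching = published.filter((v) => satisfies(rangeText, v));
  if (matching.length === 0) return null;
  matching.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return matching[matching.length - 1];
}

// Constructed version list for the demonstration; the registry has more.
const COOKIE_PUBLISHED = ['0.5.0', '0.6.0', '0.7.0', '0.7.1', '0.7.2'];

console.log('^0.6.0 reaches 0.7.0:', satisfies('^0.6.0', '0.7.0'));
console.log('^0.6.0 resolves to:', resolveHighest('^0.6.0', COOKIE_PUBLISHED));
console.log('^0.7.0 resolves to:', resolveHighest('^0.7.0', COOKIE_PUBLISHED));
```

`resolveHighest('^0.6.0', ...)` stays on 0.6.0 even though 0.7.x is published, so this audit finding only clears when the declared range itself is bumped, or when the consuming project forces the version (pnpm supports a `pnpm.overrides` field in package.json for that). For elliptic the audit lists no patched version at all (`<0.0.0`), so no range change helps until a fixed release exists.
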
@globalexport
Author

Hi @simov!

I am confused, too. There was another approval 12 hours ago. Looks like it did not make it into the release? indutny/elliptic#317 (review)

@simov
Owner

simov commented Oct 25, 2024

Oh, there is another one, indutny/elliptic#322; now it makes sense, though it's not patched yet.
