Fix dependency on vulnerable `cookie<0.7.0` #1803

spolu · 2024-11-13T10:34:00Z

The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
I have looked into the API documentation and have not found a suitable solution or answer.
I have searched the issues and have not found a suitable solution or answer.
I have searched the Auth0 Community forums and have not found a suitable solution or answer.
I agree to the terms within the Auth0 Code of Conduct.

Current version 3.5.0 depends on cookie 0.6.0 which is has a low severity vulnerability.

This is triggers Github Dependabot as well as any node library vulnerability scanning tooling. It should be an easy step

mkdir test && cd test
npm i @auth0/nextjs-auth0
npm audit fix

No response

3.5.0

N/A

v20.13.0

The text was updated successfully, but these errors were encountered:

dvdokkum · 2024-12-03T16:42:56Z

We have an SLA coming up on this... any input from the Auth0 team?

aelithron · 2024-12-03T22:35:51Z

This is also appearing for us. Auth0 team, please fix this ASAP.

zachelrath · 2024-12-11T11:40:27Z

Looks like this was addressed in this commit last week: 8fe35b4

Could the Auth0 team do a 3.x patch release to get this out ahead of the 4.x releases?

dvdokkum · 2024-12-13T20:46:37Z

@tusharpandey13 any update on the minor release referenced in this PR: #1778 (comment)

Provide feedback