
Conversation

@teemingc
Member

@teemingc teemingc commented Oct 7, 2024

Reverts #12746. The major contains a breaking change where : characters are no longer allowed in cookie names.


Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

@changeset-bot

changeset-bot bot commented Oct 7, 2024

🦋 Changeset detected

Latest commit: 7fd5434

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:
  Name: @sveltejs/kit    Type: Patch


@dummdidumm dummdidumm merged commit 809983f into main Oct 7, 2024
@dummdidumm dummdidumm deleted the revert-cookie branch October 7, 2024 16:03
@github-actions github-actions bot mentioned this pull request Oct 7, 2024
@hyunbinseo
Contributor

For additional context, there is a CVE-2024-47764 regarding [email protected].

To fix this, the cookie validation has been narrowed:

It is considered a fix: in the CHANGELOG, but it is probably a BREAKING one.

Hence the version bump from 0.6 to 0.7.


Question is, would we have to wait for SvelteKit v3 for [email protected] bump?

People will be receiving GitHub security alert digest emails regarding this:

Known security vulnerabilities detected

  • Dependency: cookie
  • Version: < 0.7.0
  • Upgrade to ~> 0.7.0

@teemingc
Member Author

teemingc commented Oct 8, 2024

Hi @hyunbinseo, we're aware of this and looking into it. It's quite likely users will need to upgrade cookie themselves in the meantime, and we can only upgrade cookie in kit v3.

@notramo

notramo commented Oct 9, 2024

@eltigerchino, how to update manually? I don't have any cookies with : names in my projects, so the newer version wouldn't break it.

@Conduitry
Member

You can use the override feature of your package manager.

https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
https://pnpm.io/package_json#pnpmoverrides
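Two things in this thread are worth seeing as code: the question of whether any of a project's own cookie names would be rejected by the stricter validation (the breaking change noted above, where names containing a colon are no longer accepted), and the package-manager override that Conduitry points to. The Node script below is an added example written for this page; it is not code from SvelteKit, from the cookie package, or from anyone in the thread. The allowed-character set is my transcription of the RFC 6265/7230 "token" grammar for cookie names, not a copy of the cookie library's own regular expression, and the sample cookie names are constructed for the demonstration.

```javascript
// Added example, not SvelteKit's or the cookie package's own code.
// Assumption: cookie 0.7.0 validates names as RFC 6265 "token" values.
// The character class below is the RFC 7230 tchar set transcribed by hand;
// it is not the library's actual regular expression.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidCookieName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

// Pre-flight audit: returns the cookie names that strict token validation
// would reject, so they can be renamed before the dependency is bumped.
function findRejectedCookieNames(names) {
  return names.filter((n) => !isValidCookieName(n));
}

// The package.json fragment that forces the transitive dependency forward.
// Both the npm "overrides" key and the pnpm "pnpm.overrides" key are shown;
// a project keeps whichever matches its package manager. "^0.7.0" satisfies
// the advisory's "upgrade to ~> 0.7.0" quoted earlier in the thread.
function buildCookieOverride(version = '^0.7.0') {
  return {
    overrides: { cookie: version },           // npm
    pnpm: { overrides: { cookie: version } }  // pnpm
  };
}

// Constructed sample: a few cookie names an application might set.
const sampleNames = ['sessionid', 'app:theme', 'csrf-token', 'user name', 'a=b'];

const rejected = findRejectedCookieNames(sampleNames);
console.log('names strict validation would reject:', rejected);
console.log(JSON.stringify(buildCookieOverride(), null, 2));
```

Run the audit against the names your application actually sets (for example the first argument of every `cookies.set` call); if the rejected list is empty, the override is safe to apply, and `npm install` or `pnpm install` will then resolve `cookie` to 0.7.x underneath `@sveltejs/kit` even though Kit's own range still allows 0.6.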

kyle-leonhard added a commit to kosolabs/koso that referenced this pull request Oct 11, 2024
Svelte kit reverted the upgrade in
sveltejs/kit#12767
@hyunbinseo
Contributor

It's quite likely users will need to upgrade cookie themselves in the meantime and we can only upgrade cookie in kit v3

This seems to be official:

Need to tell anyone who is setting invalid name to stop so that we can upgrade cookie library in Kit 3.0

dmoerner added a commit to dmoerner/pytorrent that referenced this pull request Mar 18, 2025
Update to cookie 0.7.0. Since we were not using cookies, the security
risks should have been minimal. The upgrade is accomplished with a
manual override in package.json, see
sveltejs/kit#12767.

Fixes: https://github.com/dmoerner/pytorrent/security/dependabot/1
ggounot added a commit to gip-inclusion/dora that referenced this pull request Sep 4, 2025
We have to force it (override) because it is impossible for SvelteKit to update cookie before v3. Version 0.7.0 contains a breaking change, but one that does not affect us.

See: sveltejs/kit#12767
carl-underwood added a commit to carl-underwood/listen-later that referenced this pull request Nov 20, 2025
- To resolve low severity vulnerability
- See sveltejs/kit#12767
carl-underwood added a commit to carl-underwood/listen-later that referenced this pull request Nov 20, 2025
- To resolve low severity vulnerability (see sveltejs/kit#12767)
- Bump package versions
carl-underwood added a commit to carl-underwood/listen-later that referenced this pull request Nov 20, 2025
- To resolve low severity vulnerability (see sveltejs/kit#12767)
- Bump package versions
carl-underwood added a commit to carl-underwood/listen-later that referenced this pull request Nov 20, 2025
- To resolve low severity vulnerability (see sveltejs/kit#12767)
- Bump package versions
carl-underwood added a commit to carl-underwood/listen-later that referenced this pull request Nov 20, 2025
- To resolve low severity vulnerability (see sveltejs/kit#12767)
- Bump package versions
paolaklein added a commit to samply/eucaim-frontend that referenced this pull request Dec 10, 2025
SvelteKit 2.49.2 has cookie 0.6.0, which has a security issue. The cookie inside SvelteKit will probably be updated with version 3; then this workaround is no longer needed. See: sveltejs/kit#12767