From 7e1f5d3563fae2cd332aa3b500234190e8cb23c9 Mon Sep 17 00:00:00 2001
From: Keith Oak
Date: Wed, 25 Jun 2025 09:34:48 +1000
Subject: [PATCH] fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764

Updates the cookie package from ^0.5.0 to ^0.7.0 to fix a critical security vulnerability (CVE-2024-47764) that allows malicious cookie values to inject unexpected key-value pairs into JavaScript objects. The vulnerability could allow attackers to inject special properties like __proto__, constructor, or prototype through malicious cookie values. Cookie 0.7.0 includes proper validation to prevent these injection attacks while maintaining backward compatibility.
---
 package-lock.json | 15 ++++++++-------
 package.json | 2 +-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 79484fa0a..847239455 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -19,7 +19,7 @@
 "cli-progress": "^3.12.0",
 "commander": "^9.5.0",
 "concurrently": "^7.6.0",
- "cookie": "^0.5.0",
+ "cookie": "^0.7.0",
 "devcert": "^1.2.0",
 "dotenv": "^16.4.5",
 "finalhandler": "^1.2.0",
@@ -4510,9 +4510,10 @@
 }
 },
 "node_modules/cookie": {
- "version": "0.5.0",
- "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz",
- "integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==",
+ "version": "0.7.2",
+ "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+ "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+ "license": "MIT",
 "engines": {
 "node": ">= 0.6"
 }
@@ -17976,9 +17977,9 @@
 }
 },
 "cookie": {
- "version": "0.5.0",
- "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz",
- "integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw=="
+ "version": "0.7.2",
+ "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+ "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="
 },
 "cookiejar": {
 "version": "2.1.4",
diff --git a/package.json b/package.json
index 3cd12070f..be78b7e62 100644
--- a/package.json
+++ b/package.json
@@ -39,7 +39,7 @@
 "cli-progress": "^3.12.0",
 "commander": "^9.5.0",
 "concurrently": "^7.6.0",
- "cookie": "^0.5.0",
+ "cookie": "^0.7.0",
 "devcert": "^1.2.0",
 "dotenv": "^16.4.5",
 "finalhandler": "^1.2.0",