Vulnerable hardcoded 'cookie' package version #43
Comments
sethidden
changed the title
|
hi @sethidden , We have always pinned our dependency versions in the package.json in order to prevent unwanted changes to be installed onto others systems as dependency versions are released, not everyone follows semver and humans sometimes make mistakes and vulnerabilities can creep into releases. So we prefer to check ourselves and release a new version after verifying and running our e2e tests. We will discuss if this restriction is still worth it in todays world. After all this is flagged as a security issue and we should update this asap, so the other way around is a valid argument too. We will fix this security issue (among others) and release a new version. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You are using a cookie package version vulnerable to GHSA-pxg6-pf52-xh8x
spa-sdk/packages/spa-sdk/package.json
Line 43 in e9da762
Because you've hardcoded the dep version to 0.4.1 I can't update in my lockfile to get this fixed on my side. I don't understand why did you do it - does spa-sdk work ONLY on 0.4.1 and no other version?
Please release a new version and don't hardcode package versions and use ^0.7.0 instead of 0.7.0
The text was updated successfully, but these errors were encountered: