feat: upgrade cookie dependency and cleanup imports #77
Wdyt? Could this be merged? Then I could start to look at another issue with the latest next.js. EDIT: I fixed the lint. Forgot to run it.

Fixed the lint problems.

This issue is also happening to me with SvelteKit:

@J0 Thank you for the review. Do I need to do anything additional for this to be merged and released?

Could you regenerate the package-lock.json and package.json? Apologies, I was slightly hesitant to bump the version to v1.0.1 as that's a jump in major version. I went ahead and bumped the minor version, which resulted in some conflicts. The minor version bump to v0.7.0 should also resolve the warning for now, I believe. We'll still consider the v1.0.1 upgrade and changes, but I need to check in with the team before I go ahead and merge.

@J0 Thank you for the feedback. I regenerated the package-lock.json. The breaking changes are described here:

@J0 The security fix has not been released as of now. It's just an RC version, not a published version. I get that this needs some more validation, but can you guys release the current RC version as V5.0.2?

When will this be merged? Want to fix my audits :)

Hey, apologies for missing this. We are releasing v0.5.2 now.

Thanks for your patience @siimsams. AFAICT this shouldn't affect our API beyond the requirement for an increment in node version to v18 (current LTS is v20). I think it should be fine to merge this as a minor version bump, so going to merge. Welcome dissenting opinions though. This should live in rc for a while, which will give us time to test.

Thank you for releasing the fix. Not in a hurry with this PR. |

🤖 I have created a release *beep* *boop*

---

## [0.6.0](v0.5.2...v0.6.0) (2025-02-27)

### Features

* improve cookie chunk handling via base64url+length encoding ([#90](#90)) ([6deb687](6deb687))
* upgrade cookie dependency and cleanup imports ([#77](#77)) ([9524528](9524528))

### Bug Fixes

* add `create*Client` string in `x-client-info` ([#85](#85)) ([f271acc](f271acc))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop*

---

## [0.12.0](v0.11.0...v0.12.0) (2026-06-09)

### Features

* adds `cookies.encode` option allowing minimal cookie sizes ([#126](#126)) ([cf38b22](cf38b22))
* bump `cookie` to 1.0.2 ([#113](#113)) ([b4a77b4](b4a77b4))
* **cookies:** add clearAuthCookiesAtScopes migration helper ([#240](#240)) ([4e47249](4e47249))
* full rewrite using `getAll` and `setAll` cookie methods ([#1](#1)) ([b6ae192](b6ae192))
* improve cookie chunk handling via base64url+length encoding ([#90](#90)) ([6deb687](6deb687))
* pass cache headers to setAll to prevent CDN caching of auth responses ([#176](#176)) ([14962d2](14962d2))
* publish SSR under deprecated auth-helpers package names ([#127](#127)) ([e8b6102](e8b6102))
* release workflow RC versioning and publish reliability ([#164](#164)) ([81e68f4](81e68f4))
* update CI so it runs on release as well ([#33](#33)) ([4517996](4517996))
* update supabase-js to latest ([#133](#133)) ([d65044d](d65044d))
* update supabase-js to latest ([#145](#145)) ([08bf7d6](08bf7d6))
* upgrade cookie dependency and cleanup imports ([#77](#77)) ([9524528](9524528))

### Bug Fixes

* add @types/cookies to dependencies ([#63](#63)) ([47e5f16](47e5f16))
* add `create*Client` string in `x-client-info` ([#85](#85)) ([f271acc](f271acc))
* allow cookies encode without getAll/setAll on browser client ([#213](#213)) ([89f3f28](89f3f28)), closes [#170](#170)
* allow use of `createBrowserClient` without `window` present ([#20](#20)) ([27d868d](27d868d))
* **auth:** respect user-provided auth options in createBrowserClient ([#167](#167)) ([5f04837](5f04837))
* check chunkedCookie is string in server client ([#57](#57)) ([549fe62](549fe62))
* **ci:** remove packageManager field ([#197](#197)) ([6bf0226](6bf0226))
* cookies console warnings ([#136](#136)) ([64ff6b3](64ff6b3))
* deprecate `parse`, `serialize` exports for more useful functions ([#14](#14)) ([0b5f881](0b5f881))
* enable tree-shaking for browser bundles ([#216](#216)) ([f009d71](f009d71))
* fix `createBrowserClient` deprecation tsdoc ([#17](#17)) ([1df70ad](1df70ad))
* force release ([#98](#98)) ([66710e8](66710e8))
* re-apply update CI so it runs on release as well ([#49](#49)) ([51d5a43](51d5a43))
* **release:** pin npm to 11.5.2 so OIDC trusted publisher works ([#249](#249)) ([4af89f7](4af89f7))
* remove optional dependencies ([#41](#41)) ([a48fe6f](a48fe6f))
* remove usage of internal type params ([#123](#123)) ([8f3e89e](8f3e89e))
* revert "update CI so it runs on release as well" ([#44](#44)) ([9d0e859](9d0e859))
* **revert:** "feat: improve cookie chunk handling via base64url+length encoding ([#90](#90))" ([#100](#100)) ([2ea8e23](2ea8e23))
* set `max-age` default cookie option to 400 days ([#54](#54)) ([f4ed2e0](f4ed2e0))
* set cookies for password recovery event ([#32](#32)) ([7dc1837](7dc1837))
* set cookies when mfa challenge is verified ([#27](#27)) ([c217f53](c217f53))
* **tsconfig:** set explicit rootDir to silence TS6059 in consumer IDEs ([#211](#211)) ([a77ee8a](a77ee8a)), closes [#209](#209)
* update conventional commits ci to use main instead of master ([#31](#31)) ([bebce89](bebce89))
* update README session docs ([#159](#159)) ([b859905](b859905))
* update type, remove unused imports, define AuthEvent type ([#47](#47)) ([4f4a375](4f4a375))
* use skipAutoInitialize to prevent SSR token refresh race condition ([#131](#131)) ([0b7be28](0b7be28))
* validate base64-prefixed chunked cookies decode to valid JSON ([#210](#210)) ([302cc0e](302cc0e))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>

What kind of change does this PR introduce?
cookie package to the latest version.
cookie package.
What is the current behavior?
It currently shows up as unfixable security issue in my project.
GHSA-pxg6-pf52-xh8x
Related issues:
#73
What is the new behavior?
The new version of this package does not have this security issue.
Additional context