fix(deps): update dependency cookie to ^0.7.0 [security]

[matticbot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cookie	^0.4.1 -> ^0.7.0

GitHub Vulnerability Alerts

CVE-2024-47764

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

• https://github.com/jshttp/cookie/pull/167

---

Release Notes

jshttp/cookie (cookie)

v0.7.0: 0.7.0

Compare Source

• perf: parse cookies ~10% faster (#​144 by @​kurtextrem and #​170)
  • fix: narrow the validation of cookies to match RFC6265 (#​167 by @​bewinsnw)
  • fix: add main to package.json for rspack (#​166 by @​proudparrot2)

v0.6.0: 0.6.0

Compare Source

• Add partitioned option

v0.5.0: 0.5.0

Compare Source

• Add priority option
  • Fix expires option to reject invalid dates
  • pref: improve default decode speed
  • pref: remove slow string split in parse

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Calypso Live (direct link)

https://calypso.live?image=registry.a8c.com/calypso/app:build-123872

Jetpack Cloud live (direct link)

https://calypso.live?image=registry.a8c.com/calypso/app:build-123872&env=jetpack

Automattic for Agencies live (direct link)

https://calypso.live?image=registry.a8c.com/calypso/app:build-123872&env=a8c-for-agencies

[matticbot]

This PR modifies the release build for the following Calypso Apps:

For info about this notification, see here: PCYsg-OT6-p2

• blaze-dashboard
• command-palette-wp-admin
• happy-blocks
• help-center
• notifications
• odyssey-stats
• whats-new
• wpcom-block-editor

To test WordPress.com changes, run install-plugin.sh $pluginSlug renovate/npm-cookie-vulnerability on your sandbox.

[matticbot]

Here is how your PR affects size of JS and CSS bundles shipped to the user's browser:

App Entrypoints (~367 bytes added 📈 [gzipped])

name                   parsed_size           gzip_size
entry-subscriptions         +917 B  (+0.1%)     +367 B  (+0.1%)
entry-stepper               +917 B  (+0.0%)     +367 B  (+0.1%)
entry-main                  +917 B  (+0.0%)     +367 B  (+0.1%)
entry-login                 +917 B  (+0.0%)     +367 B  (+0.1%)
entry-domains-landing       +917 B  (+0.1%)     +367 B  (+0.2%)

Common code that is always downloaded and parsed every time the app is loaded, no matter which route is used.

Legend

What is parsed and gzip size?

Parsed Size: Uncompressed size of the JS and CSS files. This much code needs to be parsed and stored in memory.
Gzip Size: Compressed size of the JS and CSS files. This much data needs to be downloaded over network.

Generated by performance advisor bot at iscalypsofastyet.com.