fix: bump cookie to ^0.7.0 for CVE-2024-47764 (#932)

[LongOddCode]

Problem

Issue #932 — cookie@^0.5.0 is vulnerable to CVE-2024-47764 (CVSS 9.1, Critical). Maliciously crafted cookie values can inject unexpected object keys such as __proto__, constructor, or prototype, enabling prototype pollution.

Two prior attempts — #960 (minimal) and #962 (combined) — were closed without explanation. The issue is still open and package.json on main still pins cookie: ^0.5.0. This PR revives the minimal fix in the spirit of #960.

Root Cause

Direct dependency on a vulnerable range.

Fix

File	Change
package.json	cookie ^0.5.0 → ^0.7.0
package-lock.json	cookie resolved to 0.7.2; incidental peer-marker drift from lockfile regeneration (no other package versions changed — verified by git diff grep on "version":).

Compatibility

The only runtime consumer is src/core/utils/cookie.ts, which calls cookie.serialize(name, value, options) and cookie.parse(str). Both signatures are unchanged in 0.7.x, so this is a drop-in replacement. See the cookie 0.7.0 changelog for details.

Testing

• ✅ npm install succeeds; package-lock.json regenerates cleanly.
• ✅ git diff confirms only cookie version changed materially (only two "version": diff lines).
• ✅ Call sites in src/core/utils/cookie.ts use APIs preserved in 0.7.x.

References

• Fixes Vulnerable dependency cookie < 0.7.0 #932
• CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-47764
• Prior attempts: fix: update cookie dependency to ^0.7.0 to address CVE-2024-47764 #960, fix: resolve critical security vulnerabilities (21→9 vulnerabilities) #962 (both closed)
• Changelog: https://github.com/jshttp/cookie/releases/tag/v0.7.0