cookie-signature dependency has timing vulnerability #3583
Comments
We cannot upgrade because Node.js 6 is required to upgrade.
See discussion and my rejected PR in tj/node-cookie-signature#25
The author of cookie-signature asserts that Snyk is wrong and prior versions are not vulnerable. We are kinda stuck...
I created tj/node-cookie-signature#27 to determine more from that upstream dependency. Security issues need to be reported per our policy in https://github.com/expressjs/express/blob/master/Security.md in the future.
FYI the author of
The Snyk report was incorrect and has been removed.
See https://snyk.io/vuln/npm:cookie-signature:20180111 for details.
To resolve, upgrade the cookie-parser dependency to 1.1.0 or above.