fix: bump js-cookie from 3.0.1 to 3.0.7 (CVE-2026-46625)#1368
Bumps js-cookie from 3.0.1 to 3.0.7 to fix a per-instance prototype hijack in assign() that enables cookie-attribute injection.

See: GHSA-qjx8-664m-686j
Fixes: segmentio#1367
🦋 Changeset detected
Latest commit: 5140f2e
The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Is there a reason to fix this dependency to a fixed version rather than just allowing updates within the same major version?
Per reviewer feedback, use ^3.0.7 instead of exact 3.0.7 to match the caret convention used by other deps in this package and to allow automatic pickup of future patch releases.
@ruriarte-zaelot Good call on the caret — updated to Regarding backporting to v1:
When do we expect to merge this bump?
Summary
Bumps the `js-cookie` dependency from `3.0.1` to `3.0.7` in `packages/browser` to address CVE-2026-46625 / GHSA-qjx8-664m-686j.

Vulnerability Details

The internal `assign()` helper in js-cookie copies properties with `for...in` + plain assignment. When the source object is produced by `JSON.parse`, a `"__proto__"` member is enumerable and triggers the `Object.prototype.__proto__` setter, resulting in a per-instance prototype hijack. An attacker can inject cookie attributes like `domain`, `secure`, `samesite`, `expires`, and `path` into cookies whose attributes the developer thought were locked down.

Changes

- `packages/browser/package.json`: `js-cookie` `3.0.1` → `3.0.7`
- `yarn.lock`: updated accordingly

References
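The hijack described in the PR body, reproduced as an added example. This is not js-cookie's code and not part of this PR: `assignVulnerable` mirrors the `for...in` + plain-assignment copy the description mentions, `serialize` is a constructed stand-in for cookie-attribute serialization, `assignSafe` is one hardened form chosen for this example (an assumption, not necessarily the upstream 3.0.7 fix), and `DEFAULTS` and `UNTRUSTED_JSON` are constructed inputs standing in for developer-fixed attributes and attacker-controlled JSON.

```javascript
// Added example (not js-cookie's code and not from this PR): reproduces the
// for...in + plain-assignment copy described in the advisory text, a constructed
// stand-in for cookie-attribute serialization, and one hardened copy helper.

// Vulnerable pattern: for...in enumerates an own "__proto__" key created by
// JSON.parse, and plain assignment then invokes the Object.prototype.__proto__
// setter, replacing the prototype of *this target object only*.
function assignVulnerable(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form (an assumption for this example, not necessarily the upstream
// 3.0.7 fix): Object.keys still returns the own "__proto__" key, so the
// explicit skip is what keeps the setter from running.
function assignSafe(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (key === '__proto__') continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed stand-in for attribute serialization: it walks the attributes
// object with for...in, which visits inherited enumerable properties too.
function serialize(name, value, attributes) {
  let cookie = encodeURIComponent(name) + '=' + encodeURIComponent(value);
  for (const attributeName in attributes) {
    if (!attributes[attributeName]) continue;
    cookie += '; ' + attributeName;
    if (attributes[attributeName] === true) continue;
    cookie += '=' + String(attributes[attributeName]).split(';')[0];
  }
  return cookie;
}

// Attributes the developer believes are fixed (constructed).
const DEFAULTS = { path: '/', secure: true };

// Constructed attacker-controlled input, e.g. a JSON body that is parsed and
// passed through as cookie options. The "__proto__" member is an ordinary own
// property on the parsed object.
const UNTRUSTED_JSON =
  '{"expires":"Thu, 01 Jan 2099 00:00:00 GMT",' +
  '"__proto__":{"domain":"attacker.example","sameSite":"none"}}';

function parseUntrusted() {
  return JSON.parse(UNTRUSTED_JSON);
}

function vulnerableAttributes() {
  return assignVulnerable({}, DEFAULTS, parseUntrusted());
}

function safeAttributes() {
  return assignSafe({}, DEFAULTS, parseUntrusted());
}

// Resulting Set-Cookie-style strings for the two copy helpers.
function buildVulnerable() {
  return serialize('session', 'abc123', vulnerableAttributes());
}

function buildSafe() {
  return serialize('session', 'abc123', safeAttributes());
}

// The hijack is per instance: an unrelated object is untouched, so checks that
// only look at Object.prototype would not notice it.
function globalPrototypePolluted() {
  return 'domain' in {};
}

console.log(buildVulnerable());
console.log(buildSafe());
console.log('global pollution:', globalPrototypePolluted());
```

With the vulnerable copy, `domain=attacker.example; sameSite=none` is appended to the cookie even though neither attribute was ever set as an own property; the serializer picked them up from the hijacked prototype. Two points worth keeping in mind when auditing similar helpers: switching `for...in` to `Object.keys` is not by itself a fix, because the own `"__proto__"` key is still returned and assigning it still hits the setter; and because only the copied object's prototype changes, a check such as `'domain' in {}` stays false, so detections that watch `Object.prototype` for classic prototype pollution will not fire.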