Closed as not planned
Description
Describe the bug
Brand new SvelteKit project depends on a vulnerable package (cookie) - but an upgrade is not possible.
Reproduction
npx sv create foobar
npm audit
Logs
# npm audit report
cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @sveltejs/kit@0.0.30, which is a breaking change
node_modules/cookie
@sveltejs/kit >=1.0.0-next.0
Depends on vulnerable versions of cookie
node_modules/@sveltejs/kit
@sveltejs/adapter-auto >=1.0.0-next.0
Depends on vulnerable versions of @sveltejs/kit
node_modules/@sveltejs/adapter-auto
3 low severity vulnerabilities
To address all issues (including breaking changes), run
System Info
System:
OS: macOS 14.4.1
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Memory: 80.32 MB / 16.00 GB
Shell: 3.2.57 - /bin/bash
Binaries:
Node: 22.8.0 - ~/.asdf/installs/nodejs/22.8.0/bin/node
npm: 10.9.0 - ~/.asdf/plugins/nodejs/shims/npm
pnpm: 8.11.0 - ~/.homebrew/bin/pnpm
Browsers:
Chrome: 130.0.6723.70
Safari: 17.4.1
npmPackages:
@sveltejs/adapter-auto: ^3.0.0 => 3.3.1
@sveltejs/kit: ^2.0.0 => 2.7.3
@sveltejs/vite-plugin-svelte: ^4.0.0 => 4.0.0
svelte: ^5.0.0 => 5.1.3
vite: ^5.0.3 => 5.4.10
Severity
annoyance
Additional Information
No response
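An added example of what the advisory in the log ("accepts cookie name, path, and domain with out of bounds characters") means in practice. This is not code from the issue, from the cookie package or from SvelteKit: the two serializers, the `attributeNames` helper and the character-class regexes are assumptions chosen to approximate the RFC 6265 rules, written so the unchecked and the validating behaviour can be run side by side.

```javascript
// Added illustration of the bug class behind GHSA-pxg6-pf52-xh8x: a Set-Cookie
// serializer that does not validate the cookie name, path and domain.
// NOT the cookie package's source and NOT SvelteKit's; every name below is an
// assumption for this example.

// Approximation of the RFC 6265 "token" for a cookie name: printable ASCII
// with ';' (0x3B), '=' (0x3D) and anything below 0x21 excluded.
const COOKIE_NAME_RE = /^[\u0021-\u003A\u003C\u003E-\u007E]+$/;
// Approximation of what may appear in a Path or Domain attribute value:
// printable ASCII with ';' excluded, so the attribute cannot be terminated early.
const PATH_DOMAIN_RE = /^[\u0020-\u003A\u003D-\u007E]*$/;

// "Before" behaviour: string concatenation with no validation. A ';' inside
// name, path or domain starts a new attribute in the resulting header.
function serializeUnchecked(name, value, opts = {}) {
  let out = name + '=' + encodeURIComponent(value);
  if (opts.path != null) out += '; Path=' + opts.path;
  if (opts.domain != null) out += '; Domain=' + opts.domain;
  if (opts.httpOnly) out += '; HttpOnly';
  if (opts.secure) out += '; Secure';
  return out;
}

// Hardened behaviour: reject out-of-bounds characters before building the header.
function serializeChecked(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) {
    throw new TypeError('cookie name contains out-of-bounds characters');
  }
  let out = name + '=' + encodeURIComponent(value);
  if (opts.path != null) {
    if (!PATH_DOMAIN_RE.test(opts.path)) {
      throw new TypeError('cookie path contains out-of-bounds characters');
    }
    out += '; Path=' + opts.path;
  }
  if (opts.domain != null) {
    if (!PATH_DOMAIN_RE.test(opts.domain)) {
      throw new TypeError('cookie domain contains out-of-bounds characters');
    }
    out += '; Domain=' + opts.domain;
  }
  if (opts.httpOnly) out += '; HttpOnly';
  if (opts.secure) out += '; Secure';
  return out;
}

// Lower-cased attribute names a receiving client would see after the
// name=value pair, which makes an injected attribute visible.
function attributeNames(setCookieHeader) {
  return setCookieHeader
    .split(';')
    .slice(1)
    .map((a) => a.trim().split('=')[0].toLowerCase())
    .filter((a) => a.length > 0);
}

// Constructed input for the demo: a path that an application copied from an
// untrusted source (for example a return-to URL) into the cookie's Path.
const hostilePath = '/; Domain=evil.example';

console.log(serializeUnchecked('sid', 'abc', { path: hostilePath }));
// → sid=abc; Path=/; Domain=evil.example   (a second attribute was injected)
console.log(attributeNames(serializeUnchecked('sid', 'abc', { path: hostilePath })));
// → [ 'path', 'domain' ]
try {
  serializeChecked('sid', 'abc', { path: hostilePath });
} catch (e) {
  console.log('rejected:', e.message);
}
```

The exposure in a real app therefore depends on whether untrusted input ever reaches the cookie name, path or domain; `npm audit` flags the dependency version regardless of how it is called, which is why the report appears in a freshly generated project that has not set a single cookie yet.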