
fix: update js-cookie to resolve CVE-2026-46625 #134

Open
dannyneira wants to merge 1 commit into main from independabot/js-cookie-CVE-2026-46625

Conversation

@dannyneira
Member

Summary

Updates the transitive js-cookie dependency in package-lock.json from 3.0.5 to 3.0.7 to resolve CVE-2026-46625.

Vulnerability details

  • Advisory: GHSA-qjx8-664m-686j
  • Dependabot alert: https://github.com/warpdotdev/docs/security/dependabot/14
  • Package: js-cookie
  • Ecosystem: npm
  • Severity: high
  • Vulnerable range: <= 3.0.5
  • Patched version: 3.0.7
  • Relationship: transitive runtime dependency through @kapaai/react-sdk
  • Summary: JavaScript Cookie per-instance prototype hijack in assign() enables cookie-attribute injection.

Changes

  • Updated the node_modules/js-cookie lockfile entry to 3.0.7.
  • Did not add js-cookie as a direct dependency or apply overrides.

Verification

  • npx --yes npm@10.9.4 --prefix /workspace/docs audit --json no longer reports js-cookie.
  • npx --yes npm@10.9.4 --prefix /workspace/docs run build completed successfully.

Co-Authored-By: Oz oz-agent@warp.dev

Conversation: https://staging.warp.dev/conversation/b4dcb29c-d5e9-4f9f-8c05-f0501e719963
Run: https://oz.staging.warp.dev/runs/019e506a-428f-793e-96c9-dfee0dcad0f9
This PR was generated with Oz.

Co-Authored-By: Oz <oz-agent@warp.dev>
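As an added example (not code from this PR or from the warpdotdev/docs repository), the script below performs the lockfile-side check that the Changes and Verification sections above describe, offline and without npm: it scans a lockfileVersion 2/3 package-lock.json for every installed copy of js-cookie, flags any version inside the advisory's vulnerable range (<= 3.0.5), reports which packages declare it as a dependency so a transitive path such as @kapaai/react-sdk is visible, and confirms that the patched 3.0.7 still satisfies the dependent's ^3.0.5 caret range. The sample lockfiles, the package paths and the ^1.0.0 range on @kapaai/react-sdk are constructed; the advisory identifiers and version numbers are the ones stated in the PR.

```javascript
// Added example, not code from the PR or the warpdotdev/docs project.
// Audits a package-lock.json "packages" map (lockfileVersion 2/3) for a
// vulnerable transitive dependency and checks the patched version against
// the range its dependent declares.

// "3.0.5" -> [3, 0, 5]; prerelease/build suffixes are dropped (enough for this check).
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// -1, 0 or 1, comparing major, minor, patch in order.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major > 0: "^3.0.5" accepts >= 3.0.5 and < 4.0.0.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  if (parseVersion(base)[0] === 0) throw new Error('0.x caret ranges not handled here');
  return compareVersions(version, base) >= 0 && parseVersion(version)[0] === parseVersion(base)[0];
}

// Advisory facts as stated in the PR description.
const ADVISORY = {
  id: 'GHSA-qjx8-664m-686j',
  cve: 'CVE-2026-46625',
  package: 'js-cookie',
  vulnerableMax: '3.0.5', // vulnerable range: <= 3.0.5
  patched: '3.0.7',
};

// Package name from an installed path: "node_modules/@scope/a/node_modules/b" -> "b".
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return path.slice(i + 'node_modules/'.length);
}

// One finding per installed copy of advisory.package (hoisted or nested).
function auditLockfile(lock, advisory = ADVISORY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = entry.name || nameFromPath(path);
    if (name !== advisory.package) continue;
    findings.push({
      path,
      version: entry.version,
      vulnerable: compareVersions(entry.version, advisory.vulnerableMax) <= 0,
      advisory: advisory.id,
    });
  }
  return findings;
}

// Packages whose declared dependencies include `name`, with the range they declare.
function dependents(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    for (const key of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
      if (entry[key] && entry[key][name]) out.push({ path, range: entry[key][name] });
    }
  }
  return out;
}

// Constructed sample lockfiles shaped after the PR: js-cookie is hoisted and is
// reached only through @kapaai/react-sdk. The js-cookie version is the only difference.
function sampleLock(jsCookieVersion) {
  return {
    name: 'docs',
    lockfileVersion: 3,
    packages: {
      '': { name: 'docs', dependencies: { '@kapaai/react-sdk': '^1.0.0' } },
      'node_modules/@kapaai/react-sdk': { version: '1.0.0', dependencies: { 'js-cookie': '^3.0.5' } },
      'node_modules/js-cookie': { version: jsCookieVersion, engines: { node: '>=20' } },
    },
  };
}

const LOCK_BEFORE = sampleLock('3.0.5');
const LOCK_AFTER = sampleLock(ADVISORY.patched);

// Prints the before/after findings, who depends on the package, and whether every
// installed version still satisfies each dependent's declared range.
function main() {
  for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
    const findings = auditLockfile(lock);
    const deps = dependents(lock, ADVISORY.package);
    const rangesOk = deps.every((d) => findings.every((f) => satisfiesCaret(f.version, d.range)));
    console.log(label, JSON.stringify({ findings, dependents: deps, rangesOk }));
  }
}

main();
```

The same functions work on a real lockfile read with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; because the scan walks every `packages` key rather than only the hoisted `node_modules/js-cookie` entry, a second nested copy under another dependency would also be reported, which `npm audit` surfaces but a quick grep of the lockfile easily misses.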
@dannyneira dannyneira requested a review from hongyi-chen May 22, 2026 16:06

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project  Deployment  Actions           Updated (UTC)
docs     Ready       Preview, Comment  May 22, 2026 4:08pm


@cla-bot cla-bot Bot added the cla-signed label May 22, 2026
@oz-for-oss
Contributor

oz-for-oss Bot commented May 22, 2026

@dannyneira

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz


@oz-for-oss oz-for-oss Bot left a comment


Overview

Updates the transitive js-cookie lockfile entry from 3.0.5 to 3.0.7 to address the reported high-severity advisory through @kapaai/react-sdk. The patched version remains within the existing ^3.0.5 dependency range, and its Node >=20 engine is compatible with this repo's declared Node 20/22/24 support and CI Node 22 setup.

Concerns

  • No blocking concerns found. No approved spec context was available for this PR.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz



2 participants