Gabe33

Reputation: 51

How to handle cookie vulnerability in @supabase/ssr (cookie <0.7.0)?

I'm using the @supabase/ssr package in my Next.js project, and I've encountered a security vulnerability due to a dependency on the cookie package (<0.7.0). The vulnerability is related to accepting cookie names, paths, and domains with out-of-bounds characters, as described in this GitHub advisory.

The @supabase/ssr package depends on the vulnerable version of cookie, and there's currently no fix available for this issue.

Here’s the output from npm audit:

cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
No fix available
node_modules/cookie
  @supabase/ssr  *
  Depends on vulnerable versions of cookie
  node_modules/@supabase/ssr

I ran npm outdated, but there is no newer version of @supabase/ssr that resolves the issue. I haven't found an alternative package to @supabase/ssr that doesn't depend on cookie.

Is there a recommended workaround to handle this vulnerability in the absence of an official fix? Would it be safe to manually override or patch the dependency for now? Are there any alternatives to @supabase/ssr that do not rely on vulnerable versions of cookie?

Upvotes: 4

Views: 1090

Answers (1)

Elman

Reputation: 51

Try to use overrides (see docs: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides) for overriding this and any other problematic devDependency.

For example, in your package.json add an overrides prop with the updated, fixed version of your package:

{
  "devDependencies": {
    "@types/cors": "^2.8.13",
    "ts-node": "^10.9.1",
    "typescript": "^4.9.5",
    "@supabase/ssr": "0.5.1"
  },
  "overrides": {
    "cookie": "^0.7.2"
  }
}

Upvotes: 5
