Version 0.14.0 Vulnerabilities

[Elte156]

Describe the bug

Currently, @lhci/cli 0.14.0 has a number of vulnerabilities

Here is one we identified:

https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060

Issues with no direct upgrade or patch:
  ✗ Cross-site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060] in cookie@0.4.2
    introduced by @lhci/cli@0.14.0 > express@4.20.0 > cookie@0.6.0 and 7 other path(s)
  This issue was fixed in versions: 0.7.0

[hamirmahal]

I think I came across something similar in a few of my repositories.

@lhci/cli@0.14.0 requires cookie@^0.4.1 via a transitive dependency on @sentry/node@6.19.7
@lhci/cli@0.14.0 requires cookie@0.6.0 via a transitive dependency on express@4.21.0

[hamirmahal]

For what it's worth, it looks like express fixed this with expressjs/express#6029.

[sdavids]

Related: #1058