Use [email protected] on new projects

[hyunbinseo]

Every time I create a SvelteKit project, I get GitHub Dependabot alerts related to this:

• fix: narrow the validation of cookies to match RFC6265 jshttp/cookie#167

Could we use package.json overrides to use [email protected]+ on new projects?

It could be removed on SvelteKit v3 migration.

Reference:

• chore: upgrade to cookie 1.0.2 kit#13386
• refactor: use cookie-es for cookie utils kit#13512

[manuel3108]

We could, but I don't think we should. It would be better to solve the actual problem, as proposed by sveltejs/kit#13512

[pierrelegall]

The actual issue I saw as simple SvelteKit developer (with @sveltejs/adapter-static) is:

❯ npm audit
# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @sveltejs/[email protected], which is a breaking change
node_modules/cookie
  @sveltejs/kit  >=1.0.0-next.0
  Depends on vulnerable versions of cookie
  node_modules/@sveltejs/kit
    @sveltejs/adapter-static  >=1.0.0-next.0
    Depends on vulnerable versions of @sveltejs/kit
    node_modules/@sveltejs/adapter-static

3 low severity vulnerabilities