Update dependency js-cookie to v3.0.7 [SECURITY]#1446
Conversation
|
92ef2c6 to
9d26f99
Compare
85b7953 to
1fefcc4
Compare
389765c to
821a421
Compare
03db5c7 to
944fe77
Compare
944fe77 to
eb50843
Compare
There was a problem hiding this comment.
💬 MOA Review: COMMENT
Summary: Two reviewers approved the security update outright, and two reviewers raised the same minor concern about the absence of a lockfile change in the displayed diff. There were no conflicting substantive findings about the dependency bump itself, which appears correct and safe. Consolidating the feedback, this PR looks acceptable overall, with one medium-confidence advisory to verify the lockfile is updated if the repository uses one.
Issues Summary
🟡 1 warning(s) (see inline comments)
Mixture of Agents review — 4 models reviewed in parallel, aggregated by openai/gpt-5.4:
- ✓
google/gemini-3.5-flash— approve, 0 issue(s), 1.8s, $0.0061 - ✗
x-ai/grok-4.5— comment, 0 issue(s), 0.0s, $0.0000 - ✓
minimax/minimax-m3— approve, 1 issue(s), 13.4s, $0.0021 - ✓
moonshotai/kimi-k2.7-code— comment, 1 issue(s), 15.9s, $0.0055
| "classnames": "2.5.1", | ||
| "html-to-text": "9.0.5", | ||
| "js-cookie": "3.0.5", | ||
| "js-cookie": "3.0.7", |
There was a problem hiding this comment.
🟡 [WARNING] The diff shows only the package.json version bump for js-cookie to 3.0.7. If this project uses a lockfile, ensure the corresponding lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) is also updated so installs actually resolve the patched version.
Confidence: 🟡 medium | Raised by: minimax/minimax-m3, moonshotai/kimi-k2.7-code
This PR contains the following updates:
3.0.5→3.0.7JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
CVE-2026-46625 / GHSA-qjx8-664m-686j
More information
Details
Summary
js-cookie's internalassign()helper copies properties withfor...in+ plain assignment. When the source object is produced byJSON.parse, the JSON object's"__proto__"member is an own enumerable property, so thefor…inenumerates it and thetarget[key] = source[key]write triggers theObject.prototype.__proto__setter on the freshtarget({}). The result is a per-instance prototype hijack:Object.prototypeitself is untouched, but the mergedattributesobject now inherits attacker-controlled keys.Because the consuming
set()function then enumerates the merged object with anotherfor...in, every key the attacker placed on the polluted prototype lands in the resultingSet-Cookiestring as an attribute pair. The attacker can setdomain=,secure=,samesite=,expires=, andpath=on cookies whose attributes the developer thought were locked down.Impact
Any application that forwards a JSON-derived object as the
attributesargument toCookies.set,Cookies.remove,Cookies.withAttributes, orCookies.withConverteris vulnerable. This is the standard pattern when cookie configuration comes from a backend:A payload of
{"__proto__":{"domain":"evil.example","secure":"false","samesite":"None"}}causes js-cookie to emit:Affected code
Proof of concept
Node 22.11.0, no third-party deps:
Environment setup
PoC
Execution:

Suggested patch
Equivalent one-liner alternative - iterate own names only and filter:
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
js-cookie/js-cookie (js-cookie)
v3.0.7Compare Source
eb3c40e)Partitionedattribute to readme (b994768)4dc71be)get('name')+get()(1953d30)v3.0.6Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.