Update "cookie" npm dependency from v0.6.0 to fix CVE-2024-47764

[leonklingele]

Describe the bug

Saw this come up in our osv-scanner CI job:

+-------------------------------------+------+-----------+---------+---------+-------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE            |
+-------------------------------------+------+-----------+---------+---------+-------------------+
| https://osv.dev/GHSA-pxg6-pf52-xh8x |      | npm       | cookie  | 0.6.0   | package-lock.json |
+-------------------------------------+------+-----------+---------+---------+-------------------+

Probably caused by

kit/pnpm-lock.yaml

Lines 348 to 350 in 09296d0

	cookie:
	specifier: ^0.6.0
	version: 0.6.0

but saw some other references to the cookie package.

Even if SvelteKit might be unaffected by the issue, it still seems worth to update the package.

Also see https://osv.dev/vulnerability/GHSA-pxg6-pf52-xh8x and jshttp/cookie#167

Reproduction

Run nix-shell --pure -p osv-scanner go --run 'osv-scanner --no-ignore .' in a SvelteKit project.

Logs

System Info

Irrelevant.

Severity

annoyance

Additional Information

No response

[stephenlrandall]

#13386

The issue is that upgrading cookie comes with breaking changes. But you can separately fix a version of cookie in your package.json file: #13089 (comment)

[leonklingele]

Thanks, that clears things up.