fix(deps): update dependency cookie to v0.7.0 [security] (#11661)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [cookie](https://redirect.github.com/jshttp/cookie) | [`0.6.0` ->
`0.7.0`](https://renovatebot.com/diffs/npm/cookie/0.6.0/0.7.0) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/cookie/0.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/cookie/0.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/cookie/0.6.0/0.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/cookie/0.6.0/0.7.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-47764](https://redirect.github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x)

### Impact

The cookie name could be used to set other fields of the cookie,
resulting in an unexpected cookie value. For example,
`serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000;
a", value)` would result in `"userName=<script>alert('XSS3')</script>;
Max-Age=2592000; a=test"`, setting `userName` cookie to `<script>` and
ignoring `value`.

A similar escape can be used for `path` and `domain`, which could be
abused to alter other fields of the cookie.

### Patches

Upgrade to 0.7.0, which updates the validation for `name`, `path`, and
`domain`.

### Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure
they are set by the application instead of user input.

### References

*
[https://github.com/jshttp/cookie/pull/167](https://redirect.github.com/jshttp/cookie/pull/167)

---

### Release Notes

<details>
<summary>jshttp/cookie (cookie)</summary>

###
[`v0.7.0`](https://redirect.github.com/jshttp/cookie/releases/tag/v0.7.0):
0.7.0

[Compare
Source](https://redirect.github.com/jshttp/cookie/compare/v0.6.0...v0.7.0)

- perf: parse cookies ~10% faster
([#&#8203;144](https://redirect.github.com/jshttp/cookie/issues/144) by
[@&#8203;kurtextrem](https://redirect.github.com/kurtextrem) and
[#&#8203;170](https://redirect.github.com/jshttp/cookie/issues/170))
- fix: narrow the validation of cookies to match RFC6265
([#&#8203;167](https://redirect.github.com/jshttp/cookie/issues/167) by
[@&#8203;bewinsnw](https://redirect.github.com/bewinsnw))
- fix: add `main` to `package.json` for rspack
([#&#8203;166](https://redirect.github.com/jshttp/cookie/issues/166) by
[@&#8203;proudparrot2](https://redirect.github.com/proudparrot2))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/redwoodjs/redwood).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguOTcuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: renovate[bot]

packages/api/package.json

@@ -52,7 +52,7 @@
   "dependencies": {
     "@prisma/client": "5.20.0",
     "@whatwg-node/fetch": "0.9.21",
-    "cookie": "0.6.0",
+    "cookie": "0.7.0",
     "humanize-string": "2.1.0",
     "jsonwebtoken": "9.0.2",
     "pascalcase": "1.0.0",

packages/cookie-jar/package.json

@@ -22,7 +22,7 @@
     "build:types": "tsc --build --verbose"
   },
   "dependencies": {
-    "cookie": "0.6.0",
+    "cookie": "0.7.0",
     "esbuild": "0.24.0",
     "fast-glob": "3.3.2",
     "fs-extra": "11.2.0"

packages/vite/package.json

@@ -73,7 +73,7 @@
     "acorn-loose": "8.4.0",
     "buffer": "6.0.3",
     "busboy": "^1.6.0",
-    "cookie": "0.6.0",
+    "cookie": "0.7.0",
     "core-js": "3.38.1",
     "dotenv-defaults": "5.0.2",
     "execa": "5.1.1",

yarn.lock

@@ -7446,7 +7446,7 @@ __metadata:
     "@types/split2": "npm:4.2.3"
     "@whatwg-node/fetch": "npm:0.9.21"
     concurrently: "npm:8.2.2"
-    cookie: "npm:0.6.0"
+    cookie: "npm:0.7.0"
     humanize-string: "npm:2.1.0"
     jsonwebtoken: "npm:9.0.2"
     memjs: "npm:1.3.2"
@@ -8240,7 +8240,7 @@ __metadata:
   dependencies:
     "@redwoodjs/framework-tools": "workspace:*"
     "@types/fs-extra": "npm:11.0.4"
-    cookie: "npm:0.6.0"
+    cookie: "npm:0.7.0"
     esbuild: "npm:0.24.0"
     fast-glob: "npm:3.3.2"
     fs-extra: "npm:11.2.0"
@@ -8933,7 +8933,7 @@ __metadata:
     buffer: "npm:6.0.3"
     busboy: "npm:^1.6.0"
     concurrently: "npm:8.2.2"
-    cookie: "npm:0.6.0"
+    cookie: "npm:0.7.0"
     core-js: "npm:3.38.1"
     dotenv-defaults: "npm:5.0.2"
     execa: "npm:5.1.1"
@@ -14706,6 +14706,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"cookie@npm:0.7.0":
+  version: 0.7.0
+  resolution: "cookie@npm:0.7.0"
+  checksum: 10c0/15c20c9b85431c8565b1750f9bccff0bd289b943d956e25fffce3b146e57934075965c8305a4e3a65a70622c9ed483e013daf9159d9c50f5c3f97f2e7c8117ac
+  languageName: node
+  linkType: hard
+
 "cookie@npm:^0.4.2":
   version: 0.4.2
   resolution: "cookie@npm:0.4.2"