Hello,
We are the vendor of two marketplace apps for Confluence Cloud based on the atlassian-connect-express library (latest version, 11.5.3). Our vulnerability scanners reported a security risk rated as high in the outdated version of the tough-cookie v2.5.0 library, which is used in atlassian-connect-express (CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes).
My question is whether it is planned to fix that (by updating that package, for example) and when we can expect a new atlassian-connect-express version with no high security risks.
Thank you in advance for your quick response!
Best regards,
Bartłomiej