Advisories for Npm/@Vendure/Core package

Impact Currently, in many Vendure deployments it's possible to select any currencyCode (really any, does not need to be assigned to the channel) and pay through Mollie and Stripe in that particular currencyCode. The prices are not transformed. The result is the Order is in Payment Settled in the foreign currency. See SS, CZK is not in the channel. I've tested with Mollie and Stripe it both works. Further notes …

Impact Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one (originates from the cookie-session npm package’s default settings). Patches In progress Workarounds Manually set the authOptions.cookieOptions.sameSite configuration option to 'strict', 'lax' or true. References Are there any links users can visit to find out …