cookie dep dependabot vulnerability

[abhiaiyer91]

Hi! We're required to clear all vulnerabilities on our repo. I noticed we got flagged for the cookie module and traced to

auth/workos → @workos-inc/node@7.69.1 → iron-session@6.3.1 → cookie@0.5.0

I'll pnpm override it in Mastra but just wanted to let ya'll know!

[geoffsoftledger]

+1 - same vuln showing for us as well

[nicknisi]

Hey! This is something we're working on. To drop support for iron-session@6, we'll need to drop support for Node 16 (which is way past EOL), but it will require a major version change on our side. We're working on getting this out and will have updates soon. Thanks!