Skip to content

Update dependency express-session to ^1.18.2#36

Open
dev-mend-for-github-com[bot] wants to merge 1 commit into
masterfrom
whitesource-remediate/express-session-1.x
Open

Update dependency express-session to ^1.18.2#36
dev-mend-for-github-com[bot] wants to merge 1 commit into
masterfrom
whitesource-remediate/express-session-1.x

Conversation

@dev-mend-for-github-com

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
express-session dependencies minor ^1.13.0^1.18.2

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score Vulnerability Reachability
Low Low 3.4 CVE-2025-7339

Release Notes

expressjs/session (express-session)

v1.18.2

Compare Source

==========

v1.18.1

Compare Source

==========

  • deps: cookie@​0.7.2
    • Fix object assignment of hasOwnProperty
  • deps: cookie@​0.7.1
    • Allow leading dot for domain
      • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
    • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
  • deps: cookie@​0.7.0
    • perf: parse cookies ~10% faster
    • fix: narrow the validation of cookies to match RFC6265
    • fix: add main to package.json for rspack

v1.18.0

Compare Source

===================

  • Add debug log for pathname mismatch
  • Add partitioned to cookie options
  • Add priority to cookie options
  • Fix handling errors from setting cookie
  • Support any type in secret that crypto.createHmac supports
  • deps: cookie@​0.6.0
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: cookie-signature@​1.0.7

v1.17.3

Compare Source

===================

  • Fix resaving already-saved new session at end of request
  • deps: cookie@​0.4.2

v1.17.2

Compare Source

===================

  • Fix res.end patch to always commit headers
  • deps: cookie@​0.4.1
  • deps: safe-buffer@​5.2.1

v1.17.1

Compare Source

===================

  • Fix internal method wrapping error on failed reloads

v1.17.0

Compare Source

===================

  • deps: cookie@​0.4.0
    • Add SameSite=None support
  • deps: safe-buffer@​5.2.0

v1.16.2

Compare Source

===================

  • Fix restoring cookie.originalMaxAge when store returns Date
  • deps: parseurl@~1.3.3

v1.16.1

Compare Source

===================

  • Fix error passing data option to Cookie constructor
  • Fix uncaught error from bad session data

v1.16.0

Compare Source

===================

  • Catch invalid cookie.maxAge value earlier
  • Deprecate setting cookie.maxAge to a Date object
  • Fix issue where resave: false may not save altered sessions
  • Remove utils-merge dependency
  • Use safe-buffer for improved Buffer API
  • Use Set-Cookie as cookie header name for compatibility
  • deps: depd@~2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
    • perf: remove argument reassignment
  • deps: on-headers@~1.0.2
    • Fix res.writeHead patch missing return value

v1.15.6

Compare Source

===================

  • deps: debug@​2.6.9
  • deps: parseurl@~1.3.2
    • perf: reduce overhead for full URLs
    • perf: unroll the "fast-path" RegExp
  • deps: uid-safe@~2.1.5
    • perf: remove only trailing =
  • deps: utils-merge@​1.0.1

v1.15.5

Compare Source

===================

  • Fix TypeError when req.url is an empty string
  • deps: depd@~1.1.1
    • Remove unnecessary Buffer loading

v1.15.4

Compare Source

===================

  • deps: debug@​2.6.8

v1.15.3

Compare Source

===================

  • deps: debug@​2.6.7
    • deps: ms@​2.0.0

v1.15.2

Compare Source

===================

  • deps: debug@​2.6.3
    • Fix DEBUG_MAX_ARRAY_LENGTH
  • deps: uid-safe@~2.1.4
    • Remove base64-url dependency

v1.15.1

Compare Source

===================

  • deps: debug@​2.6.1
    • Fix deprecation messages in WebStorm and other editors
    • Undeprecate DEBUG_FD set to 1 or 2

v1.15.0

Compare Source

===================

  • Fix detecting modified session when session contains "cookie" property
  • Fix resaving already-saved reloaded session at end of request
  • deps: crc@​3.4.4
    • perf: use Buffer.from when available
  • deps: debug@​2.6.0
    • Allow colors in workers
    • Deprecated DEBUG_FD environment variable
    • Use same color for same namespace
    • Fix error when running under React Native
    • deps: ms@​0.7.2
  • perf: remove unreachable branch in set-cookie method

v1.14.2

Compare Source

===================

  • deps: crc@​3.4.1
    • Fix deprecation warning in Node.js 7.x
  • deps: uid-safe@~2.1.3
    • deps: base64-url@​1.3.3

v1.14.1

Compare Source

===================

  • Fix not always resetting session max age before session save
  • Fix the cookie sameSite option to actually alter the Set-Cookie
  • deps: uid-safe@~2.1.2
    • deps: base64-url@​1.3.2

v1.14.0

Compare Source

===================

  • Correctly inherit from EventEmitter class in Store base class
  • Fix issue where Set-Cookie Expires was not always updated
  • Methods are no longer enumerable on req.session object
  • deps: cookie@​0.3.1
    • Add sameSite option
    • Improve error message when encode is not a function
    • Improve error message when expires is not a Date
    • perf: enable strict mode
    • perf: use for loop in parse
    • perf: use string concatenation for serialization
  • deps: parseurl@~1.3.1
    • perf: enable strict mode
  • deps: uid-safe@~2.1.1
    • Use random-bytes for byte source
    • deps: base64-url@​1.2.2
  • perf: enable strict mode
  • perf: remove argument reassignment

  • If you want to rebase/retry this PR, check this box

@dev-mend-for-github-com dev-mend-for-github-com Bot added the security fix Security fix generated by Mend label Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

security fix Security fix generated by Mend

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants