This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.
Release Notes
jaredhanson/passport (passport)
### [`v0.7.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#070---2023-11-27)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.6.0...v0.7.0)
##### Changed
- Set `req.authInfo` by default when using the `assignProperty` option to
`authenticate()` middleware. This makes the behavior the same as when not using
the option, and can be disabled by setting `authInfo` option to `false`.
### [`v0.6.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#060---2022-05-20)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0)
##### Added
- `authenticate()`, `req#login`, and `req#logout` accept a
`keepSessionInfo: true` option to keep session information after regenerating
the session.
##### Changed
- `req#login()` and `req#logout()` regenerate the the session and clear session
information by default.
- `req#logout()` is now an asynchronous function and requires a callback
function as the last argument.
##### Security
- Improved robustness against session fixation attacks in cases where there is
physical access to the same system or the application is susceptible to
cross-site scripting (XSS).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
^0.5.3->^0.7.0GitHub Vulnerability Alerts
CVE-2022-25896
This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.
Release Notes
jaredhanson/passport (passport)
### [`v0.7.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#070---2023-11-27) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.6.0...v0.7.0) ##### Changed - Set `req.authInfo` by default when using the `assignProperty` option to `authenticate()` middleware. This makes the behavior the same as when not using the option, and can be disabled by setting `authInfo` option to `false`. ### [`v0.6.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#060---2022-05-20) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0) ##### Added - `authenticate()`, `req#login`, and `req#logout` accept a `keepSessionInfo: true` option to keep session information after regenerating the session. ##### Changed - `req#login()` and `req#logout()` regenerate the the session and clear session information by default. - `req#logout()` is now an asynchronous function and requires a callback function as the last argument. ##### Security - Improved robustness against session fixation attacks in cases where there is physical access to the same system or the application is susceptible to cross-site scripting (XSS).Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.