search

saurabharch / rollout

Rollout Server is complete Marketing Automation Tools with Enrich XBOSS (Experience Business Operating Software System)
https://saurabharch.github.io/rollout/
MIT License
3 stars 3 forks source link

Update dependency passport to ^0.6.0 [SECURITY] #424

Closed renovate[bot] closed 9 months ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
passport (source) ^0.4.1 -> ^0.6.0 age adoption passing confidence

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-25896

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Release Notes

jaredhanson/passport (passport) ### [`v0.6.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#060---2022-05-20) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0) ##### Added - `authenticate()`, `req#login`, and `req#logout` accept a `keepSessionInfo: true` option to keep session information after regenerating the session. ##### Changed - `req#login()` and `req#logout()` regenerate the the session and clear session information by default. - `req#logout()` is now an asynchronous function and requires a callback function as the last argument. ##### Security - Improved robustness against session fixation attacks in cases where there is physical access to the same system or the application is susceptible to cross-site scripting (XSS). ### [`v0.5.3`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#053---2022-05-16) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.2...v0.5.3) ##### Fixed - `initialize()` middleware extends request with `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions again, reverting change from 0.5.1. ### [`v0.5.2`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#052---2021-12-16) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.1...v0.5.2) ##### Fixed - Introduced a compatibility layer for strategies that depend directly on `passport@0.4.x` or earlier (such as `passport-azure-ad`), which were broken by the removal of private variables in `passport@0.5.1`. ### [`v0.5.1`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#051---2021-12-15) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.0...v0.5.1) ##### Added - Informative error message in session strategy if session support is not available. ##### Changed - `authenticate()` middleware, rather than `initialize()` middleware, extends request with `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions. ### [`v0.5.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#050---2021-09-23) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.4.1...v0.5.0) ##### Changed - `initialize()` middleware extends request with `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions. ##### Removed - `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions no longer added to `http.IncomingMessage.prototype`. ##### Fixed - `userProperty` option to `initialize()` middleware only affects the current request, rather than all requests processed via singleton Passport instance, eliminating a race condition in situations where `initialize()` middleware is used multiple times in an application with `userProperty` set to different values. [Unreleased]: https://togithub.com/jaredhanson/passport/compare/v0.6.0...HEAD [0.6.0]: https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0 [0.5.3]: https://togithub.com/jaredhanson/passport/compare/v0.5.2...v0.5.3 [0.5.2]: https://togithub.com/jaredhanson/passport/compare/v0.5.1...v0.5.2 [0.5.1]: https://togithub.com/jaredhanson/passport/compare/v0.5.0...v0.5.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

vercel[bot] commented 1 year ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
rollout ❌ Failed (Inspect) Oct 30, 2023 10:20am
github-actions[bot] commented 9 months ago

Stale pull request message

renovate[bot] commented 9 months ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^0.6.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.