This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.
Release Notes
jaredhanson/passport (passport)
### [`v0.6.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#060---2022-05-20)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0)
##### Added
- `authenticate()`, `req#login`, and `req#logout` accept a
`keepSessionInfo: true` option to keep session information after regenerating
the session.
##### Changed
- `req#login()` and `req#logout()` regenerate the the session and clear session
information by default.
- `req#logout()` is now an asynchronous function and requires a callback
function as the last argument.
##### Security
- Improved robustness against session fixation attacks in cases where there is
physical access to the same system or the application is susceptible to
cross-site scripting (XSS).
### [`v0.5.3`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#053---2022-05-16)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.2...v0.5.3)
##### Fixed
- `initialize()` middleware extends request with `login()`, `logIn()`,
`logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions
again, reverting change from 0.5.1.
### [`v0.5.2`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#052---2021-12-16)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.1...v0.5.2)
##### Fixed
- Introduced a compatibility layer for strategies that depend directly on
`passport@0.4.x` or earlier (such as `passport-azure-ad`), which were
broken by the removal of private variables in `passport@0.5.1`.
### [`v0.5.1`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#051---2021-12-15)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.0...v0.5.1)
##### Added
- Informative error message in session strategy if session support is not
available.
##### Changed
- `authenticate()` middleware, rather than `initialize()` middleware, extends
request with `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`,
and `isUnauthenticated()` functions.
### [`v0.5.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#050---2021-09-23)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.4.1...v0.5.0)
##### Changed
- `initialize()` middleware extends request with `login()`, `logIn()`,
`logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()`
functions.
##### Removed
- `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and
`isUnauthenticated()` functions no longer added to `http.IncomingMessage.prototype`.
##### Fixed
- `userProperty` option to `initialize()` middleware only affects the current
request, rather than all requests processed via singleton Passport instance,
eliminating a race condition in situations where `initialize()` middleware is
used multiple times in an application with `userProperty` set to different
values.
[Unreleased]: https://togithub.com/jaredhanson/passport/compare/v0.6.0...HEAD
[0.6.0]: https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0
[0.5.3]: https://togithub.com/jaredhanson/passport/compare/v0.5.2...v0.5.3
[0.5.2]: https://togithub.com/jaredhanson/passport/compare/v0.5.1...v0.5.2
[0.5.1]: https://togithub.com/jaredhanson/passport/compare/v0.5.0...v0.5.1
### [`v0.4.1`](https://togithub.com/jaredhanson/passport/compare/v0.4.0...v0.4.1)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.4.0...v0.4.1)
### [`v0.4.0`](https://togithub.com/jaredhanson/passport/compare/v0.3.2...v0.4.0)
[Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.3.2...v0.4.0)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
^0.3.2
->^0.6.0
GitHub Vulnerability Alerts
CVE-2022-25896
This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.
Release Notes
jaredhanson/passport (passport)
### [`v0.6.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#060---2022-05-20) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0) ##### Added - `authenticate()`, `req#login`, and `req#logout` accept a `keepSessionInfo: true` option to keep session information after regenerating the session. ##### Changed - `req#login()` and `req#logout()` regenerate the the session and clear session information by default. - `req#logout()` is now an asynchronous function and requires a callback function as the last argument. ##### Security - Improved robustness against session fixation attacks in cases where there is physical access to the same system or the application is susceptible to cross-site scripting (XSS). ### [`v0.5.3`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#053---2022-05-16) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.2...v0.5.3) ##### Fixed - `initialize()` middleware extends request with `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions again, reverting change from 0.5.1. ### [`v0.5.2`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#052---2021-12-16) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.1...v0.5.2) ##### Fixed - Introduced a compatibility layer for strategies that depend directly on `passport@0.4.x` or earlier (such as `passport-azure-ad`), which were broken by the removal of private variables in `passport@0.5.1`. ### [`v0.5.1`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#051---2021-12-15) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.5.0...v0.5.1) ##### Added - Informative error message in session strategy if session support is not available. ##### Changed - `authenticate()` middleware, rather than `initialize()` middleware, extends request with `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions. ### [`v0.5.0`](https://togithub.com/jaredhanson/passport/blob/HEAD/CHANGELOG.md#050---2021-09-23) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.4.1...v0.5.0) ##### Changed - `initialize()` middleware extends request with `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions. ##### Removed - `login()`, `logIn()`, `logout()`, `logOut()`, `isAuthenticated()`, and `isUnauthenticated()` functions no longer added to `http.IncomingMessage.prototype`. ##### Fixed - `userProperty` option to `initialize()` middleware only affects the current request, rather than all requests processed via singleton Passport instance, eliminating a race condition in situations where `initialize()` middleware is used multiple times in an application with `userProperty` set to different values. [Unreleased]: https://togithub.com/jaredhanson/passport/compare/v0.6.0...HEAD [0.6.0]: https://togithub.com/jaredhanson/passport/compare/v0.5.3...v0.6.0 [0.5.3]: https://togithub.com/jaredhanson/passport/compare/v0.5.2...v0.5.3 [0.5.2]: https://togithub.com/jaredhanson/passport/compare/v0.5.1...v0.5.2 [0.5.1]: https://togithub.com/jaredhanson/passport/compare/v0.5.0...v0.5.1 ### [`v0.4.1`](https://togithub.com/jaredhanson/passport/compare/v0.4.0...v0.4.1) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.4.0...v0.4.1) ### [`v0.4.0`](https://togithub.com/jaredhanson/passport/compare/v0.3.2...v0.4.0) [Compare Source](https://togithub.com/jaredhanson/passport/compare/v0.3.2...v0.4.0)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.