Release: 1.19.0

[UlisesGascon]

Milestone details: https://github.com/expressjs/session/milestone/3
cc: @expressjs/express-tc

What's included in the HISTORY.md

1.19.0 / 2026-01-22
==========

  * Add dynamic cookie options support
  * Add sameSite 'auto' support for automatic SameSite attribute configuration
  * deps: use tilde notation for dependencies

What's Changed

This will be included in the release details

Main Changes

• Add dynamic cookie options support
  Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.

  var app = express()
  app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: function (req) {
      var match = req.url.match(/^\/([^/]+)/);
      return {
        path: match ? '/' + match[1] : '/',
        httpOnly: true,
        secure: req.secure || false,
        maxAge: 60000
      }
    }
  }))

• Add sameSite 'auto' support for automatic SameSite attribute configuration
  Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

• deps: use tilde notation for dependencies

PRs

• chore: add funding to package.json by @bjohansebas in chore: add funding to package.json #1071
• build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @dependabot[bot] in build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 #1086
• build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @dependabot[bot] in build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 #1085
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 #1091
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 #1090
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 #1089
• build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @dependabot[bot] in build(deps): bump actions/checkout from 4.2.2 to 6.0.0 #1088
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @dependabot[bot] in build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 #1082
• refactor: remove unused sess parameter from generateSessionId fun… by @Ayoub-Mabrouk in refactor: remove unused sess parameter from generateSessionId fun… #1001
• chore: remove history.md from being packaged on publish by @bjohansebas in chore: remove history.md from being packaged on publish #1097
• deps: use tilde notation for dependencies by @bjohansebas in deps: use tilde notation for dependencies #1096
• Add sameSite 'auto' support to match secure 'auto' pattern by @djunehor in Add sameSite 'auto' support to match secure 'auto' pattern #1087
• feat: add support to dynamic cookie options by @lincond in feat: add support to dynamic cookie options #1027

New Contributors

• @Ayoub-Mabrouk made their first contribution in refactor: remove unused sess parameter from generateSessionId fun… #1001
• @djunehor made their first contribution in Add sameSite 'auto' support to match secure 'auto' pattern #1087
• @lincond made their first contribution in feat: add support to dynamic cookie options #1027

Full Changelog: v1.18.2...master