Skip to content

chore: update dependency passport to ^0.7.0 [security]#11124

Closed
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-passport-vulnerability
Closed

chore: update dependency passport to ^0.7.0 [security]#11124
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-passport-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 10, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
passport (source) ^0.5.3 -> ^0.7.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25896

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Release Notes

jaredhanson/passport (passport)

v0.7.0

Compare Source

Changed
  • Set req.authInfo by default when using the assignProperty option to
    authenticate() middleware. This makes the behavior the same as when not using
    the option, and can be disabled by setting authInfo option to false.

v0.6.0

Compare Source

Added
  • authenticate(), req#login, and req#logout accept a
    keepSessionInfo: true option to keep session information after regenerating
    the session.
Changed
  • req#login() and req#logout() regenerate the the session and clear session
    information by default.
  • req#logout() is now an asynchronous function and requires a callback
    function as the last argument.
Security
  • Improved robustness against session fixation attacks in cases where there is
    physical access to the same system or the application is susceptible to
    cross-site scripting (XSS).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from raymondfeng as a code owner August 10, 2025 15:12
@renovate renovate bot added dependencies Pull requests that update a dependency file SECURITY labels Aug 10, 2025
@renovate
chore: update dependency passport to ^0.6.0 [security]
227828e 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title chore: update dependency passport to ^0.7.0 [security] chore: update dependency passport to ^0.6.0 [security] Aug 10, 2025
@renovate renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 325e0be to 227828e Compare August 10, 2025 17:41
@dhmlau dhmlau closed this Aug 10, 2025
@renovate renovate bot changed the title chore: update dependency passport to ^0.6.0 [security] chore: update dependency passport to ^0.7.0 [security] Aug 10, 2025
@renovate
Copy link
Contributor Author

renovate bot commented Aug 10, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^0.7.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raymondfeng raymondfeng Awaiting requested review from raymondfeng raymondfeng is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file SECURITY

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dhmlau