Skip to content
This repository was archived by the owner on Mar 20, 2023. It is now read-only.

chore(deps): update dependency passport to v0.6.0 [security] #413

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency passport to v0.6.0 [security] #413

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 31, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
passport (source) 0.5.0 -> 0.6.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25896

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Release Notes

jaredhanson/passport

v0.6.0

Compare Source

Added
  • authenticate(), req#login, and req#logout accept a
    keepSessionInfo: true option to keep session information after regenerating
    the session.
Changed
  • req#login() and req#logout() regenerate the the session and clear session
    information by default.
  • req#logout() is now an asynchronous function and requires a callback
    function as the last argument.
Security
  • Improved robustness against session fixation attacks in cases where there is
    physical access to the same system or the application is susceptible to
    cross-site scripting (XSS).

v0.5.3

Compare Source

Fixed
  • initialize() middleware extends request with login(), logIn(),
    logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions
    again, reverting change from 0.5.1.

v0.5.2

Compare Source

Fixed
  • Introduced a compatibility layer for strategies that depend directly on
    passport@0.4.x or earlier (such as passport-azure-ad), which were
    broken by the removal of private variables in passport@0.5.1.

v0.5.1

Compare Source

Added
  • Informative error message in session strategy if session support is not
    available.
Changed
  • authenticate() middleware, rather than initialize() middleware, extends
    request with login(), logIn(), logout(), logOut(), isAuthenticated(),
    and isUnauthenticated() functions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency files label Aug 31, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@KonradSzwarc KonradSzwarc Awaiting requested review from KonradSzwarc KonradSzwarc is a code owner

@MateuszNaKodach MateuszNaKodach Awaiting requested review from MateuszNaKodach

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency files

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant