passport-unique-token icon indicating copy to clipboard operation
passport-unique-token copied to clipboard

Published 20 hours ago verified publisher icon lughino

chore(deps): update dependency passport to ^0.6.0 [security]

Open renovate[bot] opened this issue 3 years ago • 0 comments

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
passport (source) ^0.4.1 -> ^0.6.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25896

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Release Notes

jaredhanson/passport (passport)

v0.6.0

Compare Source

Added
  • authenticate(), req#login, and req#logout accept a keepSessionInfo: true option to keep session information after regenerating the session.
Changed
  • req#login() and req#logout() regenerate the the session and clear session information by default.
  • req#logout() is now an asynchronous function and requires a callback function as the last argument.
Security
  • Improved robustness against session fixation attacks in cases where there is physical access to the same system or the application is susceptible to cross-site scripting (XSS).

v0.5.3

Compare Source

Fixed
  • initialize() middleware extends request with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions again, reverting change from 0.5.1.

v0.5.2

Compare Source

Fixed
  • Introduced a compatibility layer for strategies that depend directly on [email protected] or earlier (such as passport-azure-ad), which were broken by the removal of private variables in [email protected].

v0.5.1

Compare Source

Added
  • Informative error message in session strategy if session support is not available.
Changed
  • authenticate() middleware, rather than initialize() middleware, extends request with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions.

v0.5.0

Compare Source

Changed
  • initialize() middleware extends request with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions.
Removed
  • login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions no longer added to http.IncomingMessage.prototype.
Fixed
  • userProperty option to initialize() middleware only affects the current request, rather than all requests processed via singleton Passport instance, eliminating a race condition in situations where initialize() middleware is used multiple times in an application with userProperty set to different values.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Sep 25 '22 17:09 renovate[bot]