expressjs
fix(res): handle null maxAge gracefully in res.cookie() and updated the dependency "cookie" to the 1.0.2 latest version
This pull request fixes an edge case in res.cookie() where specifying maxAge: null caused the function to produce incorrect cookie headers or throw an internal error when updated to 1.0.2
Previously, maxAge: null was not normalized and led to unintended conversion to 0, causing an undesired Expires header (Max-Age=0). This behavior conflicted with Express’s intended semantics, where null should mean “no expiration — session cookie”.
Updated Behavior
When maxAge is explicitly null, it is now normalized to undefined. The cookie is serialized without Expires or Max-Age fields (consistent with session cookies). Existing logic for finite and numeric maxAge values remains unchanged. All test cases, including res.cookie(name, string, options) maxAge should not throw on null, now pass successfully.
Implementation Summary
In lib/response.js, the logic under res.cookie() was updated:
if (opts.maxAge === null) {
opts.maxAge = undefined;
}
This ensures that null values are excluded from expiration logic.
Test Results
- In cookie 1.0.2 Test:
1238 passing (11s)
0 failing
Version :
npm list cookie
[email protected] C:\Coding Project\Git\express
├─┬ [email protected]
│ └── [email protected]
├── [email protected]
└─┬ [email protected]
└── [email protected]
- In cookie 0.7.2 Test:
1238 passing (11s)
Version:
npm list cookie
[email protected] C:\Coding Project\Git\express
├─┬ [email protected]
│ └── [email protected] deduped
├── [email protected]
└─┬ [email protected]
└── [email protected] deduped
Motivation
This change improves compatibility with earlier Express 4.x behavior, aligns with the HTTP cookie specification for session cookies, and maintains backward compatibility with existing user code.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
| Diff | Package | Supply Chain Security |
Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
 | cookie@1.0.2 |  | | |  | |
![socket-security[bot] avatar](https://avatars.githubusercontent.com/in/156372?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thanks for the PR!
This PR feels a bit off, as far as I can see maxAge: null already works fine. I think you are self introducing a regression by updating cookie to 1.0.2. If updating cookie is the goal, IMO that should be a separate PR with its own discussion and tests.
Thanks for the PR!
This PR feels a bit off, as far as I can see
maxAge: nullalready works fine. I think you are self introducing a regression by updatingcookieto1.0.2. If updatingcookieis the goal, IMO that should be a separate PR with its own discussion and tests.
yes, you are right i am trying to update the cookie to 1.0.2 but in the new cookie module, null values are not ignored and it throws a error if normally updated so i also updated the test to convert the null to undefined so now it ignores and this approach is backward compatible so that's the reason why i made this PR it updates and handles tests and modules
the bigger question now is why we need separate discussion for updating cookie if it is handled here is there any kind of security threats in cookie module or do you feel it is a unnecessary update
Hi @SaisakthiM, I'd say I've made my points already about the PR. Let's wait for others to chime in. Let's not tag them directly, though, because the team is really busy.
Keep in mind this doesn't mean that your PR is bad or anything. We just need more opinions before making a final decision.
Hi @SaisakthiM, I'd say I've made my points already about the PR. Let's wait for others to chime in. Let's not tag them directly, though, because the team is really busy.
Keep in mind this doesn't mean that your PR is bad or anything. We just need more opinions before making a final decision.
sorry for that i did not know that you guys are busy take your time i don't want to rush things