Skip to content

Bump express-session and @types/express-session#138

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-c1f06d0cde
Open

Bump express-session and @types/express-session#138
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-c1f06d0cde

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 4, 2026
edited
Loading

Bumps express-session and @types/express-session. These dependencies needed to be updated together.
Updates express-session from 1.17.3 to 1.19.0

Release notes

Sourced from express-session's releases.

v1.19.0

What's Changed

Main Changes

  • Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.

    var app = express()
app.use(session({
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: true,
  cookie: function (req) {
    var match = req.url.match(/^\/([^/]+)/);
    return {
      path: match ? '/' + match[1] : '/',
      httpOnly: true,
      secure: req.secure || false,
      maxAge: 60000
    }
  }
}))

  • Add sameSite 'auto' support for automatic SameSite attribute configuration Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

  • deps: use tilde notation for dependencies

PRs

New Contributors

... (truncated)

Changelog

Sourced from express-session's changelog.

1.19.0 / 2026-01-22

  • Add dynamic cookie options support
  • Add sameSite 'auto' support for automatic SameSite attribute configuration
  • deps: use tilde notation for dependencies

1.18.2 / 2025-07-17

1.18.1 / 2024-10-08

  • deps: cookie@0.7.2
    • Fix object assignment of hasOwnProperty
  • deps: cookie@0.7.1
    • Allow leading dot for domain
      • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
    • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
  • deps: cookie@0.7.0
    • perf: parse cookies ~10% faster
    • fix: narrow the validation of cookies to match RFC6265
    • fix: add main to package.json for rspack

1.18.0 / 2024-01-28

  • Add debug log for pathname mismatch
  • Add partitioned to cookie options
  • Add priority to cookie options
  • Fix handling errors from setting cookie
  • Support any type in secret that crypto.createHmac supports
  • deps: cookie@0.6.0
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: cookie-signature@1.0.7
Commits
  • c10b2a3 1.19.0 (#1107)
  • 2673736 feat: add support to dynamic cookie options (#1027)
  • 73e0193 Add sameSite 'auto' support to match secure 'auto' pattern (#1087)
  • 264b6a0 deps: use tilde notation for dependencies (#1096)
  • 6d69f09 chore: remove history.md from being packaged on publish (#1097)
  • 00b8a5f refactor: remove unused sess parameter from generateSessionId function (#...
  • 2cd6561 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1082)
  • 1307f30 build(deps): bump actions/checkout from 4.2.2 to 6.0.0 (#1088)
  • 0e7a438 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#1089)
  • a095a9a build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1090)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express-session since your current version.


Updates @types/express-session from 1.17.7 to 1.18.2

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 4, 2026
@dependabot dependabot bot requested a review from ts-ron as a code owner February 4, 2026 08:16
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 4, 2026
@dependabot dependabot bot added the javascript Pull requests that update javascript code label Feb 4, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-c1f06d0cde branch from a10f816 to 8475d9a Compare February 6, 2026 13:24
@dependabot
Bump express-session and @types/express-session
52ba4e3 
Bumps [express-session](https://github.com/expressjs/session) and [@types/express-session](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express-session). These dependencies needed to be updated together.

Updates `express-session` from 1.17.3 to 1.19.0
- [Release notes](https://github.com/expressjs/session/releases)
- [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md)
- [Commits](expressjs/session@v1.17.3...v1.19.0)

Updates `@types/express-session` from 1.17.7 to 1.18.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express-session)

---
updated-dependencies:
- dependency-name: express-session
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: "@types/express-session"
  dependency-version: 1.18.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-c1f06d0cde branch from 8475d9a to 52ba4e3 Compare February 6, 2026 13:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ts-ron ts-ron Awaiting requested review from ts-ron ts-ron is a code owner

@buenonadav buenonadav Awaiting requested review from buenonadav buenonadav is a code owner

@Idan-Berman Idan-Berman Awaiting requested review from Idan-Berman Idan-Berman is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants