v1.19.0

What's Changed

Main Changes

• Add dynamic cookie options support
  Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.

  var app = express()
  app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: function (req) {
      var match = req.url.match(/^\/([^/]+)/);
      return {
        path: match ? '/' + match[1] : '/',
        httpOnly: true,
        secure: req.secure || false,
        maxAge: 60000
      }
    }
  }))

• Add sameSite 'auto' support for automatic SameSite attribute configuration
  Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

• deps: use tilde notation for dependencies

PRs

• chore: add funding to package.json by @bjohansebas in #1071
• build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @dependabot[bot] in #1086
• build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @dependabot[bot] in #1085
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in #1091
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #1090
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in #1089
• build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @dependabot[bot] in #1088
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @dependabot[bot] in #1082
• refactor: remove unused sess parameter from generateSessionId fun… by @Ayoub-Mabrouk in #1001
• chore: remove history.md from being packaged on publish by @bjohansebas in #1097
• deps: use tilde notation for dependencies by @bjohansebas in #1096
• Add sameSite 'auto' support to match secure 'auto' pattern by @djunehor in #1087
• feat: add support to dynamic cookie options by @lincond in #1027
• Release: 1.19.0 by @UlisesGascon in #1107

New Contributors

• @Ayoub-Mabrouk made their first contribution in #1001
• @djunehor made their first contribution in #1087
• @lincond made their first contribution in #1027

Full Changelog: v1.18.2...v1.19.0

v1.18.2

What's Changed

• fix: Resolve test failure - Refresh server.crt with existing key extending expiry to Nov 21 03:28:10 2034 GMT by @BaileyFirman in #1003
• feat: gencert script to regenerate the test ssl certs by @wesleytodd in #1015
• chore: upgrade scorecard workflow pinned action versions by @carpasse in #1008
• ci: add CodeQL (SAST) by @bjohansebas in #1005
• [StepSecurity] Apply security best practices by @step-security-bot in #1047
• build(deps-dev): bump mocha from 10.2.0 to 10.8.2 by @dependabot[bot] in #1061
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot[bot] in #1048
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 by @dependabot[bot] in #1050
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in #1049
• build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in #1052
• build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in #1051
• chore: fix typos by @noritaka1166 in #1066
• deps: on-headers@1.1.0 by @UlisesGascon in #1069
• 🔖 v1.18.2 by @ctcpip in #1070

New Contributors

• @BaileyFirman made their first contribution in #1003
• @wesleytodd made their first contribution in #1015
• @carpasse made their first contribution in #1008
• @step-security-bot made their first contribution in #1047
• @dependabot[bot] made their first contribution in #1061
• @noritaka1166 made their first contribution in #1066
• @ctcpip made their first contribution in #1070

Full Changelog: v1.18.1...v1.18.2

1.18.1

What's Changed

• chore: add support for OSSF scorecard reporting by @inigomarquinez in #984
• dep: cookie@0.7.2 by @knolleary in #997
• Release: 1.18.1 by @UlisesGascon in #998

New Contributors

• @inigomarquinez made their first contribution in #984
• @knolleary made their first contribution in #997
• @UlisesGascon made their first contribution in #998

Full Changelog: v1.18.0...v1.18.1

1.18.0

• Add debug log for pathname mismatch
• Add partitioned to cookie options
• Add priority to cookie options
• Fix handling errors from setting cookie
• Support any type in secret that crypto.createHmac supports
• deps: cookie@0.6.0
  • Fix expires option to reject invalid dates
  • perf: improve default decode speed
  • perf: remove slow string split in parse
• deps: cookie-signature@1.0.7

1.17.3

• Fix resaving already-saved new session at end of request
• deps: cookie@0.4.2

1.17.2

• Fix res.end patch to always commit headers
• deps: cookie@0.4.1
• deps: safe-buffer@5.2.1

1.17.1

• Fix internal method wrapping error on failed reloads

1.17.0

• deps: cookie@0.4.0
  • Add SameSite=None support
• deps: safe-buffer@5.2.0

1.16.2

• Fix restoring cookie.originalMaxAge when store returns Date
• deps: parseurl@~1.3.3

1.16.1

• Fix error passing data option to Cookie constructor
• Fix uncaught error from bad session data