fix(deps): update dependency passport to ^0.6.0 [security] #615

renovate · 2022-07-07T04:59:18Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
passport (source)	`^0.4.1` -> `^0.6.0`

GitHub Vulnerability Alerts

CVE-2022-25896

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Release Notes

jaredhanson/passport

`v0.6.0`

Compare Source

Added

authenticate(), req#login, and req#logout accept a
keepSessionInfo: true option to keep session information after regenerating
the session.

Changed

req#login() and req#logout() regenerate the the session and clear session
information by default.
req#logout() is now an asynchronous function and requires a callback
function as the last argument.

Security

Improved robustness against session fixation attacks in cases where there is
physical access to the same system or the application is susceptible to
cross-site scripting (XSS).

`v0.5.3`

Compare Source

Fixed

initialize() middleware extends request with login(), logIn(),
logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions
again, reverting change from 0.5.1.

`v0.5.2`

Compare Source

Fixed

Introduced a compatibility layer for strategies that depend directly on
[email protected] or earlier (such as passport-azure-ad), which were
broken by the removal of private variables in [email protected].

`v0.5.1`

Compare Source

Added

Informative error message in session strategy if session support is not
available.

Changed

authenticate() middleware, rather than initialize() middleware, extends
request with login(), logIn(), logout(), logOut(), isAuthenticated(),
and isUnauthenticated() functions.

`v0.5.0`

Compare Source

Changed

initialize() middleware extends request with login(), logIn(),
logout(), logOut(), isAuthenticated(), and isUnauthenticated()
functions.

Removed

login(), logIn(), logout(), logOut(), isAuthenticated(), and
isUnauthenticated() functions no longer added to http.IncomingMessage.prototype.

Fixed

userProperty option to initialize() middleware only affects the current
request, rather than all requests processed via singleton Passport instance,
eliminating a race condition in situations where initialize() middleware is
used multiple times in an application with userProperty set to different
values.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot added the dependencies Pull requests that update a dependency file label Jul 7, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 3055aff to 7a86e58 Compare July 7, 2022 09:51

renovate bot changed the title ~~fix(deps): pin dependency passport to v [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Jul 7, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 7a86e58 to 2f98aa3 Compare July 16, 2022 12:04

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v [security] Jul 16, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 2f98aa3 to f3439f0 Compare July 16, 2022 13:41

renovate bot changed the title ~~fix(deps): pin dependency passport to v [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Jul 16, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from f3439f0 to f78eab7 Compare July 16, 2022 21:30

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v [security] Jul 16, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from f78eab7 to b4e7261 Compare July 16, 2022 21:34

renovate bot changed the title ~~fix(deps): pin dependency passport to v [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Jul 16, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from b4e7261 to e5e0a9c Compare July 21, 2022 05:37

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v [security] Jul 21, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from e5e0a9c to 79a8320 Compare July 21, 2022 13:39

renovate bot changed the title ~~fix(deps): pin dependency passport to v [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Jul 21, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 79a8320 to 2f1985e Compare July 24, 2022 10:36

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v [security] Jul 24, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 2f1985e to 0a5457f Compare July 24, 2022 12:49

renovate bot changed the title ~~fix(deps): pin dependency passport to v [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Jul 24, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 0a5457f to b4d6e75 Compare August 1, 2022 15:11

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v [security] Aug 1, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from b4d6e75 to 2cc0054 Compare August 1, 2022 19:56

renovate bot changed the title ~~fix(deps): pin dependency passport to v [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Aug 1, 2022

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to [security] Aug 9, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch 2 times, most recently from f4a94c7 to 877f695 Compare August 9, 2022 17:52

renovate bot changed the title ~~fix(deps): pin dependency passport to [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Aug 9, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 877f695 to 8d9347f Compare August 20, 2022 16:45

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v0.4.1 [security] Aug 20, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 8d9347f to 85e55a2 Compare August 20, 2022 19:28

renovate bot changed the title ~~fix(deps): pin dependency passport to v0.4.1 [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Aug 20, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 85e55a2 to 6e35f0d Compare August 22, 2022 13:50

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v0.4.1 [security] Aug 22, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 6e35f0d to a2530c2 Compare August 22, 2022 17:39

renovate bot changed the title ~~fix(deps): pin dependency passport to v0.4.1 [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Aug 22, 2022

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v0.4.1 [security] Aug 30, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from a2530c2 to 29d1ff6 Compare August 30, 2022 13:31

renovate bot changed the title ~~fix(deps): pin dependency passport to v0.4.1 [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Aug 30, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 29d1ff6 to 645a04a Compare August 30, 2022 18:02

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v0.4.1 [security] Sep 2, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch 2 times, most recently from 0ec5d2d to ed6e5f4 Compare September 2, 2022 12:58

renovate bot changed the title ~~fix(deps): pin dependency passport to v0.4.1 [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Sep 2, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from ed6e5f4 to dc69853 Compare September 6, 2022 12:51

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v0.4.1 [security] Sep 6, 2022

renovate bot changed the title ~~fix(deps): pin dependency passport to v0.4.1 [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Sep 6, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from dc69853 to af7f827 Compare September 6, 2022 16:30

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v0.4.1 [security] Sep 7, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch 2 times, most recently from 807bda0 to 7e617d6 Compare September 7, 2022 21:17

renovate bot changed the title ~~fix(deps): pin dependency passport to v0.4.1 [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Sep 7, 2022

renovate bot changed the title ~~fix(deps): update dependency passport to ^0.6.0 [security]~~ fix(deps): pin dependency passport to v0.4.1 [security] Sep 14, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch 2 times, most recently from 4c5ad48 to 8516194 Compare September 14, 2022 23:29

renovate bot changed the title ~~fix(deps): pin dependency passport to v0.4.1 [security]~~ fix(deps): update dependency passport to ^0.6.0 [security] Sep 14, 2022

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from 8516194 to d461748 Compare March 17, 2023 05:35

fix(deps): update dependency passport to ^0.6.0 [security]

67c80bc

renovate bot force-pushed the renovate/npm-passport-vulnerability branch from d461748 to 67c80bc Compare April 27, 2023 20:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency passport to ^0.6.0 [security] #615

fix(deps): update dependency passport to ^0.6.0 [security] #615

renovate bot commented Jul 7, 2022 •

edited

Loading

fix(deps): update dependency passport to ^0.6.0 [security] #615

Are you sure you want to change the base?

fix(deps): update dependency passport to ^0.6.0 [security] #615

Conversation

renovate bot commented Jul 7, 2022 • edited Loading

GitHub Vulnerability Alerts

CVE-2022-25896

Release Notes

v0.6.0

Added

Changed

Security

v0.5.3

Fixed

v0.5.2

Fixed

v0.5.1

Added

Changed

v0.5.0

Changed

Removed

Fixed

Configuration

renovate bot commented Jul 7, 2022 •

edited

Loading

`v0.6.0`

`v0.5.3`

`v0.5.2`

`v0.5.1`

`v0.5.0`