Skip to content

Update dependency passport to v0.6.0 [SECURITY]#177

Open
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-passport-vulnerability
Open

Update dependency passport to v0.6.0 [SECURITY]#177
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-passport-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
passport (source) 0.5.20.6.0 age confidence

Passport vulnerable to session regeneration when a users logs in or out

CVE-2022-25896 / GHSA-v923-w3x8-wh69

More information

Details

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

jaredhanson/passport (passport)

v0.6.0

Compare Source

Added
  • authenticate(), req#login, and req#logout accept a
    keepSessionInfo: true option to keep session information after regenerating
    the session.
Changed
  • req#login() and req#logout() regenerate the the session and clear session
    information by default.
  • req#logout() is now an asynchronous function and requires a callback
    function as the last argument.
Security
  • Improved robustness against session fixation attacks in cases where there is
    physical access to the same system or the application is susceptible to
    cross-site scripting (XSS).

v0.5.3

Compare Source

Fixed
  • initialize() middleware extends request with login(), logIn(),
    logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions
    again, reverting change from 0.5.1.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Author

renovate Bot commented Aug 6, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: mongoose-auto-increment@5.0.1
npm ERR! Found: mongoose@5.13.13
npm ERR! node_modules/mongoose
npm ERR!   mongoose@"5.13.13" from the root project
npm ERR!   peer mongoose@"*" from mongoose-legacy-pluralize@1.0.2
npm ERR!   node_modules/mongoose-legacy-pluralize
npm ERR!     mongoose-legacy-pluralize@"1.0.2" from mongoose@5.13.13
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer mongoose@"^4.1.12" from mongoose-auto-increment@5.0.1
npm ERR! node_modules/mongoose-auto-increment
npm ERR!   mongoose-auto-increment@"5.0.1" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: mongoose@4.13.21
npm ERR! node_modules/mongoose
npm ERR!   peer mongoose@"^4.1.12" from mongoose-auto-increment@5.0.1
npm ERR!   node_modules/mongoose-auto-increment
npm ERR!     mongoose-auto-increment@"5.0.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-04-29T10_33_59_664Z-debug-0.log

@renovate renovate Bot changed the title Update dependency passport to v0.6.0 [SECURITY] Update dependency passport to v0.6.0 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-passport-vulnerability branch March 27, 2026 01:51
@renovate renovate Bot changed the title Update dependency passport to v0.6.0 [SECURITY] - autoclosed Update dependency passport to v0.6.0 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-passport-vulnerability branch 2 times, most recently from be67e51 to be16cd7 Compare March 30, 2026 17:55
@renovate renovate Bot changed the title Update dependency passport to v0.6.0 [SECURITY] Update dependency passport to v0.6.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency passport to v0.6.0 [SECURITY] - autoclosed Update dependency passport to v0.6.0 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-passport-vulnerability branch from be16cd7 to e955f24 Compare April 27, 2026 23:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants