Merge branch 'master' of github.com:expressjs/session into chore/generateSessionId

bjohansebas · bjohansebas · commit e687fd14e28f · 2025-12-17T20:49:10.000-05:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: monthly
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
 - pull_request
 - push
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -79,33 +82,34 @@ jobs:
 
         - name: Node.js 8.x
           node-version: "8.17"
-          npm-i: mocha@7.2.0 nyc@14.1.1
+          npm-i: mocha@7.2.0 nyc@14.1.1 supertest@6.1.6
 
         - name: Node.js 9.x
           node-version: "9.11"
-          npm-i: mocha@7.2.0 nyc@14.1.1
+          npm-i: mocha@7.2.0 nyc@14.1.1 supertest@6.1.6
 
         - name: Node.js 10.x
           node-version: "10.24"
-          npm-i: mocha@8.4.0
+          npm-i: mocha@8.4.0 supertest@6.1.6
 
         - name: Node.js 11.x
           node-version: "11.15"
-          npm-i: mocha@8.4.0
+          npm-i: mocha@8.4.0 supertest@6.1.6
 
         - name: Node.js 12.x
           node-version: "12.22"
-          npm-i: mocha@9.2.2
+          npm-i: mocha@9.2.2 supertest@6.1.6
 
         - name: Node.js 13.x
           node-version: "13.14"
-          npm-i: mocha@9.2.2
+          npm-i: mocha@9.2.2 supertest@6.1.6
 
         - name: Node.js 14.x
           node-version: "14.21"
 
         - name: Node.js 15.x
-          node-version: "15.14"
+          node-version: "15.14" 
+          npm-i: supertest@6.1.6
 
         - name: Node.js 16.x
           node-version: "16.20"
@@ -126,7 +130,7 @@ jobs:
           node-version: "21.6"
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Install Node.js ${{ matrix.node-version }}
       shell: bash -eo pipefail -l {0}
@@ -185,7 +189,7 @@ jobs:
       run: |
         if npm -ps ls nyc | grep -q nyc; then
           npm run test-ci
-          cp coverage/lcov.info "coverage/${{ matrix.name }}.lcov"
+          cp coverage/lcov.info "coverage/${{ matrix.node-version }}.lcov"
         else
           npm test
         fi
@@ -198,40 +202,42 @@ jobs:
       if: steps.list_env.outputs.nyc != ''
       run: |
         if [[ -d ./coverage ]]; then
-          mv ./coverage "./${{ matrix.name }}"
+          mv ./coverage "./${{ matrix.node-version }}"
           mkdir ./coverage
-          mv "./${{ matrix.name }}" "./coverage/${{ matrix.name }}"
+          mv "./${{ matrix.node-version }}" "./coverage/${{ matrix.node-version }}"
         fi
 
     - name: Upload code coverage
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       if: steps.list_env.outputs.nyc != ''
       with:
-        name: coverage
-        path: ./coverage
+        name: coverage-${{ matrix.node-version }}
+        path: "./coverage/${{ matrix.node-version }}"
         retention-days: 1
 
   coverage:
+    permissions:
+      checks: write  # for coverallsapp/github-action to create new checks
+      contents: read  # for actions/checkout to fetch code
     needs: test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Install lcov
       shell: bash
       run: sudo apt-get -y install lcov
 
     - name: Collect coverage reports
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
-        name: coverage
         path: ./coverage
 
     - name: Merge coverage reports
       shell: bash
       run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./coverage/lcov.info
 
     - name: Upload coverage report
-      uses: coverallsapp/github-action@master
+      uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # master
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,66 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
+        with:
+          languages: javascript
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      # - name: Autobuild
+      #   uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
+        with:
+          category: "/language:javascript"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -33,12 +33,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -60,14 +60,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2
+        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,5 @@ coverage
 node_modules
 npm-debug.log
 package-lock.json
+/test/fixtures/server.crt
+/test/fixtures/server.key
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,9 @@
+1.18.2 / 2025-07-17
+==========
+  * deps: mocha@10.8.2
+  * deps: on-headers@~1.1.0
+    - Fix [CVE-2025-7339](https://www.cve.org/CVERecord?id=CVE-2025-7339) ([GHSA-76c9-3jph-rj3q](https://github.com/expressjs/on-headers/security/advisories/GHSA-76c9-3jph-rj3q))
+
 1.18.1 / 2024-10-08
 ==========
 
@@ -166,7 +172,7 @@
     - Improve error message when `expires` is not a `Date`
     - perf: enable strict mode
     - perf: use for loop in parse
-    - perf: use string concatination for serialization
+    - perf: use string concatenation for serialization
   * deps: parseurl@~1.3.1
     - perf: enable strict mode
   * deps: uid-safe@~2.1.1
diff --git a/README.md b/README.md
@@ -269,7 +269,7 @@ With this enabled, the session identifier cookie will expire in
 [`maxAge`](#cookiemaxage) since the last response was sent instead of in
 [`maxAge`](#cookiemaxage) since the session was last modified by the server.
 
-This is typically used in conjuction with short, non-session-length
+This is typically used in conjunction with short, non-session-length
 [`maxAge`](#cookiemaxage) values to provide a quick timeout of the session data
 with reduced potential of it occurring during on going server interactions.
 
@@ -773,7 +773,7 @@ a [variety of storage types](https://www.npmjs.com/package/cache-manager#store-e
 [express-session-level-url]: https://www.npmjs.com/package/express-session-level
 [express-session-level-image]: https://badgen.net/github/stars/tgohn/express-session-level?label=%E2%98%85
 
-[![★][express-session-rsdb-image] express-session-rsdb][express-session-rsdb-url] Session store based on Rocket-Store: A very simple, super fast and yet powerfull, flat file database.
+[![★][express-session-rsdb-image] express-session-rsdb][express-session-rsdb-url] Session store based on Rocket-Store: A very simple, super fast and yet powerful, flat file database.
 
 [express-session-rsdb-url]: https://www.npmjs.com/package/express-session-rsdb
 [express-session-rsdb-image]: https://badgen.net/github/stars/paragi/express-session-rsdb?label=%E2%98%85
diff --git a/package.json b/package.json
@@ -1,20 +1,24 @@
 {
   "name": "express-session",
-  "version": "1.18.1",
+  "version": "1.18.2",
   "description": "Simple session middleware for Express",
   "author": "TJ Holowaychuk <tj@vision-media.ca> (http://tjholowaychuk.com)",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>",
     "Joe Wagner <njwjs722@gmail.com>"
   ],
   "repository": "expressjs/session",
+  "funding": {
+    "type": "opencollective",
+    "url": "https://opencollective.com/express"
+  },
   "license": "MIT",
   "dependencies": {
     "cookie": "0.7.2",
     "cookie-signature": "1.0.7",
     "debug": "2.6.9",
     "depd": "~2.0.0",
-    "on-headers": "~1.0.2",
+    "on-headers": "~1.1.0",
     "parseurl": "~1.3.3",
     "safe-buffer": "5.2.1",
     "uid-safe": "~2.1.5"
@@ -25,7 +29,7 @@
     "eslint": "8.56.0",
     "eslint-plugin-markdown": "3.0.1",
     "express": "4.17.3",
-    "mocha": "10.2.0",
+    "mocha": "10.8.2",
     "nyc": "15.1.0",
     "supertest": "6.3.4"
   },
@@ -39,7 +43,7 @@
   },
   "scripts": {
     "lint": "eslint . && node ./scripts/lint-readme.js",
-    "test": "mocha --require test/support/env --check-leaks --bail --no-exit --reporter spec test/",
+    "test": "./test/support/gencert.sh && mocha --require test/support/env --check-leaks --bail --no-exit --reporter spec test/",
     "test-ci": "nyc --reporter=lcov --reporter=text npm test",
     "test-cov": "nyc npm test",
     "version": "node scripts/version-history.js && git add HISTORY.md"
diff --git a/scripts/version-history.js b/scripts/version-history.js
@@ -16,7 +16,7 @@ if (!MD_HEADER_REGEXP.test(historyFileLines[1])) {
 }
 
 if (!VERSION_PLACEHOLDER_REGEXP.test(historyFileLines[0])) {
-  console.error('Missing placegolder version in HISTORY.md')
+  console.error('Missing placeholder version in HISTORY.md')
   process.exit(1)
 }
 
diff --git a/test/fixtures/.gitkeep b/test/fixtures/.gitkeep
diff --git a/test/fixtures/server.crt b/test/fixtures/server.crt
diff --git a/test/fixtures/server.key b/test/fixtures/server.key
diff --git a/test/session.js b/test/session.js
@@ -1710,7 +1710,7 @@ describe('session()', function(){
         })
       })
 
-      it('should not override an overriden `reload` in case of errors',  function (done) {
+      it('should not override an overridden `reload` in case of errors',  function (done) {
         var store = new session.MemoryStore()
         var server = createServer({ store: store, resave: false }, function (req, res) {
           if (req.url === '/') {
diff --git a/test/support/gencert.sh b/test/support/gencert.sh
@@ -0,0 +1,5 @@
+#! /bin/sh
+set -ex
+
+openssl req -x509 -nodes -newkey rsa:2048 -keyout ./test/fixtures/server.key -out ./test/fixtures/server.crt -days 3650 \
+-subj "/C=US/ST=Illinois/L=Chicago/O=node-express-session/CN=express-session.local"

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ if (!MD_HEADER_REGEXP.test(historyFileLines[1])) {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`if (!VERSION_PLACEHOLDER_REGEXP.test(historyFileLines[0])) {`
`19`		`- console.error('Missing placegolder version in HISTORY.md')`
	`19`	`+ console.error('Missing placeholder version in HISTORY.md')`
`20`	`20`	`process.exit(1)`
`21`	`21`	`}`
`22`	`22`