[Snyk] Upgrade express-session from 1.17.3 to 1.19.0

[LeoMuchuki]

Snyk has created this PR to upgrade express-session from 1.17.3 to 1.19.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 4 versions ahead of your current version.

• The recommended version was released 23 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	624	No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-14724253	624	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	624	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	624	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	624	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	624	No Known Exploit
	Improper Handling of Unexpected Data Type SNYK-JS-ONHEADERS-10773729	624	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	624	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	624	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	624	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	624	No Known Exploit

Release notes

Package name: express-session

• 1.19.0 - 2026-01-22
  

  What's Changed

  Main Changes

  • Add dynamic cookie options support
    Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.

    var app = express()
    app.use(session({
      secret: 'keyboard cat',
      resave: false,
      saveUninitialized: true,
      cookie: function (req) {
        var match = req.url.match(/^\/([^/]+)/);
        return {
          path: match ? '/' + match[1] : '/',
          httpOnly: true,
          secure: req.secure || false,
          maxAge: 60000
        }
      }
    }))

  • Add sameSite 'auto' support for automatic SameSite attribute configuration
    Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

  • deps: use tilde notation for dependencies

  PRs

  • chore: add funding to package.json by @ bjohansebas in #1071
  • build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @ dependabot[bot] in #1086
  • build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @ dependabot[bot] in #1085
  • build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @ dependabot[bot] in #1091
  • build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @ dependabot[bot] in #1090
  • build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @ dependabot[bot] in #1089
  • build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @ dependabot[bot] in #1088
  • build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @ dependabot[bot] in #1082
  • refactor: remove unused sess parameter from generateSessionId fun… by @ Ayoub-Mabrouk in #1001
  • chore: remove history.md from being packaged on publish by @ bjohansebas in #1097
  • deps: use tilde notation for dependencies by @ bjohansebas in #1096
  • Add sameSite 'auto' support to match secure 'auto' pattern by @ djunehor in #1087
  • feat: add support to dynamic cookie options by @ lincond in #1027
  • Release: 1.19.0 by @ UlisesGascon in #1107

  New Contributors

  • @ Ayoub-Mabrouk made their first contribution in #1001
  • @ djunehor made their first contribution in #1087
  • @ lincond made their first contribution in #1027

  Full Changelog: v1.18.2...v1.19.0

• 1.18.2 - 2025-07-17
  

  What's Changed

  • fix: Resolve test failure - Refresh server.crt with existing key extending expiry to Nov 21 03:28:10 2034 GMT by @ BaileyFirman in #1003
  • feat: gencert script to regenerate the test ssl certs by @ wesleytodd in #1015
  • chore: upgrade scorecard workflow pinned action versions by @ carpasse in #1008
  • ci: add CodeQL (SAST) by @ bjohansebas in #1005
  • [StepSecurity] Apply security best practices by @ step-security-bot in #1047
  • build(deps-dev): bump mocha from 10.2.0 to 10.8.2 by @ dependabot[bot] in #1061
  • build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @ dependabot[bot] in #1048
  • build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 by @ dependabot[bot] in #1050
  • build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @ dependabot[bot] in #1049
  • build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @ dependabot[bot] in #1052
  • build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @ dependabot[bot] in #1051
  • chore: fix typos by @ noritaka1166 in #1066
  • deps: on-headers@1.1.0 by @ UlisesGascon in #1069
  • 🔖 v1.18.2 by @ ctcpip in #1070

  New Contributors

  • @ BaileyFirman made their first contribution in #1003
  • @ wesleytodd made their first contribution in #1015
  • @ carpasse made their first contribution in #1008
  • @ step-security-bot made their first contribution in #1047
  • @ dependabot[bot] made their first contribution in #1061
  • @ noritaka1166 made their first contribution in #1066
  • @ ctcpip made their first contribution in #1070

  Full Changelog: v1.18.1...v1.18.2

• 1.18.1 - 2024-10-08
  

  What's Changed

  • chore: add support for OSSF scorecard reporting by @ inigomarquinez in #984
  • dep: cookie@0.7.2 by @ knolleary in #997
  • Release: 1.18.1 by @ UlisesGascon in #998

  New Contributors

  • @ inigomarquinez made their first contribution in #984
  • @ knolleary made their first contribution in #997
  • @ UlisesGascon made their first contribution in #998

  Full Changelog: v1.18.0...v1.18.1

• 1.18.0 - 2024-01-28
  
  • Add debug log for pathname mismatch
  • Add partitioned to cookie options
  • Add priority to cookie options
  • Fix handling errors from setting cookie
  • Support any type in secret that crypto.createHmac supports
  • deps: cookie@0.6.0
    • Fix expires option to reject invalid dates
    • perf: improve default decode speed
    • perf: remove slow string split in parse
  • deps: cookie-signature@1.0.7
• 1.17.3 - 2022-05-11
  
  • Fix resaving already-saved new session at end of request
  • deps: cookie@0.4.2

from express-session GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs