HISTORY.md
1.18.2 / 2025-07-17
==========
  * deps: mocha@10.8.2
  * deps: on-headers@~1.1.0
    - Fix [CVE-2025-7339](https://www.cve.org/CVERecord?id=CVE-2025-7339) ([GHSA-76c9-3jph-rj3q](https://github.com/expressjs/on-headers/security/advisories/GHSA-76c9-3jph-rj3q))

1.18.1 / 2024-10-08
==========

  * deps: cookie@0.7.2
    - Fix object assignment of `hasOwnProperty`
  * deps: cookie@0.7.1
    - Allow leading dot for domain
      - Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
    - Add fast path for `serialize` without options, use `obj.hasOwnProperty` when parsing
  * deps: cookie@0.7.0
    - perf: parse cookies ~10% faster
    - fix: narrow the validation of cookies to match RFC6265
    - fix: add `main` to `package.json` for rspack

1.18.0 / 2024-01-28
===================

  * Add debug log for pathname mismatch
  * Add `partitioned` to `cookie` options
  * Add `priority` to `cookie` options
  * Fix handling errors from setting cookie
  * Support any type in `secret` that `crypto.createHmac` supports
  * deps: cookie@0.6.0
    - Fix `expires` option to reject invalid dates
    - perf: improve default decode speed
    - perf: remove slow string split in parse
  * deps: cookie-signature@1.0.7

1.17.3 / 2022-05-11
===================

  * Fix resaving already-saved new session at end of request
  * deps: cookie@0.4.2

1.17.2 / 2021-05-19
===================

  * Fix `res.end` patch to always commit headers
  * deps: cookie@0.4.1
  * deps: safe-buffer@5.2.1

1.17.1 / 2020-04-16
===================

  * Fix internal method wrapping error on failed reloads

1.17.0 / 2019-10-10
===================

  * deps: cookie@0.4.0
    - Add `SameSite=None` support
  * deps: safe-buffer@5.2.0

1.16.2 / 2019-06-12
===================

  * Fix restoring `cookie.originalMaxAge` when store returns `Date`
  * deps: parseurl@~1.3.3

1.16.1 / 2019-04-11
===================

  * Fix error passing `data` option to `Cookie` constructor
  * Fix uncaught error from bad session data

1.16.0 / 2019-04-10
===================

  * Catch invalid `cookie.maxAge` value earlier
  * Deprecate setting `cookie.maxAge` to a `Date` object
  * Fix issue where `resave: false` may not save altered sessions
  * Remove `utils-merge` dependency
  * Use `safe-buffer` for improved Buffer API
  * Use `Set-Cookie` as cookie header name for compatibility
  * deps: depd@~2.0.0
    - Replace internal `eval` usage with `Function` constructor
    - Use instance methods on `process` to check for listeners
    - perf: remove argument reassignment
  * deps: on-headers@~1.0.2
    - Fix `res.writeHead` patch missing return value

1.15.6 / 2017-09-26
===================

  * deps: debug@2.6.9
  * deps: parseurl@~1.3.2
    - perf: reduce overhead for full URLs
    - perf: unroll the "fast-path" `RegExp`
  * deps: uid-safe@~2.1.5
    - perf: remove only trailing `=`
  * deps: utils-merge@1.0.1

1.15.5 / 2017-08-02
===================

  * Fix `TypeError` when `req.url` is an empty string
  * deps: depd@~1.1.1
    - Remove unnecessary `Buffer` loading

1.15.4 / 2017-07-18
===================

  * deps: debug@2.6.8

1.15.3 / 2017-05-17
===================

  * deps: debug@2.6.7
    - deps: ms@2.0.0

1.15.2 / 2017-03-26
===================

  * deps: debug@2.6.3
    - Fix `DEBUG_MAX_ARRAY_LENGTH`
  * deps: uid-safe@~2.1.4
    - Remove `base64-url` dependency

1.15.1 / 2017-02-10
===================

  * deps: debug@2.6.1
    - Fix deprecation messages in WebStorm and other editors
    - Undeprecate `DEBUG_FD` set to `1` or `2`

1.15.0 / 2017-01-22
===================

  * Fix detecting modified session when session contains "cookie" property
  * Fix resaving already-saved reloaded session at end of request
  * deps: crc@3.4.4
    - perf: use `Buffer.from` when available
  * deps: debug@2.6.0
    - Allow colors in workers
    - Deprecated `DEBUG_FD` environment variable
    - Use same color for same namespace
    - Fix error when running under React Native
    - deps: ms@0.7.2
  * perf: remove unreachable branch in set-cookie method

1.14.2 / 2016-10-30
===================

  * deps: crc@3.4.1
    - Fix deprecation warning in Node.js 7.x
  * deps: uid-safe@~2.1.3
    - deps: base64-url@1.3.3

1.14.1 / 2016-08-24
===================

  * Fix not always resetting session max age before session save
  * Fix the cookie `sameSite` option to actually alter the `Set-Cookie`
  * deps: uid-safe@~2.1.2
    - deps: base64-url@1.3.2

1.14.0 / 2016-07-01
===================

  * Correctly inherit from `EventEmitter` class in `Store` base class
  * Fix issue where `Set-Cookie` `Expires` was not always updated
  * Methods are no longer enumerable on `req.session` object
  * deps: cookie@0.3.1
    - Add `sameSite` option
    - Improve error message when `encode` is not a function
    - Improve error message when `expires` is not a `Date`
    - perf: enable strict mode
    - perf: use for loop in parse
    - perf: use string concatenation for serialization
  * deps: parseurl@~1.3.1
    - perf: enable strict mode
  * deps: uid-safe@~2.1.1
    - Use `random-bytes` for byte source
    - deps: base64-url@1.2.2
  * perf: enable strict mode
  * perf: remove argument reassignment

1.13.0 / 2016-01-10
===================

  * Fix `rolling: true` to not set cookie when no session exists
    - Better `saveUninitialized: false` + `rolling: true` behavior
  * deps: crc@3.4.0

1.12.1 / 2015-10-29
===================

  * deps: cookie@0.2.3
    - Fix cookie `Max-Age` to never be a floating point number

1.12.0 / 2015-10-25
===================

  * Support the value `'auto'` in the `cookie.secure` option
  * deps: cookie@0.2.2
    - Throw on invalid values provided to `serialize`
  * deps: depd@~1.1.0
    - Enable strict mode in more places
    - Support web browser loading
  * deps: on-headers@~1.0.1
    - perf: enable strict mode

1.11.3 / 2015-05-22
===================

  * deps: cookie@0.1.3
    - Slight optimizations
  * deps: crc@3.3.0

1.11.2 / 2015-05-10
===================

  * deps: debug@~2.2.0
    - deps: ms@0.7.1
  * deps: uid-safe@~2.0.0

1.11.1 / 2015-04-08
===================

  * Fix mutating `options.secret` value

1.11.0 / 2015-04-07
===================

  * Support an array in `secret` option for key rotation
  * deps: depd@~1.0.1

1.10.4 / 2015-03-15
===================

  * deps: debug@~2.1.3
    - Fix high intensity foreground color for bold
    - deps: ms@0.7.0

1.10.3 / 2015-02-16
===================

  * deps: cookie-signature@1.0.6
  * deps: uid-safe@1.1.0
    - Use `crypto.randomBytes`, if available
    - deps: base64-url@1.2.1

1.10.2 / 2015-01-31
===================

  * deps: uid-safe@1.0.3
    - Fix error branch that would throw
    - deps: base64-url@1.2.0

1.10.1 / 2015-01-08
===================

  * deps: uid-safe@1.0.2
    - Remove dependency on `mz`

1.10.0 / 2015-01-05
===================

  * Add `store.touch` interface for session stores
  * Fix `MemoryStore` expiration with `resave: false`
  * deps: debug@~2.1.1

1.9.3 / 2014-12-02
==================

  * Fix error when `req.sessionID` contains a non-string value

1.9.2 / 2014-11-22
==================

  * deps: crc@3.2.1
    - Minor fixes

1.9.1 / 2014-10-22
==================

  * Remove unnecessary empty write call
    - Fixes Node.js 0.11.14 behavior change
    - Helps work-around Node.js 0.10.1 zlib bug

1.9.0 / 2014-09-16
==================

  * deps: debug@~2.1.0
    - Implement `DEBUG_FD` env variable support
  * deps: depd@~1.0.0

1.8.2 / 2014-09-15
==================

  * Use `crc` instead of `buffer-crc32` for speed
  * deps: depd@0.4.5

1.8.1 / 2014-09-08
==================

  * Keep `req.session.save` non-enumerable
  * Prevent session prototype methods from being overwritten

1.8.0 / 2014-09-07
==================

  * Do not resave already-saved session at end of request
  * deps: cookie-signature@1.0.5
  * deps: debug@~2.0.0

1.7.6 / 2014-08-18
==================

  * Fix exception on `res.end(null)` calls

1.7.5 / 2014-08-10
==================

  * Fix parsing original URL
  * deps: on-headers@~1.0.0
  * deps: parseurl@~1.3.0

1.7.4 / 2014-08-05
==================

  * Fix response end delay for non-chunked responses

1.7.3 / 2014-08-05
==================

  * Fix `res.end` patch to call correct upstream `res.write`

1.7.2 / 2014-07-27
==================

  * deps: depd@0.4.4
    - Work-around v8 generating empty stack traces

1.7.1 / 2014-07-26
==================

  * deps: depd@0.4.3
    - Fix exception when global `Error.stackTraceLimit` is too low

1.7.0 / 2014-07-22
==================

  * Improve session-ending error handling
    - Errors are passed to `next(err)` instead of `console.error`
  * deps: debug@1.0.4
  * deps: depd@0.4.2
    - Add `TRACE_DEPRECATION` environment variable
    - Remove non-standard grey color from color output
    - Support `--no-deprecation` argument
    - Support `--trace-deprecation` argument

1.6.5 / 2014-07-11
==================

  * Do not require `req.originalUrl`
  * deps: debug@1.0.3
    - Add support for multiple wildcards in namespaces

1.6.4 / 2014-07-07
==================

  * Fix blank responses for stores with synchronous operations

1.6.3 / 2014-07-04
==================

  * Fix resave deprecation message

1.6.2 / 2014-07-04
==================

  * Fix confusing option deprecation messages

1.6.1 / 2014-06-28
==================

  * Fix saveUninitialized deprecation message

1.6.0 / 2014-06-28
==================

  * Add deprecation message to undefined `resave` option
  * Add deprecation message to undefined `saveUninitialized` option
  * Fix `res.end` patch to return correct value
  * Fix `res.end` patch to handle multiple `res.end` calls
  * Reject cookies with missing signatures

1.5.2 / 2014-06-26
==================

  * deps: cookie-signature@1.0.4
    - fix for timing attacks

1.5.1 / 2014-06-21
==================

  * Move hard-to-track-down `req.secret` deprecation message

1.5.0 / 2014-06-19
==================

  * Debug name is now "express-session"
  * Deprecate integration with `cookie-parser` middleware
  * Deprecate looking for secret in `req.secret`
  * Directly read cookies; `cookie-parser` no longer required
  * Directly set cookies; `res.cookie` no longer required
  * Generate session IDs with `uid-safe`, faster and even less collisions

1.4.0 / 2014-06-17
==================

  * Add `genid` option to generate custom session IDs
  * Add `saveUninitialized` option to control saving uninitialized sessions
  * Add `unset` option to control unsetting `req.session`
  * Generate session IDs with `rand-token` by default; reduce collisions
  * deps: buffer-crc32@0.2.3

1.3.1 / 2014-06-14
==================

  * Add description in package for npmjs.org listing

1.3.0 / 2014-06-14
==================

  * Integrate with express "trust proxy" by default
  * deps: debug@1.0.2

1.2.1 / 2014-05-27
==================

  * Fix `resave` such that `resave: true` works

1.2.0 / 2014-05-19
==================

  * Add `resave` option to control saving unmodified sessions

1.1.0 / 2014-05-12
==================

  * Add `name` option; replacement for `key` option
  * Use `setImmediate` in MemoryStore for node.js >= 0.10

1.0.4 / 2014-04-27
==================

  * deps: debug@0.8.1

1.0.3 / 2014-04-19
==================

  * Use `res.cookie()` instead of `res.setHeader()`
  * deps: cookie@0.1.2

1.0.2 / 2014-02-23
==================

  * Add missing dependency to `package.json`

1.0.1 / 2014-02-15
==================

  * Add missing dependencies to `package.json`

1.0.0 / 2014-02-15
==================

  * Genesis from `connect`