chore(deps): Bump the minor-updates group with 3 updates by dependabot[bot] · Pull Request #16 · credebl/webauthn-server

dependabot · 2026-05-22T08:08:08Z

Bumps the minor-updates group with 3 updates: express-session, @types/express-session and winston.

Updates express-session from 1.18.0 to 1.19.0

Release notes

Sourced from express-session's releases.

v1.19.0

What's Changed

Main Changes
Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.
var app = express()
app.use(session({
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: true,
  cookie: function (req) {
    var match = req.url.match(/^\/([^/]+)/);
    return {
      path: match ? '/' + match[1] : '/',
      httpOnly: true,
      secure: req.secure || false,
      maxAge: 60000
    }
  }
}))
Add sameSite 'auto' support for automatic SameSite attribute configuration Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

deps: use tilde notation for dependencies
PRs

chore: add funding to package.json by @bjohansebas in expressjs/session#1071

build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @dependabot[bot] in expressjs/session#1086

build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @dependabot[bot] in expressjs/session#1085

build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in expressjs/session#1091

build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in expressjs/session#1090

build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in expressjs/session#1089

build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @dependabot[bot] in expressjs/session#1088

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @dependabot[bot] in expressjs/session#1082

refactor: remove unused sess parameter from generateSessionId fun… by @Ayoub-Mabrouk in expressjs/session#1001

chore: remove history.md from being packaged on publish by @bjohansebas in expressjs/session#1097

deps: use tilde notation for dependencies by @bjohansebas in expressjs/session#1096

Add sameSite 'auto' support to match secure 'auto' pattern by @djunehor in expressjs/session#1087

feat: add support to dynamic cookie options by @lincond in expressjs/session#1027

Release: 1.19.0 by @UlisesGascon in expressjs/session#1107

New Contributors

@Ayoub-Mabrouk made their first contribution in expressjs/session#1001

@djunehor made their first contribution in expressjs/session#1087

@lincond made their first contribution in expressjs/session#1027

... (truncated)

Changelog

Sourced from express-session's changelog.

1.19.0 / 2026-01-22

Add dynamic cookie options support

Add sameSite 'auto' support for automatic SameSite attribute configuration

deps: use tilde notation for dependencies

1.18.2 / 2025-07-17

deps: mocha@10.8.2

deps: on-headers@~1.1.0

Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

1.18.1 / 2024-10-08

deps: cookie@0.7.2

Fix object assignment of hasOwnProperty

deps: cookie@0.7.1

Allow leading dot for domain

Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec

Add fast path for serialize without options, use obj.hasOwnProperty when parsing

deps: cookie@0.7.0

perf: parse cookies ~10% faster

fix: narrow the validation of cookies to match RFC6265

fix: add main to package.json for rspack

Commits

c10b2a3 1.19.0 (#1107)
2673736 feat: add support to dynamic cookie options (#1027)
73e0193 Add sameSite 'auto' support to match secure 'auto' pattern (#1087)
264b6a0 deps: use tilde notation for dependencies (#1096)
6d69f09 chore: remove history.md from being packaged on publish (#1097)
00b8a5f refactor: remove unused sess parameter from generateSessionId function (#...
2cd6561 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1082)
1307f30 build(deps): bump actions/checkout from 4.2.2 to 6.0.0 (#1088)
0e7a438 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#1089)
a095a9a build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1090)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express-session since your current version.

Updates @types/express-session from 1.18.0 to 1.19.0

Commits

See full diff in compare view

Updates winston from 3.14.2 to 3.19.0

Release notes

Sourced from winston's releases.

v3.19.0

Run npm audit fix e7ccdc4

Don't include jest.config.js in npm package 5a63c8c

fix: append error cause when using logger.child() (#2467) e74a7ae

Bump rimraf from 5.0.1 to 5.0.10 (#2517) 8a956fd

fix: ensure File transport flushes all data before emitting finish (#2594) 86c890f

Bump actions/setup-node from 4 to 6 (#2589) 3b8be02

Bump @babel/core from 7.28.0 to 7.28.5 (#2591) f4c3e2c

Bump actions/checkout from 4 to 6 (#2593) dd7906e

chore: migrate test runner from mocha to jest (#2567) 2e9eb18

winstonjs/winston@v3.18.3...v3.19.0

v3.18.3

Update diagnostics dependency (removes fix-esm transitive dependency) a15a9e9

winstonjs/winston@v3.18.2...v3.18.3

v3.18.2

Bump diagnostics package to resolve #2583 (again) f4582c3

winstonjs/winston@v3.18.1...v3.18.2

v3.18.1

Bump diagnostics package to resolve #2583 e668c2c

winstonjs/winston@v3.18.0...v3.18.1

v3.18.0

Update diagnostics package to latest version to remove vulnerability 376e331

add @initd.sg/winston-cloudwatch (#2532) 71ee92a

Update transports.md (#2549) 3547a95

docs: update transport.md (#2550) dc88db0

feat: adds helper function for highest log level (#2514) c69cdb0

winstonjs/winston@v3.17.0...v3.18.0

v3.17.0

Try winston-transport 4.9.0 3e87128

Revert "Try bumping winston-transport to 4.8.0" 69625fc

... (truncated)

Commits

ed45345 3.19.0
e7ccdc4 Run npm audit fix
5a63c8c Don't include jest.config.js in npm package
e74a7ae fix: append error cause when using logger.child() (#2467)
8a956fd Bump rimraf from 5.0.1 to 5.0.10 (#2517)
86c890f fix: ensure File transport flushes all data before emitting finish (#2594)
3b8be02 Bump actions/setup-node from 4 to 6 (#2589)
f4c3e2c Bump @babel/core from 7.28.0 to 7.28.5 (#2591)
dd7906e Bump actions/checkout from 4 to 6 (#2593)
2e9eb18 chore: migrate test runner from mocha to jest (#2567)
Additional commits viewable in compare view

Updates @types/express-session from 1.18.0 to 1.19.0

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-updates group with 3 updates: [express-session](https://github.com/expressjs/session), [@types/express-session](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express-session) and [winston](https://github.com/winstonjs/winston). Updates `express-session` from 1.18.0 to 1.19.0 - [Release notes](https://github.com/expressjs/session/releases) - [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md) - [Commits](expressjs/session@v1.18.0...v1.19.0) Updates `@types/express-session` from 1.18.0 to 1.19.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express-session) Updates `winston` from 3.14.2 to 3.19.0 - [Release notes](https://github.com/winstonjs/winston/releases) - [Changelog](https://github.com/winstonjs/winston/blob/master/CHANGELOG.md) - [Commits](winstonjs/winston@v3.14.2...v3.19.0) Updates `@types/express-session` from 1.18.0 to 1.19.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express-session) --- updated-dependencies: - dependency-name: express-session dependency-version: 1.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-updates - dependency-name: "@types/express-session" dependency-version: 1.19.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-updates - dependency-name: winston dependency-version: 3.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-updates - dependency-name: "@types/express-session" dependency-version: 1.19.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-updates ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-22T08:08:09Z

Labels

The following labels could not be found: pnpm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot Bot added the dependencies Pull requests that update a dependency file label May 22, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): Bump the minor-updates group with 3 updates#16

chore(deps): Bump the minor-updates group with 3 updates#16
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/minor-updates-81ee9eb1e7

dependabot Bot commented on behalf of github May 22, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v1.19.0

What's Changed

Main Changes

PRs

New Contributors

1.19.0 / 2026-01-22

1.18.2 / 2025-07-17

1.18.1 / 2024-10-08

v3.19.0

v3.18.3

v3.18.2

v3.18.1

v3.18.0

v3.17.0

Uh oh!

dependabot Bot commented on behalf of github May 22, 2026

Labels

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 22, 2026 •

edited

Loading