Bump on-headers, express-session and morgan #6

dependabot · 2025-07-18T11:27:43Z

Bumps on-headers to 1.1.0 and updates ancestor dependencies on-headers, express-session and morgan. These dependencies need to be updated together.

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

Migrate CI pipeline to GitHub actions by @carpasse in jshttp/on-headers#12

fix README.md badges by @carpasse in jshttp/on-headers#13

add OSSF scorecard action by @carpasse in jshttp/on-headers#14

fix: use ubuntu-latest as ci runner by @UlisesGascon in jshttp/on-headers#19

ci: apply OSSF Scorecard security best practices by @UlisesGascon in jshttp/on-headers#20

👷 add upstream change detection by @ctcpip in jshttp/on-headers#31

✨ add script to update known hashes by @ctcpip in jshttp/on-headers#32

💚 update CI - add newer node versions by @ctcpip in jshttp/on-headers#33

New Contributors

@carpasse made their first contribution in jshttp/on-headers#12

@UlisesGascon made their first contribution in jshttp/on-headers#19

@ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

4b017af 1.1.0
b636f2d ♻️ refactor header array code
3e2c2d4 ✨ ignore falsy header keys, matching node behavior
172eb41 ✨ support duplicate headers
c6e3849 🔒️ fix array handling
6893518 💚 update CI - add newer node versions
56a345d ✨ add script to update known hashes
175ab21 👷 add upstream change detection (#31)
ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
1a38c54 fix: use ubuntu-latest as ci runner (#19)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates express-session from 1.18.0 to 1.18.2

Release notes

Sourced from express-session's releases.

v1.18.2

What's Changed

fix: Resolve test failure - Refresh server.crt with existing key extending expiry to Nov 21 03:28:10 2034 GMT by @BaileyFirman in expressjs/session#1003

feat: gencert script to regenerate the test ssl certs by @wesleytodd in expressjs/session#1015

chore: upgrade scorecard workflow pinned action versions by @carpasse in expressjs/session#1008

ci: add CodeQL (SAST) by @bjohansebas in expressjs/session#1005

[StepSecurity] Apply security best practices by @step-security-bot in expressjs/session#1047

build(deps-dev): bump mocha from 10.2.0 to 10.8.2 by @dependabot[bot] in expressjs/session#1061

build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot[bot] in expressjs/session#1048

build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 by @dependabot[bot] in expressjs/session#1050

build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in expressjs/session#1049

build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in expressjs/session#1052

build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/session#1051

chore: fix typos by @noritaka1166 in expressjs/session#1066

deps: [email protected] by @UlisesGascon in expressjs/session#1069

🔖 v1.18.2 by @ctcpip in expressjs/session#1070

New Contributors

@BaileyFirman made their first contribution in expressjs/session#1003

@wesleytodd made their first contribution in expressjs/session#1015

@carpasse made their first contribution in expressjs/session#1008

@step-security-bot made their first contribution in expressjs/session#1047

@dependabot[bot] made their first contribution in expressjs/session#1061

@noritaka1166 made their first contribution in expressjs/session#1066

@ctcpip made their first contribution in expressjs/session#1070

Full Changelog: expressjs/session@v1.18.1...v1.18.2

1.18.1

What's Changed

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/session#984

dep: [email protected] by @knolleary in expressjs/session#997

Release: 1.18.1 by @UlisesGascon in expressjs/session#998

New Contributors

@inigomarquinez made their first contribution in expressjs/session#984

@knolleary made their first contribution in expressjs/session#997

@UlisesGascon made their first contribution in expressjs/session#998

Full Changelog: expressjs/session@v1.18.0...v1.18.1

Changelog

Sourced from express-session's changelog.

1.18.2 / 2025-07-17

deps: [email protected]

deps: on-headers@~1.1.0

Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

1.18.1 / 2024-10-08

deps: [email protected]

Fix object assignment of hasOwnProperty

deps: [email protected]

Allow leading dot for domain

Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec

Add fast path for serialize without options, use obj.hasOwnProperty when parsing

deps: [email protected]

perf: parse cookies ~10% faster

fix: narrow the validation of cookies to match RFC6265

fix: add main to package.json for rspack

Commits

d10709f 🔖 v1.18.2 (#1070)
5808783 deps: [email protected] (#1069)
b9fcad8 chore: fix typos (#1066)
a698c81 build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1051)
ec1957b build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 (#1052)
2caff6a build(deps): bump actions/checkout from 4.1.1 to 4.2.2 (#1049)
2633e88 build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 (#1050)
7e2c696 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#1048)
92dd300 build(deps-dev): bump mocha from 10.2.0 to 10.8.2 (#1061)
168271c fix(dependabot): do not update major versions
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express-session since your current version.

Updates morgan from 1.10.0 to 1.10.1

Release notes

Sourced from morgan's releases.

1.10.1

What's Changed

renaming simple to sample in readme by @ryhinchey in expressjs/morgan#237

adding installation instructions to readme by @ryhinchey in expressjs/morgan#233

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/morgan#291

ci: replace travis with github actions by @inigomarquinez in expressjs/morgan#290

docs: add example output for log formats by @jonchurch in expressjs/morgan#299

ci: use ubuntu-latest by @bjohansebas in expressjs/morgan#301

ci: apply OSSF Scorecard security best practices by @UlisesGascon in expressjs/morgan#300

remove --bail by @jonchurch in expressjs/morgan#314

⬆️ bump on-headers by @ctcpip in expressjs/morgan#319

New Contributors

@inigomarquinez made their first contribution in expressjs/morgan#291

@jonchurch made their first contribution in expressjs/morgan#299

@bjohansebas made their first contribution in expressjs/morgan#301

@UlisesGascon made their first contribution in expressjs/morgan#300

@ctcpip made their first contribution in expressjs/morgan#319

Full Changelog: expressjs/morgan@1.10.0...1.10.1

Changelog

Sourced from morgan's changelog.

1.10.1 / 2025-07-17

deps: on-headers@~1.1.0

Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

c1c7f10 🔖 1.10.1
eb896c2 ⬆️ bump on-headers
1c3eec6 remove --bail (#314)
b144728 ci: apply OSSF Scorecard security best practices (#300)
68c2d21 ci: use ubuntu-latest (#301)
8740a19 docs: add example output for log formats (#299)
efd6bff ci: migra to GitHub actions (#290)
3b89789 ci: add support for OSSF scorecard reporting (#291)
19a6aa5 docs: add installation section
b94f3ff docs: change simple to sample in example descriptions
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for morgan since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [on-headers](https://github.com/jshttp/on-headers) to 1.1.0 and updates ancestor dependencies [on-headers](https://github.com/jshttp/on-headers), [express-session](https://github.com/expressjs/session) and [morgan](https://github.com/expressjs/morgan). These dependencies need to be updated together. Updates `on-headers` from 1.0.2 to 1.1.0 - [Release notes](https://github.com/jshttp/on-headers/releases) - [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md) - [Commits](jshttp/on-headers@v1.0.2...v1.1.0) Updates `express-session` from 1.18.0 to 1.18.2 - [Release notes](https://github.com/expressjs/session/releases) - [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md) - [Commits](expressjs/session@v1.18.0...v1.18.2) Updates `morgan` from 1.10.0 to 1.10.1 - [Release notes](https://github.com/expressjs/morgan/releases) - [Changelog](https://github.com/expressjs/morgan/blob/master/HISTORY.md) - [Commits](expressjs/morgan@1.10.0...1.10.1) --- updated-dependencies: - dependency-name: on-headers dependency-version: 1.1.0 dependency-type: indirect - dependency-name: express-session dependency-version: 1.18.2 dependency-type: direct:production - dependency-name: morgan dependency-version: 1.10.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 18, 2025

capcom6 merged commit 43b1e41 into master Aug 11, 2025
2 checks passed

capcom6 deleted the dependabot/npm_and_yarn/multi-2c2cf9d17b branch August 11, 2025 01:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump on-headers, express-session and morgan #6

Bump on-headers, express-session and morgan #6

Uh oh!

dependabot bot commented on behalf of github Jul 18, 2025

Uh oh!

Uh oh!

Uh oh!

Bump on-headers, express-session and morgan #6

Bump on-headers, express-session and morgan #6

Uh oh!

Conversation

dependabot bot commented on behalf of github Jul 18, 2025

1.1.0

Important

What's Changed

New Contributors

1.1.0 / 2025-07-17

v1.18.2

What's Changed

New Contributors

1.18.1

What's Changed

New Contributors

1.18.2 / 2025-07-17

1.18.1 / 2024-10-08

1.10.1

What's Changed

New Contributors

1.10.1 / 2025-07-17

Uh oh!

Uh oh!

Uh oh!