Update dependency passport to ^0.6.0 [SECURITY]

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
passport (source)	^0.4.0 -> ^0.6.0

GitHub Vulnerability Alerts

CVE-2022-25896

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

---

Release Notes

jaredhanson/passport (passport)

v0.6.0

Compare Source

Added

• authenticate(), req#login, and req#logout accept a
  keepSessionInfo: true option to keep session information after regenerating
  the session.

Changed

• req#login() and req#logout() regenerate the the session and clear session
  information by default.
• req#logout() is now an asynchronous function and requires a callback
  function as the last argument.

Security

• Improved robustness against session fixation attacks in cases where there is
  physical access to the same system or the application is susceptible to
  cross-site scripting (XSS).

v0.5.3

Compare Source

Fixed

• initialize() middleware extends request with login(), logIn(),
  logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions
  again, reverting change from 0.5.1.

v0.5.2

Compare Source

Fixed

• Introduced a compatibility layer for strategies that depend directly on
  passport@0.4.x or earlier (such as passport-azure-ad), which were
  broken by the removal of private variables in passport@0.5.1.

v0.5.1

Compare Source

Fixed

• Introduced a compatibility layer for strategies that depend directly on
  passport@0.4.x or earlier (such as passport-azure-ad), which were
  broken by the removal of private variables in passport@0.5.1.

v0.5.0

Compare Source

Changed

• initialize() middleware extends request with login(), logIn(),
  logout(), logOut(), isAuthenticated(), and isUnauthenticated()
  functions.

Removed

• login(), logIn(), logout(), logOut(), isAuthenticated(), and
  isUnauthenticated() functions no longer added to http.IncomingMessage.prototype.

Fixed

• userProperty option to initialize() middleware only affects the current
  request, rather than all requests processed via singleton Passport instance,
  eliminating a race condition in situations where initialize() middleware is
  used multiple times in an application with userProperty set to different
  values.

v0.4.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Stockholm, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

ERROR: npm v9.7.1 is known not to run on Node.js v12.22.12.  This version of npm supports the following node versions: `^14.17.0 || ^16.13.0 || >=18.0.0`. You can find the latest version at https://nodejs.org/.

ERROR:
/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/utils/exit-handler.js:19
  const hasLoadedNpm = npm?.config.loaded
                           ^

SyntaxError: Unexpected token '.'
    at wrapSafe (internal/modules/cjs/loader.js:915:16)
    at Module._compile (internal/modules/cjs/loader.js:963:27)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
    at Module.load (internal/modules/cjs/loader.js:863:32)
    at Function.Module._load (internal/modules/cjs/loader.js:708:14)
    at Module.require (internal/modules/cjs/loader.js:887:19)
    at require (internal/modules/cjs/helpers.js:74:18)
    at module.exports (/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/cli-entry.js:15:23)
    at module.exports (/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/es6/validate-engines.js:39:10)
    at module.exports (/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/cli.js:4:31)
ERROR: npm v9.7.1 is known not to run on Node.js v12.22.12.  This version of npm supports the following node versions: `^14.17.0 || ^16.13.0 || >=18.0.0`. You can find the latest version at https://nodejs.org/.

ERROR:
/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/utils/exit-handler.js:19
  const hasLoadedNpm = npm?.config.loaded
                           ^

SyntaxError: Unexpected token '.'
    at wrapSafe (internal/modules/cjs/loader.js:915:16)
    at Module._compile (internal/modules/cjs/loader.js:963:27)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
    at Module.load (internal/modules/cjs/loader.js:863:32)
    at Function.Module._load (internal/modules/cjs/loader.js:708:14)
    at Module.require (internal/modules/cjs/loader.js:887:19)
    at require (internal/modules/cjs/helpers.js:74:18)
    at module.exports (/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/cli-entry.js:15:23)
    at module.exports (/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/es6/validate-engines.js:39:10)
    at module.exports (/opt/containerbase/tools/npm/9.7.1/node_modules/npm/lib/cli.js:4:31)