fix(deps): update dependency passport to v0.6.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
passport (source)	0.5.2 -> 0.6.0

GitHub Vulnerability Alerts

CVE-2022-25896

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

---

Release Notes

jaredhanson/passport

v0.6.0

Compare Source

Added

• authenticate(), req#login, and req#logout accept a
  keepSessionInfo: true option to keep session information after regenerating
  the session.

Changed

• req#login() and req#logout() regenerate the the session and clear session
  information by default.
• req#logout() is now an asynchronous function and requires a callback
  function as the last argument.

Security

• Improved robustness against session fixation attacks in cases where there is
  physical access to the same system or the application is susceptible to
  cross-site scripting (XSS).

v0.5.3

Compare Source

Fixed

• initialize() middleware extends request with login(), logIn(),
  logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions
  again, reverting change from 0.5.1.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[socket-security]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

👍 No new dependency issues detected in pull request

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

Pull request alert summary

Issue	Status
Install scripts	✅ 0 issues
Native code	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

---

📊 Modified Dependency Overview:

⬆️ Updated Package	Version Diff	Added Capability Access	+/- Transitive Count	Publisher
[email protected]	0.5.2...0.6.0	None	+0/-0	jaredhanson

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (0.6.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.