electrode-csrf-jwt - npm Package Compare versions

Comparing version 1.2.0 to 1.2.1

lib/csrf-express.js

@@ -21,2 +21,3 @@ "use strict";
       const cookiePayload = {type: "cookie", uuid: id};
+      const cookieOptions = {httpOnly: true, secure: false};
 
@@ -28,3 +29,3 @@ return Promise.all([
         res.header("x-csrf-jwt", headerToken);
-        res.cookie("x-csrf-jwt", cookieToken);
+        res.cookie("x-csrf-jwt", cookieToken, cookieOptions);
         return next();
@@ -31,0 +32,0 @@ });

lib/csrf-hapi.js

@@ -31,3 +31,5 @@ "use strict";
         reply.state("x-csrf-jwt", cookieToken, {
-          path: "/"
+          path: "/",
+          isSecure: false,
+          httpOnly: true
         });
@@ -34,0 +36,0 @@ return reply.continue();

lib/csrf-koa.js

@@ -21,2 +21,3 @@ "use strict";
       const cookiePayload = {type: "cookie", uuid: id};
+      const cookieOptions = {httpOnly: true, secure: false};
 
@@ -28,3 +29,3 @@ return Promise.all([
         ctx.set("x-csrf-jwt", headerToken);
-        ctx.cookies.set("x-csrf-jwt", cookieToken);
+        ctx.cookies.set("x-csrf-jwt", cookieToken, cookieOptions);
         return next();
@@ -31,0 +32,0 @@ });

package.json

 {
   "name": "electrode-csrf-jwt",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "",
@@ -9,3 +9,3 @@ "main": "lib/index.js",
     "test": "npm run lint && gulp test",
-    "coverage": "istanbul cover -x lib/csrf-express.js lib/csrf-koa.js node_modules/.bin/_mocha",
+    "coverage": "gulp check",
     "prepublish": "npm test"
@@ -12,0 +12,0 @@ },

test/spec/csrf-express-test.js

@@ -66,2 +66,3 @@ "use strict";
         expect(csrfCookie).to.contain("x-csrf-jwt=");
+        expect(csrfCookie).to.contain("HttpOnly");
 
@@ -68,0 +69,0 @@ return fetch(`${url}/2`, {

test/spec/csrf-koa-test.js

@@ -67,2 +67,3 @@ "use strict";
         expect(csrfCookie).to.contain("x-csrf-jwt=");
+        expect(csrfCookie).to.contain("httponly");
 
@@ -69,0 +70,0 @@ return fetch(`${url}/2`, {

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Native code

Supply chain risk

Contains native code (e.g., compiled binaries or shared libraries). Including native code can obscure malicious behavior.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

31086

increased by33.39%

Number of package files

17

increased by6.25%

Lines of code

561

increased by1.08%

Worsened metrics

Number of medium supply chain risk alerts

16

increased by14.29%

No dependency changes