Back to Explore

tj/node-cookie-signature

GitHub
1 watchersOpen source

Last release: 10/29/2024

node-cookie-signature provides functions to sign and unsign cookies, helping verify that cookie values were created with a shared secret. It is useful when you need to protect cookie integrity in Node.js applications.

Project status

  • The repository appears to have ongoing activity on GitHub (last upstream push dated 2025-04-30), but the published updates show long gaps between version bumps (1.2.1 in 2023, 1.2.2 in 2024).
  • Apparent update cadence is low and irregular, with multi-year intervals between minor versions (1.2.0 in 2022, then 1.2.1 in 2023, then 1.2.2 in 2024).

AI summary generated Today

AI-generated from public sources. May be inaccurate. Report

Recent updates

  • 1.2.2

    10/29/2024

    Release 1.2.2 contains no documented code changes in the provided release notes (none were supplied). The diff shows metadata updates plus a small packaging change in package.json that affects how the module entrypoint is resolved.

  • 1.2.1

    2/27/2023

    Release 1.2.1 appears to be a small update to cookie-signature. The only code-level diff shown updates the documented/annotated allowed types for the `secret` parameter in signing and verifying, plus a metadata update to the LICENSE and the package version.

  • 1.2.0

    2/17/2022

    Release 1.2.0 was published on 2022-02-17, but no release notes were provided by the publisher. As a result, there is no documented information about new features, bug fixes, breaking changes, or security updates in this release.

  • 1.1.0

    1/19/2018

    Release 1.1.0 updates cookie signature verification. No publisher release notes were provided, but the code diff shows a change to the MAC comparison approach in `exports.unsign` and an updated Node.js engine requirement.

    BreakingSecurity

  • 1.0.6

    2/3/2015

    This release updates cookie-signature to 1.0.6 with relatively small code changes and test-related workflow adjustments. The only functional code diff is the wording of thrown TypeError messages for invalid inputs in sign and unsign; the API signatures and signing logic are unchanged.

  • 1.0.5

    9/5/2014

    Release 1.0.5 contains a very small change set. The provided release notes are empty, so there is no documented functional change to compare against.

  • 1.0.4

    6/25/2014

    Version 1.0.4 updates the cookie-signature verification logic. The release notes field is empty, but the changelog and code indicate this release is about correcting timing-attack avoidance in the `unsign` function.

    Security

  • 1.0.3

    1/29/2014

    This release bumps cookie-signature from 1.0.2 to 1.0.3. The only functional change in the diff is within the cookie verification path (exports.unsign), adjusting how the signature check is performed to mitigate timing attacks.

    Security

  • 1.0.2

    1/28/2014

    Release 1.0.2 contains no publisher-provided release notes (the release notes field is empty). The included diff shows a version bump in package.json, an update to History.md mentioning a timing-attack fix, and a small change to a test assertion, but no runtime/library implementation changes are visible in the provided diff.

  • 1.0.1

    4/15/2013

    Release 1.0.1 was published on 2013-04-15, but the publisher provided no release notes describing changes. As a result, there is no documented information on new features, fixes, breaking changes, or dependency updates in this release.