Update dependency express-session to v1.19.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
express-session	1.15.3 → 1.19.0

---

Release Notes

expressjs/session (express-session)

v1.19.0

Compare Source

v1.18.2

Compare Source

==========

• deps: mocha@​10.8.2
• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

v1.18.1

Compare Source

==========

• deps: cookie@​0.7.2
  • Fix object assignment of hasOwnProperty
• deps: cookie@​0.7.1
  • Allow leading dot for domain
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
• deps: cookie@​0.7.0
  • perf: parse cookies ~10% faster
  • fix: narrow the validation of cookies to match RFC6265
  • fix: add main to package.json for rspack

v1.18.0

Compare Source

===================

• Add debug log for pathname mismatch
• Add partitioned to cookie options
• Add priority to cookie options
• Fix handling errors from setting cookie
• Support any type in secret that crypto.createHmac supports
• deps: cookie@​0.6.0
  • Fix expires option to reject invalid dates
  • perf: improve default decode speed
  • perf: remove slow string split in parse
• deps: cookie-signature@​1.0.7

v1.17.3

Compare Source

===================

• Fix resaving already-saved new session at end of request
• deps: cookie@​0.4.2

v1.17.2

Compare Source

===================

• Fix res.end patch to always commit headers
• deps: cookie@​0.4.1
• deps: safe-buffer@​5.2.1

v1.17.1

Compare Source

===================

• Fix internal method wrapping error on failed reloads

v1.17.0

Compare Source

===================

• deps: cookie@​0.4.0
  • Add SameSite=None support
• deps: safe-buffer@​5.2.0

v1.16.2

Compare Source

===================

• Fix restoring cookie.originalMaxAge when store returns Date
• deps: parseurl@~1.3.3

v1.16.1

Compare Source

===================

• Fix error passing data option to Cookie constructor
• Fix uncaught error from bad session data

v1.16.0

Compare Source

===================

• Catch invalid cookie.maxAge value earlier
• Deprecate setting cookie.maxAge to a Date object
• Fix issue where resave: false may not save altered sessions
• Remove utils-merge dependency
• Use safe-buffer for improved Buffer API
• Use Set-Cookie as cookie header name for compatibility
• deps: depd@~2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
  • perf: remove argument reassignment
• deps: on-headers@~1.0.2
  • Fix res.writeHead patch missing return value

v1.15.6

Compare Source

===================

• deps: debug@​2.6.9
• deps: parseurl@~1.3.2
  • perf: reduce overhead for full URLs
  • perf: unroll the "fast-path" RegExp
• deps: uid-safe@~2.1.5
  • perf: remove only trailing =
• deps: utils-merge@​1.0.1

v1.15.5

Compare Source

===================

• Fix TypeError when req.url is an empty string
• deps: depd@~1.1.1
  • Remove unnecessary Buffer loading

v1.15.4

Compare Source

===================

• deps: debug@​2.6.8

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.