express-session — Greenflagged

Simple session middleware for Express

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

dougwilsonulisesgascon

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:rand-token	AI (dependencies): rand-token is a legitimate random token generation library, a natural replacement for uid2 in session ID generation. Pinned to exact version 0.2.1 by a trusted maintainer.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): safe-buffer is a well-known, trusted package by Feross Aboukhadijeh; its addition is a legitimate dependency for safe Buffer handling.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): ulisesgascon is a known Express.js TC member; addition is part of the documented project revitalization, not a takeover.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of prior maintainers is consistent with the Express.js TC transition; dougwilson stepped back from active maintenance publicly.	ai	2026/04/23
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy aligns with the Express.js project's reduced activity period before TC revitalization; not indicative of account compromise.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Publisher change from dougwilson to ulisesgascon reflects the documented Express.js TC maintainer transition in 2024; legitimate for this package going forward.	ai	2026/04/23
provenance	no-provenance	AI (provenance): express-session is a well-known Express.js project; lack of Sigstore provenance is common and not a risk indicator for this established package.	ai	2026/04/21
dependencies	unvetted-dep:uid-safe	AI (dependencies): uid-safe is a standard secure UID generator, a core dependency of express-session for session ID generation; stable and expected.	ai	2026/04/21
dependencies	unvetted-dep:depd	AI (dependencies): depd is a well-established Express ecosystem utility for deprecation warnings; its use here is expected and benign.	ai	2026/04/21

Versions (showing 67 of 67)

Version	Deps	Published
1.19.0	8 / 8	2026-01-22
1.18.2	8 / 8	2025-07-17
1.18.1	8 / 8	2024-10-08
1.18.0	8 / 8	2024-01-28
1.17.3	8 / 8	2022-05-11
1.17.2	8 / 8	2021-05-19
1.17.1	8 / 8	2020-04-17
1.17.0	8 / 8	2019-10-11
1.16.2	8 / 8	2019-06-12
1.16.1	8 / 8	2019-04-11
1.16.0	8 / 8	2019-04-11
1.15.6	9 / 8	2017-09-26
1.15.5	9 / 6	2017-08-03
1.15.4	9 / 6	2017-07-19
1.15.3	9 / 6	2017-05-18
1.15.2	9 / 6	2017-03-26
1.15.1	9 / 6	2017-02-11
1.15.0	9 / 6	2017-01-23
1.14.2	9 / 6	2016-10-31
1.14.1	9 / 6	2016-08-24
1.14.0	9 / 6	2016-07-02
1.13.0	9 / 6	2016-01-11
1.12.1	9 / 6	2015-10-29
1.12.0	9 / 6	2015-10-26
1.11.3	9 / 6	2015-06-11
1.11.2	9 / 6	2015-05-11
1.11.1	9 / 6	2015-04-08
1.11.0	9 / 6	2015-04-08
1.10.4	9 / 6	2015-03-16
1.10.3	9 / 6	2015-02-17
1.10.2	9 / 6	2015-02-01
1.10.1	9 / 6	2015-01-09
1.10.0	9 / 6	2015-01-05
1.9.3	9 / 7	2014-12-03
1.9.2	9 / 7	2014-11-23
1.9.1	9 / 7	2014-10-22
1.9.0	9 / 7	2014-10-17
1.8.2	9 / 7	2014-09-16
1.8.1	9 / 7	2014-09-08
1.8.0	9 / 7	2014-09-08
1.7.6	9 / 7	2014-08-18
1.7.5	9 / 7	2014-08-11
1.7.4	8 / 7	2014-08-06
1.7.3	8 / 7	2014-08-06
1.7.2	8 / 7	2014-07-27
1.7.1	8 / 7	2014-07-26
1.7.0	8 / 7	2014-07-22
1.6.5	8 / 7	2014-07-12
1.6.4	8 / 7	2014-07-07
1.6.3	8 / 7	2014-07-04
1.6.2	8 / 7	2014-07-04
1.6.1	8 / 7	2014-06-29
1.6.0	8 / 7	2014-06-28
1.5.2	8 / 6	2014-06-26
1.5.1	8 / 6	2014-06-22
1.5.0	8 / 6	2014-06-20
1.4.0	7 / 6	2014-06-18
1.3.1	7 / 6	2014-06-14
1.3.0	7 / 6	2014-06-14
1.2.1	7 / 5	2014-05-27
1.2.0	7 / 5	2014-05-19
1.1.0	6 / 5	2014-05-12
1.0.4	6 / 5	2014-04-28
1.0.3	6 / 5	2014-04-20
1.0.2	6 / 5	2014-02-23
1.0.1	5 / 6	2014-02-16
1.0.0	1 / 6	2014-02-16

v1.18.1

2 findings

HIGH Publisher changed: dougwilson → ulisesgascon (on 2024-10-08) provenance

This version was published by a different npm account than previous versions on 2024-10-08. This could indicate a legitimate maintainer transition or an account compromise.