Back to Explore

tj/node-cookie-signature

GitHub
1 watchersOpen source

Last release:

node-cookie-signature provides functions to sign and unsign cookies, helping verify that cookie values were created with a shared secret. It is useful when you need to protect cookie integrity in Node.js applications.

Project status

  • Maintenance status: The source does not look actively maintained, with the most recent published updates dating to 1.2.2 (2024-10-29), over a year and a half before 2026-06-09 (last upstream push noted as 2025-04-30).
  • Update cadence: Updates appear infrequent and irregular, with a long gap between 1.2.2 (2024) and earlier versions (for example 1.2.1 in 2023, 1.2.0 in 2022, and older updates going back to 2018).

AI summary generated

AI-generated from public sources. May be inaccurate. Report

Recent updates

  • 1.2.2

    Release 1.2.2 contains no documented code changes in the provided release notes (none were supplied). The diff shows metadata updates plus a small packaging change in package.json that affects how the module entrypoint is resolved.

  • 1.2.1

    Release 1.2.1 appears to be a small update to cookie-signature. The only code-level diff shown updates the documented/annotated allowed types for the `secret` parameter in signing and verifying, plus a metadata update to the LICENSE and the package version.

  • 1.2.0

    Release 1.2.0 was published on 2022-02-17, but no release notes were provided by the publisher. As a result, there is no documented information about new features, bug fixes, breaking changes, or security updates in this release.

  • 1.1.0

    Release 1.1.0 updates cookie signature verification. No publisher release notes were provided, but the code diff shows a change to the MAC comparison approach in `exports.unsign` and an updated Node.js engine requirement.

    BreakingSecurity
  • 1.0.6

    This release updates cookie-signature to 1.0.6 with relatively small code changes and test-related workflow adjustments. The only functional code diff is the wording of thrown TypeError messages for invalid inputs in sign and unsign; the API signatures and signing logic are unchanged.

  • 1.0.5

    Release 1.0.5 contains a very small change set. The provided release notes are empty, so there is no documented functional change to compare against.

  • 1.0.4

    Version 1.0.4 updates the cookie-signature verification logic. The release notes field is empty, but the changelog and code indicate this release is about correcting timing-attack avoidance in the `unsign` function.

    Security
  • 1.0.3

    This release bumps cookie-signature from 1.0.2 to 1.0.3. The only functional change in the diff is within the cookie verification path (exports.unsign), adjusting how the signature check is performed to mitigate timing attacks.

    Security
  • 1.0.2

    Release 1.0.2 contains no publisher-provided release notes (the release notes field is empty). The included diff shows a version bump in package.json, an update to History.md mentioning a timing-attack fix, and a small change to a test assertion, but no runtime/library implementation changes are visible in the provided diff.

  • 1.0.1

    Release 1.0.1 was published on 2013-04-15, but the publisher provided no release notes describing changes. As a result, there is no documented information on new features, fixes, breaking changes, or dependency updates in this release.