fix(res): handle null maxAge gracefully in res.cookie() and updated the dependency "cookie" to the 1.0.2 latest version

[SaisakthiM]

This pull request fixes an edge case in res.cookie() where specifying maxAge: null caused the function to produce incorrect cookie headers or throw an internal error when updated to 1.0.2

Previously, maxAge: null was not normalized and led to unintended conversion to 0, causing an undesired Expires header (Max-Age=0). This behavior conflicted with Express’s intended semantics, where null should mean “no expiration — session cookie”.

Updated Behavior

When maxAge is explicitly null, it is now normalized to undefined.
The cookie is serialized without Expires or Max-Age fields (consistent with session cookies).
Existing logic for finite and numeric maxAge values remains unchanged.
All test cases, including res.cookie(name, string, options) maxAge should not throw on null, now pass successfully.

Implementation Summary

In lib/response.js, the logic under res.cookie() was updated:

if (opts.maxAge === null) {
  opts.maxAge = undefined;
}

This ensures that null values are excluded from expiration logic.

Test Results

1. In cookie 1.0.2
   Test:

  1238 passing (11s)
  0 failing

Version :

npm list cookie
express@5.1.0 C:\Coding Project\Git\express
├─┬ cookie-parser@1.4.7
│ └── cookie@0.7.2
├── cookie@1.0.2
└─┬ express-session@1.18.2
  └── cookie@0.7.2

2. In cookie 0.7.2
   Test:

  1238 passing (11s)

Version:

npm list cookie
express@5.1.0 C:\Coding Project\Git\express
├─┬ cookie-parser@1.4.7
│ └── cookie@0.7.2 deduped
├── cookie@0.7.2
└─┬ express-session@1.18.2
  └── cookie@0.7.2 deduped

Motivation

This change improves compatibility with earlier Express 4.x behavior, aligns with the HTTP cookie specification for session cookies, and maintains backward compatibility with existing user code.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cookie@​1.0.2

View full report

[efekrskl]

Thanks for the PR!

This PR feels a bit off, as far as I can see maxAge: null already works fine. I think you are self introducing a regression by updating cookie to 1.0.2. If updating cookie is the goal, IMO that should be a separate PR with its own discussion and tests.

[SaisakthiM]

Thanks for the PR!

This PR feels a bit off, as far as I can see maxAge: null already works fine. I think you are self introducing a regression by updating cookie to 1.0.2. If updating cookie is the goal, IMO that should be a separate PR with its own discussion and tests.

yes, you are right i am trying to update the cookie to 1.0.2
but in the new cookie module, null values are not ignored and it throws a error if normally updated
so i also updated the test to convert the null to undefined so now it ignores and this approach is backward compatible
so that's the reason why i made this PR
it updates and handles tests and modules

the bigger question now is why we need separate discussion for updating cookie if it is handled here
is there any kind of security threats in cookie module or do you feel it is a unnecessary update

[SaisakthiM]

@efekrskl
what happend to this PR
is it bad or is my explanation bad

[efekrskl]

Hi @SaisakthiM, I'd say I've made my points already about the PR. Let's wait for others to chime in. Let's not tag them directly, though, because the team is really busy.

Keep in mind this doesn't mean that your PR is bad or anything. We just need more opinions before making a final decision.

[SaisakthiM]

Hi @SaisakthiM, I'd say I've made my points already about the PR. Let's wait for others to chime in. Let's not tag them directly, though, because the team is really busy.

Keep in mind this doesn't mean that your PR is bad or anything. We just need more opinions before making a final decision.

sorry for that
i did not know that you guys are busy
take your time
i don't want to rush things

[SaisakthiM]

wll it take more time for review

[SaisakthiM]

any progreess done
are you maintainers that much busy if so sorry

[bjohansebas]

I see that there are two changes here: one is updating cookie and the other is handling a null case (or are they related?). The cookie update cannot be done until express 6, as it introduces breaking changes such as jshttp/cookie#180 (see https://github.com/jshttp/cookie/releases/tag/v1.0.0).

That’s why I’m adding the labels, so we can revisit this in the future when we start working on Express 6.

[SaisakthiM]

I see that there are two changes here: one is updating cookie and the other is handling a null case (or are they related?). The cookie update cannot be done until express 6, as it introduces breaking changes such as jshttp/cookie#180 (see https://github.com/jshttp/cookie/releases/tag/v1.0.0).

That’s why I’m adding the labels, so we can revisit this in the future when we start working on Express 6.

yes it is related, the new cookie module does not support null value so for backward compaitability, i hardcoded the null into undefined so that it works in both old and new
and i checked the breaking changes, i read it

Remove hasOwnProperty, use undefined check for performance

i did check these 2, i did one but now actually the whole test is kinda waste as it cannot be even undefined now it has to be like 0
or is it review the test and check if this works in the new one so i can chnage the test accordingly