Bump express-openid-connect from 2.20.2 to 3.0.0

[dependabot]

Bumps express-openid-connect from 2.20.2 to 3.0.0.

Release notes

Sourced from express-openid-connect's releases.

v3.0.0

⚠️ BREAKING CHANGES

• migration: openid-client and jose migration #785 (aks96)

Changelog

Sourced from express-openid-connect's changelog.

v3.0.0 (2026-05-13)

Full Changelog

This release upgrades openid-client and jose to their latest major versions v6, bringing improved security, performance, and standards compliance. See the V3 Migration Guide for full upgrade instructions. #785 (aks96)

⚠️ BREAKING CHANGES

• Node.js version requirement - requires ^20.19.0 || ^22.12.0 || >= 23.0.0. Node.js 14–19 are no longer supported.

• httpAgent config removed - The httpAgent option is no longer supported. Affects apps using httpAgent for proxy configuration.

• clientAssertionSigningAlg now required - The implicit RS256 default has been removed. Affects apps using clientAssertionSigningKey with a PEM, Buffer, KeyObject, or a JWK without an alg property.

• ES256K and EdDSA removed from clientAssertionSigningAlg - openid-client v6 no longer supports these algorithm values.

• afterCallback now receives the incoming user's tokens, not the previous session - req.oidc inside afterCallback now reflects the new tokens from the current authentication. Affects apps that read req.oidc inside afterCallback to inspect the prior session.

• Session cookie silently dropped when headers are sent before res.end() - v2 used on-headers, which hooked res.writeHead and could inject Set-Cookie regardless of how the response was written. v3 uses a res.end wrapper instead, so the cookie is written only at res.end(). Any response that flushes headers earlier via res.write(), res.flushHeaders(), res.writeHead(), res.sendFile(), or res.download() will have res.headersSent set to true by the time the cookie write runs, and the session cookie is silently dropped with no workaround. Standard OIDC flows are unaffected.

• clientAssertionSigningKey TypeScript type updated - KeyInput and JSONWebKey (jose v2) are replaced by string/Buffer and JWK respectively. CryptoKey is newly supported. Runtime behavior is unchanged.

Commits

• a4a14dd Release v3.0.0 (#820)
• 01184eb chore: update typedoc compiler options for ESM compatibility (#819)
• 076fb82 migration: openid-client and jose migration (#785)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

License Issues

package-lock.json

Package	Version	License	Issue Type
express-openid-connect	3.0.0	Null	Unknown License

Denied Licenses:

GPL-1.0-or-later, LGPL-2.0-or-later

OpenSSF Scorecard

Package	Version	Score	Details
npm/aggregate-error	3.1.0	🟢 3.7	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/clean-stack	2.2.0	🟢 3.8	Details Check Score Reason Code-Review 🟢 3 Found 9/30 approved changesets -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/express-openid-connect	3.0.0	Unknown	Unknown
npm/indent-string	4.0.0	🟢 3.7	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/json-buffer	3.0.1	⚠️ 2.1	Details Check Score Reason Code-Review ⚠️ 1 Found 4/29 approved changesets -- score normalized to 1 Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ -1 no dependencies found Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 project is archived CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/keyv	4.5.4	🟢 4.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ -1 internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Although you appear to have the correct authorization credentials, the `AikidoSec` organization has an IP allow list enabled, and your IP address is not permitted to access this resource.
npm/oauth4webapi	3.8.6	Unknown	Unknown
npm/openid-client	6.8.4	Unknown	Unknown

Scanned Files

• package-lock.json