🔒 fix: Address on-headers CVE-2025-7339 (#8553)

* 📦 chore: bump `compression` from 1.7.4 to 1.8.1

* chore: bump `express-session` to v1.18.2

* chore: update `connect-redis` from v7.1.0 to v8.1.0

* chore: update import for `connect-redis` to use named export due to v8.0.0 breaking change

api/cache/cacheFactory.js

@@ -3,7 +3,7 @@ const { Keyv } = require('keyv');
 const { cacheConfig } = require('./cacheConfig');
 const { keyvRedisClient, ioredisClient, GLOBAL_PREFIX_SEPARATOR } = require('./redisClients');
 const { Time } = require('librechat-data-provider');
-const ConnectRedis = require('connect-redis').default;
+const { RedisStore: ConnectRedis } = require('connect-redis');
 const MemoryStore = require('memorystore')(require('express-session'));
 const { violationFile } = require('./keyvFiles');
 const { RedisStore } = require('rate-limit-redis');

api/cache/cacheFactory.spec.js

@@ -44,9 +44,7 @@ jest.mock('./keyvFiles', () => ({
   violationFile: mockViolationFile,
 }));
 
-jest.mock('connect-redis', () => ({
-  default: mockConnectRedis,
-}));
+jest.mock('connect-redis', () => ({ RedisStore: mockConnectRedis }));
 
 jest.mock('memorystore', () => jest.fn(() => mockMemoryStore));
 

api/package.json

@@ -56,8 +56,8 @@
     "@waylaidwanderer/fetch-event-source": "^3.0.1",
     "axios": "^1.8.2",
     "bcryptjs": "^2.4.3",
-    "compression": "^1.7.4",
-    "connect-redis": "^7.1.0",
+    "compression": "^1.8.1",
+    "connect-redis": "^8.1.0",
     "cookie": "^0.7.2",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
@@ -67,7 +67,7 @@
     "express": "^4.21.2",
     "express-mongo-sanitize": "^2.2.0",
     "express-rate-limit": "^7.4.1",
-    "express-session": "^1.18.1",
+    "express-session": "^1.18.2",
     "express-static-gzip": "^2.2.0",
     "file-type": "^18.7.0",
     "firebase": "^11.0.2",