expressjs / session

Simple session middleware for Express

secure=true cookies don't work for localhost

DumplingLife opened this issue · comments

express-session seems to withhold sending secure cookies over HTTP, but this causes wrong behavior for localhost. MDN says secure cookies are allowed on localhost. I think the cookie should be always sent, and the browser should decide what to do with it.

const express = require('express');
const session = require('express-session');
const app = express();
app.use(session({
    secret: 'qwerqwerqwer',
    resave: true,
    saveUninitialized: true,
    cookie: {
        secure: true,
    },
}));
app.get('/hello', (req, res) => {
    res.cookie('test', 'asdf', {secure: true});
    res.send('');
});
const PORT = 7000;
app.listen(PORT, () => {
    console.log(`backend listening on port ${PORT}`);
});

res.cookie works because I see a test cookie, but there is no connect.sid cookie. There is only a Set-Cookie header for test and not for connect.sid.

Hello, yes, the specs for cookies have changed since 1.0 of this module was released. When created, the specs said that secure cookies were not to be sent over insecure connections from the server, which is how this module was implemented. The newer specs remove this and browsers have additionally made it such that localhost, even http non-secure protocol, is considered secure (which it didn't use to be). There is an issue regarding this and we are tracking to change the module's behavior in 2.0.

Duplicate of #837

So, this issue hasn't been fixed 8 months after it was raised; I've been stuck on this error for three days before finding this out now.
Does that mean express-session shouldn't be used for the time being until version 2.0 is released?
Or is there a way around it?
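As an added example (not code from this thread or from express-session itself), the following models the 1.x rule the maintainer describes, that a `secure` session cookie is only emitted when the request itself is considered secure, alongside the environment-gated configuration the module's README suggests: keep `secure` off during plain-HTTP local development, and enable it in production behind a TLS-terminating proxy with `proxy: true` so `X-Forwarded-Proto` is trusted. `issecure` is a simplified reimplementation of the module's check, and `shouldSetSessionCookie` and `buildSessionOptions` are hypothetical helpers.

```javascript
// Added example: models express-session 1.x's "do not send a secure cookie
// over an insecure request" rule and the README's env-gated configuration.
// Not the module's own code; `issecure` is a simplified reimplementation.

// Decide whether a request counts as secure: a TLS socket, or, when proxy
// trust is enabled, an X-Forwarded-Proto header whose first value is https.
function issecure(req, trustProxy) {
  if (req.connection && req.connection.encrypted) return true;
  if (trustProxy === false) return false;          // proxy: false -> TLS only
  if (trustProxy !== true) return req.secure === true; // defer to express
  const header = req.headers['x-forwarded-proto'] || '';
  const proto = header.split(',')[0].toLowerCase().trim();
  return proto === 'https';
}

// Hypothetical helper: would the middleware emit Set-Cookie for connect.sid?
// With cookie.secure === true and a non-secure request, 1.x skips the header,
// which is why http://localhost shows the `test` cookie but no session cookie.
function shouldSetSessionCookie(sessionOptions, req) {
  if (sessionOptions.cookie && sessionOptions.cookie.secure === true) {
    return issecure(req, sessionOptions.proxy);
  }
  return true;
}

// Workaround in the spirit of the express-session README: require secure
// cookies only in production, where the app sits behind a TLS-terminating
// proxy, and trust X-Forwarded-Proto there. In development, leave secure off
// so plain-HTTP localhost still receives the session cookie.
function buildSessionOptions(env, secret) {
  const opts = { secret, resave: false, saveUninitialized: false, cookie: {} };
  if (env === 'production') {
    opts.proxy = true;          // roughly app.set('trust proxy', 1)
    opts.cookie.secure = true;  // browsers send it back over HTTPS only
  }
  return opts;
}

// Constructed sample requests (not captured traffic).
const localhostHttp = { connection: { encrypted: false }, headers: {}, secure: false };
const behindTlsProxy = {
  connection: { encrypted: false },
  headers: { 'x-forwarded-proto': 'https, http' },
  secure: false,
};

console.log('localhost, secure:true ->', shouldSetSessionCookie({ cookie: { secure: true } }, localhostHttp));
console.log('localhost, dev options ->', shouldSetSessionCookie(buildSessionOptions('development', 'x'), localhostHttp));
```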