use 'lax' instead of 'Lax' as default for cookie sameSite option (#271)

Change to support @fastify/cookie ^11.0.0

The downstream jshttp/cookie module now enforces the sameSite option to
be lowercase, which means this default is causing the plugin to throw
when setting the session cookie.

Signed-off-by: Niall Molloy <niall.molloy@engineering.digital.dwp.gov.uk>

lib/cookie.js

@@ -28,7 +28,7 @@ module.exports = class Cookie {
       if (request.protocol === 'https') {
         this.secure = true
       } else {
-        this.sameSite = 'Lax'
+        this.sameSite = 'lax'
         this.secure = false
       }
     }

package.json

@@ -27,7 +27,7 @@
     "url": "git+https://github.com/fastify/session.git"
   },
   "devDependencies": {
-    "@fastify/cookie": "^10.0.0",
+    "@fastify/cookie": "^11.0.0",
     "@fastify/pre-commit": "^2.1.0",
     "@types/node": "^22.0.0",
     "c8": "^10.1.2",

test/session.test.js

@@ -834,7 +834,7 @@ test("clears cookie if not backed by a session, and there's nothing to save", as
   })
 
   t.assert.strictEqual(response.statusCode, 200)
-  t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
+  t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Max-Age=0; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
 })
 
 test("clearing cookie sets the domain if it's specified in the cookie options", async t => {
@@ -853,7 +853,7 @@ test("clearing cookie sets the domain if it's specified in the cookie options",
   })
 
   t.assert.strictEqual(response.statusCode, 200)
-  t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Domain=domain.test; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
+  t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Max-Age=0; Domain=domain.test; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
 })
 
 test('does not clear cookie if no session cookie in request', async t => {