The nonlocal behavior of quantum mechanics enables to generate guaranteed fresh randomness from an untrusted device that consists of two nonsignalling components. Since the generation process requires some initial fresh randomness to act as a catalyst, one also speaks of randomness expansion. Previous works showed the freshness of the generated randomness only for an adversary that holds no quantum side information, or, equivalently, has measured all quantum side information before the randomness is generated by the device. Thus, until now it was unclear if and how much fresh randomness can be generated by an untrusted device in the presence of an adversary that maintains a quantum state. In this work, we show that security against quantum side information comes "for free". Specifically, we show that with the same procedure, the very same amount of randomness can be generated in the presence of quantum side information as can be generated without any (quantum or classical) side information. Our result on the freshness of the generated randomness against an adversary that is permitted to maintain an arbitrary quantum state, not only provides security in a stronger and more realistic setting, but also implies composability. For instance, the randomness generated from one device can be used as initial randomness for another - possibly entangled - device, and the resulting generated randomness from this second device can then again be used as initial randomness for the first device, and so on. As an application of the composability, we obtain the first randomness-expansion scheme from untrusted devices that offers exponential expansion; previous schemes merely achieved polynomial expansion.