From 2ac777045925b1ce475c0452c5618ae299cda7f9 Mon Sep 17 00:00:00 2001
From: "Juan Picado @jotadeveloper" <juanpicado19@gmail.com>
Date: Wed, 23 Oct 2019 20:49:36 +0200
Subject: [PATCH] fix: security vulnerability at readme in dompurify dep
 (#1532)

Fix Cross-site Scripting (XSS) in @verdaccio/readme
---
 package.json |  14 +++++++-------
 yarn.lock    | Bin 367245 -> 368070 bytes
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/package.json b/package.json
index 4c1de55b8..b9fbcf07d 100644
--- a/package.json
+++ b/package.json
@@ -16,10 +16,10 @@
     "verdaccio": "./bin/verdaccio"
   },
   "dependencies": {
-    "@verdaccio/commons-api": "8.1.2",
-    "@verdaccio/local-storage": "8.1.2",
-    "@verdaccio/readme": "8.1.2",
-    "@verdaccio/streams": "8.1.2",
+    "@verdaccio/commons-api": "8.2.0",
+    "@verdaccio/local-storage": "8.2.0",
+    "@verdaccio/readme": "8.2.0",
+    "@verdaccio/streams": "8.2.0",
     "@verdaccio/ui-theme": "0.3.2",
     "JSONStream": "1.3.5",
     "async": "3.1.0",
@@ -49,7 +49,7 @@
     "request": "2.87.0",
     "semver": "6.3.0",
     "verdaccio-audit": "8.1.4",
-    "verdaccio-htpasswd": "8.1.2"
+    "verdaccio-htpasswd": "8.2.0"
   },
   "devDependencies": {
     "@commitlint/cli": "8.2.0",
@@ -88,8 +88,8 @@
     "standard-version": "7.0.0",
     "supertest": "4.0.2",
     "typescript": "3.6.3",
-    "verdaccio-auth-memory": "8.1.2",
-    "verdaccio-memory": "8.1.2"
+    "verdaccio-auth-memory": "8.2.0",
+    "verdaccio-memory": "8.2.0"
   },
   "keywords": [
     "private",
diff --git a/yarn.lock b/yarn.lock
index 14837091af073479cb3ebb33f4d13183641ac34f..8cb2cc2f06ad1e5758e6d7d9ffe66ce0df01dc29 100644
GIT binary patch
delta 2567
zcmY+GNvPz;8OQ1FX*-!rGQ3&dEV0S>ISe*Eev+!BDk;g}=~gf5eN}G<LrJCTy``2~
zy%C%EVC;**rXdPB<rYG6F(f=3UmVBeX7B{(VjFVGWgr+|d<rCbZ^jc_2kBFR;IDuE
zzVBae{^{^<?;ZZ)kC6vIje}$U=uYsK6TiOy_#-W-{w(s`akzH89PFOuEed#onPm_}
z7!M3n0uqDB6p;)?1q+74C?CB2`{?C;Ep|?)TgPxI2M04h$x0n)>U2`)E9*L4x;d5^
zuf#<mQC}l&Jg+c3uyeCKr-<G4VvtYv>8w^s6f{L~@nlVug|=k+w%1wh-+ub~$@6z3
z=g;jw`6zuV@IoNni##RBk9AUHVgv<=Q6};L5KELGQvfjqzyy<tR3b=ZLU8a_<WTqE
zVCOeF6_6j0j9y!=y?F|VgGQsBC24?|F-$<vsNkWwnJ(02e<*v{bBexXW_#*pxwU(f
zY&*M|!<ttxJChtKQi6k5Uyk1lo=irb`u@~5$@B$pX}e@#?eBk(dnoySDsqea+E~gf
zB99CiL)lV9g)tz8E;B4Z8BvS3WFmwQwtwf#Lw%4ZvmtYFYu!!Gsw)muDlVsvJXg`J
z%~Ip!HC)u@JDM!}{Z4Yb@JIck!tJ<pDczs(qNXH~Q&VixWaI9Z>TN46_Ivxq)tkYu
zz4#Afp`_riYUIaf#RE0+qqE{dIzsoKeDKKb_tTL}kF^s40hu8PLkgHBBTF_UDoM;R
zh$s?+2m%Grg2BOWqK7)m=lL-mZ3wMS>e*#>vh1&6ro8RtRxJ<Acf;u<S5`WGwi4?a
zaN6ye%Qiwr@fIn!Skm;>df--NFU?F<UTcLqT6&fC{?#|GKTGYI<GUlay>)czDn2@Y
zE4;>DxPI$MkWSeMew&Hhxe*pecWxcsTUjn8ra7`XZ|PcO=6%ikh2UN`a^>;=K><pN
zC>c~1!#f}hV2jAIY#E9oD?An`QwSsbXTCaY57uR^*tQGhj-N-gym76`XeA8HO2(N^
zxgzq%;@Gc_TkD~N@_I>68#{tqD65TOUUH<}rjf}^MwQ%L?aca<5idf#$kb21$VQxt
z!K@wm;(Mm;&hNd1kA-7?|K7D1gFmz*Kj6<^&pI@OheE`F2^1hfi4qj@FGER2W{4Cv
zC2Sdh1_z(S9(L%YB&ojLO>%UwnWl`k%cdTi?&`3XBpz<``Y8!isxvO^Z)Mc(6$Zs}
z0h;wfI<W*JDY3{Bc?ipCCsQqqnn=vZh0?rv((XiNe~!Eoe0UK3Dr(Puc{Q2~zI!Qp
zkrPARr-Q@*qHx9qG7vQ=&zqDH(~yXPFaf-XA(RDXoiRgDl8hI8cjiwrSfgECM|r#1
z@ijq115MeX#f%I*Z`m4Eu-O6GO3O161)vVSgwJY&zUsBPtu5Om<I{S{H58iLG~4yN
zch8?Uz3{v3G^lsZT?^iPH_8Wxm!qGaJ6k(=A(lIRy&|0A^l<(ug1~rY0ZD>@8X}Wu
zNH{ZP$YjMdMMDOr687yw)a%`5(g&TC*KBmv+IW>0VNc{|h?T9?YTKB}g?7@<Dig21
zlg2|LI-Q!Zc1RKTe910lO_b;+dx_y#?hP%r?V72S1PA-K|9vC)=jG@VPrSk(!((*v
z;Bxf8&t1en326_3_D1$R<UcrgG9m=e-;Lh9gU|eCGC+t>C^Jh4iC~6gKmY)Pf@M*I
zNv06aaJF}juC<%6%1<ZA%@&qbUg)=WWqUeRtGPj<lU%CnCe)=2=rq$kZo_$7yuf^8
zoKeN}%pDCSPG9UwrIgaOiv_v3Sf@6mvP$`4^7YT}Mo&J!8)NuVXy>=o3ex^S5`x$K
z*umqT6AfY!Dl!p?R>*<`p+ylf5sytv6nRCE%}}%vJoCHQp`I8vwiz~V)UxYVuRLqk
zA;++;%xiML(w`ZVnQl!m;``2KuGTt*{E(1R!`GWDrx3PEzo_Oil}%~AQK!4LQ+4Lu
z3R8!{A`!VBXsg)G_*r)agH<ejBjoqtTzN!}b?fM*GdxZ{T*baJgXYVzRPdiqW7j$9
z5i$^nCNBV4He?w|KtYHKNT3GBGL$jkWl<vX>2wUEs5MUVF4d)?T`#M=g&fDOG?tEo
zR^#jfB`Q7a%ERq?uHtq==#IJaQd{TpMoOrYB1irCcHCK7h23o8P;A>)XCUw`ystNJ
zy#B^#v6DAGJNK{s=`i1a{P!1w_ucsU;9Wa@`?2SeBp_KqSP?NX7(?L($QFSjWd<Pv
zHV{C949Qsrv9gPNewCRU*?J48)~sDHswrL*rZt-Og$6hFDxR%riBvyt4_nifsw@4L
zV$~YWhPHCo23V+68Ws9ZZLKM?uWB%tJhl8AA@ojo1o^hytBd&mBa@km2n;4z5(%e<
zB4ZgCm>0ufS43taV1;lCinL!`IMn@#QS9tAF&(Cbrc|=Zx@hxcqjSFR_%vBD{T$Xz
zAzR{Vwo_f;zTlP`SzI0@6E!(i$j#TJ-$;qh0)nA2Eh|t+W;$O-=K0_sYUE-Nb>lz(
zrrg_)Pa_Ny3y1TVA`yl)02Eu{p+qrE(?XI7O^GoR1n=LEU2An4`qtOf!Ms+`>si0=
zZRMVdz=|&o%1)v>tvZV>o1%1cH%kjfMjw<q-G$~%s>@+&xWw!Ha6H^i`WDv_!wvHD
sV|`Z*{&FXNBlwjUfBG!SPcuCNg8A#`ZUkR?@hh<q)sycm<FDQRAG=sB4FCWD

delta 2216
zcmah~ORVEo8J3e95JM|EGq;&X2M7U`QFHIjIkwNS%}aSW&zpB*=Ycff$8laxoY;vI
zM<B`q6{&zUx>BvGtFG7%66i{>05(;TP@$_?an}_rU^Ycv72gb8sS*s5H~w`N-{b$j
z|DE4NfBLKFtG}fF`t=Arq2ovXpWVpqXzBrfa{2qUYq6M1Y-eoEV{!hC_YR={-6Hk8
z|Lt#3_maVblhttdWsXKFV0A^u8W0Su3mT(iMbH$UF;rF15ekM1Is3(vsN`DZ(n23k
z?KZ(mchQ;^EU#E7Wxz}tR=gTP)-Ey06nR(xNnUpH<5I5Y5xUzcv+gWca0W87a>lEw
zQLch*qL^6c7dh5n-jCclf90FhXAW*W3pGkn_u!t`9yc}+EhvapblOlDgm{2?!fOoS
zX%=c20h(x-!~XBzjNIxl2C-2hljzfkt?r6e)@_WJqM8w!xt%F0YpyU!R%o}W<|h+*
zKF?HL9yPMov@1$nZn)0VGj}wZ4v@qSEDNgx)M%Za{qV=P{YaYnLfo`8#XNRamaPm)
z>e<@ApP^z`+S44uERXQz2Y6KlP%sR@B8Fp;9{55Ozygl-n;#rRC03ZAxtHM*=@m1w
zlBAl+<8CI=-GQP2s`Z__+wzNcq73bfwd^P6Q;)RRalgQo5>vIC)moDUr-+M94e66Y
z!;|?z&glgt?)rapA}<|WO7Fk4j>JCobbI_KZsd#MVCp|7Qu;HU`JG7JxLmlsFA&f)
z;Z%+2tR_GMaFA9p<^&qiyb1t^AyIg6_UOqiDK9Ii+gz<2gSRWKQ>K(o$^%i5x}#!R
zKTS$G?X&`RjYKZL9QT@?wAf#l8biIZYLhJ7u$7LKmezFB1xTdb@vM_p)cmRc_Tj;u
zxHVg>?Xls-;`9kPVd6m&VzG&%TeDakq5v%Pf1aa`E}e)U#p0<TCc2_&V=L*bY@*DZ
z|Cgauo;p1K4`*O-tS(@Vg-E3_P`Q9AgEYkeNDyd4SCOhB|ItrEhi8rOfjk>=OVZER
zYAdd~+BOC~hc8zgWNx;W3TL@WEvI26%?yg8p#U1$(<<i*#?CXlgQ4ooL9e~*oSG}k
zX(sh$UuwEyRtMtn{O@^c@ww-YVv1(j^V9<zaBOy{oBl$kF3yWRYWQpFf&b`6=)<V9
z@=TI?00U{jQA~53{lNd$>*3q}pWX|f_%B35hyKThp?A*z77cxL-*^5HO8H+&h3+0R
zdy|o-u>wX4%X4}VL87Y)Ruus=tO^-UGgO@;Dgyr7Z-t`r5&*oePer<1XqSh1u*|GD
zTOLWS)W~$R+eJa~(v?}!?QQ9C&8!+VdB-)x0_o+XNv$v}iIcRrLxMcWx>(9F65nfe
z<;`o4Q=#+6sj$HXy9qy0brAXQe>Et(SGVEofx~bQnTA9M(BPpiAY!l#%^3^{;)gM<
z5Caj6cplQ|?BV^Wq%{YvOom|;+ZNL#Yo~MFIh2^TYr9##=Q)|RBGi{d=yh$UpB(nJ
zwPRZ4EYlj4d+R<TWYo^iHV$vlePWKY%R+l<ul(j?>dqVYLf4<)8x)IQIuv;HkM9Ml
z@4WC)m^s0I`upLVVfutV|E(APQ1d^&70USk{7d*YVE@g7Q3QnsD$n8|Q4C?(OSv_U
z1ogoKq6bk^4GkgMziv`D@75RAaGmR$r9`W^<F<)0H>|@MNp5BTOFuif<<H*?fBLm|
zFT&^VUL0JUT@M!e6G}ck8XwpZaMf81(K(<ajYfi|1vzI3W*FXp(BL4X1x?olHbAu3
z5tZ6&*|A}gt8@znE6+uJl<4--uI!PvshcLrjmrgOmfCcu*z*e2-KpH36n8b;F}h2)
ze(G#dQ=D!39N(OIY-OIUG~n6t#ix~ZbQ#`j*RG;_JX$Rj$JyvlEBL<<5m%8{u85!j
zrx2_u!;m1e3Kj$&LpI<LBv(@y0wAwLR`nmYsHjvJ6y_bP%!91XEc-cny{K)qC9X1P
zV~W{sV!R}RleMg65ezF<BFl87PI-gaKHg>Fa%IjtGA(3AK^@jb8%_dYu&$jw{QRED
zHUDTGdHsKg|Is?~@)hRb!~uh61qN$64q8@6fDt$*xE`v&08I@#4AC0e=T0)Ja=E@S
zI<hFwip42wCz8|J!jgzw+O)uKyR1pA+$^bib*|j*S=nic=`@RC(ww*2<6I3BtJqJL
z8}&icV(Ef6JT;xMaHanKG+f>Y3i{u<IC#<j!8-EU7iMH;+1|0?#Nyy2SlRRRCi0_~
F{{@t&vl##Y