Infrastructure/verdaccio
0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2025-01-20 22:52:46 -05:00
Code Issues Activity

fix: security vulnerability at readme in dompurify dep (#1532)

Browse source 
Fix Cross-site Scripting (XSS) in @verdaccio/readme
This commit is contained in:
Juan Picado @jotadeveloper 2019-10-23 20:49:36 +02:00 committed by GitHub
parent 44c79ad708
commit 2ac7770459
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 83 additions and 66 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
package.json
View file

@ -16,10 +16,10 @@
"verdaccio": "./bin/verdaccio" "verdaccio": "./bin/verdaccio"
}, },
"dependencies": { "dependencies": {
"@verdaccio/commons-api": "8.1.2", "@verdaccio/commons-api": "8.2.0",
"@verdaccio/local-storage": "8.1.2", "@verdaccio/local-storage": "8.2.0",
"@verdaccio/readme": "8.1.2", "@verdaccio/readme": "8.2.0",
"@verdaccio/streams": "8.1.2", "@verdaccio/streams": "8.2.0",
"@verdaccio/ui-theme": "0.3.2", "@verdaccio/ui-theme": "0.3.2",
"JSONStream": "1.3.5", "JSONStream": "1.3.5",
"async": "3.1.0", "async": "3.1.0",
@ -49,7 +49,7 @@
"request": "2.87.0", "request": "2.87.0",
"semver": "6.3.0", "semver": "6.3.0",
"verdaccio-audit": "8.1.4", "verdaccio-audit": "8.1.4",
"verdaccio-htpasswd": "8.1.2" "verdaccio-htpasswd": "8.2.0"
}, },
"devDependencies": { "devDependencies": {
"@commitlint/cli": "8.2.0", "@commitlint/cli": "8.2.0",
@ -88,8 +88,8 @@
"standard-version": "7.0.0", "standard-version": "7.0.0",
"supertest": "4.0.2", "supertest": "4.0.2",
"typescript": "3.6.3", "typescript": "3.6.3",
"verdaccio-auth-memory": "8.1.2", "verdaccio-auth-memory": "8.2.0",
"verdaccio-memory": "8.1.2" "verdaccio-memory": "8.2.0"
}, },
"keywords": [ "keywords": [
"private", "private",

135
yarn.lock
View file

@ -1643,10 +1643,10 @@
babel-plugin-dynamic-import-node "2.3.0" babel-plugin-dynamic-import-node "2.3.0"
babel-plugin-emotion "10.0.17" babel-plugin-emotion "10.0.17"
"@verdaccio/commons-api@8.1.2", "@verdaccio/commons-api@^8.1.2": "@verdaccio/commons-api@8.2.0", "@verdaccio/commons-api@^8.2.0":
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/@verdaccio%2fcommons-api/-/commons-api-8.1.2.tgz#725b04dad6c09f6d9c3d6a9ca83fbb9d55f6dae1" resolved "https://registry.verdaccio.org/@verdaccio%2fcommons-api/-/commons-api-8.2.0.tgz#0ed20a7feba6af02bc525f36c46834971b9fd0a7"
integrity sha512-voJIpdikrSe6aWpRmGoyHGIB0mUgLyNe5oz+jBH81G0/8VsFiIEXye2WTJ4vmEGsZV3tsitMfJM0x+H+uFpE4Q== integrity sha512-dypbrd/3gmuAfLW3cUdkQ0NwQdtrGfEjv4qJ+Qw6/jnNf7goGmI/94XwqgIAZdmPN+JH99r7kwa9qHtfUyYWvA==
dependencies: dependencies:
http-errors "1.7.3" http-errors "1.7.3"
@ -1673,39 +1673,39 @@
dependencies: dependencies:
lockfile "1.0.4" lockfile "1.0.4"
"@verdaccio/file-locking@^8.1.2": "@verdaccio/file-locking@^8.2.0":
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/@verdaccio%2ffile-locking/-/file-locking-8.1.2.tgz#6f529a54ad2fa3558068e8c3e8241c6502ec6763" resolved "https://registry.verdaccio.org/@verdaccio%2ffile-locking/-/file-locking-8.2.0.tgz#d6c76315fdf4022ae453f92ac12f1cf4d5a64f1c"
integrity sha512-23fer5+B+Y254MzHoCvPiqDbB9QEzlDau7Gj/L2vQbFjjVnnBMv85PCokWDU7EguF2mvhjkZ5U4Zoo6bZ5PRKw== integrity sha512-s3gzuRWN2IgaEUPtwsnB24gRRVFaD26fbh+32RN7hcxlqCtZh8s7spKu5cFYCxtyoYkFVFxn3PsJcWkGaKda7Q==
dependencies: dependencies:
lockfile "1.0.4" lockfile "1.0.4"
"@verdaccio/local-storage@8.1.2": "@verdaccio/local-storage@8.2.0":
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/@verdaccio%2flocal-storage/-/local-storage-8.1.2.tgz#27564856856808bb019ff0453745d25bea04074a" resolved "https://registry.verdaccio.org/@verdaccio%2flocal-storage/-/local-storage-8.2.0.tgz#d09406b8738e949ff247fef71386de0e8a1de0f1"
integrity sha512-49j5nyB7+At3ho/eMBF6WB+Wz0H90MOzvzx8pS+J1rBoqY+nkyeR4iYG7I+kbWCcRjp7aDpwN5djGPyV8ZEsXw== integrity sha512-gIamhfr7TwXAmOv/2NNr/Cisr9UextH/8w3qPnzdAMuZWAyquiZK9/z/DLDZm04H9A6pP9oaSfjXydUVeD4ZYg==
dependencies: dependencies:
"@verdaccio/commons-api" "^8.1.2" "@verdaccio/commons-api" "^8.2.0"
"@verdaccio/file-locking" "^8.1.2" "@verdaccio/file-locking" "^8.2.0"
"@verdaccio/streams" "^8.1.2" "@verdaccio/streams" "^8.2.0"
async "3.1.0" async "3.1.0"
level "5.0.1" level "5.0.1"
lodash "4.17.15" lodash "4.17.15"
mkdirp "0.5.1" mkdirp "0.5.1"
"@verdaccio/readme@8.1.2": "@verdaccio/readme@8.2.0":
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/@verdaccio%2freadme/-/readme-8.1.2.tgz#1022e7bced4c91f0712b66792528b00761ea8031" resolved "https://registry.verdaccio.org/@verdaccio%2freadme/-/readme-8.2.0.tgz#a1628f633c46fe86e8b5d55fbba44aba11d23e33"
integrity sha512-FVa5WQttsf8rLRK3IA/VZD9UWhHAdK/UEcKL0zP+EFqiXQTADYuIPgdLtSeC1w4LTUAUu2Qv05D2vimTAabFKA== integrity sha512-fII0jdixadOkQFtFktZw3EMyYGvTs2nzhlkGM9WZfv4QH2pVVmrfx1E9sqBrKLHUvwgrO8sDfcC8wHJQ6tsNVw==
dependencies: dependencies:
dompurify "2.0.3" dompurify "2.0.7"
jsdom "15.1.1" jsdom "15.2.0"
marked "0.7.0" marked "0.7.0"
"@verdaccio/streams@8.1.2", "@verdaccio/streams@^8.1.2": "@verdaccio/streams@8.2.0", "@verdaccio/streams@^8.2.0":
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/@verdaccio%2fstreams/-/streams-8.1.2.tgz#0f74d967415b260b728b35caf05992fdb5bb5fe9" resolved "https://registry.verdaccio.org/@verdaccio%2fstreams/-/streams-8.2.0.tgz#3135945bd8445b2af27ea888eb9989071df9afa9"
integrity sha512-mh7qeYFNNt7MtxPZXs8JLs5lwxob1mELNEc6aA3ZHhg90PCKM7v9fzylWZgbsn0XSzTKltosQ/dqYUQvDCd0Dg== integrity sha512-gwMHKVoJMWuI6dMxrekiv1gcNEpll/K6uj4juOjTwhp6IULUDbza7T6FHj3I5p5zxREEkiNGnCWmZki0437qEQ==
"@verdaccio/types@8.1.0": "@verdaccio/types@8.1.0":
version "8.1.0" version "8.1.0"
@ -1787,11 +1787,16 @@ acorn@^5.5.3:
resolved "https://registry.verdaccio.org/acorn/-/acorn-5.7.3.tgz#67aa231bf8812974b85235a96771eb6bd07ea279" resolved "https://registry.verdaccio.org/acorn/-/acorn-5.7.3.tgz#67aa231bf8812974b85235a96771eb6bd07ea279"
integrity sha512-T/zvzYRfbVojPWahDsE5evJdHb3oJoQfFbsrKM7w5Zcs++Tr257tia3BmMP8XYVjp1S9RZXQMh7gao96BlqZOw== integrity sha512-T/zvzYRfbVojPWahDsE5evJdHb3oJoQfFbsrKM7w5Zcs++Tr257tia3BmMP8XYVjp1S9RZXQMh7gao96BlqZOw==
acorn@^6.0.1, acorn@^6.0.7, acorn@^6.1.1: acorn@^6.0.1, acorn@^6.0.7:
version "6.2.1" version "6.2.1"
resolved "https://registry.verdaccio.org/acorn/-/acorn-6.2.1.tgz#3ed8422d6dec09e6121cc7a843ca86a330a86b51" resolved "https://registry.verdaccio.org/acorn/-/acorn-6.2.1.tgz#3ed8422d6dec09e6121cc7a843ca86a330a86b51"
integrity sha512-JD0xT5FCRDNyjDda3Lrg/IxFscp9q4tiYtxE1/nOzlKCk7hIRuYjhq1kCNkbPjMRMZuFq20HNQn1I9k8Oj0E+Q== integrity sha512-JD0xT5FCRDNyjDda3Lrg/IxFscp9q4tiYtxE1/nOzlKCk7hIRuYjhq1kCNkbPjMRMZuFq20HNQn1I9k8Oj0E+Q==
acorn@^7.1.0:
version "7.1.0"
resolved "https://registry.verdaccio.org/acorn/-/acorn-7.1.0.tgz#949d36f2c292535da602283586c2477c57eb2d6c"
integrity sha512-kL5CuoXA/dgxlBbVrflsflzQ3PAas7RYZB52NOm/6839iVYJgKMJ3cQJD+t2i5+qFa8h3MDpEOJiS64E8JLnSQ==
agent-base@^4.3.0: agent-base@^4.3.0:
version "4.3.0" version "4.3.0"
resolved "https://registry.verdaccio.org/agent-base/-/agent-base-4.3.0.tgz#8165f01c436009bccad0b1d122f05ed770efc6ee" resolved "https://registry.verdaccio.org/agent-base/-/agent-base-4.3.0.tgz#8165f01c436009bccad0b1d122f05ed770efc6ee"
@ -2903,18 +2908,30 @@ cross-spawn@^6.0.0, cross-spawn@^6.0.5:
shebang-command "^1.2.0" shebang-command "^1.2.0"
which "^1.2.9" which "^1.2.9"
cssom@0.3.x, "cssom@>= 0.3.2 < 0.4.0", cssom@^0.3.6: cssom@0.3.x, "cssom@>= 0.3.2 < 0.4.0", cssom@~0.3.6:
version "0.3.8" version "0.3.8"
resolved "https://registry.verdaccio.org/cssom/-/cssom-0.3.8.tgz#9f1276f5b2b463f2114d3f2c75250af8c1a36f4a" resolved "https://registry.verdaccio.org/cssom/-/cssom-0.3.8.tgz#9f1276f5b2b463f2114d3f2c75250af8c1a36f4a"
integrity sha512-b0tGHbfegbhPJpxpiBPU2sCkigAqtM9O121le6bbOlgyV+NyGyCmVfJ6QW9eRjz8CpNfWEOYBIMIGRYkLwsIYg== integrity sha512-b0tGHbfegbhPJpxpiBPU2sCkigAqtM9O121le6bbOlgyV+NyGyCmVfJ6QW9eRjz8CpNfWEOYBIMIGRYkLwsIYg==
cssstyle@^1.0.0, cssstyle@^1.2.2: cssom@^0.4.1:
version "0.4.1"
resolved "https://registry.verdaccio.org/cssom/-/cssom-0.4.1.tgz#b24111d236b6dbd00cdfacb5ab67a20473381fe3"
integrity sha512-6Aajq0XmukE7HdXUU6IoSWuH1H6gH9z6qmagsstTiN7cW2FNTsb+J2Chs+ufPgZCsV/yo8oaEudQLrb9dGxSVQ==
cssstyle@^1.0.0:
version "1.4.0" version "1.4.0"
resolved "https://registry.verdaccio.org/cssstyle/-/cssstyle-1.4.0.tgz#9d31328229d3c565c61e586b02041a28fccdccf1" resolved "https://registry.verdaccio.org/cssstyle/-/cssstyle-1.4.0.tgz#9d31328229d3c565c61e586b02041a28fccdccf1"
integrity sha512-GBrLZYZ4X4x6/QEoBnIrqb8B/f5l4+8me2dkom/j1Gtbxy0kBv6OGzKuAsGM75bkGwGAFkt56Iwg28S3XTZgSA== integrity sha512-GBrLZYZ4X4x6/QEoBnIrqb8B/f5l4+8me2dkom/j1Gtbxy0kBv6OGzKuAsGM75bkGwGAFkt56Iwg28S3XTZgSA==
dependencies: dependencies:
cssom "0.3.x" cssom "0.3.x"
cssstyle@^2.0.0:
version "2.0.0"
resolved "https://registry.verdaccio.org/cssstyle/-/cssstyle-2.0.0.tgz#911f0fe25532db4f5d44afc83f89cc4b82c97fe3"
integrity sha512-QXSAu2WBsSRXCPjvI43Y40m6fMevvyRm8JVAuF9ksQz5jha4pWP1wpaK7Yu5oLFc6+XAY+hj8YhefyXcBB53gg==
dependencies:
cssom "~0.3.6"
csstype@^2.5.7: csstype@^2.5.7:
version "2.6.6" version "2.6.6"
resolved "https://registry.verdaccio.org/csstype/-/csstype-2.6.6.tgz#c34f8226a94bbb10c32cc0d714afdf942291fc41" resolved "https://registry.verdaccio.org/csstype/-/csstype-2.6.6.tgz#c34f8226a94bbb10c32cc0d714afdf942291fc41"
@ -3160,10 +3177,10 @@ domexception@^1.0.1:
dependencies: dependencies:
webidl-conversions "^4.0.2" webidl-conversions "^4.0.2"
dompurify@2.0.3: dompurify@2.0.7:
version "2.0.3" version "2.0.7"
resolved "https://registry.verdaccio.org/dompurify/-/dompurify-2.0.3.tgz#5cc4965a487d54aedba6ba9634b137cfbd7eb50d" resolved "https://registry.verdaccio.org/dompurify/-/dompurify-2.0.7.tgz#f8266ad38fe1602fb5b3222f31eedbf5c16c4fd5"
integrity sha512-q006uOkD2JGSJgF0qBt7rVhUvUPBWCxpGayALmHvXx2iNlMfNVz7PDGeXEUjNGgIDjADz59VZCv6UE3U8XRWVw== integrity sha512-S3O0lk6rFJtO01ZTzMollCOGg+WAtCwS3U5E2WSDY/x/sy7q70RjEC4Dmrih5/UqzLLB9XoKJ8KqwBxaNvBu4A==
dot-prop@^3.0.0: dot-prop@^3.0.0:
version "3.0.0" version "3.0.0"
@ -5158,17 +5175,17 @@ jsbn@~0.1.0:
resolved "https://registry.verdaccio.org/jsbn/-/jsbn-0.1.1.tgz#a5e654c2e5a2deb5f201d96cefbca80c0ef2f513" resolved "https://registry.verdaccio.org/jsbn/-/jsbn-0.1.1.tgz#a5e654c2e5a2deb5f201d96cefbca80c0ef2f513"
integrity sha1-peZUwuWi3rXyAdls77yoDA7y9RM= integrity sha1-peZUwuWi3rXyAdls77yoDA7y9RM=
jsdom@15.1.1: jsdom@15.2.0:
version "15.1.1" version "15.2.0"
resolved "https://registry.verdaccio.org/jsdom/-/jsdom-15.1.1.tgz#21ed01f81d95ef4327f3e564662aef5e65881252" resolved "https://registry.verdaccio.org/jsdom/-/jsdom-15.2.0.tgz#4baead4f464e733533ed6ac607ce440918cf5cbb"
integrity sha512-cQZRBB33arrDAeCrAEWn1U3SvrvC8XysBua9Oqg1yWrsY/gYcusloJC3RZJXuY5eehSCmws8f2YeliCqGSkrtQ== integrity sha512-+hRyEfjRPFwTYMmSQ3/f7U9nP8ZNZmbkmUek760ZpxnCPWJIhaaLRuUSvpJ36fZKCGENxLwxClzwpOpnXNfChQ==
dependencies: dependencies:
abab "^2.0.0" abab "^2.0.0"
acorn "^6.1.1" acorn "^7.1.0"
acorn-globals "^4.3.2" acorn-globals "^4.3.2"
array-equal "^1.0.0" array-equal "^1.0.0"
cssom "^0.3.6" cssom "^0.4.1"
cssstyle "^1.2.2" cssstyle "^2.0.0"
data-urls "^1.1.0" data-urls "^1.1.0"
domexception "^1.0.1" domexception "^1.0.1"
escodegen "^1.11.1" escodegen "^1.11.1"
@ -5809,10 +5826,10 @@ media-typer@0.3.0:
resolved "https://registry.verdaccio.org/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748" resolved "https://registry.verdaccio.org/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
integrity sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g= integrity sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=
memory-fs@0.4.1: memory-fs@0.5.0:
version "0.4.1" version "0.5.0"
resolved "https://registry.verdaccio.org/memory-fs/-/memory-fs-0.4.1.tgz#3a9a20b8462523e447cfbc7e8bb80ed667bfc552" resolved "https://registry.verdaccio.org/memory-fs/-/memory-fs-0.5.0.tgz#324c01288b88652966d161db77838720845a8e3c"
integrity sha1-OpoguEYlI+RHz7x+i7gO1me/xVI= integrity sha512-jA0rdU5KoQMC0e6ppoNRtpp6vjFq6+NY7r8hywnC7V+1Xj/MtHwGIbB1QaK/dunyjWteJzmkpd7ooeWg10T7GA==
dependencies: dependencies:
errno "^0.1.3" errno "^0.1.3"
readable-stream "^2.0.1" readable-stream "^2.0.1"
@ -8258,17 +8275,17 @@ verdaccio-audit@8.1.4:
express "4.17.1" express "4.17.1"
request "2.88.0" request "2.88.0"
verdaccio-auth-memory@8.1.2: verdaccio-auth-memory@8.2.0:
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/verdaccio-auth-memory/-/verdaccio-auth-memory-8.1.2.tgz#3ed70d5c259cc7bc3e6338f11f71129cdd94cfb2" resolved "https://registry.verdaccio.org/verdaccio-auth-memory/-/verdaccio-auth-memory-8.2.0.tgz#55168967947abff6ead8ea34dfbaa17b626183a1"
integrity sha512-5ISuVsr1/7LWGf4VnDdh+WXAvVyeSldlleEiJG5lIS2THXyGMzKVSjHzN6TfWqvOKsx5QDmwY78Qmy4LnCLP1g== integrity sha512-fMr6u0vEnbFQT2CemVJbOB0H1lPdDu1R/jsNsoHH+BZIohTlvCU9ZT9ePRSRHvrwb2qCd5iJZpPwH98uCH3GAQ==
dependencies: dependencies:
"@verdaccio/commons-api" "^8.1.2" "@verdaccio/commons-api" "^8.2.0"
verdaccio-htpasswd@8.1.2: verdaccio-htpasswd@8.2.0:
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/verdaccio-htpasswd/-/verdaccio-htpasswd-8.1.2.tgz#594c97eb33e260a699861411235cca3e018d14be" resolved "https://registry.verdaccio.org/verdaccio-htpasswd/-/verdaccio-htpasswd-8.2.0.tgz#fc942bf1e5aab698782b704a6494fc62ef311954"
integrity sha512-GZGnToJ80Cd3qYE2upNxcq6M35wlDCW+iqe9sCooqH0gLo+C3TUTJw54Y6zC1qtlnTV29Bhf07ODr1j5IS6dcA== integrity sha512-ukbKWzH4DtsNH9NF9wKo0axU/uupudANcuG7Hc1FL/PopOq7Z1rLRF7MgA+P8BJGnwaZRB4pq32hblM931AEWg==
dependencies: dependencies:
"@verdaccio/file-locking" "1.0.0" "@verdaccio/file-locking" "1.0.0"
apache-md5 "1.1.2" apache-md5 "1.1.2"
@ -8276,15 +8293,15 @@ verdaccio-htpasswd@8.1.2:
http-errors "1.7.3" http-errors "1.7.3"
unix-crypt-td-js "1.0.0" unix-crypt-td-js "1.0.0"
verdaccio-memory@8.1.2: verdaccio-memory@8.2.0:
version "8.1.2" version "8.2.0"
resolved "https://registry.verdaccio.org/verdaccio-memory/-/verdaccio-memory-8.1.2.tgz#68e0f84936cd6e7bd503973680b930cbdac52c5d" resolved "https://registry.verdaccio.org/verdaccio-memory/-/verdaccio-memory-8.2.0.tgz#f7ae7292d643f7a22d7e22a9bcce65c3c5ffc21f"
integrity sha512-fMVJOwfTVDVmHHk4r+/kNpoUeVIwR0zxqNUREm/cyO7JSXoCkI3TQHD/lnRSiEN6eoHY/JPOZQo42GygKlsi9g== integrity sha512-XRUyuHCgnPJUQFuZsy8YC62v0LgMp+OlOpqyfl6DSzmD1bEUgLWXqHpkOthBht7wIhjhzkZe/W46u0uIjUzOzw==
dependencies: dependencies:
"@verdaccio/commons-api" "^8.1.2" "@verdaccio/commons-api" "^8.2.0"
"@verdaccio/streams" "^8.1.2" "@verdaccio/streams" "^8.2.0"
http-errors "1.7.3" http-errors "1.7.3"
memory-fs "0.4.1" memory-fs "0.5.0"
verror@1.10.0: verror@1.10.0:
version "1.10.0" version "1.10.0"