From c35486d495cfbd8ccc8cba553644c716549e7cce Mon Sep 17 00:00:00 2001
From: "Juan Picado @jotadeveloper"
Date: Tue, 5 Feb 2019 07:24:27 +0100
Subject: [PATCH 1/5] fix: lodash vulnerability
---
 package.json | 40 +++---
 yarn.lock | 338 +++++++++++++++++++++++++++++++++++++++++----------
 2 files changed, 296 insertions(+), 82 deletions(-)
diff --git a/package.json b/package.json
index 852568bee..25cc26fc0 100644
--- a/package.json
+++ b/package.json
@@ -15,40 +15,40 @@
 "verdaccio": "./bin/verdaccio"
 },
 "dependencies": {
- "@verdaccio/file-locking": "0.0.7",
- "@verdaccio/local-storage": "1.1.3",
+ "@verdaccio/file-locking": "0.0.8",
+ "@verdaccio/local-storage": "1.1.4",
 "@verdaccio/streams": "1.0.0",
- "JSONStream": "1.3.3",
+ "JSONStream": "1.3.5",
 "async": "2.6.1",
 "body-parser": "1.18.3",
 "bunyan": "1.8.12",
- "chalk": "2.4.1",
- "commander": "2.16.0",
+ "chalk": "2.4.2",
+ "commander": "2.19.0",
 "compression": "1.7.3",
- "cookies": "0.7.1",
- "cors": "2.8.4",
+ "cookies": "0.7.3",
+ "cors": "2.8.5",
 "date-fns": "1.29.0",
- "express": "4.16.3",
+ "express": "4.16.4",
 "global": "4.3.2",
- "handlebars": "4.0.11",
- "http-errors": "1.6.3",
- "js-base64": "2.4.8",
+ "handlebars": "4.0.12",
+ "http-errors": "1.7.1",
+ "js-base64": "2.5.1",
 "js-string-escape": "1.0.1",
- "js-yaml": "3.12.0",
- "jsonwebtoken": "8.3.0",
+ "js-yaml": "3.12.1",
+ "jsonwebtoken": "8.4.0",
 "lockfile": "1.0.4",
- "lodash": "4.17.10",
+ "lodash": "4.17.11",
 "lunr": "0.7.0",
- "marked": "0.4.0",
- "mime": "2.3.1",
+ "marked": "0.6.0",
+ "mime": "2.4.0",
 "minimatch": "3.0.4",
 "mkdirp": "0.5.1",
 "mv": "2.1.1",
 "pkginfo": "0.4.1",
- "request": "2.87.0",
- "semver": "5.5.0",
- "verdaccio-audit": "1.0.0",
- "verdaccio-htpasswd": "0.2.2"
+ "request": "2.88.0",
+ "semver": "5.6.0",
+ "verdaccio-audit": "1.1.0",
+ "verdaccio-htpasswd": "0.2.3"
 },
 "devDependencies": {
 "@commitlint/cli": "7.0.0",
diff --git a/yarn.lock b/yarn.lock
index 57af8a420..8bd28d93b 100644
--- a/yarn.lock
+++ b/yarn.lock
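Review bot: The `lodash` bump to 4.17.11 in the package.json `dependencies` hunk does not remove the old version from the install tree: the yarn.lock hunks of this same patch still resolve `@verdaccio/local-storage@1.1.4` against `"@verdaccio/file-locking" "0.0.7"`, whose entry pins `lodash "4.17.10"`, and the shared `lodash@4.17.10, lodash@^4.0.0, …` lock entry is left at 4.17.10. If the advisory this commit targets affects 4.17.10, that copy is presumably still loaded through the storage package and the transitive `^4.x` consumers. Consider moving to a `@verdaccio/local-storage` release that depends on file-locking 0.0.8, or adding a yarn override such as `"resolutions": { "lodash": "4.17.11" }`, and re-running the audit against the regenerated lockfile. Separately, `marked` goes from 0.4.0 to 0.6.0, a larger step than the other bumps for a 0.x package, so wherever it renders untrusted markdown its sanitisation options are worth re-checking.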
@@ -237,22 +237,31 @@ version "10.5.4" resolved "https://registry.npmjs.org/@types/node/-/node-10.5.4.tgz#6eccc158504357d1da91434d75e86acde94bb10b" -"@verdaccio/file-locking@0.0.7", "@verdaccio/file-locking@^0.0.7": +"@verdaccio/file-locking@0.0.7": version "0.0.7" resolved "https://registry.npmjs.org/@verdaccio/file-locking/-/file-locking-0.0.7.tgz#5fd1b2bd391e54fa32d079002b5f7ba90844e344" dependencies: lockfile "1.0.3" lodash "4.17.10" -"@verdaccio/local-storage@1.1.3": - version "1.1.3" - resolved "https://registry.npmjs.org/@verdaccio/local-storage/-/local-storage-1.1.3.tgz#2c1e5b830f69a6ade5a855aea581f3ba96a37cfd" +"@verdaccio/file-locking@0.0.8": + version "0.0.8" + resolved "https://registry.npmjs.org/@verdaccio/file-locking/-/file-locking-0.0.8.tgz#6acb62e17db2fa093f86158e4a1c0b2802a69359" + integrity sha512-kK7siED1Yc/t8+G3Iyb0vdQ6mM+TKNW2wM8LO0D6bXg3rBWlf863JG7JIedSGUeMzwFOKjX75jreiE+xVeAb3w== + dependencies: + lockfile "1.0.4" + lodash "4.17.11" + +"@verdaccio/local-storage@1.1.4": + version "1.1.4" + resolved "https://registry.npmjs.org/@verdaccio/local-storage/-/local-storage-1.1.4.tgz#e40f0315fb1964cb4234e32f6526dc5c5a40d285" + integrity sha512-ocmot986URUER2DYXFM2iMqRTlO1so7tY2uxPF86+T9qOpvBS+TT2Q+ZwMyDJxe6f5GMAjpB19WFFFBq8k6LSA== dependencies: "@verdaccio/file-locking" "0.0.7" "@verdaccio/streams" "1.0.0" async "2.6.1" - http-errors "1.6.2" - lodash "4.17.10" + http-errors "1.7.1" + lodash "4.17.11" mkdirp "0.5.1" "@verdaccio/streams@1.0.0", "@verdaccio/streams@^1.0.0": 
@@ -410,7 +419,15 @@ text-table "^0.2.0" webpack-log "^1.1.2" -JSONStream@1.3.3, JSONStream@^1.0.4: +JSONStream@1.3.5: + version "1.3.5" + resolved "https://registry.npmjs.org/JSONStream/-/JSONStream-1.3.5.tgz#3208c1f08d3a4d99261ab64f92302bc15e111ca0" + integrity sha512-E+iruNOY8VV9s4JEbe1aNEm6MiszPRr/UfcHMz0TQh1BXSxHK+ASV1R6W4HpjBhSeS+54PIsAMCBmwD06LLsqQ== + dependencies: + jsonparse "^1.2.0" + through ">=2.2.7 <3" + +JSONStream@^1.0.4: version "1.3.3" resolved "https://registry.npmjs.org/JSONStream/-/JSONStream-1.3.3.tgz#27b4b8fbbfeab4e71bcf551e7f27be8d952239bf" dependencies: @@ -498,6 +515,16 @@ ajv@^6.0.1, ajv@^6.1.0, ajv@^6.5.0: json-schema-traverse "^0.4.1" uri-js "^4.2.1" +ajv@^6.5.5: + version "6.8.1" + resolved "https://registry.npmjs.org/ajv/-/ajv-6.8.1.tgz#0890b93742985ebf8973cd365c5b23920ce3cb20" + integrity sha512-eqxCp82P+JfqL683wwsL73XmFs1eG6qjw+RD3YHx+Jll1r0jNd4dh8QG9NYAeNGA/hnZjeEDgtTskgJULbxpWQ== + dependencies: + fast-deep-equal "^2.0.1" + fast-json-stable-stringify "^2.0.0" + json-schema-traverse "^0.4.1" + uri-js "^4.2.2" + align-text@^0.1.1, align-text@^0.1.3: version "0.1.4" resolved "https://registry.npmjs.org/align-text/-/align-text-0.1.4.tgz#0cd90a561093f35d0a99256c22b7069433fad117" @@ -559,9 +586,10 @@ anymatch@^2.0.0: micromatch "^3.1.4" normalize-path "^2.1.1" -apache-md5@^1.1.2: +apache-md5@1.1.2: version "1.1.2" resolved "https://registry.npmjs.org/apache-md5/-/apache-md5-1.1.2.tgz#ee49736b639b4f108b6e9e626c6da99306b41692" + integrity sha1-7klza2ObTxCLbp5ibG2pkwa0FpI= append-transform@^1.0.0: version "1.0.0" 
@@ -769,6 +797,11 @@ aws4@^1.2.1, aws4@^1.6.0: version "1.7.0" resolved "https://registry.npmjs.org/aws4/-/aws4-1.7.0.tgz#d4d0e9b9dbfca77bf08eeb0a8a471550fe39e289" +aws4@^1.8.0: + version "1.8.0" + resolved "https://registry.npmjs.org/aws4/-/aws4-1.8.0.tgz#f0e003d9ca9e7f59c7a508945d7b2ef9a04a542f" + integrity sha512-ReZxvNHIOv88FlT7rxcXIIC0fPt4KZqZbOlivyWtXLt8ESx84zd3kMC6iK5jVeS2qt+g7ftS7ye4fi06X5rtRQ== + axios@0.15.3: version "0.15.3" resolved "https://registry.npmjs.org/axios/-/axios-0.15.3.tgz#2c9d638b2e191a08ea1d6cc988eadd6ba5bdc053" @@ -2046,9 +2079,10 @@ chalk@2.3.1: escape-string-regexp "^1.0.5" supports-color "^5.2.0" -chalk@2.4.1, chalk@^2.0.0, chalk@^2.0.1, chalk@^2.1.0, chalk@^2.3.0, chalk@^2.3.2, chalk@^2.4.1: - version "2.4.1" - resolved "https://registry.npmjs.org/chalk/-/chalk-2.4.1.tgz#18c49ab16a037b6eb0152cc83e3471338215b66e" +chalk@2.4.2: + version "2.4.2" + resolved "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz#cd42541677a54333cf541a49108c1432b44c9424" + integrity sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ== dependencies: ansi-styles "^3.2.1" escape-string-regexp "^1.0.5" @@ -2064,6 +2098,14 @@ chalk@^1.1.1, chalk@^1.1.3: strip-ansi "^3.0.0" supports-color "^2.0.0" +chalk@^2.0.0, chalk@^2.0.1, chalk@^2.1.0, chalk@^2.3.0, chalk@^2.3.2, chalk@^2.4.1: + version "2.4.1" + resolved "https://registry.npmjs.org/chalk/-/chalk-2.4.1.tgz#18c49ab16a037b6eb0152cc83e3471338215b66e" + dependencies: + ansi-styles "^3.2.1" + escape-string-regexp "^1.0.5" + supports-color "^5.3.0" + character-entities-html4@^1.0.0: version "1.1.2" resolved "https://registry.npmjs.org/character-entities-html4/-/character-entities-html4-1.1.2.tgz#c44fdde3ce66b52e8d321d6c1bf46101f0150610" 
@@ -2353,14 +2395,31 @@ combined-stream@1.0.6, combined-stream@^1.0.5, combined-stream@~1.0.5: dependencies: delayed-stream "~1.0.0" -commander@2.16.0, commander@2.16.x, commander@^2.11.0, commander@^2.13.0, commander@~2.16.0: +combined-stream@^1.0.6, combined-stream@~1.0.6: + version "1.0.7" + resolved "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.7.tgz#2d1d24317afb8abe95d6d2c0b07b57813539d828" + integrity sha512-brWl9y6vOB1xYPZcpZde3N9zDByXTosAeMDo4p1wzo6UMOX4vumB+TP1RZ76sfE6Md68Q0NJSrE/gbezd4Ul+w== + dependencies: + delayed-stream "~1.0.0" + +commander@2.16.x, commander@^2.11.0, commander@^2.13.0, commander@~2.16.0: version "2.16.0" resolved "https://registry.npmjs.org/commander/-/commander-2.16.0.tgz#f16390593996ceb4f3eeb020b31d78528f7f8a50" +commander@2.19.0: + version "2.19.0" + resolved "https://registry.npmjs.org/commander/-/commander-2.19.0.tgz#f6198aa84e5b83c46054b94ddedbfed5ee9ff12a" + integrity sha512-6tvAOO+D6OENvRAh524Dh9jcfKTYDQAqvqezbCW82xj5X0pSrcpxtvRKHLG0yBY6SD7PSDrJaj+0AiOcKVd1Xg== + commander@~2.13.0: version "2.13.0" resolved "https://registry.npmjs.org/commander/-/commander-2.13.0.tgz#6964bca67685df7c1f1430c584f07d7597885b9c" +commander@~2.17.1: + version "2.17.1" + resolved "https://registry.npmjs.org/commander/-/commander-2.17.1.tgz#bd77ab7de6de94205ceacc72f1716d29f20a77bf" + integrity sha512-wPMUt6FnH2yzG95SA6mzjQOEKUU3aLaDEmzs1ti+1E9h+CsrZghRlqEM/EJ4KscsQVG8uNN4uVreUeT8+drlgg== + commondir@^1.0.1: version "1.0.1" resolved "https://registry.npmjs.org/commondir/-/commondir-1.0.1.tgz#ddd800da0c66127393cca5950ea968a3aaf1253b" 
@@ -2597,12 +2656,13 @@ cookiejar@^2.1.0: version "2.1.2" resolved "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz#dd8a235530752f988f9a0844f3fc589e3111125c" -cookies@0.7.1: - version "0.7.1" - resolved "https://registry.npmjs.org/cookies/-/cookies-0.7.1.tgz#7c8a615f5481c61ab9f16c833731bcb8f663b99b" +cookies@0.7.3: + version "0.7.3" + resolved "https://registry.npmjs.org/cookies/-/cookies-0.7.3.tgz#7912ce21fbf2e8c2da70cf1c3f351aecf59dadfa" + integrity sha512-+gixgxYSgQLTaTIilDHAdlNPZDENDQernEMiIcZpYYP14zgHsCt4Ce1FEjFtcp6GefhozebB6orvhAAWx/IS0A== dependencies: - depd "~1.1.1" - keygrip "~1.0.2" + depd "~1.1.2" + keygrip "~1.0.3" copy-concurrently@^1.0.0: version "1.0.5" @@ -2631,9 +2691,10 @@ core-util-is@1.0.2, core-util-is@~1.0.0: version "1.0.2" resolved "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7" -cors@2.8.4: - version "2.8.4" - resolved "https://registry.npmjs.org/cors/-/cors-2.8.4.tgz#2bd381f2eb201020105cd50ea59da63090694686" +cors@2.8.5: + version "2.8.5" + resolved "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz#eac11da51592dd86b9f06f6e7ac293b3df875d29" + integrity sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g== dependencies: object-assign "^4" vary "^1" @@ -3144,6 +3205,7 @@ depd@1.1.1: depd@^1.1.0, depd@~1.1.1, depd@~1.1.2: version "1.1.2" resolved "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz#9bcd52e14c097763e749b274c4346ed2e560b5a9" + integrity sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak= des.js@^1.0.0: version "1.0.0" 
@@ -3857,7 +3919,43 @@ expect@^23.4.0: jest-message-util "^23.4.0" jest-regex-util "^23.3.0" -express@4.16.3, express@^4.16.2: +express@4.16.4: + version "4.16.4" + resolved "https://registry.npmjs.org/express/-/express-4.16.4.tgz#fddef61926109e24c515ea97fd2f1bdbf62df12e" + integrity sha512-j12Uuyb4FMrd/qQAm6uCHAkPtO8FDTRJZBDd5D2KOL2eLaz1yUNdUB/NOIyq0iU4q4cFarsUCrnFDPBcnksuOg== + dependencies: + accepts "~1.3.5" + array-flatten "1.1.1" + body-parser "1.18.3" + content-disposition "0.5.2" + content-type "~1.0.4" + cookie "0.3.1" + cookie-signature "1.0.6" + debug "2.6.9" + depd "~1.1.2" + encodeurl "~1.0.2" + escape-html "~1.0.3" + etag "~1.8.1" + finalhandler "1.1.1" + fresh "0.5.2" + merge-descriptors "1.0.1" + methods "~1.1.2" + on-finished "~2.3.0" + parseurl "~1.3.2" + path-to-regexp "0.1.7" + proxy-addr "~2.0.4" + qs "6.5.2" + range-parser "~1.2.0" + safe-buffer "5.1.2" + send "0.16.2" + serve-static "1.13.2" + setprototypeof "1.1.0" + statuses "~1.4.0" + type-is "~1.6.16" + utils-merge "1.0.1" + vary "~1.1.2" + +express@^4.16.2: version "4.16.3" resolved "https://registry.npmjs.org/express/-/express-4.16.3.tgz#6af8a502350db3246ecc4becf6b5a34d22f7ed53" dependencies: @@ -3905,7 +4003,7 @@ extend-shallow@^3.0.0, extend-shallow@^3.0.2: assign-symbols "^1.0.0" is-extendable "^1.0.1" -extend@^3.0.0, extend@~3.0.0, extend@~3.0.1: +extend@^3.0.0, extend@~3.0.0, extend@~3.0.1, extend@~3.0.2: version "3.0.2" resolved "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz#f8b1136b4071fbd8eb140aff858b1019ec2915fa" 
@@ -4231,6 +4329,15 @@ form-data@~2.1.1: combined-stream "^1.0.5" mime-types "^2.1.12" +form-data@~2.3.2: + version "2.3.3" + resolved "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz#dcce52c05f644f298c6a7ab936bd724ceffbf3a6" + integrity sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ== + dependencies: + asynckit "^0.4.0" + combined-stream "^1.0.6" + mime-types "^2.1.12" + format@^0.2.2: version "0.2.2" resolved "https://registry.npmjs.org/format/-/format-0.2.2.tgz#d6170107e9efdc4ed30c9dc39016df942b5cb58b" @@ -4584,7 +4691,18 @@ handle-thing@^2.0.0: resolved "https://registry.npmjs.org/handle-thing/-/handle-thing-2.0.0.tgz#0e039695ff50c93fc288557d696f3c1dc6776754" integrity sha512-d4sze1JNC454Wdo2fkuyzCr6aHcbL6PGGuFAz0Li/NcOm1tCHGnWDRmJP85dh9IhQErTc2svWFEX5xHIOo//kQ== -handlebars@4.0.11, handlebars@^4.0.2, handlebars@^4.0.3: +handlebars@4.0.12: + version "4.0.12" + resolved "https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz#2c15c8a96d46da5e266700518ba8cb8d919d5bc5" + integrity sha512-RhmTekP+FZL+XNhwS1Wf+bTTZpdLougwt5pcgA1tuz6Jcx0fpH/7z0qd71RKnZHBCxIRBHfBOnio4gViPemNzA== + dependencies: + async "^2.5.0" + optimist "^0.6.1" + source-map "^0.6.1" + optionalDependencies: + uglify-js "^3.1.4" + +handlebars@^4.0.2, handlebars@^4.0.3: version "4.0.11" resolved "https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz#630a35dfe0294bc281edae6ffc5d329fc7982dcc" dependencies: 
@@ -4616,6 +4734,14 @@ har-validator@~5.0.3: ajv "^5.1.0" har-schema "^2.0.0" +har-validator@~5.1.0: + version "5.1.3" + resolved "https://registry.npmjs.org/har-validator/-/har-validator-5.1.3.tgz#1ef89ebd3e4996557675eed9893110dc350fa080" + integrity sha512-sNvOCzEQNr/qrvJgc3UG/kD4QtlHycrzwS+6mfTrrSq97BvaYcPZZI1ZSqGSPR73Cxn4LKTD4PttRwfU7jWq5g== + dependencies: + ajv "^6.5.5" + har-schema "^2.0.0" + harmony-reflect@^1.4.6: version "1.6.0" resolved "https://registry.npmjs.org/harmony-reflect/-/harmony-reflect-1.6.0.tgz#9c28a77386ec225f7b5d370f9861ba09c4eea58f" @@ -4852,6 +4978,17 @@ http-errors@1.6.3, http-errors@~1.6.2, http-errors@~1.6.3: setprototypeof "1.1.0" statuses ">= 1.4.0 < 2" +http-errors@1.7.1: + version "1.7.1" + resolved "https://registry.npmjs.org/http-errors/-/http-errors-1.7.1.tgz#6a4ffe5d35188e1c39f872534690585852e1f027" + integrity sha512-jWEUgtZWGSMba9I1N3gc1HmvpBUaNC9vDdA46yScAdp+C5rdEuKWUBLWTQpW9FwSWSbYYs++b6SDCxf9UEJzfw== + dependencies: + depd "~1.1.2" + inherits "2.0.3" + setprototypeof "1.1.0" + statuses ">= 1.5.0 < 2" + toidentifier "1.0.0" + http-parser-js@>=0.4.0: version "0.4.13" resolved "https://registry.npmjs.org/http-parser-js/-/http-parser-js-0.4.13.tgz#3bd6d6fde6e3172c9334c3b33b6c193d80fe1137" @@ -5025,6 +5162,7 @@ inflight@^1.0.4: inherits@2, inherits@2.0.3, inherits@^2.0.1, inherits@^2.0.3, inherits@~2.0.0, inherits@~2.0.1, inherits@~2.0.3: version "2.0.3" resolved "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz#633c2c83e3da42a502f52466022480f4208261de" + integrity sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4= inherits@2.0.1: version "2.0.1" 
@@ -5832,7 +5970,12 @@ jest@23.4.1: import-local "^1.0.0" jest-cli "^23.4.1" -js-base64@2.4.8, js-base64@^2.1.8, js-base64@^2.1.9: +js-base64@2.5.1: + version "2.5.1" + resolved "https://registry.npmjs.org/js-base64/-/js-base64-2.5.1.tgz#1efa39ef2c5f7980bb1784ade4a8af2de3291121" + integrity sha512-M7kLczedRMYX4L8Mdh4MzyAMM9O5osx+4FcOQuTvr3A9F2D9S5JXheN0ewNbrvK2UatkTRhL5ejGmGSjNMiZuw== + +js-base64@^2.1.8, js-base64@^2.1.9: version "2.4.8" resolved "https://registry.npmjs.org/js-base64/-/js-base64-2.4.8.tgz#57a9b130888f956834aa40c5b165ba59c758f033" @@ -5848,7 +5991,15 @@ js-tokens@^3.0.0, js-tokens@^3.0.2: version "4.0.0" resolved "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz#19203fb59991df98e3a287050d4647cdeaf32499" -js-yaml@3.12.0, js-yaml@^3.11.0, js-yaml@^3.7.0, js-yaml@^3.9.0: +js-yaml@3.12.1: + version "3.12.1" + resolved "https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz#295c8632a18a23e054cf5c9d3cecafe678167600" + integrity sha512-um46hB9wNOKlwkHgiuyEVAybXBjwFUV0Z/RaHJblRd9DXltue9FTYvzCr9ErQrK9Adz5MU4gHWVaNUfdmrC8qA== + dependencies: + argparse "^1.0.7" + esprima "^4.0.0" + +js-yaml@^3.11.0, js-yaml@^3.7.0, js-yaml@^3.9.0: version "3.12.0" resolved "https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz#eaed656ec8344f10f527c6bfa1b6e2244de167d1" dependencies: @@ -5962,9 +6113,10 @@ jsonparse@^1.2.0: version "1.3.1" resolved "https://registry.npmjs.org/jsonparse/-/jsonparse-1.3.1.tgz#3f4dae4a91fac315f71062f8521cc239f1366280" -jsonwebtoken@8.3.0: - version "8.3.0" - resolved "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.3.0.tgz#056c90eee9a65ed6e6c72ddb0a1d325109aaf643" +jsonwebtoken@8.4.0: + version "8.4.0" + resolved "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.4.0.tgz#8757f7b4cb7440d86d5e2f3becefa70536c8e46a" + integrity sha512-coyXjRTCy0pw5WYBpMvWOMN+Kjaik2MwTUIq9cna/W7NpO9E+iYbumZONAz3hcr+tXFJECoQVrtmIoC3Oz0gvg== dependencies: jws "^3.1.5" lodash.includes "^4.3.0" 
@@ -6006,9 +6158,10 @@ jws@^3.1.5: jwa "^1.1.5" safe-buffer "^5.0.1" -keygrip@~1.0.2: - version "1.0.2" - resolved "https://registry.npmjs.org/keygrip/-/keygrip-1.0.2.tgz#ad3297c557069dea8bcfe7a4fa491b75c5ddeb91" +keygrip@~1.0.3: + version "1.0.3" + resolved "https://registry.npmjs.org/keygrip/-/keygrip-1.0.3.tgz#399d709f0aed2bab0a059e0cdd3a5023a053e1dc" + integrity sha512-/PpesirAIfaklxUzp4Yb7xBper9MwP6hNRA6BGGUFCgbJ+BM5CKBtsoxinNXkLHAr+GXS1/lSlF2rP7cv5Fl+g== killable@^1.0.0: version "1.0.0" @@ -6286,6 +6439,11 @@ lodash@4.17.10, lodash@^4.0.0, lodash@^4.13.1, lodash@^4.15.0, lodash@^4.17.10, version "4.17.10" resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7" +lodash@4.17.11: + version "4.17.11" + resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz#b39ea6229ef607ecd89e2c8df12536891cac9b8d" + integrity sha512-cQKh8igo5QUhZ7lg38DYWAxMvjSAKG0A8wGSVimP07SIUEK2UO+arSRKbRZWtelMtN5V0Hkwh5ryOto/SshYIg== + log-symbols@^2.0.0, log-symbols@^2.1.0: version "2.2.0" resolved "https://registry.npmjs.org/log-symbols/-/log-symbols-2.2.0.tgz#5740e1c5d6f0dfda4ad9323b5332107ef6b4c40a" @@ -6403,9 +6561,10 @@ markdown-table@^1.1.0: version "1.1.2" resolved "https://registry.npmjs.org/markdown-table/-/markdown-table-1.1.2.tgz#c78db948fa879903a41bce522e3b96f801c63786" -marked@0.4.0: - version "0.4.0" - resolved "https://registry.npmjs.org/marked/-/marked-0.4.0.tgz#9ad2c2a7a1791f10a852e0112f77b571dce10c66" +marked@0.6.0: + version "0.6.0" + resolved "https://registry.npmjs.org/marked/-/marked-0.6.0.tgz#a18d01cfdcf8d15c3c455b71c8329e5e0f01faa1" + integrity sha512-HduzIW2xApSXKXJSpCipSxKyvMbwRRa/TwMbepmlZziKdH8548WSoDP4SxzulEKjlo8BE39l+2fwJZuRKOln6g== math-expression-evaluator@^1.2.14: version "1.2.17" 
@@ -6575,29 +6734,37 @@ miller-rabin@^4.0.0: version "1.35.0" resolved "https://registry.npmjs.org/mime-db/-/mime-db-1.35.0.tgz#0569d657466491283709663ad379a99b90d9ab47" +mime-db@~1.37.0: + version "1.37.0" + resolved "https://registry.npmjs.org/mime-db/-/mime-db-1.37.0.tgz#0b6a0ce6fdbe9576e25f1f2d2fde8830dc0ad0d8" + integrity sha512-R3C4db6bgQhlIhPU48fUtdVmKnflq+hRdad7IyKhtFj06VPNVdk2RhiYL3UjQIlso8L+YxAtFkobT0VK+S/ybg== + mime-types@^2.1.12, mime-types@~2.1.17, mime-types@~2.1.18, mime-types@~2.1.7: version "2.1.19" resolved "https://registry.npmjs.org/mime-types/-/mime-types-2.1.19.tgz#71e464537a7ef81c15f2db9d97e913fc0ff606f0" dependencies: mime-db "~1.35.0" +mime-types@~2.1.19: + version "2.1.21" + resolved "https://registry.npmjs.org/mime-types/-/mime-types-2.1.21.tgz#28995aa1ecb770742fe6ae7e58f9181c744b3f96" + integrity sha512-3iL6DbwpyLzjR3xHSFNFeb9Nz/M8WDkX33t1GFQnFOllWk8pOrh/LSrB5OXlnlW5P9LH73X6loW/eogc+F5lJg== + dependencies: + mime-db "~1.37.0" + mime@1.4.1: version "1.4.1" resolved "https://registry.npmjs.org/mime/-/mime-1.4.1.tgz#121f9ebc49e3766f311a76e1fa1c8003c4b03aa6" -mime@2.3.1: - version "2.3.1" - resolved "https://registry.npmjs.org/mime/-/mime-2.3.1.tgz#b1621c54d63b97c47d3cfe7f7215f7d64517c369" +mime@2.4.0, mime@^2.3.1: + version "2.4.0" + resolved "https://registry.npmjs.org/mime/-/mime-2.4.0.tgz#e051fd881358585f3279df333fe694da0bcffdd6" + integrity sha512-ikBcWwyqXQSHKtciCcctu9YfPbFYZ4+gbHEmE0Q8jzcTYQg5dHCr3g2wwAZjPoJfQVXZq6KXAjpXOTf5/cjT7w== mime@^1.3.4, mime@^1.4.1: version "1.6.0" resolved "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz#32cd9e5c64553bd58d19a568af452acff04981b1" -mime@^2.3.1: - version "2.4.0" - resolved "https://registry.npmjs.org/mime/-/mime-2.4.0.tgz#e051fd881358585f3279df333fe694da0bcffdd6" - integrity sha512-ikBcWwyqXQSHKtciCcctu9YfPbFYZ4+gbHEmE0Q8jzcTYQg5dHCr3g2wwAZjPoJfQVXZq6KXAjpXOTf5/cjT7w== - mimic-fn@^1.0.0: version "1.2.0" resolved 
"https://registry.npmjs.org/mimic-fn/-/mimic-fn-1.2.0.tgz#820c86a39334640e99516928bd03fca88057d022" @@ -7082,6 +7249,11 @@ oauth-sign@~0.8.1, oauth-sign@~0.8.2: version "0.8.2" resolved "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.8.2.tgz#46a6ab7f0aead8deae9ec0565780b7d4efeb9d43" +oauth-sign@~0.9.0: + version "0.9.0" + resolved "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz#47a7b016baa68b5fa0ecf3dee08a85c679ac6455" + integrity sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ== + object-assign@^4, object-assign@^4.0.1, object-assign@^4.1.0, object-assign@^4.1.1: version "4.1.1" resolved "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz#2109adc7965887cfc05cbbd442cac8bfbb360863" @@ -8225,7 +8397,7 @@ prop-types@^15.5.4, prop-types@^15.6.0, prop-types@^15.6.1, prop-types@^15.6.2: loose-envify "^1.3.1" object-assign "^4.1.1" -proxy-addr@~2.0.3: +proxy-addr@~2.0.3, proxy-addr@~2.0.4: version "2.0.4" resolved "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.4.tgz#ecfc733bf22ff8c6f407fa275327b9ab67e48b93" dependencies: @@ -8325,7 +8497,7 @@ qs@6.5.1: version "6.5.1" resolved "https://registry.npmjs.org/qs/-/qs-6.5.1.tgz#349cdf6eef89ec45c12d7d5eb3fc0c870343a6d8" -qs@6.5.2, qs@^6.5.1, qs@~6.5.1: +qs@6.5.2, qs@^6.5.1, qs@~6.5.1, qs@~6.5.2: version "6.5.2" resolved "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz#cb3ae806e8740444584ef154ce8ee98d403f3e36" 
@@ -8837,6 +9009,32 @@ request@2.87.0, request@^2.87.0: tunnel-agent "^0.6.0" uuid "^3.1.0" +request@2.88.0: + version "2.88.0" + resolved "https://registry.npmjs.org/request/-/request-2.88.0.tgz#9c2fca4f7d35b592efe57c7f0a55e81052124fef" + integrity sha512-NAqBSrijGLZdM0WZNsInLJpkJokL72XYjUpnB0iwsRgxh7dB6COrHnTBNwN0E+lHDAJzu7kLAkDeY08z2/A0hg== + dependencies: + aws-sign2 "~0.7.0" + aws4 "^1.8.0" + caseless "~0.12.0" + combined-stream "~1.0.6" + extend "~3.0.2" + forever-agent "~0.6.1" + form-data "~2.3.2" + har-validator "~5.1.0" + http-signature "~1.2.0" + is-typedarray "~1.0.0" + isstream "~0.1.2" + json-stringify-safe "~5.0.1" + mime-types "~2.1.19" + oauth-sign "~0.9.0" + performance-now "^2.1.0" + qs "~6.5.2" + safe-buffer "^5.1.2" + tough-cookie "~2.4.3" + tunnel-agent "^0.6.0" + uuid "^3.3.2" + "request@>=2.9.0 <2.82.0": version "2.81.0" resolved "https://registry.npmjs.org/request/-/request-2.81.0.tgz#c6928946a0e06c5f8d6f8a9333469ffda46298a0" @@ -9115,7 +9313,7 @@ selfsigned@^1.9.1: version "5.5.0" resolved "https://registry.npmjs.org/semver/-/semver-5.5.0.tgz#dc4bbc7a6ca9d916dee5d43516f0092b58f7b8ab" -semver@^5.6.0: +semver@5.6.0, semver@^5.6.0: version "5.6.0" resolved "https://registry.npmjs.org/semver/-/semver-5.6.0.tgz#7e74256fbaa49c75aa7c7a205cc22799cac80004" integrity sha512-RS9R6R35NYgQn++fkDWaOmqGoj4Ek9gGs+DPxNUZKuwE183xjJroKvyo1IzVFeXvUrvmALy6FWD5xrdJT25gMg== @@ -9204,6 +9402,7 @@ setprototypeof@1.0.3: setprototypeof@1.1.0: version "1.1.0" resolved "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.0.tgz#d0bd85536887b6fe7c0d818cb962d9d91c54e656" + integrity sha512-BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ== sha.js@^2.4.0, sha.js@^2.4.8: version "2.4.11" 
@@ -9513,9 +9712,10 @@ static-extend@^0.1.1: define-property "^0.2.5" object-copy "^0.1.0" -"statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2": +"statuses@>= 1.3.1 < 2", "statuses@>= 1.4.0 < 2", "statuses@>= 1.5.0 < 2": version "1.5.0" resolved "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz#161c7dac177659fd9811f43771fa99381478628c" + integrity sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow= statuses@~1.4.0: version "1.4.0" @@ -10010,11 +10210,16 @@ to-regex@^3.0.1, to-regex@^3.0.2: regex-not "^1.0.2" safe-regex "^1.1.0" +toidentifier@1.0.0: + version "1.0.0" + resolved "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz#7e1be3470f1e77948bc43d94a3c8f4d7752ba553" + integrity sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw== + toposort@^1.0.0: version "1.0.7" resolved "https://registry.npmjs.org/toposort/-/toposort-1.0.7.tgz#2e68442d9f64ec720b8cc89e6443ac6caa950029" -tough-cookie@>=2.3.3, tough-cookie@^2.3.4: +tough-cookie@>=2.3.3, tough-cookie@^2.3.4, tough-cookie@~2.4.3: version "2.4.3" resolved "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz#53f36da3f47783b0925afa06ff9f3b165280f781" dependencies: @@ -10133,6 +10338,14 @@ uglify-js@^2.6: optionalDependencies: uglify-to-browserify "~1.0.0" +uglify-js@^3.1.4: + version "3.4.9" + resolved "https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.9.tgz#af02f180c1207d76432e473ed24a28f4a782bae3" + integrity sha512-8CJsbKOtEbnJsTyv6LE6m6ZKniqMiFWmm9sRbopbkGs3gMPPfd3Fh8iIA4Ykv5MgaTbqHr4BaoGLJLZNhsrW1Q== + dependencies: + commander "~2.17.1" + source-map "~0.6.1" + uglify-to-browserify@~1.0.0: version "1.0.2" resolved "https://registry.npmjs.org/uglify-to-browserify/-/uglify-to-browserify-1.0.2.tgz#6e0924d6bda6b5afe349e39a6d632850a0f882b7" 
@@ -10243,9 +10456,10 @@ unist-util-visit@^1.1.0: dependencies: unist-util-visit-parents "^2.0.0" -unix-crypt-td-js@^1.0.0: +unix-crypt-td-js@1.0.0: version "1.0.0" resolved "https://registry.npmjs.org/unix-crypt-td-js/-/unix-crypt-td-js-1.0.0.tgz#1c0824150481bc7a01d49e98f1ec668d82412f3b" + integrity sha1-HAgkFQSBvHoB1J6Y8exmjYJBLzs= unpipe@1.0.0, unpipe@~1.0.0: version "1.0.0" @@ -10270,7 +10484,7 @@ upper-case@^1.1.1: version "1.1.3" resolved "https://registry.npmjs.org/upper-case/-/upper-case-1.1.3.tgz#f6b4501c2ec4cdd26ba78be7222961de77621598" -uri-js@^4.2.1: +uri-js@^4.2.1, uri-js@^4.2.2: version "4.2.2" resolved "https://registry.npmjs.org/uri-js/-/uri-js-4.2.2.tgz#94c540e1ff772956e2299507c010aea6c8838eb0" dependencies: 
@@ -10383,27 +10597,27 @@ vendors@^1.0.0: version "1.0.2" resolved "https://registry.npmjs.org/vendors/-/vendors-1.0.2.tgz#7fcb5eef9f5623b156bcea89ec37d63676f21801" -verdaccio-audit@1.0.0: - version "1.0.0" - resolved "https://registry.npmjs.org/verdaccio-audit/-/verdaccio-audit-1.0.0.tgz#4893baac6f711c4d065022684085220060b7c020" +verdaccio-audit@1.1.0: + version "1.1.0" + resolved "https://registry.npmjs.org/verdaccio-audit/-/verdaccio-audit-1.1.0.tgz#82c2c6722fc3ce61f3ba45bf1a2046b247f00d28" + integrity sha512-5bCiTWWBauq49vF1Ndt0Jl0GbIBDOzjiRNO33gWBPfgjoZfPn8wFpR/woFcMfS3SPzC06rH9LBcUn9KN3uWjEg== dependencies: - body-parser "1.18.3" - compression "1.7.3" - express "4.16.3" - request "2.87.0" + express "4.16.4" + request "2.88.0" verdaccio-auth-memory@0.0.4: version "0.0.4" resolved "https://registry.npmjs.org/verdaccio-auth-memory/-/verdaccio-auth-memory-0.0.4.tgz#b44a65209778a8dc3c8d39478141a0bc22e04375" -verdaccio-htpasswd@0.2.2: - version "0.2.2" - resolved "https://registry.npmjs.org/verdaccio-htpasswd/-/verdaccio-htpasswd-0.2.2.tgz#6873fe42cd83ff03d260b21483941635f320c8ba" +verdaccio-htpasswd@0.2.3: + version "0.2.3" + resolved "https://registry.npmjs.org/verdaccio-htpasswd/-/verdaccio-htpasswd-0.2.3.tgz#5e8a3ae7c74cca386a1d424b5bec4d01a4519d89" + integrity sha512-NgtqhsTukvdnAiyD0dlJjC7cH9gdUhKp3Ohtgr56AZW+i4qJ5X0IYr7MVV+JboHFRd7FGJ9iaSvLiW7nZ1TvIg== dependencies: - "@verdaccio/file-locking" "^0.0.7" - apache-md5 "^1.1.2" + "@verdaccio/file-locking" "0.0.8" + apache-md5 "1.1.2" bcryptjs "2.4.3" - unix-crypt-td-js "^1.0.0" + unix-crypt-td-js "1.0.0" verdaccio-memory@1.0.3: version "1.0.3" From 1c0b07a46e83561cd2e5f7fbd94197229291bf96 Mon Sep 17 00:00:00 2001 From: "Juan Picado @jotadeveloper" Date: Tue, 5 Feb 2019 07:25:10 +0100 Subject: [PATCH 2/5] chore(release): 3.11.2 --- CHANGELOG.md | 10 ++++++++++ package.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5c219726..fff49a0fe 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. + +## [3.11.2](https://github.com/verdaccio/verdaccio/compare/v3.11.1...v3.11.2) (2019-02-05) + + +### Bug Fixes + +* lodash vulnerability ([c35486d](https://github.com/verdaccio/verdaccio/commit/c35486d)) + + + ## [3.11.1](https://github.com/verdaccio/verdaccio/compare/v3.11.0...v3.11.1) (2019-01-31) diff --git a/package.json b/package.json index 25cc26fc0..4040055eb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "verdaccio", - "version": "3.11.1", + "version": "3.11.2", "description": "Private npm repository server", "author": { "name": "Alex Kocharin", From 7f79c77354d051f77a9cbd61f837de7f94bb8744 Mon Sep 17 00:00:00 2001 From: Stef Louwers Date: Thu, 7 Feb 2019 16:26:32 +0100 Subject: [PATCH 3/5] fix: server keepAliveTimeout is in milliseconds, config value in seconds. --- src/lib/bootstrap.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/bootstrap.js b/src/lib/bootstrap.js index 1d4ce449a..d7f0c63fe 100644 --- a/src/lib/bootstrap.js +++ b/src/lib/bootstrap.js @@ -91,7 +91,7 @@ function startVerdaccio(config: any, } if (config.server && config.server.keepAliveTimeout) { // $FlowFixMe library definition for node is not up to date (doesn't contain recent 8.0 changes) - webServer.keepAliveTimeout = config.server.keepAliveTimeout; + webServer.keepAliveTimeout = config.server.keepAliveTimeout * 1000; } unlinkAddressPath(addr); From c4b1e1550ce90e5c2b86459f4ba966b230f833da Mon Sep 17 00:00:00 2001 From: "Juan Picado @jotadeveloper" Date: Thu, 7 Feb 2019 19:07:29 +0100 Subject: [PATCH 4/5] chore(release): 3.11.3 --- CHANGELOG.md | 10 ++++++++++ package.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fff49a0fe..145d8c928 100644 
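Review bot: In the src/lib/bootstrap.js hunk, `config.server.keepAliveTimeout` is multiplied by 1000 without any validation, and the unit change is silent for existing deployments. A config that was already written in milliseconds (for example 60000) would now keep idle keep-alive sockets open for roughly 16 hours, which makes connection exhaustion easier; a non-numeric value yields `NaN`, and the truthiness guard on the context line skips `0`, which Node treats as "timeout disabled". I would coerce and check the value before assigning, e.g. `const secs = Number(config.server.keepAliveTimeout);` followed by `if (Number.isFinite(secs) && secs >= 0) webServer.keepAliveTimeout = secs * 1000;`, and add the comment `// config value is in seconds; Node's keepAliveTimeout is in milliseconds`. The body of `startVerdaccio` starts and ends outside the hunk, so whether an upper bound or a startup warning already exists elsewhere cannot be seen from here.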
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. + +## [3.11.3](https://github.com/verdaccio/verdaccio/compare/v3.11.2...v3.11.3) (2019-02-07) + + +### Bug Fixes + +* server keepAliveTimeout is in milliseconds, config value in seconds. ([7f79c77](https://github.com/verdaccio/verdaccio/commit/7f79c77)) + + + ## [3.11.2](https://github.com/verdaccio/verdaccio/compare/v3.11.1...v3.11.2) (2019-02-05) diff --git a/package.json b/package.json index 4040055eb..5b2550008 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "verdaccio", - "version": "3.11.2", + "version": "3.11.3", "description": "Private npm repository server", "author": { "name": "Alex Kocharin", From 10370c6eeb714803ba2137dfebbbe7988eabd5c8 Mon Sep 17 00:00:00 2001 From: "Juan Picado @jotadeveloper" Date: Thu, 7 Feb 2019 19:37:05 +0100 Subject: [PATCH 5/5] chore: update lock file --- yarn.lock | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yarn.lock b/yarn.lock index 49cf32f4d..a74ad7e8b 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1217,6 +1217,14 @@ lockfile "1.0.3" lodash "4.17.10" +"@verdaccio/file-locking@0.0.8": + version "0.0.8" + resolved "https://registry.verdaccio.org/@verdaccio%2ffile-locking/-/file-locking-0.0.8.tgz#6acb62e17db2fa093f86158e4a1c0b2802a69359" + integrity sha512-kK7siED1Yc/t8+G3Iyb0vdQ6mM+TKNW2wM8LO0D6bXg3rBWlf863JG7JIedSGUeMzwFOKjX75jreiE+xVeAb3w== + dependencies: + lockfile "1.0.4" + lodash "4.17.11" + "@verdaccio/local-storage@2.0.0-beta.1": version "2.0.0-beta.1" resolved "https://registry.verdaccio.org/@verdaccio%2flocal-storage/-/local-storage-2.0.0-beta.1.tgz#1aa602b24fa2f6b02d682e5e56b4894112e198e6"