From dee09011cb0feea32ad7feaa920e644fc3c8783b Mon Sep 17 00:00:00 2001
From: Juan Picado
Date: Wed, 11 Dec 2024 20:46:11 +0100
Subject: [PATCH] [Snyk] Security upgrade express from 4.21.1 to 4.21.2 (#4985)

* fix: packages/web/package.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-PATHTOREGEXP-8482416

* fix

* test

---------

Co-authored-by: snyk-bot
---
 packages/api/package.json | 2 +-
 packages/web/package.json | 2 +-
 packages/web/src/api/readme.ts | 8 ++--
 packages/web/src/api/sidebar.ts | 10 ++--
 pnpm-lock.yaml | 83 ++++++++++++++++++++++++---------
 5 files changed, 73 insertions(+), 32 deletions(-)

diff --git a/packages/api/package.json b/packages/api/package.json
index 48159b99f..dca8a3b32 100644
--- a/packages/api/package.json
+++ b/packages/api/package.json
@@ -49,7 +49,7 @@
 "body-parser": "1.20.3",
 "cookies": "0.9.1",
 "debug": "4.3.7",
- "express": "4.21.1",
+ "express": "4.21.2",
 "lodash": "4.17.21",
 "mime": "2.6.0",
 "semver": "7.6.3"
diff --git a/packages/web/package.json b/packages/web/package.json
index 7c63df4c7..e174c946e 100644
--- a/packages/web/package.json
+++ b/packages/web/package.json
@@ -35,7 +35,7 @@
 "@verdaccio/url": "workspace:13.0.0-next-8.4",
 "@verdaccio/utils": "workspace:8.1.0-next-8.4",
 "debug": "4.3.7",
- "express": "4.21.1",
+ "express": "4.21.2",
 "lodash": "4.17.21"
 },
 "devDependencies": {
diff --git a/packages/web/src/api/readme.ts b/packages/web/src/api/readme.ts
index 24ed7e2ff..d5f23fd3d 100644
--- a/packages/web/src/api/readme.ts
+++ b/packages/web/src/api/readme.ts
@@ -36,7 +36,7 @@ function addReadmeWebApi(storage: Storage, auth: Auth): Router {
 const pkgRouter = Router();
 /* eslint new-cap: 0 */
 pkgRouter.get(
- '/package/readme/(@:scope/)?:package/:version?',
+ '/package/readme/:scope(@[^/]+)?/:package/:version?',
 can('access'),
 async function (
 req: $RequestExtend,
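Review bot: The rewritten pattern `'/package/readme/:scope(@[^/]+)?/:package/:version?'` now delivers the leading `@` inside `req.params.scope`, so this line and the handler code that strips it (in the next hunk) must be kept in step, yet the diffstat lists no test file although the commit message mentions one. A route-level test that requests the scoped, unscoped and versioned forms (e.g. `/package/readme/@scope/pkg`, `/package/readme/pkg`, `/package/readme/pkg/1.0.0`) would pin the matching behaviour of the new pattern under the upgraded path-to-regexp. The `pkgRouter.get(` call and its handler continue past the end of the hunk, and the sidebar.ts hunk makes the same pattern change for the `/sidebar/...` route. Separately, the pnpm-lock hunks at `-636`, `-941`, `-1015`, `-1553` and `-1850` still show importers with `specifier: 4.21.1`, so as far as this diff shows the security upgrade named in the title reaches only packages/api and packages/web.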
@@ -44,9 +44,9 @@ function addReadmeWebApi(storage: Storage, auth: Auth): Router {
 next: $NextFunctionVer
 ): Promise {
 debug('readme hit');
- const name = req.params.scope
- ? addScope(req.params.scope, req.params.package)
- : req.params.package;
+ const rawScope = req.params.scope; // May include '@'
+ const scope = rawScope ? rawScope.slice(1) : null; // Remove '@' if present
+ const name = scope ? addScope(scope, req.params.package) : req.params.package;
 debug('readme name %o', name);
 const requestOptions = {
 protocol: req.protocol,
diff --git a/packages/web/src/api/sidebar.ts b/packages/web/src/api/sidebar.ts
index f142bd905..ee8e5bcfb 100644
--- a/packages/web/src/api/sidebar.ts
+++ b/packages/web/src/api/sidebar.ts
@@ -26,18 +26,18 @@ function addSidebarWebApi(config: Config, storage: Storage, auth: Auth): Router
 beforeAll: (a, b) => logger.trace(a, b),
 afterAll: (a, b) => logger.trace(a, b),
 });
- // Get package readme
+ // Get package sidebar
 router.get(
- '/sidebar/(@:scope/)?:package',
+ '/sidebar/:scope(@[^/]+)?/:package',
 can('access'),
 async function (
 req: $RequestExtend,
 res: $ResponseExtend,
 next: $NextFunctionVer
 ): Promise {
- const name: string = req.params.scope
- ? addScope(req.params.scope, req.params.package)
- : req.params.package;
+ const rawScope = req.params.scope; // May include '@'
+ const scope = rawScope ? rawScope.slice(1) : null; // Remove '@' if present
+ const name: string = scope ? addScope(scope, req.params.package) : req.params.package;
 const requestOptions = {
 protocol: req.protocol,
 headers: req.headers as any,
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 68ca7f59e..5eacd20d0 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -570,8 +570,8 @@ importers:
 specifier: 4.3.7
 version: 4.3.7(supports-color@5.5.0)
 express:
- specifier: 4.21.1
- version: 4.21.1(supports-color@6.1.0)
+ specifier: 4.21.2
+ version: 4.21.2(supports-color@6.1.0)
 lodash:
 specifier: 4.17.21
 version: 4.17.21
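Review bot: `rawScope.slice(1)` drops the first character unconditionally, while the trailing comment says `// Remove '@' if present`; the code is only correct because the route pattern forces `scope` to begin with `@`, so a later edit to the pattern would silently truncate the scope name. A check that matches the comment keeps the handler self-contained, e.g. `const scope = rawScope?.replace(/^@/, '');`, and the `scope ? … : …` test on the following line needs no change because an absent scope stays falsy. The same three lines appear in the sidebar.ts hunk on this page, so a small shared helper (say `stripScopePrefix`) in one of the web API modules would avoid the duplication and keep the two routes from drifting apart; the `async function` handler enclosing these lines begins before the hunk in both files. Minor: `null` here and `undefined` from `req.params.scope` mix two empty values where one would do.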
@@ -636,7 +636,7 @@ importers: version: link:../core/types express: specifier: 4.21.1 - version: 4.21.1(supports-color@6.1.0) + version: 4.21.1 supertest: specifier: 7.0.0 version: 7.0.0 @@ -941,7 +941,7 @@ importers: version: 4.3.7(supports-color@5.5.0) express: specifier: 4.21.1 - version: 4.21.1(supports-color@6.1.0) + version: 4.21.1 express-rate-limit: specifier: 5.5.1 version: 5.5.1 @@ -1015,7 +1015,7 @@ importers: version: link:../../core/core express: specifier: 4.21.1 - version: 4.21.1(supports-color@6.1.0) + version: 4.21.1 https-proxy-agent: specifier: 5.0.1 version: 5.0.1 @@ -1553,7 +1553,7 @@ importers: version: 4.3.7(supports-color@5.5.0) express: specifier: 4.21.1 - version: 4.21.1(supports-color@6.1.0) + version: 4.21.1 lodash: specifier: 4.17.21 version: 4.17.21 @@ -1850,7 +1850,7 @@ importers: version: 4.3.7(supports-color@5.5.0) express: specifier: 4.21.1 - version: 4.21.1(supports-color@6.1.0) + version: 4.21.1 fs-extra: specifier: 11.2.0 version: 11.2.0 @@ -2199,8 +2199,8 @@ importers: specifier: 4.3.7 version: 4.3.7(supports-color@5.5.0) express: - specifier: 4.21.1 - version: 4.21.1(supports-color@6.1.0) + specifier: 4.21.2 + version: 4.21.2(supports-color@6.1.0) lodash: specifier: 4.17.21 version: 4.17.21 @@ -5619,7 +5619,7 @@ packages: detect-port: 1.5.1 escape-html: 1.0.3 eta: 1.14.2 - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) file-loader: 6.2.0(webpack@5.90.0) fs-extra: 10.1.0 github-slugger: 1.5.0 @@ -9871,7 +9871,7 @@ packages: babel-plugin-polyfill-corejs3: 0.1.7(@babel/core@7.24.9) chalk: 4.1.2 core-js: 3.37.1 - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) file-system-cache: 1.1.0 find-up: 5.0.0 fork-ts-checker-webpack-plugin: 6.5.3(eslint@8.57.1)(typescript@4.9.5)(webpack@4.47.0) 
@@ -9950,7 +9950,7 @@ packages: core-js: 3.37.1 cpy: 8.1.2 detect-port: 1.5.1 - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) fs-extra: 9.1.0 global: 4.4.0 globby: 11.1.0 @@ -10111,7 +10111,7 @@ packages: chalk: 4.1.2 core-js: 3.37.1 css-loader: 3.6.0(webpack@4.47.0) - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) file-loader: 6.2.0(webpack@4.47.0) find-up: 5.0.0 fs-extra: 9.1.0 @@ -10168,7 +10168,7 @@ packages: chalk: 4.1.2 core-js: 3.37.1 css-loader: 5.2.7(webpack@5.93.0) - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) find-up: 5.0.0 fs-extra: 9.1.0 html-webpack-plugin: 5.6.0(webpack@5.93.0) @@ -17819,7 +17819,7 @@ packages: resolution: {integrity: sha512-MTjE2eIbHv5DyfuFz4zLYWxpqVhEhkTiwFGuB74Q9CSou2WHO52nlE5y3Zlg6SIsiYUIPj6ifFxnkPz6O3sIUg==} dev: false - /express@4.21.1(supports-color@6.1.0): + /express@4.21.1: resolution: {integrity: sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==} engines: {node: '>= 0.10.0'} dependencies: 
@@ -17857,6 +17857,44 @@ packages: transitivePeerDependencies: - supports-color + /express@4.21.2(supports-color@6.1.0): + resolution: {integrity: sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==} + engines: {node: '>= 0.10.0'} + dependencies: + accepts: 1.3.8 + array-flatten: 1.1.1 + body-parser: 1.20.3(supports-color@6.1.0) + content-disposition: 0.5.4 + content-type: 1.0.5 + cookie: 0.7.1 + cookie-signature: 1.0.6 + debug: 2.6.9(supports-color@6.1.0) + depd: 2.0.0 + encodeurl: 2.0.0 + escape-html: 1.0.3 + etag: 1.8.1 + finalhandler: 1.3.1(supports-color@6.1.0) + fresh: 0.5.2 + http-errors: 2.0.0 + merge-descriptors: 1.0.3 + methods: 1.1.2 + on-finished: 2.4.1 + parseurl: 1.3.3 + path-to-regexp: 0.1.12 + proxy-addr: 2.0.7 + qs: 6.13.0 + range-parser: 1.2.1 + safe-buffer: 5.2.1 + send: 0.19.0(supports-color@6.1.0) + serve-static: 1.16.2(supports-color@6.1.0) + setprototypeof: 1.2.0 + statuses: 2.0.1 + type-is: 1.6.18 + utils-merge: 1.0.1 + vary: 1.1.2 + transitivePeerDependencies: + - supports-color + /extend-shallow@2.0.1: resolution: {integrity: sha512-zCnTtlxNoAiDc3gqY2aYAWFx7XWWiasuF2K8Me5WbN8otHKTUKBwjPtNpRs/rbUZm7KxWAaNj7P1a/p52GbVug==} engines: {node: '>=0.10.0'} @@ -22120,7 +22158,7 @@ packages: minipass-fetch: 2.1.2 minipass-flush: 1.0.5 minipass-pipeline: 1.2.4 - negotiator: 0.6.3 + negotiator: 0.6.4 promise-retry: 2.0.1 socks-proxy-agent: 7.0.0 ssri: 9.0.1 @@ -22143,7 +22181,7 @@ packages: minipass-fetch: 3.0.5 minipass-flush: 1.0.5 minipass-pipeline: 1.2.4 - negotiator: 0.6.3 + negotiator: 0.6.4 promise-retry: 2.0.1 socks-proxy-agent: 7.0.0 ssri: 10.0.6 @@ -22166,7 +22204,7 @@ packages: minipass-fetch: 1.4.1 minipass-flush: 1.0.5 minipass-pipeline: 1.2.4 - negotiator: 0.6.3 + negotiator: 0.6.4 promise-retry: 2.0.1 socks-proxy-agent: 6.2.1 ssri: 8.0.1 
@@ -24773,6 +24811,9 @@ packages: /path-to-regexp@0.1.10: resolution: {integrity: sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==} + /path-to-regexp@0.1.12: + resolution: {integrity: sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==} + /path-to-regexp@1.8.0: resolution: {integrity: sha512-n43JRhlUKUAlibEJhPeir1ncUID16QnEjNpwzNdO3Lm4ywrBpBZ5oLD0I6br9evr1Y9JTqwRtAh7JLoOzAQdVA==} dependencies: @@ -31458,7 +31499,7 @@ packages: connect-history-api-fallback: 1.6.0 debug: 4.3.7(supports-color@6.1.0) del: 4.1.1 - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) html-entities: 1.4.0 http-proxy-middleware: 0.19.1(debug@4.3.7)(supports-color@6.1.0) import-local: 2.0.0 @@ -31509,7 +31550,7 @@ packages: connect-history-api-fallback: 1.6.0 debug: 4.3.7(supports-color@6.1.0) del: 4.1.1 - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) html-entities: 1.4.0 http-proxy-middleware: 0.19.1(debug@4.3.7)(supports-color@6.1.0) import-local: 2.0.0 @@ -31568,7 +31609,7 @@ packages: compression: 1.7.5(supports-color@6.1.0) connect-history-api-fallback: 2.0.0 default-gateway: 6.0.3 - express: 4.21.1(supports-color@6.1.0) + express: 4.21.2(supports-color@6.1.0) graceful-fs: 4.2.11 html-entities: 2.3.3 http-proxy-middleware: 2.0.6(@types/express@4.17.21)(debug@4.3.7)