| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: David Mehren <git@herrmehren.de>
|
|
It turned out that we can't directly use the codemirror source files and actually need to run their build script manually.
This reverts commit 0ec180de
Signed-off-by: David Mehren <git@herrmehren.de>
|
|
Breaking changes only include dropping node <8 and glob patterns.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
|
|
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
|
|
Other dependencies already depend on npm-releases of this, so it does not seem to make sense to get this via Git.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
|
|
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
|
|
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
|
|
This was computed based on our dependencies using `installed-check`.
Node 10 is supported until April 2021.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
|
|
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
|
webpack and webpack-cli
Signed-off-by: David Mehren <git@herrmehren.de>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-590103
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-PRISMJS-597628
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
|
|
Add remark-lint dependencies as dev dependencies, and an npm script alias to launch markdown linting with `npm run markdownlint`.
Signed-off-by: oupala <oupala@users.noreply.github.com>
|
|
As @davidmehren figured out, the problem that NodeJS version 14 gets
stuck while CodiMD is starting, was due to the outdated postgres
dependency. The old pg version doesn't work with node version 14 due to
an undocumented API change in the `readyState` in the socket API.
This patch updates the required dependency and this way resolves the
issue.
Reference:
https://github.com/sequelize/sequelize/issues/12158
https://github.com/brianc/node-postgres/commit/149f48232445da0fb3022044e4f1c53509040ad3
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JQUERY-565129
|
|
Thanks for all contributions, this community is awesome.
|
|
Signed-off-by: Antoine Aflalo <antoine@warrantymaster.com>
|
|
This update of revealJS helps us to get rid of the headjs depedency
integration using webpack. It updates reveal.js to 3.9.2 and updates the
csp hash accordingly for using the slide mode.
Background for this update is the critical security vulnerability
described by snyk in their disclosure:
https://snyk.io/vuln/SNYK-JS-REVEALJS-543841
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
|
|
This patch provides some major upgrades to all database backend library.
It also fixes an issues that appears since the change from sequelize v3
to v5 where mariadb was originally handled by mysql2 and is now handled
by an own mariadb library.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
|
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-459438
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HELMETCSP-469436
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
|
|
needed to run migrations at run-time
Signed-off-by: Tobias Kremer <tobias.kremer@gmail.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
|
|
|
|
The recent sequelize upgrade introduced some other dependencies, this is
one of them. This patch replaces the old `mysql` library with `mysql2`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.
For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515
What is a ReDOS?
A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked`-team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MERMAID-174698
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: BoHong Li <a60814billy@gmail.com>
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
We will no longer test on node6 and instead focus on 8+. This won't
break node6 immediately, but we will no longer go out of our way
supporting a version that does not receive security updates.
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183
|
|
js-url is outdated and wurl is it's successor. This will fix some
vulnerabilities in the dependencies and also optimize the build process
by removing the external library toward internal tooling.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Max Wu <jackymaxj@gmail.com>
Co-Authored-By: Sheogorath <sheogorath@shivering-isles.com>
|
|
Snyk informed us about possible vulnerabilities in meta-marked. It seems
like at least some of them were already address by HackMD around a year
ago but never pushed upstream to CodiMD.
This patch provides a fix by using an up-to-date dependency from our own
repository with CI integration.
Details: https://app.snyk.io/vuln/SNYK-JS-JSYAML-174129
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
|
|
A few days ago the dependency was removed from npm. this causes various
setups to fail and blocks deployments and development.
This patch should fix the dependency and allow CodiMD to move forward.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
