| Commit message (Collapse) | Author | Files | Lines |
|---|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
|
|
needed to run migrations at run-time
Signed-off-by: Tobias Kremer <tobias.kremer@gmail.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
|
|
|
|
The recent sequelize upgrade introduced some other dependencies, this is
one of them. This patch replaces the old `mysql` library with `mysql2`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.
For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515
What is a ReDOS?
A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked`-team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MERMAID-174698
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: BoHong Li <a60814billy@gmail.com>
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
We will no longer test on node6 and instead focus on 8+. This won't
break node6 immediately, but we will no longer go out of our way
supporting a version that does not receive security updates.
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183
|
|
js-url is outdated and wurl is it's successor. This will fix some
vulnerabilities in the dependencies and also optimize the build process
by removing the external library toward internal tooling.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Max Wu <jackymaxj@gmail.com>
Co-Authored-By: Sheogorath <sheogorath@shivering-isles.com>
|
|
Snyk informed us about possible vulnerabilities in meta-marked. It seems
like at least some of them were already address by HackMD around a year
ago but never pushed upstream to CodiMD.
This patch provides a fix by using an up-to-date dependency from our own
repository with CI integration.
Details: https://app.snyk.io/vuln/SNYK-JS-JSYAML-174129
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
|
|
A few days ago the dependency was removed from npm. this causes various
setups to fail and blocks deployments and development.
This patch should fix the dependency and allow CodiMD to move forward.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JSYAML-174129
|
|
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
this removes the general `postinstall` call to `bin/heroku` and instead
puts it into a heroku-prebuild hook. At the same time, env vars get
updated to use the `CMD` prefix. The configured buildpacks were not used.
Finally, npm run build is now automatically
done by Heroku.
Signed-off-by: Claudius <opensource@amenthes.de>
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
After a long discussion, it turned out that CodiMD as community project
and HackMD as a company, have fundamental different views on the project
governance.
Due to this, it came to point where the decision for a fork was made.
After the fork and move towards an own organisation, this patch updates
all links inside the project to the new repositories.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
I don't really like the way to go here, but I guess having those
forcefully upgraded is better than staying around with vulnerable
dependencies.
This patch fixes some vulnerbilities in dependencies that were
categories as high severity.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Synk found an security vulnerbility in the version we provide, that in
theory can provide an RCE.
Details: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
|
|
this commit has been blatantly stolen from @samselikoff in ember-cli-addon-docs. It prevents an issue introduced via a deep dependency that no longer supports node 6 (which we still would like to support).
see: https://github.com/ember-learn/ember-cli-addon-docs/commit/231275b5a4bed59bbac798ddaa1bde94319047cb
see: https://github.com/salesforce/tough-cookie/pull/141
Signed-off-by: Claudius Coenen <opensource@amenthes.de>
|
|
The tests are currently not linted. This causes a different coding style
than the rest of the sources.
This patch adds the `./test` directory to the eslint testing and fixes
linting for existing tests.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Since we lack of tests but got some great point to start, let's write
more tests.
This patch provides some basic tests for our CSP library. It's more an
integration than a unit test, but gets the job done.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Seems like finally there is a new bootstrap version for old version 3.
This patch implements this new version with CodiMD and this way fixes
some possible security issues in the frontend code.
See:
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889
https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Seems like there was a security problem with the library.
This patch updates to version 1.0.0 which fixed the details.
Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
|
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
|
Our socket.io version is 2.0.4 while the current socket.io version is
2.1.1.
This patch updates socket.io to version 2.1.1 and takes care of the CDN
client version.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
When installing doctoc it throws some warnings about the markdown-to-ast
package that moved to an own namespace.
This patch updates to the version containing the new, namespaced,
package.
References:
https://github.com/thlorenz/doctoc/pull/151
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
We currently install `uuid` and `node-uuid`. `node-uuid` is deprecated
in favor of `uuid`. It seems like we already switched a while ago, but
somehow missed to remove the dependency.
This patch does exactly that. It removes the dependency from
`package.json` and this way removes the warning during install about
`node-uuid` being deprecated.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
We got a security alert for a regular expression DoS attack on our used
library `to-markdown`.
After checking `to-markdown` to be maintained or not, it turned out they
renamed the library to `turndown`. So upgrading to `turndown` should fix
this vulnerbility.
References:
https://www.npmjs.com/package/to-markdown
https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Since our previous scrypt library is unmaintained since 3 years, it's
time to look for an alternative.
A refactoring towards another password algorithm was worked on and this
is probably still the way to go. But for now the successor of our
previous library should already be enough.
https://www.npmjs.com/package/scrypt (old library)
https://github.com/ml1nk/node-scrypt (new library)
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
There is a new reveal.js version out. As we try to keep up with
upstream, time to integreate it.
This patch updates reveal.js in for CDN-using instances as well as the
ones using the libraries.
Checked that speaker view in slide mode still works, so no CSP change
needed.
https://github.com/hakimel/reveal.js/releases/tag/3.7.0
https://github.com/hackmdio/codimd/blob/2d241b93002a3a23f81ffe8fab82f2c6c98feca4/lib/csp.js#L72-L74
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
In my local environment I switched to Fedora 29. Fedora 29 comes with
NodeJS version 10.
As far as I can say, it works, so let's try to remove the restriction to
"<10.x"
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style
Signed-off-by: Claudius Coenen <opensource@amenthes.de>
|
|
Our log library got a new major version which should be implemented.
That's exactly what this patch does. Implementing the new version of the
logging library.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
`npm audit` reports a ton of issues on CodiMD. Most of them are minor
issues, but these are still things that should be fixed.
This changes were created by running `npm audit fix`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
Signed-off-by: MartB <mart.b@outlook.de>
|
