summaryrefslogtreecommitdiff
path: root/package.json (follow)
Commit message (Collapse)AuthorAgeFilesLines
* fix: package.json to reduce vulnerabilitiessnyk-bot2019-09-301-1/+1
| | | | | The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-HELMETCSP-469436
* fix: package.json to reduce vulnerabilitiessnyk-bot2019-09-261-1/+1
| | | | | The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-469063
* Move sequelize-cli from devDependencies to dependencies, because it is ↵Tobias Kremer2019-09-061-1/+1
| | | | | | needed to run migrations at run-time Signed-off-by: Tobias Kremer <tobias.kremer@gmail.com>
* fix: package.json to reduce vulnerabilitiessnyk-test2019-08-201-2/+2
| | | | | | The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AUTOLINKER-73494 - https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
* Release version 1.5.0Sheogorath2019-08-151-1/+1
|
* Switch mysql library to mysql2Sheogorath2019-08-151-1/+1
| | | | | | | The recent sequelize upgrade introduced some other dependencies, this is one of them. This patch replaces the old `mysql` library with `mysql2`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update meta-marked to latest versionSheogorath2019-08-151-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note. For Details: https://github.com/markedjs/marked/releases/tag/v0.7.0 https://github.com/markedjs/marked/pull/1515 What is a ReDOS? A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities it can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremly huge trees that simply lead to exhausting CPU usage. For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* fix: package.json to reduce vulnerabilitiessnyk-test2019-07-241-1/+1
| | | | | The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MERMAID-174698
* Update sequelize to latest versionSheogorath2019-06-221-1/+1
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* fix: upgrade sequelize to latest version to fix CVEBoHong Li2019-06-111-3/+3
| | | | Signed-off-by: BoHong Li <a60814billy@gmail.com>
* Merge pull request #97 from SISheogorath/fix/lintingSheogorath2019-06-041-1/+1
|\ | | | | Fix eslint warnings
| * Fix eslint warningsSheogorath2019-05-311-1/+1
| | | | | | | | | | | | | | | | | | | | | | Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning on order to make warnings visable in the CI process. There should no functional change be introduced. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Release version 1.4.0Sheogorath2019-05-311-1/+1
|/ | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* drop node 6 supportClaudius2019-05-131-2/+2
| | | | | | | | We will no longer test on node6 and instead focus on 8+. This won't break node6 immediately, but we will no longer go out of our way supporting a version that does not receive security updates. Signed-off-by: Claudius <opensource@amenthes.de>
* polyfilling scrypt for node 8.5+Claudius2019-05-131-0/+1
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* asyncified setting and verifying the passwordClaudius2019-05-131-2/+2
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* Adding the first few lines of user model testClaudius2019-05-131-1/+2
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* Update jQuery to version 3.4.1Sheogorath2019-05-061-1/+1
|
* Merge pull request #51 from SISheogorath/fix/wurlChristoph (Sheogorath) Kern2019-04-191-1/+1
|\ | | | | Replace js-url with wurl
| * Replace js-url with wurlSheogorath2019-04-161-1/+1
| | | | | | | | | | | | | | | | js-url is outdated and wurl is it's successor. This will fix some vulnerabilities in the dependencies and also optimize the build process by removing the external library toward internal tooling. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | fix: package.json to reduce vulnerabilitiessnyk-bot2019-04-161-1/+1
|/ | | | | The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183
* Fix stored XSS in the graphviz error message rendering [Security Issue]Max Wu2019-04-161-0/+1
| | | | | | Signed-off-by: Max Wu <jackymaxj@gmail.com> Co-Authored-By: Sheogorath <sheogorath@shivering-isles.com>
* Update meta-marked to fix possible vulnerabilitiesSheogorath2019-04-101-1/+1
| | | | | | | | | | | | | Snyk informed us about possible vulnerabilities in meta-marked. It seems like at least some of them were already address by HackMD around a year ago but never pushed upstream to CodiMD. This patch provides a fix by using an up-to-date dependency from our own repository with CI integration. Details: https://app.snyk.io/vuln/SNYK-JS-JSYAML-174129 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #33 from codimd/lutim-supportChristoph (Sheogorath) Kern2019-04-101-0/+1
|\ | | | | Add support for image hosting with lutim
| * Add lutim supportDylan Dervaux2019-04-101-0/+1
| | | | | | | | Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
* | Fix broken dependency js-sequence-diagramsSheogorath2019-04-101-1/+1
| | | | | | | | | | | | | | | | | | A few days ago the dependency was removed from npm. this causes various setups to fail and blocks deployments and development. This patch should fix the dependency and allow CodiMD to move forward. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | fix: package.json to reduce vulnerabilitiessnyk-bot2019-04-071-1/+1
|/ | | | | The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-JSYAML-174129
* removing doctoc, which is no longer being usedClaudius2019-04-011-3/+1
| | | | Signed-off-by: Claudius <opensource@amenthes.de>
* cleanup of the heroku configurationClaudius2019-03-311-1/+1
| | | | | | | | | | this removes the general `postinstall` call to `bin/heroku` and instead puts it into a heroku-prebuild hook. At the same time, env vars get updated to use the `CMD` prefix. The configured buildpacks were not used. Finally, npm run build is now automatically done by Heroku. Signed-off-by: Claudius <opensource@amenthes.de>
* Release version 1.3.2Sheogorath2019-03-291-1/+1
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update maintainers in package.jsonSheogorath2019-03-291-3/+4
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update links to new repositoriesSheogorath2019-03-271-2/+2
| | | | | | | | | | | | After a long discussion, it turned out that CodiMD as community project and HackMD as a company, have fundamental different views on the project governance. Due to this, it came to point where the decision for a fork was made. After the fork and move towards an own organisation, this patch updates all links inside the project to the new repositories. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Release version 1.3.1Sheogorath2019-03-231-1/+1
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Release version 1.3.0Sheogorath2019-03-041-1/+1
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Force upgrade of some outdated dependenciesSheogorath2019-03-021-1/+3
| | | | | | | | | | | I don't really like the way to go here, but I guess having those forcefully upgraded is better than staying around with vulnerable dependencies. This patch fixes some vulnerbilities in dependencies that were categories as high severity. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update handlebar to version 4.0.13Sheogorath2019-02-151-1/+1
| | | | | | | Synk found an security vulnerbility in the version we provide, that in theory can provide an RCE. Details: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
* Fixing deep dependency problem with node 6.xClaudius Coenen2019-01-231-0/+3
| | | | | | | | this commit has been blatantly stolen from @samselikoff in ember-cli-addon-docs. It prevents an issue introduced via a deep dependency that no longer supports node 6 (which we still would like to support). see: https://github.com/ember-learn/ember-cli-addon-docs/commit/231275b5a4bed59bbac798ddaa1bde94319047cb see: https://github.com/salesforce/tough-cookie/pull/141 Signed-off-by: Claudius Coenen <opensource@amenthes.de>
* Add linting for testsSheogorath2019-01-211-1/+1
| | | | | | | | | | The tests are currently not linted. This causes a different coding style than the rest of the sources. This patch adds the `./test` directory to the eslint testing and fixes linting for existing tests. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add tests for csp.jsSheogorath2019-01-191-0/+1
| | | | | | | | | | Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update bootstrap from 3.3.7 to 3.4.0Sheogorath2019-01-111-1/+1
| | | | | | | | | | | | | Seems like finally there is a new bootstrap version for old version 3. This patch implements this new version with CodiMD and this way fixes some possible security issues in the frontend code. See: https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72889 https://snyk.io/vuln/SNYK-JS-BOOTSTRAP-72890 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update SAML to version 1.0.0Sheogorath2019-01-091-1/+1
| | | | | | | | | | Seems like there was a security problem with the library. This patch updates to version 1.0.0 which fixed the details. Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Remove blueimp-md5 dependencyDaan Sprenkels2018-12-221-1/+0
| | | | Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Add a test for gravatar urlsDaan Sprenkels2018-12-221-1/+2
| | | | Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Update socket.ioSheogorath2018-11-281-2/+2
| | | | | | | | | | Our socket.io version is 2.0.4 while the current socket.io version is 2.1.1. This patch updates socket.io to version 2.1.1 and takes care of the CDN client version. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1072 from SISheogorath/update/doctocChristoph (Sheogorath) Kern2018-11-241-1/+1
|\ | | | | Update doctoc to version 1.4.0
| * Update doctoc to version 1.4.0Sheogorath2018-11-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | When installing doctoc it throws some warnings about the markdown-to-ast package that moved to an own namespace. This patch updates to the version containing the new, namespaced, package. References: https://github.com/thlorenz/doctoc/pull/151 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1069 from SISheogorath/fix/to-markdownChristoph (Sheogorath) Kern2018-11-241-1/+1
|\ \ | | | | | | Update from to-markdown to turndown
| * | Update from to-markdown to turndownSheogorath2018-11-211-1/+1
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | We got a security alert for a regular expression DoS attack on our used library `to-markdown`. After checking `to-markdown` to be maintained or not, it turned out they renamed the library to `turndown`. So upgrading to `turndown` should fix this vulnerbility. References: https://www.npmjs.com/package/to-markdown https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* / Remove node-uuidSheogorath2018-11-211-1/+0
|/ | | | | | | | | | | | We currently install `uuid` and `node-uuid`. `node-uuid` is deprecated in favor of `uuid`. It seems like we already switched a while ago, but somehow missed to remove the dependency. This patch does exactly that. It removes the dependency from `package.json` and this way removes the warning during install about `node-uuid` being deprecated. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1063 from SISheogorath/fix/nodeVersionChristoph (Sheogorath) Kern2018-11-211-1/+1
|\ | | | | After removing ws, node version 10 should work