mirror of
https://github.com/toeverything/AFFiNE.git
synced 2024-12-23 07:51:45 +03:00
chore: bump up express version to v4.19.2 [SECURITY] (#6308)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [express](http://expressjs.com/) ([source](https://togithub.com/expressjs/express)) | [`4.18.2` -> `4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.2/4.19.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-29041](https://togithub.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc) ### Impact Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://togithub.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. ### Patches0867302ddb
0b746953c4
An initial fix went out with `express@4.19.0`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`. ### Workarounds The fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`. ### References [https://github.com/expressjs/express/pull/5539](https://togithub.com/expressjs/express/pull/5539) [https://github.com/koajs/koa/issues/1800](https://togithub.com/koajs/koa/issues/1800) https://expressjs.com/en/4x/api.html#res.location --- ### Release Notes <details> <summary>expressjs/express (express)</summary> ### [`v4.19.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25) [Compare Source](https://togithub.com/expressjs/express/compare/4.19.1...4.19.2) \========== - Improved fix for open redirect allow list bypass ### [`v4.19.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20) [Compare Source](https://togithub.com/expressjs/express/compare/4.19.0...4.19.1) \========== - Allow passing non-strings to res.location with new encoding handling checks ### [`v4.19.0`](https://togithub.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87) [Compare Source](https://togithub.com/expressjs/express/compare/4.18.3...4.19.0) ### [`v4.18.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#4183--2024-02-26) [Compare Source](https://togithub.com/expressjs/express/compare/4.18.2...4.18.3) \========== - Fix routing requests without method - deps: body-parser@1.20.2 - Fix strict json error message on Node.js 19+ - deps: content-type@~1.0.5 - deps: raw-body@2.5.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5In0=-->
This commit is contained in:
parent
1a1af83375
commit
2662ba763c
41
yarn.lock
41
yarn.lock
@ -21139,7 +21139,7 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"express@npm:4.18.2, express@npm:^4.17.1, express@npm:^4.17.3, express@npm:^4.18.2":
|
||||
"express@npm:4.18.2":
|
||||
version: 4.18.2
|
||||
resolution: "express@npm:4.18.2"
|
||||
dependencies:
|
||||
@ -21178,6 +21178,45 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"express@npm:^4.17.1, express@npm:^4.17.3, express@npm:^4.18.2":
|
||||
version: 4.19.2
|
||||
resolution: "express@npm:4.19.2"
|
||||
dependencies:
|
||||
accepts: "npm:~1.3.8"
|
||||
array-flatten: "npm:1.1.1"
|
||||
body-parser: "npm:1.20.2"
|
||||
content-disposition: "npm:0.5.4"
|
||||
content-type: "npm:~1.0.4"
|
||||
cookie: "npm:0.6.0"
|
||||
cookie-signature: "npm:1.0.6"
|
||||
debug: "npm:2.6.9"
|
||||
depd: "npm:2.0.0"
|
||||
encodeurl: "npm:~1.0.2"
|
||||
escape-html: "npm:~1.0.3"
|
||||
etag: "npm:~1.8.1"
|
||||
finalhandler: "npm:1.2.0"
|
||||
fresh: "npm:0.5.2"
|
||||
http-errors: "npm:2.0.0"
|
||||
merge-descriptors: "npm:1.0.1"
|
||||
methods: "npm:~1.1.2"
|
||||
on-finished: "npm:2.4.1"
|
||||
parseurl: "npm:~1.3.3"
|
||||
path-to-regexp: "npm:0.1.7"
|
||||
proxy-addr: "npm:~2.0.7"
|
||||
qs: "npm:6.11.0"
|
||||
range-parser: "npm:~1.2.1"
|
||||
safe-buffer: "npm:5.2.1"
|
||||
send: "npm:0.18.0"
|
||||
serve-static: "npm:1.15.0"
|
||||
setprototypeof: "npm:1.2.0"
|
||||
statuses: "npm:2.0.1"
|
||||
type-is: "npm:~1.6.18"
|
||||
utils-merge: "npm:1.0.1"
|
||||
vary: "npm:~1.1.2"
|
||||
checksum: 10/3fcd792536f802c059789ef48db3851b87e78fba103423e524144d79af37da7952a2b8d4e1a007f423329c7377d686d9476ac42e7d9ea413b80345d495e30a3a
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"extend@npm:^3.0.0, extend@npm:^3.0.2":
|
||||
version: 3.0.2
|
||||
resolution: "extend@npm:3.0.2"
|
||||
|
Loading…
Reference in New Issue
Block a user