lukeed/sirv
### [`v0.4.6`](https://togithub.com/lukeed/sirv/releases/v0.4.6)
[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.4.5...v0.4.6)
> **NOTICE** This version patches a directory-traversal **security vulnerability** that exists in `dev` mode only. All users should update _immediately_, even if they don't think they're using `--dev` or `opts.dev` on live servers. There are no other changes in this release.

#### Patches
- Fixes `dev` mode security vulnerability ([#63](https://togithub.com/lukeed/sirv/issues/63)): [`1e0bac5`](https://togithub.com/lukeed/sirv/commit/1e0bac5)
_Thank you [@marvinhagemeister](https://togithub.com/marvinhagemeister)~!_
As Marvin describes:
> This allows an attacker to traverse the file system outside of the specified directory.
>
> Let's say `sirv` was initialized to serve files from `/foo/bar`:
>
> ```js
> sirv("/foo/bar");
> ```
>
> ...and an attacker makes a request to:
>
> ```
> GET /../../etc/passwd
> ```
>
> ...then they are able to download the contents of that file.

#### Chores
- Attach GitHub Actions: [`ea15d6a`](https://togithub.com/lukeed/sirv/commit/ea15d6a)
- Update test runner: [`2b965cd`](https://togithub.com/lukeed/sirv/commit/2b965cd)
- Update `lerna` version: [`0b6de8d`](https://togithub.com/lukeed/sirv/commit/0b6de8d)
Renovate configuration

- Schedule: At any time (no schedule defined).
- Automerge: Disabled by config. Please merge this manually once you are satisfied.
- Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates:
0.4.5 -> 0.4.6
This PR has been generated by WhiteSource Renovate.
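
The traversal described in the v0.4.6 release notes above comes down to joining a request path onto the served root without checking where the result lands. The following is an added example, not code from sirv or from this PR; `resolveNaive`, `resolveSafe` and the sample requests are hypothetical names and constructed inputs used to contrast the unsafe join with a containment check.

```javascript
// Added illustration; not sirv's source. Function names are hypothetical.
const path = require("path").posix; // POSIX semantics so results match on any host

// Vulnerable pattern: join the request path onto the root and trust the result.
function resolveNaive(root, reqPath) {
  return path.join(root, reqPath);
}

// Hardened pattern: decode, resolve, then verify the result is still inside root.
function resolveSafe(root, reqPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(reqPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL bytes never belong in a file path

  const base = path.resolve(root);
  const target = path.resolve(base, "." + path.sep + decoded);

  // Compare against base + separator so "/foo/bar-old" is not treated as inside "/foo/bar".
  const prefix = base.endsWith(path.sep) ? base : base + path.sep;
  if (target !== base && !target.startsWith(prefix)) return null;
  return target;
}

// Constructed sample requests against the root used in the release notes.
const ROOT = "/foo/bar";
for (const req of ["/css/app.css", "/a/../b.txt", "/../../etc/passwd"]) {
  console.log(req, "| naive:", resolveNaive(ROOT, req), "| safe:", resolveSafe(ROOT, req));
}
```

A `null` result should be mapped to a 404 or 400 response by the caller, never passed to a file read.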