Snyk has created this PR to upgrade sirv-cli from 1.0.11 to 1.0.14.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 3 versions ahead of your current version.
The recommended version was released a month ago, on 2021-08-14.
(sirv) Only use req.path if req._decoded flag exists (#82):
The req._decoded check was added & should have always been in there, since this was sirv's way of preventing duplicate decodeURIComponent calls. However, this was only true when it received a request from a polka@next app, since Polka was previously writing the decoded value to req.path – this changed with polka@v1.0.0-next.16
Now that the latest polka@next (and Express) doesn't decode automatically anymore, req.path isn't trustworthy on its own. It needs req._decoded to be there too in order to trust it.
This combo-check is backwards compatible for polka@next users who don't upgrade and will unblock Express users for the first time, who have always had a "raw" req.path value set.
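The combo-check described above, written out as an added example in plain Node.js (this is not sirv's, Polka's or Express's own code). The helper names decodePathname, legacyPathFor and pathFor are hypothetical, and the three request objects are constructed to mimic an older polka@next (decoded path plus the _decoded flag), Express (raw, still-encoded req.path) and a malformed URL:

```javascript
// Added example, not sirv's own code: the req.path / req._decoded combo-check.
// decodePathname, legacyPathFor and pathFor are hypothetical names.

// Drop the query string and percent-decode the pathname exactly once.
// decodeURIComponent throws a URIError on malformed input such as "%zz";
// null tells the caller to answer 400 rather than look up a file.
function decodePathname(url) {
  const idx = url.indexOf('?');
  const pathname = idx === -1 ? url : url.slice(0, idx);
  try {
    return decodeURIComponent(pathname);
  } catch (err) {
    return null;
  }
}

// Behaviour before #82: trust req.path whenever a framework set it.
// Fine for older polka@next, which stored the *decoded* value there, but
// Express sets a raw req.path, so those requests were never decoded at all.
function legacyPathFor(req) {
  return typeof req.path === 'string' ? req.path : decodePathname(req.url);
}

// Behaviour after #82: req.path is used only together with req._decoded,
// the flag polka set when it did the decoding itself. Anything else is
// decoded here, once, from req.url, so no request is ever decoded twice.
function pathFor(req) {
  if (req._decoded && typeof req.path === 'string') return req.path;
  return decodePathname(req.url);
}

// Constructed requests (not captured traffic). The file is literally named
// "café%20menu.html", so the correct result keeps "%20" as three characters;
// a second decodeURIComponent would turn it into a space and miss the file.
const oldPolkaReq = { url: '/caf%C3%A9%2520menu.html?v=1', path: '/café%20menu.html', _decoded: true };
const expressReq = { url: '/caf%C3%A9%2520menu.html?v=1', path: '/caf%C3%A9%2520menu.html' };
const malformedReq = { url: '/bad%zz' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('legacy, Express  :', legacyPathFor(expressReq)); // still percent-encoded
  console.log('fixed,  Express  :', pathFor(expressReq));       // /café%20menu.html
  console.log('fixed,  polka    :', pathFor(oldPolkaReq));      // /café%20menu.html
  console.log('fixed,  malformed:', pathFor(malformedReq));     // null
}
```

The null return for malformed encoding is this example's choice: the page does not say how sirv answers such requests, but a static server should refuse them rather than pass the undecoded string to the filesystem.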
Release notes
Package name: sirv-cli

Chores
(sirv): Bump @polka/url to take advantage of this fix
Patches
(sirv) Only use req.path if req._decoded flag exists (#82): described above

Patches
boolean options are parsed as booleans (#97): 8ebca7c
@polka/url dependency version: 7c5162a
Chores
Thank you @samccone!

Patches
(sirv) Add Vary header when gzip or brotli is in use (#95): 86e6733
Thank you @istarkov~!
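What the Vary entry (#95) is about, as an added example that is not sirv's own code: a server that picks a precompressed .br or .gz variant from the Accept-Encoding request header must also send Vary: Accept-Encoding, otherwise a shared cache keys the response on the URL alone and may hand the brotli bytes to a later client that cannot decode them. parseAcceptEncoding, chooseEncoding and cacheKey are hypothetical names, the brotli-over-gzip preference is this example's choice, and the header values are constructed:

```javascript
// Added example, not sirv's own code. Hypothetical names: parseAcceptEncoding,
// chooseEncoding, cacheKey. Header values below are constructed.

// Parse "gzip, br;q=0.9, identity;q=0" into a Map of token -> q-value.
// A q of 0 means the client explicitly refuses that encoding.
function parseAcceptEncoding(header) {
  const weights = new Map();
  for (const part of String(header || '').split(',')) {
    const [token, ...params] = part.split(';').map((s) => s.trim());
    if (!token) continue;
    let q = 1;
    for (const p of params) {
      const m = /^q=(\d+(?:\.\d+)?)$/i.exec(p);
      if (m) q = parseFloat(m[1]);
    }
    weights.set(token.toLowerCase(), q);
  }
  return weights;
}

// Pick the best precompressed variant that exists on disk (this example
// prefers brotli over gzip) and build the response headers. Vary is set
// whenever the answer depended on Accept-Encoding, i.e. whenever a compressed
// variant exists, even if this particular client ends up with the plain file.
function chooseEncoding(acceptEncoding, available) {
  const weights = parseAcceptEncoding(acceptEncoding);
  const headers = {};
  if (available.size > 0) headers['Vary'] = 'Accept-Encoding';
  for (const enc of ['br', 'gzip']) {
    if (available.has(enc) && (weights.get(enc) || 0) > 0) {
      headers['Content-Encoding'] = enc;
      return { encoding: enc, headers };
    }
  }
  return { encoding: null, headers };
}

// A minimal model of how a shared cache keys stored responses: without Vary
// the key is the URL alone, so whichever client arrived first decides what
// every later client receives. Request header names are lower-cased here.
function cacheKey(url, requestHeaders, responseHeaders) {
  const vary = responseHeaders['Vary'];
  if (!vary) return url;
  const names = vary.split(',').map((h) => h.trim().toLowerCase());
  const values = names.map((h) => `${h}=${(requestHeaders[h] || '').trim().toLowerCase()}`);
  return `${url}|${values.join('|')}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  const onDisk = new Set(['br', 'gzip']); // app.js.br and app.js.gz exist
  console.log(chooseEncoding('gzip, deflate, br', onDisk)); // br, with Vary
  console.log(chooseEncoding('', onDisk));                  // identity, still with Vary
}
```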
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs