Snyk has created this PR to upgrade sirv-cli from 1.0.11 to 1.0.14.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 3 versions ahead of your current version.
The recommended version was released a month ago, on 2021-08-14.
(sirv) Only use req.path if has req._decoded flag exists (#82):
The req._decoded check was added & should have always been in there, since this was sirv's way of preventing duplicate decodeURIComponent calls. However, this was only true when it received a request from a polka@next app, since Polka was previously writing the decoded value to req.path – this changed with polka@v1.0.0-next.16
Now that the latest polka@next (and Express) doesn't decode automatically anymore, req.path isn't trustworthy on its own. It needs req._decoded to be there too in order to trust it.
This combo-check is backwards compatible for polka@next users who don't upgrade and will unblock Express users for the first time, who have always had a "raw" req.path value set.
Snyk has created this PR to upgrade sirv-cli from 1.0.11 to 1.0.14.
Release notes
Package name: sirv-cli
-
1.0.14 - 2021-08-14
- (
-
1.0.13 - 2021-08-13
-
-
1.0.12 - 2021-05-24
- (sirv-cli): Ensure
- (sirv): Bump
- Adjust GitHub Action env setup (#109): f2ae0f5
- Update Github Action image(s) and Node versions: 9334dfc, cf2de81, c7e0a20
- Add test for filename with space (#102): ede9189
-
1.0.11 - 2021-01-30
- (
from sirv-cli GitHub release notesChores
sirv): Bump@ polka/urlto take advantage of this fixPatches
(
sirv) Only usereq.pathif hasreq._decodedflag exists (#82):The
req._decodedcheck was added & should have always been in there, since this wassirv's way of preventing duplicatedecodeURIComponentcalls. However, this was only true when it received a request from apolka@nextapp, since Polka was previously writing the decoded value toreq.path– this changed withpolka@v1.0.0-next.16Now that the latest
polka@next(and Express) doesn't decode automatically anymore,req.pathisn't trustworthy on its own. It needsreq._decodedto be there too in order to trust it.This combo-check is backwards compatible for
polka@nextusers who don't upgrade and will unblock Express users for the first time, who have always had a "raw"req.pathvalue set.Patches
booleanoptions are parsed as booleans (#97): 8ebca7c@ polka/urldependency version: 7c5162aChores
Thank you @ samccone!
Patches
sirv) AddVaryheader when gzip or brotli is in use (#95): 86e6733Thank you @ istarkov~!
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs