Open NicholasEllul opened 3 years ago
Can anyone publish the latest updates to npm? I see that the latest commit fixes some issues but doesn't publish to npm
@cloudhead : I went ahead and replaced the history so as to avoid all the merges (though keeping a copy of the old branch with all of them), so I think it should be ready for your review before a release. ~(And if accepted, we can also close #232 )~
@cloudhead : Can we go ahead with this?
@cloudhead : Do you want periodic checkbacks like this or do you have an ETA? The commit history should be all cleaned up.
Am I crazy, or did this replace the npm package with the wrong code?
var version = [0, 7, 9];
Maybe I'm losing it, but something is pretty bizarre here, and my only theory is a funky npm registry update.
alternate path to reproduce:
edit:
npm i cloudhead/node-static
installs the correct versionIf you look at https://www.npmjs.com/package/node-static , it was last published 4 years ago, and the latest version is 0.7.11.
If you use the "blame" feature for the file defining the version, you can see a commit from 12 months ago where it was changed from var
to const
(but still listing 0.7.9) at the time.
Thus, the version just hadn't been updated despite subsequent releases up to 0.7.11
As to why there is a const
, etc., there have been (many) changes on master
since that time and we are awaiting a new publishing. The project owner still needs to give final approval on these changes, so these many changes have not been published to npm yet.
FWIW, some of the changes are available on my fork, @brettz9/node-static
(using a different (smaller) versioning number as it is an independent project), but as the author of the regular node-static
here eventually replied granting access to the project with openness to including my changes, I resumed work here.
Hi. When this upgrade will be done? We get this issue from snyk
Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-NODESTATIC-1297183] in node-static@0.7.11
introduced by node-static@0.7.11
No upgrade or patch available
Thank you.
Hey, sorry, am pretty overwhelmed with other stuff, @brettz9 -- can you point me again to the cleaned up history?
Sure, @cloudhead ...Thankfully, we were able to get the history cleaned, so master
is already a cleaned history.
If you want the diffs from what is apparently the final commit for the latest published published version, 0.7.11 (there's no tag for it), see https://github.com/cloudhead/node-static/compare/e59fe21dffbee46678362d26d26fdfb241f49506..master , but there's a whole lot of noise if trying to look at all at once.
Hi, We are concerned by the same issue as @andreeatirgovatustockX . Is there a workaround we can apply to not be impacted by the SNYK-JS-NODESTATIC-1297183 security issue anymore ? (waiting until a new version is published)
@francoisihry : As mentioned at https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183 , this was fixed in master
of this project. Ideally, however, @cloudhead may be able to review the commits on master
since the last release so a new npm release can be published.
Thank you @brettz9 we look forward for a new version to be released so that we can easily integrate the fix.
Hey 👋 I notice its been a while since a new version of node-static has been pushed to NPM, and the version that currently exists there contains the package minimist which has a (github advisory) for it. This package was being used which is used by a package in this project called optimist. In this pull request, @brettz9 removed optimist to resolve this vulnerability. As a result, publishing a new version of
node-static
will ensure that all users of this package will use a safe version by default.cc @cloudhead