Publish New NPM version for Node-Static

[NicholasEllul]

Hey 👋 I notice its been a while since a new version of node-static has been pushed to NPM, and the version that currently exists there contains the package minimist which has a (github advisory) for it. This package was being used which is used by a package in this project called optimist. In this pull request, @brettz9 removed optimist to resolve this vulnerability. As a result, publishing a new version of node-static will ensure that all users of this package will use a safe version by default.

cc @cloudhead

[ibesty]

Can anyone publish the latest updates to npm? I see that the latest commit fixes some issues but doesn't publish to npm

[brettz9]

@cloudhead : I went ahead and replaced the history so as to avoid all the merges (though keeping a copy of the old branch with all of them), so I think it should be ready for your review before a release. ~(And if accepted, we can also close #232 )~

[brettz9]

@cloudhead : Can we go ahead with this?

[brettz9]

@cloudhead : Do you want periodic checkbacks like this or do you have an ETA? The commit history should be all cleaned up.

[kenjura]

Am I crazy, or did this replace the npm package with the wrong code?

• using ubuntu 20.04.2 LTS (WSL)
• npm i node-static
• observe: package.json and package-lock.json shows 0.7.11
• more node_modules/bin/node-static/lib/node-static.js
• observe: line 11 reads var version = [0, 7, 9];
• observe: missing features, "var"s everywhere, code completely does not match github

Maybe I'm losing it, but something is pretty bizarre here, and my only theory is a funky npm registry update.

alternate path to reproduce:

• download https://registry.npmjs.org/node-static/-/node-static-0.7.11.tgz (the path of the latest npm package for this repo)
• unzip, untar
• observe pacakge/lib/node-static.js: appears to be 0.7.9

edit:

• npm i cloudhead/node-static installs the correct version

[brettz9]

If you look at https://www.npmjs.com/package/node-static , it was last published 4 years ago, and the latest version is 0.7.11.

If you use the "blame" feature for the file defining the version, you can see a commit from 12 months ago where it was changed from var to const (but still listing 0.7.9) at the time.

Thus, the version just hadn't been updated despite subsequent releases up to 0.7.11

As to why there is a const, etc., there have been (many) changes on master since that time and we are awaiting a new publishing. The project owner still needs to give final approval on these changes, so these many changes have not been published to npm yet.

FWIW, some of the changes are available on my fork, @brettz9/node-static (using a different (smaller) versioning number as it is an independent project), but as the author of the regular node-static here eventually replied granting access to the project with openness to including my changes, I resumed work here.

[andreeatirgovatustockX]

Hi. When this upgrade will be done? We get this issue from snyk

Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-NODESTATIC-1297183] in node-static@0.7.11
    introduced by node-static@0.7.11
  No upgrade or patch available

Thank you.

[cloudhead]

Hey, sorry, am pretty overwhelmed with other stuff, @brettz9 -- can you point me again to the cleaned up history?

[brettz9]

Sure, @cloudhead ...Thankfully, we were able to get the history cleaned, so master is already a cleaned history.

If you want the diffs from what is apparently the final commit for the latest published published version, 0.7.11 (there's no tag for it), see https://github.com/cloudhead/node-static/compare/e59fe21dffbee46678362d26d26fdfb241f49506..master , but there's a whole lot of noise if trying to look at all at once.

[francoisihry]

Hi, We are concerned by the same issue as @andreeatirgovatustockX . Is there a workaround we can apply to not be impacted by the SNYK-JS-NODESTATIC-1297183 security issue anymore ? (waiting until a new version is published)

[brettz9]

@francoisihry : As mentioned at https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183 , this was fixed in master of this project. Ideally, however, @cloudhead may be able to review the commits on master since the last release so a new npm release can be published.

[francoisihry]

Thank you @brettz9 we look forward for a new version to be released so that we can easily integrate the fix.