freeCodeCamp / solana-curriculum

freeCodeCamp Solana Curriculum
BSD 3-Clause "New" or "Revised" License

chore(deps): update dependency express to v4.20.0 [security] #369

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| express (source) | 4.19.2 -> 4.20.0 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code.

Patches

This issue is patched in express 4.20.0.

Workarounds

Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.

Details

Successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template

Release Notes

expressjs/express (express)

### [`v4.20.0`](https://redirect.github.com/expressjs/express/blob/HEAD/History.md#4200--2024-09-10)

[Compare Source](https://redirect.github.com/expressjs/express/compare/4.19.2...4.20.0)

- deps: serve-static@0.16.0
  - Remove link renderization in html while redirecting
- deps: send@0.19.0
  - Remove link renderization in html while redirecting
- deps: body-parser@0.6.0
  - add `depth` option to customize the depth level in the parser
  - IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
- Remove link renderization in html while using `res.redirect`
- deps: path-to-regexp@0.1.10
  - Adds support for named matching groups in the routes using a regex
  - Adds backtracking protection to parameters without regexes defined
- deps: encodeurl@~2.0.0
  - Removes encoding of `\`, `|`, and `^` to align better with URL spec
- Deprecate passing `options.maxAge` and `options.expires` to `res.clearCookie`
  - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
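The allowlist workaround the advisory recommends, as an added example that is not part of this PR or of express itself: a user-supplied redirect target is resolved and checked against an explicit host allowlist before it is ever handed to `res.redirect()`. `SELF_ORIGIN`, `ALLOWED_HOSTS`, `FALLBACK` and the `next` query parameter are assumptions made for the example.

```javascript
// Added example, not code from this PR or from express: validate a redirect
// target against an explicit allowlist before calling res.redirect(), the
// workaround the CVE-2024-43796 advisory describes for express <4.20.0.
// SELF_ORIGIN, ALLOWED_HOSTS and FALLBACK are assumed values.
const SELF_ORIGIN = "https://app.example.test";
const ALLOWED_HOSTS = new Set(["app.example.test", "docs.example.test"]);
const FALLBACK = "/";

// Returns a fully resolved https URL on an allowlisted host, or FALLBACK.
// Resolving against SELF_ORIGIN first means relative paths ("/account")
// are accepted while protocol-relative ones ("//other.test") are not,
// because the parser assigns them a different hostname.
function resolveRedirectTarget(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return FALLBACK;
  }
  // Control characters and backslashes are rejected before parsing: the
  // WHATWG parser silently drops or rewrites them, so the string a browser
  // sees could differ from the one checked here.
  if (/[\u0000-\u001f\u007f\\]/.test(input)) return FALLBACK;
  let target;
  try {
    target = new URL(input, SELF_ORIGIN);
  } catch {
    return FALLBACK; // unparsable input is never forwarded
  }
  if (target.protocol !== "https:") return FALLBACK;
  if (target.username !== "" || target.password !== "") return FALLBACK;
  if (target.port !== "") return FALLBACK; // only the default port
  if (!ALLOWED_HOSTS.has(target.hostname)) return FALLBACK;
  return target.href;
}

// Express-style route handler; req and res are passed in so the example
// runs without express installed. In a real app this is the body of an
// app.get(...) route and res.redirect() is express's own method.
function redirectHandler(req, res) {
  res.redirect(resolveRedirectTarget(req.query.next));
}

// Drive the handler with a stub response and return what it would send.
function redirectFor(next) {
  let sent;
  redirectHandler({ query: { next } }, { redirect: (url) => { sent = url; } });
  return sent;
}
```

Upgrading to 4.20.0 removes the rendered link from the redirect body; the allowlist check still prevents redirects to unexpected hosts on any version.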

socket-security[bot] commented 1 month ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/@ampproject/remapping@2.2.0 | None | 0 | 55.3 kB | jridgewell |
| npm/@babel/core@7.22.9 | environment, filesystem, unsafe | +1 | 838 kB | nicolo-ribaudo |
| npm/@babel/parser@7.24.5 | None | 0 | 1.89 MB | nicolo-ribaudo |
| npm/@babel/runtime@7.24.5 | None | 0 | 262 kB | nicolo-ribaudo |
| npm/@freecodecamp/freecodecamp-os@1.10.0 | Transitive: environment, eval, filesystem, network, shell, unsafe | +347 | 26.6 MB | shaunshamilton |
| npm/@jridgewell/gen-mapping@0.1.1 | None | 0 | 52.4 kB | jridgewell |
| npm/@jridgewell/resolve-uri@3.1.0 | None | 0 | 55.2 kB | jridgewell |
| npm/@jridgewell/sourcemap-codec@1.4.14 | None | 0 | 40 kB | jridgewell |
| npm/@jridgewell/trace-mapping@0.3.17 | None | 0 | 164 kB | jridgewell |
| npm/@metaplex-foundation/js@0.20.1 | network; Transitive: environment, eval, filesystem, shell | +217 | 76.6 MB | blockiosaurus |
| npm/@noble/curves@1.4.0 | None | +1 | 2.16 MB | paulmillr |
| npm/@noble/hashes@1.3.3 | None | 0 | 761 kB | paulmillr |
| npm/@solana/spl-token@0.4.6 | Transitive: environment | +15 | 5.12 MB | steveluscher |
| npm/@solana/web3.js@1.91.8 | network | 0 | 10.8 MB | lorisleiva |
| npm/@types/json-schema@7.0.11 | None | 0 | 32.2 kB | types |
| npm/@types/node@18.17.3 | None | 0 | 3.71 MB | types |
| npm/@types/react-dom@18.2.7 | None | 0 | 30.2 kB | types |
| npm/@types/react@18.2.18 | None | 0 | 364 kB | types |
| npm/acorn@8.8.1 | None | 0 | 467 kB | marijn |
| npm/babeliser@0.6.0 | None | 0 | 645 kB | shaunshamilton |
| npm/borsh@2.0.0 | None | 0 | 80.1 kB | boatnear |
| npm/chai@4.3.7 | None | 0 | 752 kB | chai |
| npm/check-error@1.0.2 | None | 0 | 20.2 kB | chaijs |
| npm/commander@8.3.0 | environment, filesystem, shell | 0 | 151 kB | abetomo |
| npm/electron-to-chromium@1.4.487 | None | 0 | 243 kB | kilianvalkhof |
| npm/eslint-scope@5.1.1 | None | 0 | 78.4 kB | eslintbot |
| npm/estraverse@4.3.0 | None | 0 | 36.3 kB | michaelficarra |
| npm/express@4.18.2 | environment, filesystem, network; Transitive: eval, unsafe | +49 | 1.8 MB | dougwilson |
| npm/find-up@4.1.0 | None | 0 | 11.6 kB | sindresorhus |
| npm/get-func-name@2.0.0 | None | 0 | 9.83 kB | chaijs |
| npm/is-plain-obj@3.0.0 | None | 0 | 3.82 kB | sindresorhus |
| npm/locate-path@5.0.0 | filesystem | 0 | 6.58 kB | sindresorhus |
| npm/lru-cache@5.1.1 | None | 0 | 15.7 kB | isaacs |
| npm/node-fetch@2.7.0 | network | 0 | 162 kB | node-fetch-bot |
| npm/p-limit@2.3.0 | None | +1 | 11.8 kB | sindresorhus |
| npm/p-locate@4.1.0 | None | 0 | 7.29 kB | sindresorhus |
| npm/postcss@8.4.24 | environment, filesystem | 0 | 194 kB | ai |
| npm/punycode@2.1.1 | None | 0 | 32.4 kB | mathias |
| npm/resolve-from@5.0.0 | filesystem, unsafe | 0 | 5.82 kB | sindresorhus |
| npm/rpc-websockets@7.11.0 | None | 0 | 5.27 MB | mkozjak |
| npm/semver@6.3.0 | None | 0 | 67.1 kB | isaacs |
| npm/tslib@2.4.1 | None | 0 | 52.8 kB | typescript-bot |
| npm/wrap-ansi@6.2.0 | None | 0 | 9.5 kB | sindresorhus |
| npm/yallist@3.1.1 | None | 0 | 14.8 kB | isaacs |

🚮 Removed packages:


socket-security[bot] commented 1 month ago

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

| Alert | Package | Note | Source | CI |
|---|---|---|---|---|
| Critical CVE | npm/webpack@5.75.0 | | | ⚠︎ |


Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or `npm audit fix --force` to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with `@SocketSecurity ignore` followed by a space separated list of ecosystem/package-name@version specifiers, e.g. `@SocketSecurity ignore npm/foo@1.0.0`, or ignore all packages with `@SocketSecurity ignore-all`.

  • @SocketSecurity ignore npm/webpack@5.75.0