Open renovate[bot] opened 5 years ago
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
This PR contains the following updates:
0.2.2 -> 0.4.6
Release Notes
lukeed/sirv
### [`v0.4.6`](https://togithub.com/lukeed/sirv/releases/tag/v0.4.6)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.4.2...v0.4.6)

> **NOTICE**
> This version patches a directory-traversal **security vulnerability** that exists in `dev` mode only. All users should update *immediately*, even if they don't think they're using `--dev` or `opts.dev` on live servers. There are no other changes in this release.

##### Patches

- Fixes `dev` mode security vulnerability ([#63](https://togithub.com/lukeed/sirv/issues/63)): [`1e0bac5`](https://togithub.com/lukeed/sirv/commit/1e0bac5)
  *Thank you [@marvinhagemeister](https://togithub.com/marvinhagemeister)~!*

As Marvin describes:

> This allows an attacker to traverse the file system outside of the specified directory. Let's say `sirv` was initialized to serve files from /foo/bar:
>
> ```js
> sirv("/foo/bar");
> ```
>
> ...and an attacker makes a request to:
>
> ```
> GET /../../etc/passwd
> ```
>
> ...then they are able to download the contents of that file.

##### Chores

- Attach GitHub Actions: [`ea15d6a`](https://togithub.com/lukeed/sirv/commit/ea15d6a)
- Update test runner: [`2b965cd`](https://togithub.com/lukeed/sirv/commit/2b965cd)
- Update `lerna` version: [`0b6de8d`](https://togithub.com/lukeed/sirv/commit/0b6de8d)

### [`v0.4.2`](https://togithub.com/lukeed/sirv/releases/tag/v0.4.2)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.4.1...v0.4.2)

#### Patches

- Immediately fix regression for `--single` flag in "dev" mode: [`c73fd13`](https://togithub.com/lukeed/sirv/commit/c73fd13)

### [`v0.4.1`](https://togithub.com/lukeed/sirv/releases/tag/v0.4.1)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.4.0...v0.4.1)

#### Patches

- (`sirv`): Handle files without an extension correctly ([#26](https://togithub.com/lukeed/sirv/issues/26)): [`b2e1baf`](https://togithub.com/lukeed/sirv/commit/b2e1baf)
  *Wrongly assumed all extensionless files were pathnames meant to be expanded.*
- (`sirv`): Call `return` from `for-loop` directly: [`c39f0e4`](https://togithub.com/lukeed/sirv/commit/c39f0e4)

### [`v0.4.0`](https://togithub.com/lukeed/sirv/releases/tag/v0.4.0)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.3.1...v0.4.0)

#### Breaking

- (`sirv`) Change `opts.onNoMatch` from `(res)` to `(req, res)`: [`abe9d69`](https://togithub.com/lukeed/sirv/commit/abe9d69)
  *Allowing the callback to consume the original request & response is more expected and flexible.*

#### Patches

- Fix(`sirv-cli`) Maintain `Range`/partial requests during `--dev` mode: [`abe9d69`](https://togithub.com/lukeed/sirv/commit/abe9d69)
  *By sending an empty object, the original request's headers were all lost.*

### [`v0.3.1`](https://togithub.com/lukeed/sirv/releases/tag/v0.3.1)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.3.0...v0.3.1)

#### Patches

- Run custom `opts.setHeaders` function in `dev` mode: ([#22](https://togithub.com/lukeed/sirv/issues/22)): [`e4b7cc3`](https://togithub.com/lukeed/sirv/commit/e4b7cc3)

### [`v0.3.0`](https://togithub.com/lukeed/sirv/releases/tag/v0.3.0)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.2.5...v0.3.0)

#### Features

- (`sirv`) Respond to [`Range`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Range) headers/partial requests correctly! ([#19](https://togithub.com/lukeed/sirv/issues/19)): [`135db55`](https://togithub.com/lukeed/sirv/commit/135db55)
  Now, larger files (video, PDF, etc) will be served correctly. Previously, `sirv` would ignore the ranged requests and pipe down the entire file at once.

#### Patches

- (`sirv`) Running `dev` mode will also send `Last-Modified` and `Content-Length` headers: [`135db55`](https://togithub.com/lukeed/sirv/commit/135db55)

### [`v0.2.5`](https://togithub.com/lukeed/sirv/releases/tag/v0.2.5)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.2.4...v0.2.5)

#### Patches

- Replace `tiny-glob` with manual directory traversal: [`38ba617`](https://togithub.com/lukeed/sirv/commit/38ba617)
  While `tiny-glob` is very much a great *globbing* library, `sirv` really had no need for a globbing library because it asks for **all files** within the directory. This makes declaring & responding to filter patterns pointless.

### [`v0.2.4`](https://togithub.com/lukeed/sirv/releases/tag/v0.2.4)

[Compare Source](https://togithub.com/lukeed/sirv/compare/v0.2.2...v0.2.4)

#### Patches

- (`sirv`) Decode incoming URL pathnames ([#20](https://togithub.com/lukeed/sirv/issues/20), [#21](https://togithub.com/lukeed/sirv/issues/21)): [`54dde5f`](https://togithub.com/lukeed/sirv/commit/54dde5f)
  *Thanks [@Seb35](https://togithub.com/Seb35)!*
- (`sirv`) Allow `maxAge` option to have `0` value: [`9a392f1`](https://togithub.com/lukeed/sirv/commit/9a392f1)
- (`sirv`) Capitalize all outgoing header names: [`633644f`](https://togithub.com/lukeed/sirv/commit/633644f)
Configuration
📅 Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
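
The root-containment check that the v0.4.6 notice calls for, as an added example that is not sirv's code or the actual patch in `1e0bac5`: it decodes the pathname first (as sirv has done since v0.2.4), resolves it against the served directory, and refuses anything that lands outside it. The helper names `naiveResolve` and `safeResolve` and the sample request paths are constructed for illustration.

```javascript
const path = require('path');

// Hypothetical helper: maps a request path onto the root with no containment
// check, which is the behaviour the release note describes.
function naiveResolve(root, reqPath) {
  return path.posix.join(root, decodeURIComponent(reqPath));
}

// Hypothetical helper: returns the file path to serve, or null to refuse.
function safeResolve(root, reqPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(reqPath); // check the decoded form, not the raw URL
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a file path
  const base = path.posix.resolve(root);
  // Prefixing "./" keeps the request relative, so a leading "/" cannot reset the base.
  const target = path.posix.resolve(base, './' + decoded);
  // Compare against base + "/" so a sibling such as /foo/bar-private does not match.
  const prefix = base.endsWith('/') ? base : base + '/';
  if (target !== base && !target.startsWith(prefix)) return null;
  return target;
}

// Constructed sample requests against the root used in the release note.
const ROOT = '/foo/bar';
const SAMPLES = [
  '/index.html',
  '/../../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/../bar-private/key',
  '/%E0%A4%A',
];

function report() {
  return SAMPLES.map((p) => [p, safeResolve(ROOT, p)]);
}

for (const [p, out] of report()) {
  console.log(p.padEnd(28), '->', out === null ? 'REFUSED' : out);
}
```

The check is purely lexical: a symlink inside the served directory that points elsewhere still needs `fs.realpath` on the result before the same prefix comparison.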