mirror of https://github.com/Unleash/unleash.git synced 2025-01-11 00:08:30 +01:00
Gastón Fournier 7952d7e240
chore: upgrade deps (#7245)
Bump express to 4.19.2 (same as in enterprise repo).

This solves a security report:

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta
versions before 5.0.0-beta.3 are affected by an open redirect
vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL,
Express encodes the contents [using
encodeurl](https://github.com/pillarjs/encodeurl) before
passing them to the location header. This can cause malformed URLs to be
evaluated in unexpected ways by common redirect allow list
implementations in Express applications, leading to an Open Redirect via
bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from
within res.redirect().



An initial fix went out with express@4.19.0, we then patched a feature
regression in 4.19.1 and added improved handling for the bypass in
2024-06-03 12:58:20 +02:00


"name": "unleash-server",
"description": "Unleash is an enterprise ready feature toggles service. It provides different strategies for handling feature toggles.",
"version": "5.12.4+main",
"keywords": [
"feature toggle",
"feature flag",
"files": [
"repository": {
"type": "git",
"url": "ssh://git@github.com:unleash/unleash.git"
"bugs": {
"url": "https://github.com/unleash/unleash/issues"
"types": "./dist/lib/server-impl.d.ts",
"engines": {
"node": ">=18 <21"
"license": "Apache-2.0",
"main": "./dist/lib/server-impl.js",
"scripts": {
"start": "TZ=UTC node ./dist/server.js",
"copy-templates": "copyfiles -u 1 src/mailtemplates/**/*.mustache dist/",
"build:backend": "tsc --pretty --strictNullChecks false",
"build:frontend": "yarn --cwd ./frontend run build",
"build:frontend:if-needed": "if [ ! -d ./frontend/build ]; then yarn install --cwd ./frontend --frozen-lockfile --ignore-scripts && yarn build:frontend; fi",
"build": "concurrently \"yarn:copy-templates\" \"yarn:build:frontend\" \"yarn:build:backend\"",
"dev:backend": "TZ=UTC NODE_ENV=development tsc-watch --strictNullChecks false --onSuccess \"node dist/server-dev.js\"",
"dev:frontend": "wait-on tcp:4242 && yarn --cwd ./frontend run dev",
"dev": "concurrently \"yarn:dev:backend\" \"yarn:dev:frontend\"",
"prepare:backend": "concurrently \"yarn:copy-templates\" \"yarn:build:backend\"",
"prestart:dev": "yarn run clean",
"start:dev": "TZ=UTC NODE_ENV=development tsc-watch --strictNullChecks false --onSuccess \"node dist/server-dev.js\"",
"db-migrate": "db-migrate --migrations-dir ./src/migrations",
"lint": "biome check .",
"lint:fix": "biome check . --apply",
"local:package": "del-cli --force build && mkdir build && cp -r dist docs CHANGELOG.md LICENSE README.md package.json build",
"prebuild:watch": "yarn run clean",
"build:watch": "tsc -w --strictNullChecks false",
"prebuild": "yarn run clean",
"prepare": "husky && yarn --cwd ./frontend install && if [ ! -d ./dist ]; then yarn build; fi",
"test": "NODE_ENV=test PORT=4243 node --trace-warnings node_modules/.bin/jest",
"test:unit": "NODE_ENV=test PORT=4243 jest --testPathIgnorePatterns=src/test/e2e --testPathIgnorePatterns=dist",
"test:docker": "./scripts/docker-postgres.sh",
"test:report": "NODE_ENV=test PORT=4243 jest --reporters=\"default\" --reporters=\"jest-junit\"",
"test:docker:cleanup": "docker rm -f unleash-postgres",
"test:watch": "yarn test --watch",
"test:coverage": "NODE_ENV=test PORT=4243 jest --coverage --testLocationInResults --outputFile=\"coverage/report.json\" --forceExit --testTimeout=10000",
"test:coverage:jest": "NODE_ENV=test PORT=4243 jest --silent --ci --json --coverage --testLocationInResults --outputFile=\"report.json\" --forceExit --testTimeout=10000",
"seed:setup": "ts-node --compilerOptions '{\"strictNullChecks\": false}' src/test/e2e/seed/segment.seed.ts",
"seed:serve": "UNLEASH_DATABASE_NAME=unleash_test UNLEASH_DATABASE_SCHEMA=seed yarn run start:dev",
"clean": "del-cli --force dist",
"preversion": "./scripts/check-release.sh",
"heroku-postbuild": "cd frontend && yarn && yarn build"
"jest-junit": {
"suiteName": "Unleash Unit Tests",
"outputDirectory": "./reports",
"outputName": "jest-junit.xml",
"uniqueOutputName": "false",
"classNameTemplate": "{classname}-{title}",
"titleTemplate": "{classname}-{title}",
"ancestorSeparator": " ",
"usePathForSuiteName": "true"
"jest": {
"automock": false,
"maxWorkers": 4,
"testTimeout": 10000,
"globalSetup": "./scripts/jest-setup.js",
"transform": {
"^.+\\.tsx?$": ["@swc/jest"]
"testRegex": "(/__tests__/.*|(\\.|/)(test|spec))\\.(jsx?|tsx?)$",
"testPathIgnorePatterns": [
"moduleFileExtensions": ["ts", "tsx", "js", "jsx", "json"],
"coveragePathIgnorePatterns": [
"dependencies": {
"@slack/web-api": "^6.10.0",
"@wesleytodd/openapi": "^0.3.0",
"ajv": "^8.12.0",
"ajv-formats": "^2.1.1",
"async": "^3.2.4",
"bcryptjs": "^2.4.3",
"compression": "^1.7.4",
"connect-session-knex": "^3.0.0",
"cookie-parser": "^1.4.6",
"cookie-session": "^2.0.0-rc.1",
"cors": "^2.8.5",
"date-fns": "^2.25.0",
"db-migrate": "0.11.14",
"db-migrate-pg": "1.5.2",
"db-migrate-shared": "1.2.0",
"deep-object-diff": "^1.1.9",
"deepmerge": "^4.3.1",
"errorhandler": "^1.5.1",
"express": "4.19.2",
"express-rate-limit": "^7.1.2",
"express-session": "^1.17.3",
"fast-json-patch": "^3.1.0",
"hash-sum": "^2.0.0",
"helmet": "^6.0.0",
"http-errors": "^2.0.0",
"ip": "^2.0.1",
"joi": "^17.3.0",
"js-sha256": "^0.11.0",
"js-yaml": "^4.1.0",
"json-diff": "^1.0.6",
"json-schema-to-ts": "2.12.0",
"json2csv": "^5.0.7",
"knex": "^2.5.1",
"lodash.get": "^4.4.2",
"lodash.groupby": "^4.6.0",
"lodash.sortby": "^4.7.0",
"log4js": "^6.0.0",
"make-fetch-happen": "^13.0.0",
"memoizee": "^0.4.15",
"mime": "^3.0.0",
"multer": "^1.4.5-lts.1",
"murmurhash3js": "^3.0.1",
"mustache": "^4.1.0",
"nodemailer": "^6.9.9",
"openapi-types": "^12.0.0",
"owasp-password-strength-test": "^1.3.0",
"parse-database-url": "^0.3.0",
"pg": "^8.7.3",
"pg-connection-string": "^2.5.0",
"pkginfo": "^0.4.1",
"prom-client": "^14.0.0",
"response-time": "^2.3.2",
"sanitize-filename": "^1.6.3",
"semver": "^7.5.4",
"serve-favicon": "^2.5.0",
"slug": "^9.0.0",
"stoppable": "^1.1.0",
"ts-toolbelt": "^9.6.0",
"type-is": "^1.6.18",
"unleash-client": "5.5.3",
"uuid": "^9.0.0"
"devDependencies": {
"@apidevtools/swagger-parser": "10.1.0",
"@babel/core": "7.24.6",
"@biomejs/biome": "1.6.4",
"@swc/core": "1.5.7",
"@swc/jest": "0.2.36",
"@types/bcryptjs": "2.4.6",
"@types/cors": "2.8.17",
"@types/express": "4.17.21",
"@types/express-session": "1.18.0",
"@types/faker": "5.5.9",
"@types/hash-sum": "^1.0.0",
"@types/jest": "29.5.12",
"@types/js-yaml": "4.0.9",
"@types/lodash.groupby": "4.6.9",
"@types/make-fetch-happen": "10.0.4",
"@types/memoizee": "0.4.11",
"@types/mime": "3.0.4",
"@types/node": "20.12.13",
"@types/nodemailer": "6.4.15",
"@types/owasp-password-strength-test": "1.3.2",
"@types/pg": "8.11.6",
"@types/semver": "7.5.8",
"@types/slug": "^5.0.8",
"@types/stoppable": "1.1.3",
"@types/supertest": "6.0.2",
"@types/type-is": "1.6.6",
"@types/uuid": "9.0.8",
"concurrently": "^8.0.1",
"copyfiles": "2.4.1",
"coveralls": "3.1.1",
"del-cli": "5.1.0",
"faker": "5.5.3",
"fast-check": "3.17.1",
"fetch-mock": "9.11.0",
"husky": "^9.0.11",
"jest": "29.7.0",
"jest-junit": "^16.0.0",
"lint-staged": "15.2.5",
"nock": "13.5.4",
"openapi-enforcer": "1.23.0",
"proxyquire": "2.1.3",
"source-map-support": "0.5.21",
"superagent": "9.0.2",
"supertest": "7.0.0",
"ts-node": "10.9.2",
"tsc-watch": "6.2.0",
"typescript": "5.4.2",
"wait-on": "^7.2.0"
"resolutions": {
"async": "^3.2.4",
"db-migrate/rc/minimist": "^1.2.5",
"es5-ext": "0.10.64",
"knex/liftoff/object.map/**/kind-of": "^6.0.3",
"knex/liftoff/findup-sync/micromatc/kind-of": "^6.0.3",
"knex/liftoff/findup-sync/micromatc/nanomatch/kind-of": "^6.0.3",
"knex/liftoff/findup-sync/micromatch/define-property/**/kind-of": "^6.0.3",
"node-forge": "^1.0.0",
"set-value": "^4.0.1",
"ansi-regex": "^5.0.1",
"ssh2": "^1.4.0",
"json-schema": "^0.4.0",
"ip": "^2.0.1",
"minimatch": "^5.0.0",
"semver": "^7.5.3",
"tough-cookie": "4.1.4"
"lint-staged": {
"*.{js,ts}": ["biome check --apply --no-errors-on-unmatched"],
"*.{jsx,tsx}": ["biome check --apply --no-errors-on-unmatched"],
"*.json": ["biome format --write --no-errors-on-unmatched"]