7952d7e240
Bump express to 4.19.2 (same as in enterprise repo). This resolves a security report:

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode [using encodeurl](https://github.com/pillarjs/encodeurl) on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location(), but this is also called from within res.redirect().

Patches: 0867302ddb, 0b746953c4

An initial fix went out with express@4.19.0; we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.
{
"name": "unleash-server",
"description": "Unleash is an enterprise ready feature toggles service. It provides different strategies for handling feature toggles.",
"version": "5.12.4+main",
"keywords": [
"unleash",
"feature toggle",
"feature",
"toggle",
"feature flag",
"flag"
],
"files": [
"dist",
"docs",
"frontend/build",
"frontend/build/*",
"frontend/index.js",
"frontend/package.json"
],
"repository": {
"type": "git",
"url": "ssh://git@github.com:unleash/unleash.git"
},
"bugs": {
"url": "https://github.com/unleash/unleash/issues"
},
"types": "./dist/lib/server-impl.d.ts",
"engines": {
"node": ">=18 <21"
},
"license": "Apache-2.0",
"main": "./dist/lib/server-impl.js",
"scripts": {
"start": "TZ=UTC node ./dist/server.js",
"copy-templates": "copyfiles -u 1 src/mailtemplates/**/*.mustache dist/",
"build:backend": "tsc --pretty --strictNullChecks false",
"build:frontend": "yarn --cwd ./frontend run build",
"build:frontend:if-needed": "if [ ! -d ./frontend/build ]; then yarn install --cwd ./frontend --frozen-lockfile --ignore-scripts && yarn build:frontend; fi",
"build": "concurrently \"yarn:copy-templates\" \"yarn:build:frontend\" \"yarn:build:backend\"",
"dev:backend": "TZ=UTC NODE_ENV=development tsc-watch --strictNullChecks false --onSuccess \"node dist/server-dev.js\"",
"dev:frontend": "wait-on tcp:4242 && yarn --cwd ./frontend run dev",
"dev": "concurrently \"yarn:dev:backend\" \"yarn:dev:frontend\"",
"prepare:backend": "concurrently \"yarn:copy-templates\" \"yarn:build:backend\"",
"prestart:dev": "yarn run clean",
"start:dev": "TZ=UTC NODE_ENV=development tsc-watch --strictNullChecks false --onSuccess \"node dist/server-dev.js\"",
"db-migrate": "db-migrate --migrations-dir ./src/migrations",
"lint": "biome check .",
"lint:fix": "biome check . --apply",
"local:package": "del-cli --force build && mkdir build && cp -r dist docs CHANGELOG.md LICENSE README.md package.json build",
"prebuild:watch": "yarn run clean",
"build:watch": "tsc -w --strictNullChecks false",
"prebuild": "yarn run clean",
"prepare": "husky && yarn --cwd ./frontend install && if [ ! -d ./dist ]; then yarn build; fi",
"test": "NODE_ENV=test PORT=4243 node --trace-warnings node_modules/.bin/jest",
"test:unit": "NODE_ENV=test PORT=4243 jest --testPathIgnorePatterns=src/test/e2e --testPathIgnorePatterns=dist",
"test:docker": "./scripts/docker-postgres.sh",
"test:report": "NODE_ENV=test PORT=4243 jest --reporters=\"default\" --reporters=\"jest-junit\"",
"test:docker:cleanup": "docker rm -f unleash-postgres",
"test:watch": "yarn test --watch",
"test:coverage": "NODE_ENV=test PORT=4243 jest --coverage --testLocationInResults --outputFile=\"coverage/report.json\" --forceExit --testTimeout=10000",
"test:coverage:jest": "NODE_ENV=test PORT=4243 jest --silent --ci --json --coverage --testLocationInResults --outputFile=\"report.json\" --forceExit --testTimeout=10000",
"seed:setup": "ts-node --compilerOptions '{\"strictNullChecks\": false}' src/test/e2e/seed/segment.seed.ts",
"seed:serve": "UNLEASH_DATABASE_NAME=unleash_test UNLEASH_DATABASE_SCHEMA=seed yarn run start:dev",
"clean": "del-cli --force dist",
"preversion": "./scripts/check-release.sh",
"heroku-postbuild": "cd frontend && yarn && yarn build"
},
"jest-junit": {
"suiteName": "Unleash Unit Tests",
"outputDirectory": "./reports",
"outputName": "jest-junit.xml",
"uniqueOutputName": "false",
"classNameTemplate": "{classname}-{title}",
"titleTemplate": "{classname}-{title}",
"ancestorSeparator": " › ",
"usePathForSuiteName": "true"
},
"jest": {
"automock": false,
"maxWorkers": 4,
"testTimeout": 10000,
"globalSetup": "./scripts/jest-setup.js",
"transform": {
"^.+\\.tsx?$": ["@swc/jest"]
},
"testRegex": "(/__tests__/.*|(\\.|/)(test|spec))\\.(jsx?|tsx?)$",
"testPathIgnorePatterns": [
"/dist/",
"/node_modules/",
"/frontend/",
"/website/"
],
"moduleFileExtensions": ["ts", "tsx", "js", "jsx", "json"],
"coveragePathIgnorePatterns": [
"/node_modules/",
"/dist/",
"/src/migrations",
"/src/test"
]
},
"dependencies": {
"@slack/web-api": "^6.10.0",
"@wesleytodd/openapi": "^0.3.0",
"ajv": "^8.12.0",
"ajv-formats": "^2.1.1",
"async": "^3.2.4",
"bcryptjs": "^2.4.3",
"compression": "^1.7.4",
"connect-session-knex": "^3.0.0",
"cookie-parser": "^1.4.6",
"cookie-session": "^2.0.0-rc.1",
"cors": "^2.8.5",
"date-fns": "^2.25.0",
"db-migrate": "0.11.14",
"db-migrate-pg": "1.5.2",
"db-migrate-shared": "1.2.0",
"deep-object-diff": "^1.1.9",
"deepmerge": "^4.3.1",
"errorhandler": "^1.5.1",
"express": "4.19.2",
"express-rate-limit": "^7.1.2",
"express-session": "^1.17.3",
"fast-json-patch": "^3.1.0",
"hash-sum": "^2.0.0",
"helmet": "^6.0.0",
"http-errors": "^2.0.0",
"ip": "^2.0.1",
"joi": "^17.3.0",
"js-sha256": "^0.11.0",
"js-yaml": "^4.1.0",
"json-diff": "^1.0.6",
"json-schema-to-ts": "2.12.0",
"json2csv": "^5.0.7",
"knex": "^2.5.1",
"lodash.get": "^4.4.2",
"lodash.groupby": "^4.6.0",
"lodash.sortby": "^4.7.0",
"log4js": "^6.0.0",
"make-fetch-happen": "^13.0.0",
"memoizee": "^0.4.15",
"mime": "^3.0.0",
"multer": "^1.4.5-lts.1",
"murmurhash3js": "^3.0.1",
"mustache": "^4.1.0",
"nodemailer": "^6.9.9",
"openapi-types": "^12.0.0",
"owasp-password-strength-test": "^1.3.0",
"parse-database-url": "^0.3.0",
"pg": "^8.7.3",
"pg-connection-string": "^2.5.0",
"pkginfo": "^0.4.1",
"prom-client": "^14.0.0",
"response-time": "^2.3.2",
"sanitize-filename": "^1.6.3",
"semver": "^7.5.4",
"serve-favicon": "^2.5.0",
"slug": "^9.0.0",
"stoppable": "^1.1.0",
"ts-toolbelt": "^9.6.0",
"type-is": "^1.6.18",
"unleash-client": "5.5.3",
"uuid": "^9.0.0"
},
"devDependencies": {
"@apidevtools/swagger-parser": "10.1.0",
"@babel/core": "7.24.6",
"@biomejs/biome": "1.6.4",
"@swc/core": "1.5.7",
"@swc/jest": "0.2.36",
"@types/bcryptjs": "2.4.6",
"@types/cors": "2.8.17",
"@types/express": "4.17.21",
"@types/express-session": "1.18.0",
"@types/faker": "5.5.9",
"@types/hash-sum": "^1.0.0",
"@types/jest": "29.5.12",
"@types/js-yaml": "4.0.9",
"@types/lodash.groupby": "4.6.9",
"@types/make-fetch-happen": "10.0.4",
"@types/memoizee": "0.4.11",
"@types/mime": "3.0.4",
"@types/node": "20.12.13",
"@types/nodemailer": "6.4.15",
"@types/owasp-password-strength-test": "1.3.2",
"@types/pg": "8.11.6",
"@types/semver": "7.5.8",
"@types/slug": "^5.0.8",
"@types/stoppable": "1.1.3",
"@types/supertest": "6.0.2",
"@types/type-is": "1.6.6",
"@types/uuid": "9.0.8",
"concurrently": "^8.0.1",
"copyfiles": "2.4.1",
"coveralls": "3.1.1",
"del-cli": "5.1.0",
"faker": "5.5.3",
"fast-check": "3.17.1",
"fetch-mock": "9.11.0",
"husky": "^9.0.11",
"jest": "29.7.0",
"jest-junit": "^16.0.0",
"lint-staged": "15.2.5",
"nock": "13.5.4",
"openapi-enforcer": "1.23.0",
"proxyquire": "2.1.3",
"source-map-support": "0.5.21",
"superagent": "9.0.2",
"supertest": "7.0.0",
"ts-node": "10.9.2",
"tsc-watch": "6.2.0",
"typescript": "5.4.2",
"wait-on": "^7.2.0"
},
"resolutions": {
"async": "^3.2.4",
"db-migrate/rc/minimist": "^1.2.5",
"es5-ext": "0.10.64",
"knex/liftoff/object.map/**/kind-of": "^6.0.3",
"knex/liftoff/findup-sync/micromatc/kind-of": "^6.0.3",
"knex/liftoff/findup-sync/micromatc/nanomatch/kind-of": "^6.0.3",
"knex/liftoff/findup-sync/micromatch/define-property/**/kind-of": "^6.0.3",
"node-forge": "^1.0.0",
"set-value": "^4.0.1",
"ansi-regex": "^5.0.1",
"ssh2": "^1.4.0",
"json-schema": "^0.4.0",
"ip": "^2.0.1",
"minimatch": "^5.0.0",
"semver": "^7.5.3",
"tough-cookie": "4.1.4"
},
"lint-staged": {
"*.{js,ts}": ["biome check --apply --no-errors-on-unmatched"],
"*.{jsx,tsx}": ["biome check --apply --no-errors-on-unmatched"],
"*.json": ["biome format --write --no-errors-on-unmatched"]
}
}