Publish New NPM version for Node-Static #231

Open
NicholasEllul opened this issue Aug 4, 2021 · 12 comments
@NicholasEllul

Hey 👋 I notice it's been a while since a new version of node-static has been pushed to NPM, and the version that currently exists there contains the package minimist which has a (github advisory) for it. This package was being used by a package in this project called optimist. In this pull request, @brettz9 removed optimist to resolve this vulnerability. As a result, publishing a new version of node-static will ensure that all users of this package will use a safe version by default.

cc @cloudhead

@brettz9 brettz9 added the chore label Jan 11, 2022
@ibesty

ibesty commented Jan 16, 2022

Can anyone publish the latest updates to npm? I see that the latest commit fixes some issues but doesn't publish to npm

@brettz9
Collaborator

brettz9 commented Jan 17, 2022

@cloudhead : I went ahead and replaced the history so as to avoid all the merges (though keeping a copy of the old branch with all of them), so I think it should be ready for your review before a release. (And if accepted, we can also close #232 )

@brettz9
Collaborator

brettz9 commented Feb 11, 2022

@cloudhead : Can we go ahead with this?

@brettz9
Collaborator

brettz9 commented Mar 9, 2022

@cloudhead : Do you want periodic checkbacks like this or do you have an ETA? The commit history should be all cleaned up.

@kenjura

kenjura commented Mar 31, 2022

Am I crazy, or did this replace the npm package with the wrong code?

  • using ubuntu 20.04.2 LTS (WSL)
  • npm i node-static
  • observe: package.json and package-lock.json shows 0.7.11
  • more node_modules/bin/node-static/lib/node-static.js
  • observe: line 11 reads var version = [0, 7, 9];
  • observe: missing features, "var"s everywhere, code completely does not match github


Maybe I'm losing it, but something is pretty bizarre here, and my only theory is a funky npm registry update.

edit: alternate path to reproduce:

  • npm i cloudhead/node-static installs the correct version

@brettz9
Collaborator

brettz9 commented Mar 31, 2022

If you look at https://www.npmjs.com/package/node-static , it was last published 4 years ago, and the latest version is 0.7.11.

If you use the "blame" feature for the file defining the version, you can see a commit from 12 months ago where it was changed from var to const (but still listing 0.7.9) at the time.

Thus, the version just hadn't been updated despite subsequent releases up to 0.7.11.

As to why there is a const, etc., there have been (many) changes on master since that time and we are awaiting a new publishing. The project owner still needs to give final approval on these changes, so these many changes have not been published to npm yet.

FWIW, some of the changes are available on my fork, @brettz9/node-static (using a different (smaller) versioning number as it is an independent project), but as the author of the regular node-static here eventually replied granting access to the project with openness to including my changes, I resumed work here.

@andreeatirgovatustockX

Hi. When will this upgrade be done? We get this issue from snyk:

Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JS-NODESTATIC-1297183] in [email protected]
    introduced by [email protected]
  No upgrade or patch available

Thank you.
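To make kenjura's manual check and the Snyk finding above repeatable, here is an added audit script (not part of this thread or of the node-static project) that walks a lockfile for node-static entries, flags any version at or below the last published release 0.7.11 as still affected by SNYK-JS-NODESTATIC-1297183 (the thread reports no published fix), and compares the declared version against the `version` array embedded in the shipped lib/node-static.js. The lockfile and library source below are constructed samples; `audit_node_static` and the other helper names are my own.

```python
import json
import re

# Last version published to npm at the time of the thread; the advisory
# quoted above lists no upgrade, so every published release is affected.
LAST_PUBLISHED = (0, 7, 11)
ADVISORY = "SNYK-JS-NODESTATIC-1297183"

# Constructed sample: a lockfileVersion 2 "packages" map with node-static 0.7.11.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"node-static": "^0.7.11"}},
        "node_modules/node-static": {"version": "0.7.11"},
        "node_modules/optimist": {"version": "0.6.1"},
    },
})

# Constructed sample of lib/node-static.js as described in the thread:
# the embedded version array lags behind the version in package.json.
SAMPLE_LIB = "var fs = require('fs');\nvar version = [0, 7, 9];\n"


def parse_version(text):
    """Turn '0.7.11' into (0, 7, 11) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def embedded_version(lib_source):
    """Recover the `version = [a, b, c]` constant (var or const) from the lib."""
    m = re.search(r"\bversion\s*=\s*\[\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\]", lib_source)
    return tuple(int(g) for g in m.groups()) if m else None


def audit_node_static(lock_text, lib_source):
    """For each installed node-static entry, report its declared version,
    whether it falls within the advisory range, and whether the shipped
    library's own version constant disagrees with package.json."""
    packages = json.loads(lock_text).get("packages", {})  # lockfile v2/v3 layout
    embedded = embedded_version(lib_source)
    findings = []
    for path, meta in packages.items():
        if path.split("node_modules/")[-1] != "node-static":
            continue
        declared = parse_version(meta["version"])
        findings.append({
            "path": path,
            "declared": declared,
            "embedded": embedded,
            "affected_by": ADVISORY if declared <= LAST_PUBLISHED else None,
            "version_mismatch": embedded is not None and embedded != declared,
        })
    return findings
```

A `version_mismatch` of True reproduces what kenjura observed: package.json says 0.7.11 while the installed lib/node-static.js still carries `[0, 7, 9]`.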

@cloudhead
Owner

Hey, sorry, am pretty overwhelmed with other stuff, @brettz9 -- can you point me again to the cleaned up history?

@brettz9
Collaborator

brettz9 commented Sep 15, 2022

Sure, @cloudhead ...Thankfully, we were able to get the history cleaned, so master is already a cleaned history.

If you want the diffs from what is apparently the final commit for the latest published version, 0.7.11 (there's no tag for it), see https://github.com/cloudhead/node-static/compare/e59fe21dffbee46678362d26d26fdfb241f49506..master , but there's a whole lot of noise if trying to look at it all at once.

@francoisihry

Hi,
We are concerned by the same issue as @andreeatirgovatustockX .
Is there a workaround we can apply to not be impacted by the SNYK-JS-NODESTATIC-1297183 security issue anymore?
(waiting until a new version is published)

@brettz9
Collaborator

brettz9 commented Sep 15, 2022

@francoisihry : As mentioned at https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183 , this was fixed in master of this project. Ideally, however, @cloudhead may be able to review the commits on master since the last release so a new npm release can be published.

@francoisihry

Thank you @brettz9, we look forward to a new version being released so that we can easily integrate the fix.
