chore(release): 3.13.1

3.x update dependencies

.circleci/config.yml

@@ -3,9 +3,9 @@ version: 2
 aliases:
   - &defaults
     working_directory: ~/verdaccio
-  - &node6_executor
+  - &node12_executor
     docker:
-      - image: circleci/node:6
+      - image: circleci/node:12
   - &node8_executor
     docker:
       - image: circleci/node:8
@@ -91,9 +91,9 @@ jobs:
           paths:
             - ./*
 
-  test_node6:
+  test_node12:
     <<: *defaults
-    <<: *node6_executor
+    <<: *node12_executor
     steps:
       - *restore_repo
       - run:
@@ -193,7 +193,7 @@ workflows:
     jobs:
       - prepare:
           <<: *ignore_non_dev_branches
-      - test_node6:
+      - test_node12:
           requires:
             - prepare
           <<: *ignore_non_dev_branches
@@ -219,7 +219,7 @@ workflows:
           <<: *ignore_non_dev_branches
       - coverage:
           requires:
-            - test_node6
+            - test_node12
             - test_node8
             - test_node9
             - test_node10

CHANGELOG.md

@@ -2,6 +2,79 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+<a name="3.13.1"></a>
+## [3.13.1](https://github.com/verdaccio/verdaccio/compare/v3.13.0...v3.13.1) (2019-09-30)
+
+
+### Bug Fixes
+
+* rollback verdaccio-audit@1.2.0 ([1ff2225](https://github.com/verdaccio/verdaccio/commit/1ff2225))
+
+
+
+<a name="3.13.0"></a>
+# [3.13.0](https://github.com/verdaccio/verdaccio/compare/v3.12.3...v3.13.0) (2019-09-29)
+
+
+### Features
+
+* bump Node.js v10.16.3 ([6ddf71d](https://github.com/verdaccio/verdaccio/commit/6ddf71d))
+* update core dependencies ([17271ed](https://github.com/verdaccio/verdaccio/commit/17271ed))
+
+
+
+<a name="3.12.3"></a>
+## [3.12.3](https://github.com/verdaccio/verdaccio/compare/v3.12.2...v3.12.3) (2019-08-01)
+
+
+### Bug Fixes
+
+* backport [#1409](https://github.com/verdaccio/verdaccio/issues/1409) to v3.x ([ae5beed](https://github.com/verdaccio/verdaccio/commit/ae5beed))
+* **security:** update dependencies ([bfc4c2c](https://github.com/verdaccio/verdaccio/commit/bfc4c2c))
+
+
+
+<a name="3.12.2"></a>
+## [3.12.2](https://github.com/verdaccio/verdaccio/compare/v3.12.1...v3.12.2) (2019-06-23)
+
+
+### Bug Fixes
+
+* restore express version ([f3e1a50](https://github.com/verdaccio/verdaccio/commit/f3e1a50))
+
+
+
+<a name="3.12.1"></a>
+## [3.12.1](https://github.com/verdaccio/verdaccio/compare/v3.12.0...v3.12.1) (2019-06-22)
+
+
+### Bug Fixes
+
+* update dependencies ([e7178a5](https://github.com/verdaccio/verdaccio/commit/e7178a5))
+
+
+
+<a name="3.12.0"></a>
+# [3.12.0](https://github.com/verdaccio/verdaccio/compare/v3.11.7...v3.12.0) (2019-05-17)
+
+
+### Features
+
+* update readme v3 ([#1311](https://github.com/verdaccio/verdaccio/issues/1311)) ([5abf71c](https://github.com/verdaccio/verdaccio/commit/5abf71c))
+
+
+
+<a name="3.11.7"></a>
+## [3.11.7](https://github.com/verdaccio/verdaccio/compare/v3.11.6...v3.11.7) (2019-05-09)
+
+
+### Bug Fixes
+
+* update dependencies security corcern ([398b839](https://github.com/verdaccio/verdaccio/commit/398b839))
+* update to latest node.js docker image ([cd9f2d5](https://github.com/verdaccio/verdaccio/commit/cd9f2d5))
+
+
+
 <a name="3.11.6"></a>
 ## [3.11.6](https://github.com/verdaccio/verdaccio/compare/v3.11.5...v3.11.6) (2019-02-25)
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:10.14.1-alpine
+FROM node:10.16.3-alpine
 LABEL maintainer="https://github.com/verdaccio/verdaccio"
 
 RUN apk --no-cache add wget openssl && \
@@ -17,9 +17,10 @@ WORKDIR $APPDIR
 
 ADD . $APPDIR
 
-ENV NODE_ENV=production
+ENV NODE_ENV=production \
+    VERDACCIO_BUILD_REGISTRY=https://registry.verdaccio.org
 
-RUN npm config set registry http://registry.npmjs.org/ && \
+RUN npm config set registry $VERDACCIO_BUILD_REGISTRY && \
     yarn global add -s flow-bin@0.69.0 && \
     yarn install --production=false && \
     yarn lint && \

package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio",
-  "version": "3.11.6",
+  "version": "3.13.1",
   "description": "Private npm repository server",
   "author": {
     "name": "Alex Kocharin",
@@ -16,42 +16,43 @@
   },
   "dependencies": {
     "@verdaccio/local-storage": "1.1.7",
-    "@verdaccio/streams": "1.0.0",
+    "@verdaccio/readme": "8.1.1",
+    "@verdaccio/streams": "8.1.1",
     "JSONStream": "1.3.5",
-    "async": "3.0.1-0",
-    "body-parser": "1.18.3",
+    "async": "3.1.0",
+    "body-parser": "1.19.0",
     "bunyan": "1.8.12",
     "chalk": "2.4.2",
-    "commander": "2.19.0",
-    "compression": "1.7.3",
+    "commander": "3.0.2",
+    "compression": "1.7.4",
     "cookies": "0.7.3",
     "cors": "2.8.5",
-    "date-fns": "1.29.0",
-    "express": "4.16.4",
-    "global": "4.3.2",
-    "handlebars": "4.1.0",
-    "http-errors": "1.7.1",
+    "date-fns": "1.30.1",
+    "express": "4.17.1",
+    "global": "4.4.0",
+    "handlebars": "4.4.0",
+    "http-errors": "1.7.3",
     "js-base64": "2.5.1",
     "js-string-escape": "1.0.1",
-    "js-yaml": "3.12.1",
-    "jsonwebtoken": "8.4.0",
+    "js-yaml": "3.13.1",
+    "jsonwebtoken": "8.5.1",
     "lockfile": "1.0.4",
-    "lodash": "4.17.11",
+    "lodash": "4.17.15",
     "lunr": "0.7.0",
-    "marked": "0.6.1",
-    "mime": "2.4.0",
+    "marked": "0.7.0",
+    "mime": "2.4.4",
     "minimatch": "3.0.4",
     "mkdirp": "0.5.1",
     "mv": "2.1.1",
     "pkginfo": "0.4.1",
-    "request": "2.88.0",
-    "semver": "5.6.0",
-    "verdaccio-audit": "1.1.0",
+    "request": "2.87.0",
+    "semver": "6.3.0",
+    "verdaccio-audit": "1.2.0",
     "verdaccio-htpasswd": "0.2.3"
   },
   "devDependencies": {
-    "@commitlint/cli": "7.0.0",
-    "@commitlint/config-conventional": "7.0.1",
+    "@commitlint/cli": "8.2.0",
+    "@commitlint/config-conventional": "8.2.0",
     "@verdaccio/types": "3.4.4",
     "babel-cli": "6.26.0",
     "babel-core": "6.26.3",
@@ -130,6 +131,7 @@
     "stylelint-webpack-plugin": "0.10.5",
     "supertest": "3.1.0",
     "url-loader": "0.6.2",
+    "validator": "10.11.0",
     "verdaccio-auth-memory": "0.0.4",
     "verdaccio-memory": "1.0.3",
     "webpack": "4.16.3",
@@ -137,7 +139,8 @@
     "webpack-cli": "3.1.0",
     "webpack-dev-server": "3.1.11",
     "webpack-merge": "4.1.3",
-    "whatwg-fetch": "2.0.4"
+    "whatwg-fetch": "2.0.4",
+    "xss": "1.0.6"
   },
   "keywords": [
     "private",
@@ -189,7 +192,7 @@
   "bundlesize": [
     {
       "path": "./static/vendor*.js",
-      "maxSize": "200 kB"
+      "maxSize": "220 kB"
     },
     {
       "path": "./static/[0-9].*.js",

scripts/publish.sh

@@ -7,4 +7,4 @@ lastTag=$(git describe --tags $(git rev-list --tags --max-count=1))
 echo "Bumping version to new tag: ${lastTag}"
 
 # Publish to NPM
-npm publish --registry https://registry.npmjs.org/
+npm publish --registry https://registry.npmjs.org/ --tag previous

src/api/endpoint/api/publish.js

@@ -82,6 +82,7 @@ export default function(router: Router, auth: IAuth, storage: IStorageHandler, c
         }
 
         const versionToPublish = Object.keys(metadata.versions)[0];
+
         metadata.versions[versionToPublish].readme = _.isNil(metadata.readme) === false ? String(metadata.readme) : '';
         create_version(versionToPublish, metadata.versions[versionToPublish], function(err) {
           if (err) {

src/api/middleware.js

@@ -26,6 +26,9 @@ export function match(regexp: RegExp) {
 export function securityIframe(req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
   // disable loading in frames (clickjacking, etc.)
   res.header('X-Frame-Options', 'deny');
+  // avoid stablish connections outside of domain
+  res.header('Content-Security-Policy', 'connect-src \'self\'');
+  res.header('X-XSS-Protection', '1; mode=block');
   next();
 }
 

src/api/web/endpoint/package.js

@@ -72,7 +72,9 @@ function addPackageWebApi(route: Router, storage: IStorageHandler, auth: IAuth)
         }
 
         res.set('Content-Type', 'text/plain');
-        next(parseReadme(info.name, info.readme));
+        const readme = parseReadme(info.name, info.readme);
+
+        next(readme);
       },
     });
   });

src/lib/utils.js

@@ -6,7 +6,8 @@ import semver from 'semver';
 import YAML from 'js-yaml';
 import URL from 'url';
 import createError from 'http-errors';
-import marked from 'marked';
+// $FlowFixMe
+import sanitizyReadme from '@verdaccio/readme';
 
 import {
   HTTP_STATUS,
@@ -68,11 +69,20 @@ function validateName(name: string): boolean {
   }
   name = name.toLowerCase();
 
-  // all URL-safe characters and "@" for issue #75
+  /**
+   * Some context about the first regex
+   * - npm used to have a different tarball naming system.
+   * eg: http://registry.npmjs.com/thirty-two
+   * https://registry.npmjs.org/thirty-two/-/thirty-two@0.0.1.tgz
+   * The file name thirty-two@0.0.1.tgz, the version and the pkg name was separated by an at (@)
+   * while nowadays the naming system is based in dashes
+   * https://registry.npmjs.org/verdaccio/-/verdaccio-1.4.0.tgz
+   *
+   * more info here: https://github.com/rlidwka/sinopia/issues/75
+   */
   return !(
     !name.match(/^[-a-zA-Z0-9_.!~*'()@]+$/) ||
     name.charAt(0) === '.' || // ".bin", etc.
-    name.charAt(0) === '-' || // "-" is reserved by couchdb
     name === 'node_modules' ||
     name === '__proto__' ||
     name === 'favicon.ico'
@@ -533,14 +543,14 @@ function addGravatarSupport(pkgInfo: Object): Object {
  * @return {String} converted html template
  */
 function parseReadme(packageName: string, readme: string): string {
-  if (readme) {
-    return marked(readme);
+  if (_.isEmpty(readme) === false) {
+    return sanitizyReadme(readme);
   }
 
   // logs readme not found error
   Logger.logger.error({packageName}, '@{packageName}: No readme found');
 
-  return marked('ERROR: No README data found!');
+  return sanitizyReadme('ERROR: No README data found!');
 }
 
 export function buildToken(type: string, token: string) {

src/webui/components/PackageSidebar/modules/Infos/index.jsx

@@ -2,6 +2,7 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import Module from '../../Module';
 import ModuleContentPlaceholder from '../../ModuleContentPlaceholder';
+import {isURL} from '../../../../utils/url';
 
 import classes from './style.scss';
 
@@ -18,8 +19,8 @@ const Infos = ({homepage, repository, license}) => {
   const showInfo = homepage || repository || license;
   return <Module title="Infos" className={classes.infosModule}>
       {showInfo ? <ul>
-          {homepage && renderSection('Homepage', homepage)}
-          {repository && renderSection('Repository', repository)}
+          {isURL(homepage) && renderSection('Homepage', homepage)}
+          {isURL(repository) && renderSection('Repository', repository)}
           {license && <li>
               <span>License</span>
               <span>{license}</span>

src/webui/components/Readme/index.js

@@ -1,11 +1,14 @@
 
 import React from 'react';
 import PropTypes from 'prop-types';
+import {preventXSS} from '../../utils/url';
 
 import 'github-markdown-css';
 
 const Readme = (props) => {
-  return <div className="markdown-body" dangerouslySetInnerHTML={{__html: props.readMe}}/>;
+  const encodedReadme = preventXSS(props.readMe);
+
+  return <div className="markdown-body" dangerouslySetInnerHTML={{__html: encodedReadme}}/>;
 };
 
 Readme.propTypes = {

src/webui/utils/url.js

@@ -1,8 +1,18 @@
+import validator from 'validator';
+import parseXSS from 'xss';
+
 export function getRegistryURL() {
   // Don't add slash if it's not a sub directory
   return `${location.origin}${location.pathname === '/' ? '' : location.pathname}`;
 }
 
+export function isURL(url) {
+  return validator.isURL(url || '', {
+    protocols: ['http', 'https', 'git+https'],
+    require_protocol: true
+  });
+}
+
 /**
  * Get specified package detail page url
  * @param {string} packageName
@@ -10,3 +20,9 @@ export function getRegistryURL() {
 export function getDetailPageURL(packageName) {
   return `${getRegistryURL()}/#/detail/${packageName}`;
 }
+
+export function preventXSS(text) {
+  const encodedText = parseXSS(text);
+
+  return encodedText;
+}

test/functional/readme/readme.js

@@ -20,7 +20,7 @@ export default function (server, server2) {
         return serverRef.request({
           uri: `/-/verdaccio/package/readme/${pkgName}`
         }).status(HTTP_STATUS.OK).then(function(body) {
-          expect(body).toEqual(`<p>${readmeMessage}</p>\n`);
+          expect(body).toEqual(`<p>${readmeMessage}</p>`);
         });
       };
 

test/unit/api/__snapshots__/utils.spec.js.snap

@@ -37,6 +37,5 @@ exports[`Utilities parseReadme should parse makrdown text to html template 1`] =
 <li>Hat tip to anyone whose code was used</li>
 <li>Inspiration</li>
 <li>etc</li>
-</ul>
-"
+</ul>"
 `;

test/unit/api/api.spec.js

@@ -608,7 +608,7 @@ describe('endpoint unit test', () => {
           .expect(HTTP_STATUS.OK)
           .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.TEXT_CHARSET)
           .end(function(err, res) {
-            expect(res.text).toMatch('<h1 id="test">test</h1>\n');
+            expect(res.text).toMatch('<h1 id="test">test</h1>');
             done();
           });
       });

test/unit/api/utils.spec.js

@@ -52,6 +52,7 @@ describe('Utilities', () => {
       assert(validate('verdaccio'));
       assert(validate('some.weird.package-zzz'));
       assert(validate('old-package@0.1.2.tgz'));
+      assert(validate('-build-infra'));
     });
 
     test('uppercase', () => {
@@ -130,9 +131,7 @@ describe('Utilities', () => {
   describe('parseReadme', () => {
     test('should parse makrdown text to html template', () => {
       const markdown = '# markdown';
-      expect(parseReadme('testPackage', markdown)).toEqual(
-        '<h1 id="markdown">markdown</h1>\n'
-      );
+      expect(parseReadme('testPackage', markdown)).toEqual('<h1 id="markdown">markdown</h1>');
       expect(
         parseReadme('testPackage', String(readmeFile('markdown.md')))
       ).toMatchSnapshot();
@@ -144,22 +143,19 @@ describe('Utilities', () => {
       const randomTextMarkdown = 'simple text \n # markdown';
 
       expect(parseReadme('testPackage', randomText)).toEqual(
-        '<p>%%%%%**##==</p>\n'
+        '<p>%%%%%**##==</p>'
       );
       expect(parseReadme('testPackage', simpleText)).toEqual(
-        '<p>simple text</p>\n'
-      );
-      expect(parseReadme('testPackage', randomTextMarkdown)).toEqual(
-        '<p>simple text </p>\n<h1 id="markdown">markdown</h1>\n'
+        '<p>simple text</p>'
       );
+      expect(parseReadme('testPackage', randomTextMarkdown)).toEqual('<p>simple text </p>\n<h1 id="markdown">markdown</h1>');
     });
 
     test('should show error for no readme data', () => {
       const noData = '';
       const spy = jest.spyOn(Logger.logger, 'error');
       expect(parseReadme('testPackage', noData)).toEqual(
-        '<p>ERROR: No README data found!</p>\n'
-      );
+        '<p>ERROR: No README data found!</p>');
       expect(spy).toHaveBeenCalledWith(
         { packageName: 'testPackage' },
         '@{packageName}: No readme found'