nixpkgs/pkgs/servers/web-apps/hedgedoc/package.json
Maximilian Bosch 0a10c17c8d
hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175
ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0

As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.

Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:

> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.

Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
2021-09-19 00:18:18 +02:00

215 lines
6.5 KiB
JSON

{
"name": "HedgeDoc",
"version": "1.9.0",
"description": "The best platform to write and share markdown.",
"main": "app.js",
"license": "AGPL-3.0",
"scripts": {
"test": "npm run-script eslint && npm run-script jsonlint && npm run-script mocha-suite",
"eslint": "node_modules/.bin/eslint --max-warnings 0 lib public test app.js",
"jsonlint": "find . -not -path './node_modules/*' -type f -name '*.json' -o -type f -name '*.json.example' | while read json; do echo $json ; jq . $json; done",
"markdownlint": "remark .",
"mocha-suite": "NODE_ENV=test CMD_DB_URL=\"sqlite::memory:\" mocha --exit",
"standard": "echo 'standard is no longer being used, use `npm run eslint` instead!' && exit 1",
"dev": "webpack --config webpack.dev.js --progress --watch",
"heroku-prebuild": "bin/heroku",
"build": "webpack --config webpack.prod.js --progress",
"start": "node app.js"
},
"dependencies": {
"@passport-next/passport-openid": "^1.0.0",
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
"archiver": "^5.0.2",
"async": "^3.0.0",
"aws-sdk": "^2.987.0",
"azure-storage": "^2.7.0",
"base64url": "^3.0.0",
"body-parser": "^1.15.2",
"chance": "^1.0.4",
"cheerio": "^0.22.0",
"compression": "^1.6.2",
"connect-flash": "^0.1.1",
"connect-session-sequelize": "^7.1.2",
"cookie": "^0.4.0",
"cookie-parser": "^1.4.3",
"deep-freeze": "^0.0.1",
"diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git",
"ejs": "^3.0.0",
"express": ">=4.14",
"express-session": "^1.14.2",
"file-type": "^16.1.0",
"formidable": "^1.0.17",
"graceful-fs": "^4.1.11",
"helmet": "^4.5.0",
"i18n": "^0.13.0",
"is-svg": "^4.3.1",
"jsdom-nogyp": "^0.8.3",
"lodash": "^4.17.20",
"lutim": "^1.0.2",
"lz-string": "git+https://github.com/hackmdio/lz-string.git",
"mariadb": "^2.1.2",
"markdown-it": "^12.0.0",
"markdown-it-abbr": "^1.0.4",
"markdown-it-container": "^3.0.0",
"markdown-it-deflist": "^2.0.1",
"markdown-it-emoji": "^2.0.0",
"markdown-it-footnote": "^3.0.1",
"markdown-it-imsize": "^2.0.1",
"markdown-it-ins": "^3.0.0",
"markdown-it-mark": "^3.0.0",
"markdown-it-mathjax": "^2.0.0",
"markdown-it-regexp": "^0.4.0",
"markdown-it-sub": "^1.0.0",
"markdown-it-sup": "^1.0.0",
"mattermost": "^3.4.0",
"meta-marked": "git+https://github.com/hedgedoc/meta-marked",
"method-override": "^3.0.0",
"minimist": "^1.2.0",
"minio": "^7.0.19",
"moment": "^2.17.1",
"morgan": "^1.7.0",
"mysql2": "^2.0.0",
"node-fetch": "^2.6.1",
"passport": "^0.4.0",
"passport-dropbox-oauth2": "^1.1.0",
"passport-facebook": "^3.0.0",
"passport-github": "^1.1.0",
"passport-gitlab2": "^5.0.0",
"passport-google-oauth20": "^2.0.0",
"passport-ldapauth": "^3.0.0",
"passport-local": "^1.0.0",
"passport-oauth2": "^1.4.0",
"passport-saml": "^3.1.2",
"passport-twitter": "^1.0.4",
"passport.socketio": "^3.7.0",
"pdfobject": "^2.0.201604172",
"pg": "^8.2.1",
"pg-hstore": "^2.3.3",
"prom-client": "^13.1.0",
"prometheus-api-metrics": "^3.2.0",
"randomcolor": "^0.6.0",
"readline-sync": "^1.4.7",
"rimraf": "^3.0.2",
"scrypt-kdf": "^2.0.1",
"sequelize": "^5.21.1",
"shortid": "2.2.16",
"socket.io": "^2.1.1",
"sqlite3": "^5.0.0",
"store": "^2.0.12",
"string": "^3.3.3",
"toobusy-js": "^0.5.1",
"umzug": "^2.3.0",
"uuid": "^8.0.0",
"validator": "^13.0.0",
"winston": "^3.1.0",
"xss": "^1.0.3"
},
"resolutions": {
"**/tough-cookie": "~2.5.0",
"**/minimatch": "^3.0.2",
"**/request": "^2.88.0"
},
"engines": {
"node": ">=12"
},
"bugs": "https://github.com/hedgedoc/hedgedoc/issues",
"keywords": [
"Collaborative",
"Markdown",
"Notes"
],
"homepage": "https://hedgedoc.org",
"maintainers": [
{
"name": "Claudius Coenen",
"url": "https://www.claudiuscoenen.de/"
},
{
"name": "Christoph (Sheogorath) Kern",
"email": "codimd@sheogorath.shivering-isles.com",
"url": "https://shivering-isles.com"
},
{
"name": "David Mehren",
"email": "hedgedoc@herrmehren.de"
}
],
"repository": {
"type": "git",
"url": "https://github.com/hedgedoc/hedgedoc.git"
},
"devDependencies": {
"abcjs": "5.12.0",
"babel-cli": "6.26.0",
"babel-core": "6.26.3",
"babel-loader": "7.1.5",
"babel-plugin-transform-runtime": "6.23.0",
"babel-polyfill": "6.26.0",
"babel-preset-env": "1.7.0",
"babel-runtime": "6.26.0",
"bootstrap": "3.4.1",
"bootstrap-validator": "0.11.9",
"codemirror": "git+https://github.com/hedgedoc/CodeMirror.git",
"copy-webpack-plugin": "6.4.1",
"css-loader": "5.2.7",
"emojify.js": "1.1.0",
"esbuild-loader": "2.15.1",
"escape-html": "1.0.3",
"eslint": "7.32.0",
"eslint-config-standard": "16.0.3",
"eslint-plugin-import": "2.24.2",
"eslint-plugin-node": "11.1.0",
"eslint-plugin-promise": "5.1.0",
"eslint-plugin-standard": "4.1.0",
"exports-loader": "1.1.1",
"expose-loader": "1.0.3",
"file-loader": "6.2.0",
"file-saver": "2.0.5",
"flowchart.js": "1.15.0",
"fork-awesome": "1.2.0",
"gist-embed": "2.6.0",
"highlight.js": "10.7.3",
"html-webpack-plugin": "4.5.2",
"imports-loader": "1.2.0",
"ionicons": "2.0.1",
"jquery": "3.6.0",
"jquery-mousewheel": "3.1.13",
"jquery-ui": "1.12.1",
"js-cookie": "3.0.1",
"js-sequence-diagrams": "git+https://github.com/hedgedoc/js-sequence-diagrams.git",
"js-yaml": "3.14.1",
"jsonlint": "1.6.3",
"keymaster": "1.6.2",
"less": "4.1.1",
"less-loader": "7.3.0",
"list.js": "2.3.1",
"mathjax": "2.7.9",
"mermaid": "8.12.1",
"mini-css-extract-plugin": "1.6.2",
"mocha": "9.1.1",
"mock-require": "3.0.3",
"optimize-css-assets-webpack-plugin": "6.0.1",
"prismjs": "1.24.1",
"raphael": "2.3.0",
"remark-cli": "10.0.0",
"remark-preset-lint-markdown-style-guide": "5.0.1",
"reveal.js": "3.9.2",
"select2": "3.5.2-browserify",
"socket.io-client": "2.4.0",
"spin.js": "4.1.1",
"string-loader": "0.0.1",
"turndown": "7.1.1",
"url-loader": "4.1.1",
"velocity-animate": "1.5.2",
"visibilityjs": "2.0.2",
"viz.js": "1.8.2",
"webpack": "4.46.0",
"webpack-cli": "4.8.0",
"webpack-merge": "5.8.0",
"wurl": "2.5.4"
},
"optionalDependencies": {
"bufferutil": "^4.0.0",
"utf-8-validate": "^5.0.1"
}
}