@checkstack/backend 0.10.0 → 0.10.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +49 -0
- package/package.json +12 -12
- package/src/services/ws-route-registry.ts +3 -2
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,54 @@
|
|
|
1
1
|
# @checkstack/backend
|
|
2
2
|
|
|
3
|
+
## 0.10.1
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 1909a61: Address open CodeQL code-scanning findings:
|
|
8
|
+
|
|
9
|
+
- **`@checkstack/ui` (`LinksEditor`)**: validate URL scheme on render and on
|
|
10
|
+
add; only `http:` / `https:` URLs are accepted, defeating stored XSS via
|
|
11
|
+
`javascript:` / `data:` schemes in user-supplied hotlinks
|
|
12
|
+
(`js/xss-through-dom`).
|
|
13
|
+
- **`@checkstack/backend-api` (`markdownToPlainText`)**: decode HTML entities
|
|
14
|
+
before stripping tags, then strip tags in a loop until the output
|
|
15
|
+
stabilizes. Decoding `&` last avoids reintroducing tag delimiters
|
|
16
|
+
via `<` round-trips (`js/double-escaping`,
|
|
17
|
+
`js/incomplete-multi-character-sanitization`).
|
|
18
|
+
- **`@checkstack/backend` (`createScopedWsRegistry`)**: drop the
|
|
19
|
+
identity-replacement on the path suffix; the leading-slash invariant
|
|
20
|
+
is documented on `WebSocketRouteRegistry` (`js/identity-replacement`).
|
|
21
|
+
|
|
22
|
+
- b33fb4d: Refresh `bun.lock` to clear MEDIUM-severity Trivy advisories on transitive
|
|
23
|
+
runtime dependencies. No public API change — bumping every workspace
|
|
24
|
+
package that lists `@orpc/server` as a direct dep so consumers re-resolve
|
|
25
|
+
the optional `ws` peer to the patched release on their next install.
|
|
26
|
+
|
|
27
|
+
- `ws` `8.20.0` → `8.20.1` (CVE-2026-45736). Pulled into the install tree
|
|
28
|
+
as `@orpc/server`'s optional WebSocket peer; Bun auto-installs it into
|
|
29
|
+
every backend package that depends on `@orpc/server`, so a stale 8.20.0
|
|
30
|
+
ships in the consumer's `node_modules` until the parent package
|
|
31
|
+
re-resolves.
|
|
32
|
+
- `brace-expansion` `5.0.5` → `5.0.6` (CVE-2026-45149). Pulled in only
|
|
33
|
+
through dev tooling (`minimatch@10` via `@typescript-eslint` and
|
|
34
|
+
`storybook`'s `glob@13`), so it does not ship to consumers and no
|
|
35
|
+
workspace `package.json` lists it; the lockfile bump alone clears the
|
|
36
|
+
finding for the Docker image and the local dev tree. No version bump
|
|
37
|
+
is attributed to this advisory.
|
|
38
|
+
|
|
39
|
+
The fix lives entirely in `bun.lock` — no `package.json`, `overrides`, or
|
|
40
|
+
`resolutions` change is needed because both parent ranges (`minimatch@10
|
|
41
|
+
→ brace-expansion@^5.0.5`, `@orpc/server / storybook / happy-dom →
|
|
42
|
+
ws@>=8.18.x`) already accept the patched releases, and `bun install`
|
|
43
|
+
keeps the resolved versions sticky after the initial `bun update`.
|
|
44
|
+
|
|
45
|
+
- Updated dependencies [1909a61]
|
|
46
|
+
- Updated dependencies [b33fb4d]
|
|
47
|
+
- @checkstack/backend-api@0.15.3
|
|
48
|
+
- @checkstack/cache-api@0.3.2
|
|
49
|
+
- @checkstack/queue-api@0.3.2
|
|
50
|
+
- @checkstack/signal-backend@0.2.6
|
|
51
|
+
|
|
3
52
|
## 0.10.0
|
|
4
53
|
|
|
5
54
|
### Minor Changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@checkstack/backend",
|
|
3
|
-
"version": "0.10.
|
|
3
|
+
"version": "0.10.1",
|
|
4
4
|
"license": "Elastic-2.0",
|
|
5
5
|
"checkstack": {
|
|
6
6
|
"type": "backend"
|
|
@@ -14,16 +14,16 @@
|
|
|
14
14
|
"lint:code": "eslint . --max-warnings 0"
|
|
15
15
|
},
|
|
16
16
|
"dependencies": {
|
|
17
|
-
"@checkstack/api-docs-common": "0.1.
|
|
18
|
-
"@checkstack/auth-common": "0.
|
|
19
|
-
"@checkstack/backend-api": "0.15.
|
|
20
|
-
"@checkstack/common": "0.
|
|
17
|
+
"@checkstack/api-docs-common": "0.1.13",
|
|
18
|
+
"@checkstack/auth-common": "0.7.0",
|
|
19
|
+
"@checkstack/backend-api": "0.15.2",
|
|
20
|
+
"@checkstack/common": "0.10.0",
|
|
21
21
|
"@checkstack/drizzle-helper": "0.0.5",
|
|
22
|
-
"@checkstack/cache-api": "0.3.
|
|
23
|
-
"@checkstack/queue-api": "0.3.
|
|
24
|
-
"@checkstack/signal-backend": "0.2.
|
|
25
|
-
"@checkstack/signal-common": "0.2.
|
|
26
|
-
"@checkstack/pluginmanager-common": "0.2.
|
|
22
|
+
"@checkstack/cache-api": "0.3.1",
|
|
23
|
+
"@checkstack/queue-api": "0.3.1",
|
|
24
|
+
"@checkstack/signal-backend": "0.2.5",
|
|
25
|
+
"@checkstack/signal-common": "0.2.3",
|
|
26
|
+
"@checkstack/pluginmanager-common": "0.2.2",
|
|
27
27
|
"@hono/zod-validator": "^0.7.6",
|
|
28
28
|
"@orpc/client": "^1.13.14",
|
|
29
29
|
"@orpc/contract": "^1.13.14",
|
|
@@ -45,8 +45,8 @@
|
|
|
45
45
|
"@types/bun": "latest",
|
|
46
46
|
"@types/semver": "^7.5.0",
|
|
47
47
|
"@checkstack/tsconfig": "0.0.7",
|
|
48
|
-
"@checkstack/scripts": "0.3.
|
|
49
|
-
"@checkstack/test-utils-backend": "0.1.
|
|
48
|
+
"@checkstack/scripts": "0.3.2",
|
|
49
|
+
"@checkstack/test-utils-backend": "0.1.26",
|
|
50
50
|
"drizzle-kit": "^0.31.10"
|
|
51
51
|
}
|
|
52
52
|
}
|
|
@@ -37,8 +37,9 @@ export function createScopedWsRegistry(
|
|
|
37
37
|
): WebSocketRouteRegistry {
|
|
38
38
|
return {
|
|
39
39
|
register(path: string, handler: WebSocketRouteHandler): void {
|
|
40
|
-
// Normalize: "/" maps to just the pluginId, "/foo" maps to "pluginId/foo"
|
|
41
|
-
|
|
40
|
+
// Normalize: "/" maps to just the pluginId, "/foo" maps to "pluginId/foo".
|
|
41
|
+
// Paths are documented to start with `/` (see WebSocketRouteRegistry).
|
|
42
|
+
const suffix = path === "/" ? "" : path;
|
|
42
43
|
const fullPath = `${pluginId}${suffix}`;
|
|
43
44
|
store.registerHandler(fullPath, handler);
|
|
44
45
|
},
|