@elliemae/pui-cli 8.40.0 → 8.40.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/cjs/commands/utils.js +10 -1
  2. package/dist/cjs/server/csp.js +34 -19
  3. package/dist/esm/commands/utils.js +10 -1
  4. package/dist/esm/server/csp.js +34 -19
  5. package/dist/types/tsconfig.tsbuildinfo +1 -1
  6. package/package.json +12 -12
package/dist/cjs/commands/utils.js CHANGED
@@ -153,6 +153,7 @@ const updateManifestWithVersionInfo = async (dest) => {
153
153
  };
154
154
  const updateRuntimeFile = async (src, dest, version) => {
155
155
  const latestJSFolder = "latest/js";
156
+ const latestCSSFolder = "latest/css";
156
157
  const pipe = (0, import_node_util.promisify)(import_node_stream.pipeline);
157
158
  const results = await (0, import_fast_glob.default)([
158
159
  import_node_path.default.join(src, "runtime~app.*.js").replace(/\\/g, "/")
@@ -162,17 +163,25 @@ const updateRuntimeFile = async (src, dest, version) => {
162
163
  const runtimeFileName = import_node_path.default.basename(runtimeFilePath);
163
164
  const destRuntimeFilePath = import_node_path.default.join(dest, runtimeFileName);
164
165
  const runtimeFileData = await (0, import_promises.readFile)(runtimeFilePath, "utf8");
165
- if (runtimeFileData.includes(latestJSFolder)) {
166
+ if (runtimeFileData.includes(latestJSFolder) || runtimeFileData.includes(latestCSSFolder)) {
166
167
  await (0, import_promises.writeFile)(
167
168
  destRuntimeFilePath,
168
169
  runtimeFileData.replace(latestJSFolder, `${version}/js`)
169
170
  );
171
+ await (0, import_promises.writeFile)(
172
+ destRuntimeFilePath,
173
+ runtimeFileData.replace(latestCSSFolder, `${version}/css`)
174
+ );
170
175
  const sourceMapFile = `${runtimeFilePath}.map`;
171
176
  const sourcemap = await (0, import_promises.readFile)(sourceMapFile, "utf8");
172
177
  await (0, import_promises.writeFile)(
173
178
  `${destRuntimeFilePath}.map`,
174
179
  sourcemap.replace(latestJSFolder, `${version}/js`)
175
180
  );
181
+ await (0, import_promises.writeFile)(
182
+ `${destRuntimeFilePath}.map`,
183
+ sourcemap.replace(latestCSSFolder, `${version}/css`)
184
+ );
176
185
  const gzip = (0, import_node_zlib.createGzip)();
177
186
  let source = (0, import_node_fs.createReadStream)(destRuntimeFilePath);
178
187
  let destination = (0, import_node_fs.createWriteStream)(`${destRuntimeFilePath}.gz`);
package/dist/cjs/server/csp.js CHANGED
@@ -36,11 +36,12 @@ var import_node_fs = __toESM(require("node:fs"), 1);
36
36
  var import_node_path = __toESM(require("node:path"), 1);
37
37
  var import_crypto = __toESM(require("crypto"), 1);
38
38
  var import_express = __toESM(require("express"), 1);
39
- var import_helmet_csp = __toESM(require("helmet-csp"), 1);
39
+ var import_helmet = __toESM(require("helmet"), 1);
40
40
  const CSP_REPORT_URI = "/diagnostics/v1/csp";
41
41
  const sources = [
42
42
  "'self'",
43
43
  "http://localhost:*",
44
+ "https://localhost:*",
44
45
  "ws://localhost:*",
45
46
  "*.ice.com",
46
47
  "*.elliemae.io",
@@ -76,30 +77,44 @@ const getScriptSrc = () => {
76
77
  };
77
78
  const csp = (app) => {
78
79
  app.use((req, res, next) => {
79
- res.locals.cspNonce = import_crypto.default.randomBytes(16).toString("hex");
80
+ res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("hex");
80
81
  next();
81
82
  });
82
83
  app.use(
83
- (0, import_helmet_csp.default)({
84
- directives: {
85
- defaultSrc: ["'self'"],
86
- baseUri: ["'self'"],
87
- blockAllMixedContent: [],
88
- connectSrc: sources,
89
- fontSrc: sources.concat(["data:"]),
90
- frameAncestors: sources,
91
- imgSrc: sources.concat(["data:"]),
92
- objectSrc: ["'none'"],
93
- scriptSrc: getScriptSrc(),
94
- scriptSrcAttr: ["'none'"],
95
- styleSrc: sources.concat(["'unsafe-inline'"]),
96
- upgradeInsecureRequests: [],
97
- reportUri: CSP_REPORT_URI
84
+ (0, import_helmet.default)({
85
+ contentSecurityPolicy: {
86
+ directives: {
87
+ baseUri: ["'self'"],
88
+ connectSrc: sources,
89
+ defaultSrc: ["'self'"],
90
+ fontSrc: sources.concat(["data:"]),
91
+ formAction: ["'self'"],
92
+ frameAncestors: sources,
93
+ frameSrc: sources,
94
+ imgSrc: sources.concat(["data:"]),
95
+ objectSrc: ["'none'"],
96
+ scriptSrc: getScriptSrc(),
97
+ scriptSrcAttr: ["'none'"],
98
+ styleSrc: sources.concat(["'unsafe-inline'"]),
99
+ workerSrc: sources,
100
+ upgradeInsecureRequests: [],
101
+ reportUri: CSP_REPORT_URI,
102
+ reportTo: CSP_REPORT_URI
103
+ },
104
+ reportOnly: true
98
105
  },
99
- reportOnly: true
106
+ xFrameOptions: false,
107
+ xPermittedCrossDomainPolicies: false,
108
+ xDownloadOptions: false,
109
+ xXssProtection: false
110
+ })
111
+ );
112
+ app.use(
113
+ CSP_REPORT_URI,
114
+ import_express.default.json({
115
+ type: ["application/csp-report", "application/reports+json"]
100
116
  })
101
117
  );
102
- app.use(CSP_REPORT_URI, import_express.default.json({ type: "application/csp-report" }));
103
118
  app.use(CSP_REPORT_URI, (req, res) => {
104
119
  console.log("CSP Violation: ", req.body);
105
120
  res.status(204).end();
package/dist/esm/commands/utils.js CHANGED
@@ -122,6 +122,7 @@ const updateManifestWithVersionInfo = async (dest) => {
122
122
  };
123
123
  const updateRuntimeFile = async (src, dest, version) => {
124
124
  const latestJSFolder = "latest/js";
125
+ const latestCSSFolder = "latest/css";
125
126
  const pipe = promisify(pipeline);
126
127
  const results = await fg([
127
128
  path.join(src, "runtime~app.*.js").replace(/\\/g, "/")
@@ -131,17 +132,25 @@ const updateRuntimeFile = async (src, dest, version) => {
131
132
  const runtimeFileName = path.basename(runtimeFilePath);
132
133
  const destRuntimeFilePath = path.join(dest, runtimeFileName);
133
134
  const runtimeFileData = await readFile(runtimeFilePath, "utf8");
134
- if (runtimeFileData.includes(latestJSFolder)) {
135
+ if (runtimeFileData.includes(latestJSFolder) || runtimeFileData.includes(latestCSSFolder)) {
135
136
  await writeFile(
136
137
  destRuntimeFilePath,
137
138
  runtimeFileData.replace(latestJSFolder, `${version}/js`)
138
139
  );
140
+ await writeFile(
141
+ destRuntimeFilePath,
142
+ runtimeFileData.replace(latestCSSFolder, `${version}/css`)
143
+ );
139
144
  const sourceMapFile = `${runtimeFilePath}.map`;
140
145
  const sourcemap = await readFile(sourceMapFile, "utf8");
141
146
  await writeFile(
142
147
  `${destRuntimeFilePath}.map`,
143
148
  sourcemap.replace(latestJSFolder, `${version}/js`)
144
149
  );
150
+ await writeFile(
151
+ `${destRuntimeFilePath}.map`,
152
+ sourcemap.replace(latestCSSFolder, `${version}/css`)
153
+ );
145
154
  const gzip = createGzip();
146
155
  let source = createReadStream(destRuntimeFilePath);
147
156
  let destination = createWriteStream(`${destRuntimeFilePath}.gz`);
package/dist/esm/server/csp.js CHANGED
@@ -2,11 +2,12 @@ import fs from "node:fs";
2
2
  import path from "node:path";
3
3
  import crypto from "crypto";
4
4
  import express from "express";
5
- import cspPolicy from "helmet-csp";
5
+ import helmet from "helmet";
6
6
  const CSP_REPORT_URI = "/diagnostics/v1/csp";
7
7
  const sources = [
8
8
  "'self'",
9
9
  "http://localhost:*",
10
+ "https://localhost:*",
10
11
  "ws://localhost:*",
11
12
  "*.ice.com",
12
13
  "*.elliemae.io",
@@ -42,30 +43,44 @@ const getScriptSrc = () => {
42
43
  };
43
44
  const csp = (app) => {
44
45
  app.use((req, res, next) => {
45
- res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
46
+ res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
46
47
  next();
47
48
  });
48
49
  app.use(
49
- cspPolicy({
50
- directives: {
51
- defaultSrc: ["'self'"],
52
- baseUri: ["'self'"],
53
- blockAllMixedContent: [],
54
- connectSrc: sources,
55
- fontSrc: sources.concat(["data:"]),
56
- frameAncestors: sources,
57
- imgSrc: sources.concat(["data:"]),
58
- objectSrc: ["'none'"],
59
- scriptSrc: getScriptSrc(),
60
- scriptSrcAttr: ["'none'"],
61
- styleSrc: sources.concat(["'unsafe-inline'"]),
62
- upgradeInsecureRequests: [],
63
- reportUri: CSP_REPORT_URI
50
+ helmet({
51
+ contentSecurityPolicy: {
52
+ directives: {
53
+ baseUri: ["'self'"],
54
+ connectSrc: sources,
55
+ defaultSrc: ["'self'"],
56
+ fontSrc: sources.concat(["data:"]),
57
+ formAction: ["'self'"],
58
+ frameAncestors: sources,
59
+ frameSrc: sources,
60
+ imgSrc: sources.concat(["data:"]),
61
+ objectSrc: ["'none'"],
62
+ scriptSrc: getScriptSrc(),
63
+ scriptSrcAttr: ["'none'"],
64
+ styleSrc: sources.concat(["'unsafe-inline'"]),
65
+ workerSrc: sources,
66
+ upgradeInsecureRequests: [],
67
+ reportUri: CSP_REPORT_URI,
68
+ reportTo: CSP_REPORT_URI
69
+ },
70
+ reportOnly: true
64
71
  },
65
- reportOnly: true
72
+ xFrameOptions: false,
73
+ xPermittedCrossDomainPolicies: false,
74
+ xDownloadOptions: false,
75
+ xXssProtection: false
76
+ })
77
+ );
78
+ app.use(
79
+ CSP_REPORT_URI,
80
+ express.json({
81
+ type: ["application/csp-report", "application/reports+json"]
66
82
  })
67
83
  );
68
- app.use(CSP_REPORT_URI, express.json({ type: "application/csp-report" }));
69
84
  app.use(CSP_REPORT_URI, (req, res) => {
70
85
  console.log("CSP Violation: ", req.body);
71
86
  res.status(204).end();