npm - @micha.bigler/ui-core-micha - Versions diffs - 2.3.3 → 2.4.3 - Mend

@micha.bigler/ui-core-micha 2.3.3 → 2.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/.github/workflows/publish.yml +5 -5
package/dist/auth/authApi.js +5 -1
package/dist/utils/authService.js +24 -1
package/package.json +15 -14
package/renovate.json +10 -0
package/src/auth/authApi.jsx +5 -1
package/src/utils/authService.js +25 -1
package/tsconfig.build.json +2 -0

package/.github/workflows/publish.yml CHANGED Viewed

@@ -20,14 +20,14 @@ jobs:
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 2
       - name: Set up Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
-          node-version: '20.x'
+          node-version: '24.15.0'
           registry-url: 'https://registry.npmjs.org'
       - name: Decide whether to publish
@@ -93,9 +93,9 @@ jobs:
       - name: Set up pnpm
         if: steps.version_check.outputs.should_publish == 'true'
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v6
         with:
-          version: 10.18.1
+          version: 11.1.2
       - name: Show version from package.json
         if: steps.version_check.outputs.should_publish == 'true'

package/dist/auth/authApi.js CHANGED Viewed

@@ -412,7 +412,11 @@ export async function rejectRecoveryRequest(id, supportNote) {
 }
 export async function loginWithRecoveryPassword(email, password, token) {
     try {
-        await apiClient.post(`/api/support/recovery-requests/recovery-login/${token}/`, {
+        // S50 (django-core-micha >=2.13.1): token wird im POST-Body übergeben,
+        // nicht mehr als URL-Path-Segment. Vermeidet Token-Leak in Referer-Headern,
+        // Server-Access-Logs und Browser-History (POST-Credentials-Exchange).
+        await apiClient.post('/api/support/recovery-requests/recovery-login/', {
+            token,
             email,
             password
         });

package/dist/utils/authService.js CHANGED Viewed

@@ -148,6 +148,29 @@ export async function startSocialLogin(provider, options = {}) {
     if (originUrl.hostname.startsWith('www.')) {
         originUrl.hostname = originUrl.hostname.slice(4);
     }
-    const callbackUrl = options.callbackUrl || `${originUrl.origin}/login`;
+    // S62: Same-Origin-Validation für `callbackUrl`. Verhindert, dass künftige
+    // Konsumenten mit tainted Wert (z.B. `?next=https://evil.example/`) einen
+    // Open-Redirect via OAuth-Callback-Pfad erzeugen. Caller heute safe
+    // (`options.callbackUrl` wird nur intern gesetzt), aber defensive depth.
+    let callbackUrl = `${originUrl.origin}/login`;
+    if (options.callbackUrl) {
+        try {
+            const candidate = new URL(options.callbackUrl, window.location.origin);
+            if (candidate.origin === originUrl.origin) {
+                callbackUrl = candidate.toString();
+            }
+            else {
+                // Cross-origin → silent fallback auf Default; OAuth-Flows laufen
+                // weiter, nur ohne tainted URL. Symptom-Diagnose via Console-Warning.
+                // eslint-disable-next-line no-console
+                console.warn(`[startSocialLogin] callbackUrl cross-origin rejected: ${candidate.origin} != ${originUrl.origin}. Falling back to /login.`);
+            }
+        }
+        catch (_b) {
+            // Invalid URL → fallback, gleiche Rationale.
+            // eslint-disable-next-line no-console
+            console.warn('[startSocialLogin] callbackUrl is not a valid URL — falling back to /login.');
+        }
+    }
     submitSocialRedirectForm({ provider, callbackUrl, csrfToken, process });
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@micha.bigler/ui-core-micha",
-  "version": "2.3.3",
+  "version": "2.4.3",
   "main": "dist/index.js",
   "module": "dist/index.js",
   "repository": {
@@ -9,25 +9,26 @@
   },
   "private": false,
   "peerDependencies": {
-    "@emotion/react": "^11.0.0",
-    "@emotion/styled": "^11.0.0",
-    "@mui/material": "^7.3.5",
-    "@mui/x-data-grid": "^8.4.0",
-    "axios": "^1.0.0",
+    "@emotion/react": "^11.14.0",
+    "@emotion/styled": "^11.14.1",
+    "@mui/material": "^7.3.11",
+    "@mui/x-data-grid": "^8.28.6",
+    "axios": "^1.16.1",
+    "i18next": "^25.10.10 || ^26.0.0",
     "qrcode.react": "^4.2.0",
-    "react": "^19.2.1",
-    "react-dom": "^19.2.1",
-    "react-helmet": "^6.0.0",
-    "react-router-dom": "^7.9.6"
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6",
+    "react-helmet": "^6.1.0",
+    "react-i18next": "^16.3.5 || ^17.0.0",
+    "react-router-dom": "^7.15.1"
   },
   "scripts": {
     "build": "tsc -p tsconfig.build.json"
   },
   "devDependencies": {
     "@mui/icons-material": "^7.3.11",
-    "typescript": "^5.9.3"
-  },
-  "dependencies": {
-    "react-i18next": "^16.3.5"
+    "i18next": "^26.2.0",
+    "react-i18next": "^17.0.8",
+    "typescript": "^6.0.3"
   }
 }

package/renovate.json ADDED Viewed

@@ -0,0 +1,10 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "github>bigler-webapps/renovate-config",
+    "github>bigler-webapps/renovate-config:auto-merge"
+  ],
+  "baseBranchPatterns": [
+    "main"
+  ]
+}

package/src/auth/authApi.jsx CHANGED Viewed

@@ -435,7 +435,11 @@ export async function rejectRecoveryRequest(id, supportNote) {
 export async function loginWithRecoveryPassword(email, password, token) {
   try {
-    await apiClient.post(`/api/support/recovery-requests/recovery-login/${token}/`, {
+    // S50 (django-core-micha >=2.13.1): token wird im POST-Body übergeben,
+    // nicht mehr als URL-Path-Segment. Vermeidet Token-Leak in Referer-Headern,
+    // Server-Access-Logs und Browser-History (POST-Credentials-Exchange).
+    await apiClient.post('/api/support/recovery-requests/recovery-login/', {
+      token,
       email,
       password
     });

package/src/utils/authService.js CHANGED Viewed

@@ -194,6 +194,30 @@ export async function startSocialLogin(provider, options = {}) {
   if (originUrl.hostname.startsWith('www.')) {
     originUrl.hostname = originUrl.hostname.slice(4);
   }
-  const callbackUrl = options.callbackUrl || `${originUrl.origin}/login`;
+  // S62: Same-Origin-Validation für `callbackUrl`. Verhindert, dass künftige
+  // Konsumenten mit tainted Wert (z.B. `?next=https://evil.example/`) einen
+  // Open-Redirect via OAuth-Callback-Pfad erzeugen. Caller heute safe
+  // (`options.callbackUrl` wird nur intern gesetzt), aber defensive depth.
+  let callbackUrl = `${originUrl.origin}/login`;
+  if (options.callbackUrl) {
+    try {
+      const candidate = new URL(options.callbackUrl, window.location.origin);
+      if (candidate.origin === originUrl.origin) {
+        callbackUrl = candidate.toString();
+      } else {
+        // Cross-origin → silent fallback auf Default; OAuth-Flows laufen
+        // weiter, nur ohne tainted URL. Symptom-Diagnose via Console-Warning.
+        // eslint-disable-next-line no-console
+        console.warn(
+          `[startSocialLogin] callbackUrl cross-origin rejected: ${candidate.origin} != ${originUrl.origin}. Falling back to /login.`
+        );
+      }
+    } catch {
+      // Invalid URL → fallback, gleiche Rationale.
+      // eslint-disable-next-line no-console
+      console.warn('[startSocialLogin] callbackUrl is not a valid URL — falling back to /login.');
+    }
+  }
   submitSocialRedirectForm({ provider, callbackUrl, csrfToken, process });
 }

package/tsconfig.build.json CHANGED Viewed

@@ -1,5 +1,6 @@
 {
   "compilerOptions": {
+    "rootDir": "./src",
     "outDir": "dist",
     "allowJs": true,
     "checkJs": false,
@@ -7,6 +8,7 @@
     "module": "ESNext",
     "target": "ES2017",
     "moduleResolution": "Node",
+    "ignoreDeprecations": "6.0",
     "esModuleInterop": true,
     "skipLibCheck": true,
     "noEmit": false,