@saltcorn/server 1.0.0-beta.13 → 1.0.0-beta.15

package/app.js

@@ -447,6 +447,9 @@ Sitemap: ${base}sitemap.xml
   app.get("*", function (req, res) {
     res.status(404).sendWrap(req.__("Not found"), h1(req.__("Page not found")));
   });
+
+  //prevent prototype pollution
+  delete Object.prototype.__proto__;
   return app;
 };
 module.exports = getApp;

package/load_plugins.js

@@ -19,17 +19,46 @@ const {
   resolveLatest,
 } = require("@saltcorn/plugins-loader/stable_versioning");
 
+const isFixedPlugin = (plugin) =>
+  plugin.location === "@saltcorn/sbadmin2" ||
+  plugin.location === "@saltcorn/base-plugin";
+
+/**
+ * return the cached engine infos or fetch them from npm and update the cache
+ * @param plugin plugin to load
+ */
+const getEngineInfos = async (plugin, forceFetch) => {
+  const rootState = getRootState();
+  const cached = rootState.getConfig("engines_cache", {}) || {};
+  if (cached[plugin.location] && !forceFetch) {
+    return cached[plugin.location];
+  } else {
+    getState().log(5, `Fetching versions for '${plugin.location}'`);
+    const pkgInfo = await npmFetch.json(
+      `https://registry.npmjs.org/${plugin.location}`
+    );
+    const versions = pkgInfo.versions;
+    const newCached = {};
+    for (const [k, v] of Object.entries(versions)) {
+      newCached[k] = v.engines?.saltcorn
+        ? { engines: { saltcorn: v.engines.saltcorn } }
+        : {};
+    }
+    cached[plugin.location] = newCached;
+    await rootState.setConfig("engines_cache", { ...cached });
+    return newCached;
+  }
+};
+
 /**
  * checks the saltcorn engine property and changes the plugin version if necessary
  * @param plugin plugin to load
  */
-const ensurePluginSupport = async (plugin) => {
-  const pkgInfo = await npmFetch.json(
-    `https://registry.npmjs.org/${plugin.location}`
-  );
+const ensurePluginSupport = async (plugin, forceFetch) => {
+  const versions = await getEngineInfos(plugin, forceFetch);
   const supported = supportedVersion(
     plugin.version || "latest",
-    pkgInfo.versions,
+    versions,
     packagejson.version
   );
   if (!supported)
@@ -38,8 +67,7 @@ const ensurePluginSupport = async (plugin) => {
     );
   else if (
     supported !== plugin.version ||
-    (plugin.version === "latest" &&
-      supported !== resolveLatest(pkgInfo.versions))
+    (plugin.version === "latest" && supported !== resolveLatest(versions))
   )
     plugin.version = supported;
 };
@@ -50,10 +78,10 @@ const ensurePluginSupport = async (plugin) => {
  * @param plugin - plugin to load
  * @param force - force flag
  */
-const loadPlugin = async (plugin, force) => {
-  if (plugin.source === "npm" && isRoot()) {
+const loadPlugin = async (plugin, force, forceFetch) => {
+  if (plugin.source === "npm" && !isFixedPlugin(plugin)) {
     try {
-      await ensurePluginSupport(plugin);
+      await ensurePluginSupport(plugin, forceFetch);
     } catch (e) {
       console.log(
         `Warning: Unable to find a supported version for '${plugin.location}' Continuing with the installed version`
@@ -145,7 +173,7 @@ const loadAllPlugins = async (force) => {
     }
   }
   await getState().refreshUserLayouts();
-  await getState().refresh(true);
+  await getState().refresh(true, true);
   if (!isRoot()) reloadAuthFromRoot();
 };
 
@@ -279,6 +307,6 @@ module.exports = {
   loadAllPlugins,
   loadPlugin,
   requirePlugin,
-  supportedVersion,
+  getEngineInfos,
   ensurePluginSupport,
 };

package/locales/en.json

@@ -1468,5 +1468,10 @@
 	"Time to run": "Time to run",
 	"Mobile": "Mobile",
 	"Plain password trigger row": "Plain password trigger row",
-	"Send plaintext password changes to Users table triggers (Insert, Update and Validate).": "Send plaintext password changes to Users table triggers (Insert, Update and Validate)."
-}
+	"Send plaintext password changes to Users table triggers (Insert, Update and Validate).": "Send plaintext password changes to Users table triggers (Insert, Update and Validate).",
+	"Minimum user role required to create a new tenant<div class=\"alert alert-danger fst-normal\" role=\"alert\" data-show-if=\"showIfFormulaInputs($('select[name=role_to_create_tenant]'), '+role_to_create_tenant>1')\">Giving non-trusted users access to create tenants is a security risk and not recommended.</div>": "Minimum user role required to create a new tenant<div class=\"alert alert-danger fst-normal\" role=\"alert\" data-show-if=\"showIfFormulaInputs($('select[name=role_to_create_tenant]'), '+role_to_create_tenant>1')\">Giving non-trusted users access to create tenants is a security risk and not recommended.</div>",
+	"Select tag": "Select tag",
+	"Invalid build directory path": "Invalid build directory path",
+	"Invalid build directory name": "Invalid build directory name",
+	"clean node_modules": "clean node_modules"
+}

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "@saltcorn/server",
-  "version": "1.0.0-beta.13",
+  "version": "1.0.0-beta.15",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
     "@aws-sdk/client-s3": "^3.451.0",
-    "@saltcorn/base-plugin": "1.0.0-beta.13",
-    "@saltcorn/builder": "1.0.0-beta.13",
-    "@saltcorn/data": "1.0.0-beta.13",
-    "@saltcorn/admin-models": "1.0.0-beta.13",
-    "@saltcorn/filemanager": "1.0.0-beta.13",
-    "@saltcorn/markup": "1.0.0-beta.13",
-    "@saltcorn/plugins-loader": "1.0.0-beta.13",
-    "@saltcorn/sbadmin2": "1.0.0-beta.13",
+    "@saltcorn/base-plugin": "1.0.0-beta.15",
+    "@saltcorn/builder": "1.0.0-beta.15",
+    "@saltcorn/data": "1.0.0-beta.15",
+    "@saltcorn/admin-models": "1.0.0-beta.15",
+    "@saltcorn/filemanager": "1.0.0-beta.15",
+    "@saltcorn/markup": "1.0.0-beta.15",
+    "@saltcorn/plugins-loader": "1.0.0-beta.15",
+    "@saltcorn/sbadmin2": "1.0.0-beta.15",
     "@socket.io/cluster-adapter": "^0.2.1",
     "@socket.io/sticky": "^1.0.1",
     "adm-zip": "0.5.10",

package/public/saltcorn-common.js

@@ -18,7 +18,7 @@ function monospace_block_click(e) {
 function copy_monospace_block(e) {
   let e1 = $(e).next("pre");
   let e2 = $(e1).next("pre");
-  if (!e2.length) return navigator.clipboard.writeText($(el).text());
+  if (!e2.length) return navigator.clipboard.writeText($(e1).text());
   const e1t = e1.text();
   const e2t = e2.text();
   if (e1t.length > e2t.length) return navigator.clipboard.writeText(e1t);
@@ -184,8 +184,21 @@ function apply_showif() {
     var current = e.attr("data-selected") || e.val();
     //console.log({ field: e.attr("name"), target: data[0], val, current });
     e.empty();
+    //TODO clean repetition in following cose
     (options || []).forEach((o) => {
-      if (
+      if (o && o.optgroup) {
+        const opts = o.options
+          .map(
+            (innero) =>
+              `<option ${
+                `${current}` === `${innero.value || innero}` ? "selected " : ""
+              }value="${innero.value || innero}">${
+                innero.label || innero
+              }</option>`
+          )
+          .join("");
+        e.append($(`<optgroup label="${o.label}">` + opts + "</optgroup>"));
+      } else if (
         !(o && typeof o.label !== "undefined" && typeof o.value !== "undefined")
       ) {
         if (`${current}` === `${o}`)

package/public/saltcorn.js

@@ -225,8 +225,10 @@ function ajax_done(res, viewname) {
 function spin_action_link(e) {
   const $e = $(e);
   const width = $e.width();
+  const height = $e.height();
+
   $e.attr("data-innerhtml-prespin", $e.html());
-  $e.html('<i class="fas fa-spinner fa-spin"></i>').width(width);
+  $e.html('<i class="fas fa-spinner fa-spin"></i>').width(width).height(height);
 }
 
 function reset_spinners() {
@@ -870,7 +872,7 @@ function build_mobile_app(button) {
 
   if (
     params.useDocker &&
-    !cordovaBuilderAvailable &&
+    !window.cordovaBuilderAvailable &&
     !confirm(
       "Docker is selected but the Cordova builder seems not to be installed. " +
         "Do you really want to continue?"
@@ -878,6 +880,21 @@ function build_mobile_app(button) {
   ) {
     return;
   }
+
+  const notSupportedPlugins = params.includedPlugins.filter(
+    (plugin) => !window.pluginsReadyForMobile.includes(plugin)
+  );
+  if (
+    notSupportedPlugins.length > 0 &&
+    !confirm(
+      `It seems that the plugins '${notSupportedPlugins.join(
+        ", "
+      )}' are not ready for mobile. Do you really want to continue?`
+    )
+  ) {
+    return;
+  }
+
   ajax_post("/admin/build-mobile-app", {
     data: params,
     success: (data) => {
@@ -949,8 +966,8 @@ function check_cordova_builder() {
   $.ajax("/admin/mobile-app/check-cordova-builder", {
     type: "GET",
     success: function (res) {
-      cordovaBuilderAvailable = !!res.installed;
-      if (cordovaBuilderAvailable) {
+      window.cordovaBuilderAvailable = !!res.installed;
+      if (window.cordovaBuilderAvailable) {
         $("#dockerBuilderStatusId").html(
           `<span>
             installed<i class="ps-2 fas fa-check text-success"></i>
@@ -1044,7 +1061,7 @@ function toggle_tbl_sync() {
 function toggle_android_platform() {
   if ($("#androidCheckboxId")[0].checked === true) {
     $("#dockerCheckboxId").attr("hidden", false);
-    $("#dockerCheckboxId").attr("checked", cordovaBuilderAvailable);
+    $("#dockerCheckboxId").attr("checked", window.cordovaBuilderAvailable);
     $("#dockerLabelId").removeClass("d-none");
   } else {
     $("#dockerCheckboxId").attr("hidden", true);

package/routes/actions.js

@@ -57,21 +57,6 @@ const {
   blocklyToolbox,
 } = require("../markup/blockly.js");
 
-/**
- * @returns {Promise<object>}
- */
-const getActions = async () => {
-  return Object.entries(getState().actions).map(([k, v]) => {
-    const hasConfig = !!v.configFields;
-    const requireRow = !!v.requireRow;
-    return {
-      name: k,
-      hasConfig,
-      requireRow,
-    };
-  });
-};
-
 /**
  * Show list of Actions (Triggers) (HTTP GET)
  * @name get
@@ -96,7 +81,7 @@ router.get(
       triggers = triggers.filter((t) => tagged_trigger_ids.has(t.id));
       filterOnTag = await Tag.findOne({ id: +req.query._tag });
     }
-    const actions = await getActions();
+    const actions = Trigger.abbreviated_actions;
     send_events_page({
       res,
       req,
@@ -156,7 +141,7 @@ const triggerForm = async (req, trigger) => {
     value: r.id,
     label: r.role,
   }));
-  const actions = await getActions();
+  const actions = Trigger.abbreviated_actions;
   const tables = await Table.find({});
   let id;
   let form_action;
@@ -168,14 +153,13 @@ const triggerForm = async (req, trigger) => {
   const hasChannel = Object.entries(getState().eventTypes)
     .filter(([k, v]) => v.hasChannel)
     .map(([k, v]) => k);
-  const allActions = actions.map((t) => t.name);
-  allActions.push("Multi-step action");
+
+  const allActions = Trigger.action_options({ notRequireRow: false });
   const table_triggers = ["Insert", "Update", "Delete", "Validate"];
   const action_options = {};
-  const actionsNotRequiringRow = actions
-    .filter((a) => !a.requireRow)
-    .map((t) => t.name);
-  actionsNotRequiringRow.push("Multi-step action");
+  const actionsNotRequiringRow = Trigger.action_options({
+    notRequireRow: true,
+  });
 
   Trigger.when_options.forEach((t) => {
     if (table_triggers.includes(t)) action_options[t] = allActions;

package/routes/admin.js

@@ -673,7 +673,10 @@ router.get(
     const backup_file_prefix = getState().getConfig("backup_file_prefix");
     if (
       !isRoot ||
-      !(filename.startsWith(backup_file_prefix) && filename.endsWith(".zip"))
+      !(
+        path.resolve(filename).startsWith(backup_file_prefix) &&
+        filename.endsWith(".zip")
+      )
     ) {
       res.redirect("/admin/backup");
       return;
@@ -1278,6 +1281,7 @@ router.get(
         throw new Error(req.__("Unable to fetch versions"));
       const versions = Object.keys(pkgInfo.versions);
       if (versions.length === 0) throw new Error(req.__("No versions found"));
+      const tags = pkgInfo["dist-tags"] || {};
       res.set("Page-Title", req.__("%s versions", "Saltcorn"));
       let selected = packagejson.version;
       res.send(
@@ -1287,6 +1291,7 @@ router.get(
             method: "post",
           },
           input({ type: "hidden", name: "_csrf", value: req.csrfToken() }),
+          // version select
           div(
             { class: "form-group" },
             label(
@@ -1312,6 +1317,54 @@ router.get(
               )
             )
           ),
+          // tag select
+          div(
+            { class: "form-group" },
+            label(
+              {
+                for: "tag_select",
+                class: "form-label fw-bold",
+              },
+              req.__("Tags")
+            ),
+            select(
+              {
+                id: "tag_select",
+                class: "form-control form-select",
+              },
+              option({
+                id: "empty_opt",
+                value: "",
+                label: req.__("Select tag"),
+                selected: true,
+              }),
+              Object.keys(tags).map((tag) =>
+                option({
+                  id: `${tag}_opt`,
+                  value: tags[tag],
+                  label: `${tag} (${tags[tag]})`,
+                })
+              )
+            )
+          ),
+          // deep clean checkbox
+          div(
+            { class: "form-group" },
+            input({
+              id: "deep_clean",
+              class: "form-check-input",
+              type: "checkbox",
+              name: "deep_clean",
+              checked: false,
+            }),
+            label(
+              {
+                for: "deep_clean",
+                class: "form-label ms-2",
+              },
+              req.__("clean node_modules")
+            )
+          ),
           div(
             { class: "d-flex justify-content-end" },
             button(
@@ -1331,7 +1384,18 @@ router.get(
               req.__("Install")
             )
           )
-        )
+        ) +
+          script(
+            domReady(`
+document.getElementById('tag_select').addEventListener('change', () => {
+  const version = document.getElementById('tag_select').value;
+  if (version) document.getElementById('version_select').value = version;
+});
+document.getElementById('version_select').addEventListener('change', () => {
+  document.getElementById('tag_select').value = '';
+});
+`)
+          )
       );
     } catch (error) {
       getState().log(
@@ -1343,7 +1407,17 @@ router.get(
   })
 );
 
-const doInstall = async (req, res, version, runPull) => {
+const cleanNodeModules = async () => {
+  const topSaltcornDir = path.join(__dirname, "..", "..", "..", "..", "..");
+  if (path.basename(topSaltcornDir) === "@saltcorn")
+    await fs.promises.rm(topSaltcornDir, { recursive: true, force: true });
+  else
+    throw new Error(
+      `'${topSaltcornDir}' is not a Saltcorn installation directory`
+    );
+};
+
+const doInstall = async (req, res, version, deepClean, runPull) => {
   if (db.getTenantSchema() !== db.connectObj.default_schema) {
     req.flash("error", req.__("Not possible for tenant"));
     res.redirect("/admin");
@@ -1353,6 +1427,14 @@ const doInstall = async (req, res, version, runPull) => {
         ? req.__("Starting upgrade, please wait...\n")
         : req.__("Installing %s, please wait...\n", version)
     );
+    if (deepClean) {
+      res.write(req.__("Cleaning node_modules...\n"));
+      try {
+        await cleanNodeModules();
+      } catch (e) {
+        res.write(req.__("Error cleaning node_modules: %s\n", e.message));
+      }
+    }
     const child = spawn(
       "npm",
       ["install", "-g", `@saltcorn/cli@${version}`, "--unsafe"],
@@ -1390,8 +1472,8 @@ const doInstall = async (req, res, version, runPull) => {
 };
 
 router.post("/install", isAdmin, async (req, res) => {
-  const { version } = req.body;
-  await doInstall(req, res, version, false);
+  const { version, deep_clean } = req.body;
+  await doInstall(req, res, version, deep_clean === "on", false);
 });
 
 /**
@@ -1404,7 +1486,7 @@ router.post(
   "/upgrade",
   isAdmin,
   error_catcher(async (req, res) => {
-    await doInstall(req, res, "latest", true);
+    await doInstall(req, res, "latest", false, true);
   })
 );
 /**
@@ -1742,8 +1824,8 @@ router.get(
     });
   })
 );
-const buildDialogScript = (cordovaBuilderAvailable) => {
-  return `<script>
+const buildDialogScript = (cordovaBuilderAvailable) =>
+  `<script>
   var cordovaBuilderAvailable = ${cordovaBuilderAvailable};
   function showEntrySelect(type) {
     for( const currentType of ["view", "page", "pagegroup"]) {
@@ -1769,7 +1851,6 @@ const buildDialogScript = (cordovaBuilderAvailable) => {
     notifyAlert("Building the app, please wait.", true)
   }
   </script>`;
-};
 
 const imageAvailable = async () => {
   try {
@@ -1827,6 +1908,9 @@ router.get(
     const plugins = (await Plugin.find()).filter(
       (plugin) => ["base", "sbadmin2"].indexOf(plugin.name) < 0
     );
+    const pluginsReadyForMobile = plugins
+      .filter((plugin) => plugin.ready_for_mobile())
+      .map((plugin) => plugin.name);
     const builderSettings =
       getState().getConfig("mobile_builder_settings") || {};
     const dockerAvailable = await imageAvailable();
@@ -1841,6 +1925,11 @@ router.get(
         {
           headerTag: buildDialogScript(dockerAvailable),
         },
+        {
+          headerTag: `<script>var pluginsReadyForMobile = ${JSON.stringify(
+            pluginsReadyForMobile
+          )}</script>`,
+        },
       ],
       contents: {
         above: [
@@ -2877,17 +2966,66 @@ router.get(
   })
 );
 
+const validateBuildDirName = (buildDirName) => {
+  // ensure characters
+  if (!/^[a-zA-Z0-9_-]+$/.test(buildDirName)) {
+    getState().log(
+      4,
+      `Invalid characters in build directory name '${buildDirName}'`
+    );
+    return false;
+  }
+  // ensure format is 'build_1234567890'
+  if (!/^build_\d+$/.test(buildDirName)) {
+    getState().log(4, `Invalid build directory name format '${buildDirName}'`);
+    return false;
+  }
+  return true;
+};
+
+const validateBuildDir = (buildDir, rootPath) => {
+  const resolvedBuildDir = path.resolve(buildDir);
+  if (!resolvedBuildDir.startsWith(path.join(rootPath, "mobile_app"))) {
+    getState().log(4, `Invalid build directory path '${buildDir}'`);
+    return false;
+  }
+  return true;
+};
+
 router.get(
   "/build-mobile-app/result",
   isAdmin,
   error_catcher(async (req, res) => {
     const { build_dir_name } = req.query;
+    if (!validateBuildDirName(build_dir_name)) {
+      return res.sendWrap(req.__(`Admin`), {
+        above: [
+          {
+            type: "card",
+            title: req.__("Build Result"),
+            contents: div(req.__("Invalid build directory name")),
+          },
+        ],
+      });
+    }
     const rootFolder = await File.rootFolder();
     const buildDir = path.join(
       rootFolder.location,
       "mobile_app",
       build_dir_name
     );
+    if (!validateBuildDir(buildDir, rootFolder.location)) {
+      return res.sendWrap(req.__(`Admin`), {
+        above: [
+          {
+            type: "card",
+            title: req.__("Build Result"),
+            contents: div(req.__("Invalid build directory path")),
+          },
+        ],
+      });
+    }
+
     const files = await Promise.all(
       fs
         .readdirSync(buildDir)

package/routes/infoarch.js

@@ -234,7 +234,14 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const { lang, defstring } = req.params;
-
+    if (
+      lang === "__proto__" ||
+      defstring === "__proto__" ||
+      lang === "constructor"
+    ) {
+      res.redirect(`/`);
+      return;
+    }
     const cfgStrings = getState().getConfigCopy("localizer_strings");
     if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value);
     else cfgStrings[lang] = { [defstring]: text(req.body.value) };

package/routes/menu.js

@@ -269,6 +269,9 @@ const menuForm = async (req) => {
         name: "icon",
         class: "item-menu",
         input_type: "hidden",
+        showIf: {
+          type: ["View", "Page", "Page Group", "Link", "Header", "Action"],
+        },
       },
       {
         name: "tooltip",

package/routes/pageedit.js

@@ -183,6 +183,12 @@ const pageBuilderData = async (req, context) => {
       });
     }
   }
+  const actionsNotRequiringRow = Trigger.action_options({
+    notRequireRow: true,
+    apiNeverTriggers: true,
+    builtInLabel: "Page Actions",
+    builtIns: ["GoBack"],
+  });
   const library = (await Library.find({})).filter((l) => l.suitableFor("page"));
   const fixed_state_fields = {};
   for (const view of views) {
@@ -228,7 +234,7 @@ const pageBuilderData = async (req, context) => {
     images,
     pages,
     page_groups,
-    actions,
+    actions: actionsNotRequiringRow,
     builtInActions: ["GoBack"],
     library,
     min_role: context.min_role,

package/routes/plugins.js

@@ -49,6 +49,8 @@ const {
   input,
   label,
   text,
+  script,
+  domReady,
 } = require("@saltcorn/markup/tags");
 const { search_bar } = require("@saltcorn/markup/helpers");
 const fs = require("fs");
@@ -614,13 +616,14 @@ router.get(
         res.set("Page-Title", req.__("%s versions", text(withoutOrg)));
         const versions = Object.keys(pkgInfo.versions);
         if (versions.length === 0) throw new Error(req.__("No versions found"));
+        const tags = pkgInfo["dist-tags"] || {};
         let selected = null;
         if (getState().plugins[plugin.name]) {
           const mod = await load_plugins.requirePlugin(plugin);
           if (mod) selected = mod.version;
         }
         if (!selected) selected = versions[versions.length - 1];
-        const packageJson = require("../package.json");
+        const scVersion = getState().scVersion;
         return res.send(
           form(
             {
@@ -630,6 +633,7 @@ router.get(
             input({ type: "hidden", name: "_csrf", value: req.csrfToken() }),
             div(
               { class: "form-group" },
+              // version
               label(
                 {
                   for: "version_select",
@@ -645,7 +649,7 @@ router.get(
                 },
                 versions
                   .filter((v) =>
-                    isVersionSupported(v, pkgInfo.versions, packageJson.version)
+                    isVersionSupported(v, pkgInfo.versions, scVersion)
                   )
                   .map((version) =>
                     option({
@@ -655,6 +659,37 @@ router.get(
                       selected: version === selected,
                     })
                   )
+              ),
+              // tag
+              label(
+                {
+                  for: "tag_select",
+                  class: "form-label fw-bold mt-2",
+                },
+                req.__("Tags")
+              ),
+              select(
+                {
+                  id: "tag_select",
+                  class: "form-control form-select",
+                },
+                option({
+                  id: "empty_opt",
+                  value: "",
+                  label: req.__("Select tag"),
+                  selected: true,
+                }),
+                Object.keys(tags)
+                  .filter((tag) =>
+                    isVersionSupported(tags[tag], pkgInfo.versions, scVersion)
+                  )
+                  .map((tag) =>
+                    option({
+                      id: `${tag}_opt`,
+                      value: tags[tag],
+                      label: `${tag} (${tags[tag]})`,
+                    })
+                  )
               )
             ),
             div(
@@ -676,7 +711,19 @@ router.get(
                 req.__("Install")
               )
             )
-          )
+          ) +
+            script(
+              domReady(`
+document.getElementById('tag_select').onchange = () => {
+  const version = document.getElementById('tag_select').value;
+  if (version) document.getElementById('version_select').value = version;
+};
+document.getElementById('version_select').onchange = () => {
+  const tagSelect = document.getElementById('tag_select');
+  tagSelect.value = '';
+}; 
+`)
+            )
         );
       } catch (error) {
         getState().log(
@@ -1184,9 +1231,20 @@ router.get(
     const update_permitted =
       db.getTenantSchema() === db.connectObj.default_schema &&
       plugin_db.source === "npm";
-    const latest =
+
+    let latest =
       update_permitted &&
       (await get_latest_npm_version(plugin_db.location, 1000));
+    if (
+      latest &&
+      !isVersionSupported(latest, await load_plugins.getEngineInfos(plugin_db)) // with cache
+    ) {
+      // with force fetch
+      latest = supportedVersion(
+        latest,
+        await load_plugins.getEngineInfos(plugin_db, true)
+      );
+    }
     const can_update = update_permitted && latest && mod.version !== latest;
     const can_select_version = update_permitted && plugin_db.source === "npm";
     let pkgjson;
@@ -1332,8 +1390,8 @@ router.get(
   error_catcher(async (req, res) => {
     const schema = db.getTenantSchema();
     if (schema === db.connectObj.default_schema) {
-      await upgrade_all_tenants_plugins((p, f) =>
-        load_plugins.loadPlugin(p, f)
+      await upgrade_all_tenants_plugins((p, f, forceFetch) =>
+        load_plugins.loadPlugin(p, f, forceFetch)
       );
       req.flash(
         "success",
@@ -1344,7 +1402,9 @@ router.get(
     } else {
       const installed_plugins = await Plugin.find({});
       for (const plugin of installed_plugins) {
-        await plugin.upgrade_version((p, f) => load_plugins.loadPlugin(p, f));
+        await plugin.upgrade_version((p, f, forceFetch) =>
+          load_plugins.loadPlugin(p, f, forceFetch)
+        );
       }
       req.flash("success", req.__(`Modules up-to-date`));
       await restart_tenant(loadAllPlugins);
@@ -1370,16 +1430,11 @@ router.get(
     const { name } = req.params;
 
     const plugin = await Plugin.findOne({ name });
-    const pkgInfo = await npmFetch.json(
-      `https://registry.npmjs.org/${plugin.location}`
-    );
+    const versions = await load_plugins.getEngineInfos(plugin, true);
+
     await plugin.upgrade_version(
       (p, f) => load_plugins.loadPlugin(p, f),
-      supportedVersion(
-        "latest",
-        pkgInfo.versions,
-        require("../package.json").version
-      )
+      supportedVersion("latest", versions, require("../package.json").version)
     );
     req.flash("success", req.__(`Module up-to-date`));
 

package/routes/tables.js

@@ -670,7 +670,10 @@ router.get(
  * @param {string} lbl
  * @returns {string}
  */
-const badge = (col, lbl) => `<span class="badge bg-${col}">${lbl}</span>&nbsp;`;
+const badge = (col, lbl, title) =>
+  `<span ${
+    title ? `title="${title}" ` : ""
+  }class="badge bg-${col}">${lbl}</span>&nbsp;`;
 
 /**
  * @param {object} f
@@ -708,8 +711,11 @@ const attribBadges = (f) => {
         ].includes(k)
       )
         return;
-      if(Array.isArray(v) && !v.length) return;
-      if (v || v === 0) s += badge("secondary", k);
+      if (Array.isArray(v) && !v.length) return;
+      const title = ["string", "number", "boolean"].includes(typeof v)
+        ? `${v}`
+        : null;
+      if (v || v === 0) s += badge("secondary", k, title);
     });
   }
   return s;

package/serve.js

@@ -27,7 +27,7 @@ const {
   loadAndSaveNewPlugin,
   loadPlugin,
 } = require("./load_plugins");
-const { getConfig } = require("@saltcorn/data/models/config");
+const { getConfig, setConfig } = require("@saltcorn/data/models/config");
 const { migrate } = require("@saltcorn/data/migrate");
 const socketio = require("socket.io");
 const { createAdapter, setupPrimary } = require("@socket.io/cluster-adapter");
@@ -77,6 +77,17 @@ const ensureJwtSecret = () => {
   }
 };
 
+/**
+ * Ensure the engines cache is up to date with the current sc version
+ */
+const ensureEnginesCache = async () => {
+  const cacheScVersion = await getConfig("engines_cache_sc_version", "");
+  if (!cacheScVersion || cacheScVersion !== getState().scVersion) {
+    await setConfig("engines_cache", {});
+    await setConfig("engines_cache_sc_version", getState().scVersion);
+  }
+};
+
 // helpful https://gist.github.com/jpoehls/2232358
 /**
  * @param {object} opts
@@ -222,7 +233,10 @@ module.exports =
     dev,
     ...appargs
   } = {}) => {
-    ensureJwtSecret();
+    if (cluster.isMaster) {
+      ensureJwtSecret();
+      await ensureEnginesCache();
+    }
     process.on("unhandledRejection", (reason, p) => {
       console.error(reason, "Unhandled Rejection at Promise");
     });