npm - step-node-agent - Versions diffs - 3.24.4 → 3.24.5 - Mend

step-node-agent 3.24.4 → 3.24.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/node_modules/cookie/HISTORY.md +10 -5
package/node_modules/cookie/README.md +63 -48
package/node_modules/cookie/index.js +5 -1
package/node_modules/cookie/package.json +5 -5
package/node_modules/express/History.md +19 -1
package/node_modules/express/lib/response.js +12 -3
package/node_modules/express/package.json +2 -2
package/package.json +1 -1

package/node_modules/cookie/HISTORY.md CHANGED Viewed

@@ -1,16 +1,21 @@
+0.6.0 / 2023-11-06
+==================
+  * Add `partitioned` option
 0.5.0 / 2022-04-11
 ==================
   * Add `priority` option
   * Fix `expires` option to reject invalid dates
-  * pref: improve default decode speed
-  * pref: remove slow string split in parse
+  * perf: improve default decode speed
+  * perf: remove slow string split in parse
 0.4.2 / 2022-02-02
 ==================
-  * pref: read value only when assigning in parse
-  * pref: remove unnecessary regexp in parse
+  * perf: read value only when assigning in parse
+  * perf: remove unnecessary regexp in parse
 0.4.1 / 2020-04-21
 ==================
@@ -41,7 +46,7 @@
   * perf: enable strict mode
   * perf: use for loop in parse
-  * perf: use string concatination for serialization
+  * perf: use string concatenation for serialization
 0.2.3 / 2015-10-25
 ==================

package/node_modules/cookie/README.md CHANGED Viewed

@@ -2,9 +2,9 @@
 [![NPM Version][npm-version-image]][npm-url]
 [![NPM Downloads][npm-downloads-image]][npm-url]
-[![Node.js Version][node-version-image]][node-version-url]
-[![Build Status][github-actions-ci-image]][github-actions-ci-url]
-[![Test Coverage][coveralls-image]][coveralls-url]
+[![Node.js Version][node-image]][node-url]
+[![Build Status][ci-image]][ci-url]
+[![Coverage Status][coveralls-image]][coveralls-url]
 Basic HTTP cookie parser and serializer for HTTP servers.
@@ -107,6 +107,17 @@ The given number will be converted to an integer by rounding down. By default, n
 `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
 so if both are set, they should point to the same date and time.
+##### partitioned
+Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](rfc-cutler-httpbis-partitioned-cookies)
+attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
+`Partitioned` attribute is not set.
+**note** This is an attribute that has not yet been fully standardized, and may change in the future.
+This also means many clients may ignore this attribute until they understand it.
+More information about can be found in [the proposal](https://github.com/privacycg/CHIPS).
 ##### path
 Specifies the value for the [`Path` `Set-Cookie` attribute][rfc-6265-5.2.4]. By default, the path
@@ -212,49 +223,52 @@ $ npm test
 ```
 $ npm run bench
-> cookie@0.4.2 bench
+> cookie@0.5.0 bench
 > node benchmark/index.js
-  node@16.14.0
-  v8@9.4.146.24-node.20
-  uv@1.43.0
-  zlib@1.2.11
+  node@18.18.2
+  acorn@8.10.0
+  ada@2.6.0
+  ares@1.19.1
   brotli@1.0.9
-  ares@1.18.1
-  modules@93
-  nghttp2@1.45.1
-  napi@8
-  llhttp@6.0.4
-  openssl@1.1.1m+quic
-  cldr@40.0
-  icu@70.1
-  tz@2021a3
-  unicode@14.0
-  ngtcp2@0.1.0-DEV
-  nghttp3@0.1.0-DEV
+  cldr@43.1
+  icu@73.2
+  llhttp@6.0.11
+  modules@108
+  napi@9
+  nghttp2@1.57.0
+  nghttp3@0.7.0
+  ngtcp2@0.8.1
+  openssl@3.0.10+quic
+  simdutf@3.2.14
+  tz@2023c
+  undici@5.26.3
+  unicode@15.0
+  uv@1.44.2
+  uvwasi@0.0.18
+  v8@10.2.154.26-node.26
+  zlib@1.2.13.1-motley
 > node benchmark/parse-top.js
   cookie.parse - top sites
-  15 tests completed.
-  parse accounts.google.com x 2,421,245 ops/sec ±0.80% (188 runs sampled)
-  parse apple.com           x 2,684,710 ops/sec ±0.59% (189 runs sampled)
-  parse cloudflare.com      x 2,231,418 ops/sec ±0.76% (186 runs sampled)
-  parse docs.google.com     x 2,316,357 ops/sec ±1.28% (187 runs sampled)
-  parse drive.google.com    x 2,363,543 ops/sec ±0.49% (189 runs sampled)
-  parse en.wikipedia.org    x   839,414 ops/sec ±0.53% (189 runs sampled)
-  parse linkedin.com        x   553,797 ops/sec ±0.63% (190 runs sampled)
-  parse maps.google.com     x 1,314,779 ops/sec ±0.72% (189 runs sampled)
-  parse microsoft.com       x   153,783 ops/sec ±0.53% (190 runs sampled)
-  parse play.google.com     x 2,249,574 ops/sec ±0.59% (187 runs sampled)
-  parse plus.google.com     x 2,258,682 ops/sec ±0.60% (188 runs sampled)
-  parse sites.google.com    x 2,247,069 ops/sec ±0.68% (189 runs sampled)
-  parse support.google.com  x 1,456,840 ops/sec ±0.70% (187 runs sampled)
-  parse www.google.com      x 1,046,028 ops/sec ±0.58% (188 runs sampled)
-  parse youtu.be            x   937,428 ops/sec ±1.47% (190 runs sampled)
-  parse youtube.com         x   963,878 ops/sec ±0.59% (190 runs sampled)
+  14 tests completed.
+  parse accounts.google.com x 2,588,913 ops/sec ±0.74% (186 runs sampled)
+  parse apple.com           x 2,370,002 ops/sec ±0.69% (186 runs sampled)
+  parse cloudflare.com      x 2,213,102 ops/sec ±0.88% (188 runs sampled)
+  parse docs.google.com     x 2,194,157 ops/sec ±1.03% (184 runs sampled)
+  parse drive.google.com    x 2,265,084 ops/sec ±0.79% (187 runs sampled)
+  parse en.wikipedia.org    x   457,099 ops/sec ±0.81% (186 runs sampled)
+  parse linkedin.com        x   504,407 ops/sec ±0.89% (186 runs sampled)
+  parse maps.google.com     x 1,230,959 ops/sec ±0.98% (186 runs sampled)
+  parse microsoft.com       x   926,294 ops/sec ±0.88% (184 runs sampled)
+  parse play.google.com     x 2,311,338 ops/sec ±0.83% (185 runs sampled)
+  parse support.google.com  x 1,508,850 ops/sec ±0.86% (186 runs sampled)
+  parse www.google.com      x 1,022,582 ops/sec ±1.32% (182 runs sampled)
+  parse youtu.be            x   332,136 ops/sec ±1.02% (185 runs sampled)
+  parse youtube.com         x   323,833 ops/sec ±0.77% (183 runs sampled)
 > node benchmark/parse.js
@@ -262,12 +276,12 @@ $ npm run bench
   6 tests completed.
-  simple      x 2,745,604 ops/sec ±0.77% (185 runs sampled)
-  decode      x   557,287 ops/sec ±0.60% (188 runs sampled)
-  unquote     x 2,498,475 ops/sec ±0.55% (189 runs sampled)
-  duplicates  x   868,591 ops/sec ±0.89% (187 runs sampled)
-  10 cookies  x   306,745 ops/sec ±0.49% (190 runs sampled)
-  100 cookies x    22,414 ops/sec ±2.38% (182 runs sampled)
+  simple      x 3,214,032 ops/sec ±1.61% (183 runs sampled)
+  decode      x   587,237 ops/sec ±1.16% (187 runs sampled)
+  unquote     x 2,954,618 ops/sec ±1.35% (183 runs sampled)
+  duplicates  x   857,008 ops/sec ±0.89% (187 runs sampled)
+  10 cookies  x   292,133 ops/sec ±0.89% (187 runs sampled)
+  100 cookies x    22,610 ops/sec ±0.68% (187 runs sampled)
 ```
 ## References
@@ -275,6 +289,7 @@ $ npm run bench
 - [RFC 6265: HTTP State Management Mechanism][rfc-6265]
 - [Same-site Cookies][rfc-6265bis-09-5.4.7]
+[rfc-cutler-httpbis-partitioned-cookies]: https://tools.ietf.org/html/draft-cutler-httpbis-partitioned-cookies/
 [rfc-west-cookie-priority-00-4.1]: https://tools.ietf.org/html/draft-west-cookie-priority-00#section-4.1
 [rfc-6265bis-09-5.4.7]: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7
 [rfc-6265]: https://tools.ietf.org/html/rfc6265
@@ -291,12 +306,12 @@ $ npm run bench
 [MIT](LICENSE)
+[ci-image]: https://badgen.net/github/checks/jshttp/cookie/master?label=ci
+[ci-url]: https://github.com/jshttp/cookie/actions/workflows/ci.yml
 [coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/cookie/master
 [coveralls-url]: https://coveralls.io/r/jshttp/cookie?branch=master
-[github-actions-ci-image]: https://img.shields.io/github/workflow/status/jshttp/cookie/ci/master?label=ci
-[github-actions-ci-url]: https://github.com/jshttp/cookie/actions/workflows/ci.yml
-[node-version-image]: https://badgen.net/npm/node/cookie
-[node-version-url]: https://nodejs.org/en/download
+[node-image]: https://badgen.net/npm/node/cookie
+[node-url]: https://nodejs.org/en/download
 [npm-downloads-image]: https://badgen.net/npm/dm/cookie
 [npm-url]: https://npmjs.org/package/cookie
 [npm-version-image]: https://badgen.net/npm/v/cookie

package/node_modules/cookie/index.js CHANGED Viewed

@@ -172,6 +172,10 @@ function serialize(name, val, options) {
     str += '; Secure';
   }
+  if (opt.partitioned) {
+    str += '; Partitioned'
+  }
   if (opt.priority) {
     var priority = typeof opt.priority === 'string'
       ? opt.priority.toLowerCase()
@@ -233,7 +237,7 @@ function decode (str) {
 /**
  * URL-encode value.
  *
- * @param {string} str
+ * @param {string} val
  * @returns {string}
  */

package/node_modules/cookie/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "cookie",
   "description": "HTTP server cookie parsing and serialization",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "author": "Roman Shtylman <shtylman@gmail.com>",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>"
@@ -15,12 +15,12 @@
   "devDependencies": {
     "beautify-benchmark": "0.2.4",
     "benchmark": "2.1.4",
-    "eslint": "7.32.0",
-    "eslint-plugin-markdown": "2.2.1",
-    "mocha": "9.2.2",
+    "eslint": "8.53.0",
+    "eslint-plugin-markdown": "3.0.1",
+    "mocha": "10.2.0",
     "nyc": "15.1.0",
     "safe-buffer": "5.2.1",
-    "top-sites": "1.1.97"
+    "top-sites": "1.1.194"
   },
   "files": [
     "HISTORY.md",

package/node_modules/express/History.md CHANGED Viewed

@@ -1,4 +1,20 @@
-4.18.3 / 2024-02-26
+4.19.2 / 2024-03-25
+==========
+  * Improved fix for open redirect allow list bypass
+4.19.1 / 2024-03-20
+==========
+  * Allow passing non-strings to res.location with new encoding handling checks
+4.19.0 / 2024-03-20
+==========
+  * Prevent open redirect allow list bypass due to encodeurl
+  * deps: cookie@0.6.0
+4.18.3 / 2024-02-29
 ==========
   * Fix routing requests without method
@@ -6,6 +22,8 @@
     - Fix strict json error message on Node.js 19+
     - deps: content-type@~1.0.5
     - deps: raw-body@2.5.2
+  * deps: cookie@0.6.0
+    - Add `partitioned` option
 4.18.2 / 2022-10-08
 ===================

package/node_modules/express/lib/response.js CHANGED Viewed

@@ -55,6 +55,7 @@ module.exports = res
  */
 var charsetRegExp = /;\s*charset\s*=/;
+var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;
 /**
  * Set status `code`.
@@ -904,15 +905,23 @@ res.cookie = function (name, value, options) {
  */
 res.location = function location(url) {
-  var loc = url;
+  var loc;
   // "back" is an alias for the referrer
   if (url === 'back') {
     loc = this.req.get('Referrer') || '/';
+  } else {
+    loc = String(url);
   }
-  // set location
-  return this.set('Location', encodeUrl(loc));
+  var m = schemaAndHostRegExp.exec(loc);
+  var pos = m ? m[0].length + 1 : 0;
+  // Only encode after host to avoid invalid encoding which can introduce
+  // vulnerabilities (e.g. `\\` to `%5C`).
+  loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));
+  return this.set('Location', loc);
 };
 /**

package/node_modules/express/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.18.3",
+  "version": "4.19.2",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -33,7 +33,7 @@
     "body-parser": "1.20.2",
     "content-disposition": "0.5.4",
     "content-type": "~1.0.4",
-    "cookie": "0.5.0",
+    "cookie": "0.6.0",
     "cookie-signature": "1.0.6",
     "debug": "2.6.9",
     "depd": "2.0.0",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "step-node-agent",
-  "version": "3.24.4",
+  "version": "3.24.5",
   "description": "The official STEP Agent implementation for Node.js",
   "main": "index.js",
   "scripts": {