step-node-agent 3.28.4 → 3.29.1

package/node_modules/raw-body/package.json

@@ -1,7 +1,7 @@
 {
   "name": "raw-body",
   "description": "Get and validate the raw body of a readable stream.",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "author": "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>",
@@ -10,10 +10,10 @@
   "license": "MIT",
   "repository": "stream-utils/raw-body",
   "dependencies": {
-    "bytes": "3.1.2",
-    "http-errors": "2.0.0",
-    "iconv-lite": "0.4.24",
-    "unpipe": "1.0.0"
+    "bytes": "~3.1.2",
+    "http-errors": "~2.0.1",
+    "iconv-lite": "~0.4.24",
+    "unpipe": "~1.0.0"
   },
   "devDependencies": {
     "bluebird": "3.7.2",
@@ -33,10 +33,8 @@
     "node": ">= 0.8"
   },
   "files": [
-    "HISTORY.md",
     "LICENSE",
     "README.md",
-    "SECURITY.md",
     "index.d.ts",
     "index.js"
   ],

package/node_modules/resolve/.eslintrc

@@ -14,7 +14,7 @@
         "func-style": 0,
         "global-require": 1,
         "id-length": [2, { "min": 1, "max": 40 }],
-        "max-lines": [2, 350],
+        "max-lines": [2, 360],
         "max-lines-per-function": 0,
         "max-nested-callbacks": 0,
         "max-params": 0,

package/node_modules/resolve/.github/INCIDENT_RESPONSE_PROCESS.md

@@ -0,0 +1,119 @@
+# Incident Response Process for **resolve**
+
+## Reporting a Vulnerability
+
+We take the security of **resolve** very seriously. If you believe you’ve found a security vulnerability, please inform us responsibly through coordinated disclosure.
+
+### How to Report
+
+> **Do not** report security vulnerabilities through public GitHub issues, discussions, or social media.
+
+Instead, please use one of these secure channels:
+
+1. **GitHub Security Advisories**
+   Use the **Report a vulnerability** button in the Security tab of the [browserify/resolve repository](https://github.com/browserify/resolve).
+
+2. **Email**
+   Follow the posted [Security Policy](https://github.com/browserify/resolve/security/policy).
+
+### What to Include
+
+**Required Information:**
+- Brief description of the vulnerability type
+- Affected version(s) and components
+- Steps to reproduce the issue
+- Impact assessment (what an attacker could achieve)
+- Confirm the issue is not present in test files (in other words, only via the official entry points in `exports`)
+
+**Helpful Additional Details:**
+- Full paths of affected source files
+- Specific commit or branch where the issue exists
+- Required configuration to reproduce
+- Proof-of-concept code (if available)
+- Suggested mitigation or fix
+
+## Our Response Process
+
+**Timeline Commitments:**
+- **Initial acknowledgment**: Within 24 hours
+- **Detailed response**: Within 3 business days
+- **Status updates**: Every 7 days until resolved
+- **Resolution target**: 90 days for most issues
+
+**What We’ll Do:**
+1. Acknowledge your report and assign a tracking ID
+2. Assess the vulnerability and determine severity
+3. Develop and test a fix
+4. Coordinate disclosure timeline with you
+5. Release a security update and publish an advisory and CVE
+6. Credit you in our security advisory (if desired)
+
+## Disclosure Policy
+
+- **Coordinated disclosure**: We’ll work with you on timing
+- **Typical timeline**: 90 days from report to public disclosure
+- **Early disclosure**: If actively exploited
+- **Delayed disclosure**: For complex issues
+
+## Scope
+
+**In Scope:**
+- **resolve** package (all supported versions)
+- Official examples and documentation
+- Core resolution APIs
+- Dependencies with direct security implications
+
+**Out of Scope:**
+- Third-party wrappers or extensions
+- Bundler-specific integrations
+- Social engineering or physical attacks
+- Theoretical vulnerabilities without practical exploitation
+- Issues in non-production files
+
+## Security Measures
+
+**Our Commitments:**
+- Regular vulnerability scanning via `npm audit`
+- Automated security checks in CI/CD (GitHub Actions)
+- Secure coding practices and mandatory code review
+- Prompt patch releases for critical issues
+
+**User Responsibilities:**
+- Keep **resolve** updated
+- Monitor dependency vulnerabilities
+- Follow secure configuration guidelines for module resolution
+
+## Legal Safe Harbor
+
+**We will NOT:**
+- Initiate legal action
+- Contact law enforcement
+- Suspend or terminate your access
+
+**You must:**
+- Only test against your own installations
+- Not access, modify, or delete user data
+- Not degrade service availability
+- Not publicly disclose before coordinated disclosure
+- Act in good faith
+
+## Recognition
+
+- **Advisory Credits**: Credit in GitHub Security Advisories (unless anonymous)
+
+## Security Updates
+
+**Stay Informed:**
+- Subscribe to npm updates for **resolve**
+- Enable GitHub Security Advisory notifications
+
+**Update Process:**
+- Patch releases (e.g., 1.22.10 → 1.22.11)
+- Out-of-band releases for critical issues
+- Advisories via GitHub Security Advisories
+
+## Contact Information
+
+- **Security reports**: Security tab of [browserify/resolve](https://github.com/browserify/resolve/security)
+- **General inquiries**: GitHub Discussions or Issues
+

package/node_modules/resolve/.github/THREAT_MODEL.md

@@ -0,0 +1,74 @@
+## Threat Model for resolve (module path resolution library)
+
+### 1. Library Overview
+
+- **Library Name:** resolve
+- **Brief Description:** Implements Node.js `require.resolve()` algorithm for synchronous and asynchronous file path resolution. Used to locate modules and files in Node.js projects.
+- **Key Public APIs/Functions:** `resolve.sync()` / `resolve/sync`, `resolve()` / `resolve/async`
+
+### 2. Define Scope
+
+This threat model focuses on the core path resolution algorithm, including filesystem interaction, option handling, and cache management.
+
+### 3. Conceptual System Diagram
+
+```
+Caller Application → resolve(id, options) → Resolution Algorithm → File System
+                           │
+                           └→ Options Handling
+                           └→ Cache System
+```
+
+**Trust Boundaries:**
+- **Input module IDs:** May come from untrusted sources (user input, configuration)
+- **Filesystem access:** The library interacts with the filesystem to resolve paths
+- **Options:** Provided by the caller
+- **Cache:** Used to improve performance, but could be a vector for tampering or information disclosure if not handled securely
+
+### 4. Identify Assets
+
+- **Integrity of resolution output:** Ensure correct and safe file path matching.
+- **Confidentiality of configuration:** Prevent sensitive path information from being leaked.
+- **Availability/performance for host application:** Prevent crashes or resource exhaustion.
+- **Security of host application:** Prevent path traversal or unintended filesystem access.
+- **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1][3][4].
+
+### 5. Identify Threats
+
+| Component / API / Interaction                       | S  | T  | R  | I  | D  | E  |
+|-----------------------------------------------------|----|----|----|----|----|----|
+| Public API Call (`resolve/async`, `resolve/sync`)   | ✓  | ✓  | –  | ✓  | –  | –  |
+| Filesystem Access                                   | –  | ✓  | –  | ✓  | ✓  | –  |
+| Options Handling                                    | ✓  | ✓  | –  | ✓  | –  | –  |
+| Cache System                                        | –  | ✓  | –  | ✓  | –  | –  |
+
+**Key Threats:**
+- **Spoofing:** Malicious module IDs mimicking legitimate packages, or spoofing configuration options[1].
+- **Tampering:** Caller-provided paths altering resolution order, or cache tampering leading to incorrect results[1][4].
+- **Information Disclosure:** Error messages revealing filesystem structure or sensitive paths[1].
+- **Denial of Service:** Recursive or excessive resolution exhausting filesystem handles or causing application crashes[1].
+- **Path Traversal:** Malicious input allowing access to files outside the intended directory[4].
+
+### 6. Mitigation/Countermeasures
+
+| Threat Identified                          | Proposed Mitigation |
+|--------------------------------------------|---------------------|
+| Spoofing (malicious module IDs/config)     | Sanitize input IDs; validate against known patterns; restrict `basedir` to app-controlled paths[1][4]. |
+| Tampering (path traversal, cache)          | Validate input IDs for directory escapes; secure cache reads/writes; restrict cache to trusted sources[1][4]. |
+| Information Disclosure (error messages)    | Generic "not found" errors without internal paths; avoid exposing sensitive configuration in errors[1]. |
+| Denial of Service (resource exhaustion)    | Limit recursive resolution depth; implement timeout; monitor for excessive filesystem operations[1]. |
+
+### 7. Risk Ranking
+
+- **High:** Path traversal via malicious IDs (if not properly mitigated)
+- **Medium:** Cache tampering or spoofing (if cache is not secured)
+- **Low:** Information disclosure in errors (if error handling is generic)
+
+### 8. Next Steps & Review
+
+1. **Implement input sanitization for module IDs and configuration.**
+2. **Add resolution depth limiting and timeout.**
+3. **Audit cache handling for race conditions and tampering.**
+4. **Regularly review dependencies for vulnerabilities.**
+5. **Keep documentation and threat model up to date.**
+6. **Monitor for new threats as the ecosystem and library evolve[1][3].**

package/node_modules/resolve/SECURITY.md

@@ -1,3 +1,11 @@
 # Security
 
-Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
+Please file a private vulnerability via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
+
+## Incident Response
+
+See our [Incident Response Process](.github/INCIDENT_RESPONSE_PROCESS.md).
+
+## Threat Model
+
+See [THREAT_MODEL.md](./THREAT_MODEL.md).

package/node_modules/resolve/lib/async.js

@@ -8,6 +8,10 @@ var isCore = require('is-core-module');
 
 var realpathFS = process.platform !== 'win32' && fs.realpath && typeof fs.realpath.native === 'function' ? fs.realpath.native : fs.realpath;
 
+var relativePathRegex = /^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/;
+var windowsDriveRegex = /^\w:[/\\]*$/;
+var nodeModulesRegex = /[/\\]node_modules[/\\]*$/;
+
 var homedir = getHomedir();
 var defaultPaths = function () {
     return [
@@ -124,10 +128,10 @@ module.exports = function resolve(x, options, callback) {
 
     var res;
     function init(basedir) {
-        if ((/^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/).test(x)) {
+        if (relativePathRegex.test(x)) {
             res = path.resolve(basedir, x);
             if (x === '.' || x === '..' || x.slice(-1) === '/') res += '/';
-            if ((/\/$/).test(x) && res === basedir) {
+            if (x.slice(-1) === '/' && res === basedir) {
                 loadAsDirectory(res, opts.package, onfile);
             } else loadAsFile(res, opts.package, onfile);
         } else if (includeCoreModules && isCore(x)) {
@@ -215,10 +219,10 @@ module.exports = function resolve(x, options, callback) {
 
     function loadpkg(dir, cb) {
         if (dir === '' || dir === '/') return cb(null);
-        if (process.platform === 'win32' && (/^\w:[/\\]*$/).test(dir)) {
+        if (process.platform === 'win32' && windowsDriveRegex.test(dir)) {
             return cb(null);
         }
-        if ((/[/\\]node_modules[/\\]*$/).test(dir)) return cb(null);
+        if (nodeModulesRegex.test(dir)) return cb(null);
 
         maybeRealpath(realpath, dir, opts, function (unwrapErr, pkgdir) {
             if (unwrapErr) return loadpkg(path.dirname(dir), cb);

package/node_modules/resolve/lib/core.json

@@ -91,7 +91,7 @@
 	"node:repl": [">= 14.18 && < 15", ">= 16"],
 	"node:sea": [">= 20.12 && < 21", ">= 21.7"],
 	"smalloc": ">= 0.11.5 && < 3",
-	"node:sqlite": ">= 23.4",
+	"node:sqlite": [">= 22.13 && < 23", ">= 23.4"],
 	"_stream_duplex": ">= 0.9.4",
 	"node:_stream_duplex": [">= 14.18 && < 15", ">= 16"],
 	"_stream_transform": ">= 0.9.4",

package/node_modules/resolve/lib/node-modules-paths.js

@@ -1,11 +1,14 @@
 var path = require('path');
 var parse = path.parse || require('path-parse'); // eslint-disable-line global-require
 
+var driveLetterRegex = /^([A-Za-z]:)/;
+var uncPathRegex = /^\\\\/;
+
 var getNodeModulesDirs = function getNodeModulesDirs(absoluteStart, modules) {
     var prefix = '/';
-    if ((/^([A-Za-z]:)/).test(absoluteStart)) {
+    if (driveLetterRegex.test(absoluteStart)) {
         prefix = '';
-    } else if ((/^\\\\/).test(absoluteStart)) {
+    } else if (uncPathRegex.test(absoluteStart)) {
         prefix = '\\\\';
     }
 

package/node_modules/resolve/lib/sync.js

@@ -8,6 +8,10 @@ var normalizeOptions = require('./normalize-options');
 
 var realpathFS = process.platform !== 'win32' && fs.realpathSync && typeof fs.realpathSync.native === 'function' ? fs.realpathSync.native : fs.realpathSync;
 
+var relativePathRegex = /^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/;
+var windowsDriveRegex = /^\w:[/\\]*$/;
+var nodeModulesRegex = /[/\\]node_modules[/\\]*$/;
+
 var homedir = getHomedir();
 var defaultPaths = function () {
     return [
@@ -96,7 +100,7 @@ module.exports = function resolveSync(x, options) {
     // ensure that `basedir` is an absolute path at this point, resolving against the process' current working directory
     var absoluteStart = maybeRealpathSync(realpathSync, path.resolve(basedir), opts);
 
-    if ((/^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/).test(x)) {
+    if (relativePathRegex.test(x)) {
         var res = path.resolve(absoluteStart, x);
         if (x === '.' || x === '..' || x.slice(-1) === '/') res += '/';
         var m = loadAsFileSync(res) || loadAsDirectorySync(res);
@@ -137,10 +141,10 @@ module.exports = function resolveSync(x, options) {
 
     function loadpkg(dir) {
         if (dir === '' || dir === '/') return;
-        if (process.platform === 'win32' && (/^\w:[/\\]*$/).test(dir)) {
+        if (process.platform === 'win32' && windowsDriveRegex.test(dir)) {
             return;
         }
-        if ((/[/\\]node_modules[/\\]*$/).test(dir)) return;
+        if (nodeModulesRegex.test(dir)) return;
 
         var pkgfile = path.join(maybeRealpathSync(realpathSync, dir, opts), 'package.json');
 

package/node_modules/resolve/package.json

@@ -1,10 +1,10 @@
 {
 	"name": "resolve",
 	"description": "resolve like require.resolve() on behalf of files asynchronously and synchronously",
-	"version": "1.22.10",
+	"version": "1.22.11",
 	"repository": {
 		"type": "git",
-		"url": "git://github.com/browserify/resolve.git"
+		"url": "ssh://github.com/browserify/resolve.git"
 	},
 	"bin": {
 		"resolve": "./bin/resolve"
@@ -30,8 +30,8 @@
 		"test:multirepo": "cd ./test/resolver/multirepo && npm install && npm test"
 	},
 	"devDependencies": {
-		"@ljharb/eslint-config": "^21.1.1",
-		"array.prototype.map": "^1.0.7",
+		"@ljharb/eslint-config": "^21.2.0",
+		"array.prototype.map": "^1.0.8",
 		"copy-dir": "^1.3.0",
 		"eclint": "^2.8.1",
 		"eslint": "=8.8.0",
@@ -57,7 +57,7 @@
 		"url": "https://github.com/sponsors/ljharb"
 	},
 	"dependencies": {
-		"is-core-module": "^2.16.0",
+		"is-core-module": "^2.16.1",
 		"path-parse": "^1.0.7",
 		"supports-preserve-symlinks-flag": "^1.0.0"
 	},

package/node_modules/send/HISTORY.md

@@ -1,3 +1,8 @@
+0.19.1 / 2024-10-09
+===================
+
+* deps: encodeurl@~2.0.0
+
 0.19.0 / 2024-09-10
 ===================
 
@@ -485,37 +490,37 @@
 
  * update range-parser and fresh
 
-0.1.4 / 2013-08-11 
+0.1.4 / 2013-08-11
 ==================
 
  * update fresh
 
-0.1.3 / 2013-07-08 
+0.1.3 / 2013-07-08
 ==================
 
  * Revert "Fix fd leak"
 
-0.1.2 / 2013-07-03 
+0.1.2 / 2013-07-03
 ==================
 
  * Fix fd leak
 
-0.1.0 / 2012-08-25 
+0.1.0 / 2012-08-25
 ==================
 
   * add options parameter to send() that is passed to fs.createReadStream() [kanongil]
 
-0.0.4 / 2012-08-16 
+0.0.4 / 2012-08-16
 ==================
 
   * allow custom "Accept-Ranges" definition
 
-0.0.3 / 2012-07-16 
+0.0.3 / 2012-07-16
 ==================
 
   * fix normalization of the root directory. Closes #3
 
-0.0.2 / 2012-07-09 
+0.0.2 / 2012-07-09
 ==================
 
   * add passing of req explicitly for now (YUCK)

package/node_modules/send/node_modules/http-errors/HISTORY.md

@@ -0,0 +1,180 @@
+2.0.0 / 2021-12-17
+==================
+
+  * Drop support for Node.js 0.6
+  * Remove `I'mateapot` export; use `ImATeapot` instead
+  * Remove support for status being non-first argument
+  * Rename `UnorderedCollection` constructor to `TooEarly`
+  * deps: depd@2.0.0
+    - Replace internal `eval` usage with `Function` constructor
+    - Use instance methods on `process` to check for listeners
+  * deps: statuses@2.0.1
+    - Fix messaging casing of `418 I'm a Teapot`
+    - Remove code 306
+    - Rename `425 Unordered Collection` to standard `425 Too Early`
+
+2021-11-14 / 1.8.1
+==================
+
+  * deps: toidentifier@1.0.1
+
+2020-06-29 / 1.8.0
+==================
+
+  * Add `isHttpError` export to determine if value is an HTTP error
+  * deps: setprototypeof@1.2.0
+
+2019-06-24 / 1.7.3
+==================
+
+  * deps: inherits@2.0.4
+
+2019-02-18 / 1.7.2
+==================
+
+  * deps: setprototypeof@1.1.1
+
+2018-09-08 / 1.7.1
+==================
+
+  * Fix error creating objects in some environments
+
+2018-07-30 / 1.7.0
+==================
+
+  * Set constructor name when possible
+  * Use `toidentifier` module to make class names
+  * deps: statuses@'>= 1.5.0 < 2'
+
+2018-03-29 / 1.6.3
+==================
+
+  * deps: depd@~1.1.2
+    - perf: remove argument reassignment
+  * deps: setprototypeof@1.1.0
+  * deps: statuses@'>= 1.4.0 < 2'
+
+2017-08-04 / 1.6.2
+==================
+
+  * deps: depd@1.1.1
+    - Remove unnecessary `Buffer` loading
+
+2017-02-20 / 1.6.1
+==================
+
+  * deps: setprototypeof@1.0.3
+    - Fix shim for old browsers
+
+2017-02-14 / 1.6.0
+==================
+
+  * Accept custom 4xx and 5xx status codes in factory
+  * Add deprecation message to `"I'mateapot"` export
+  * Deprecate passing status code as anything except first argument in factory
+  * Deprecate using non-error status codes
+  * Make `message` property enumerable for `HttpError`s
+
+2016-11-16 / 1.5.1
+==================
+
+  * deps: inherits@2.0.3
+    - Fix issue loading in browser
+  * deps: setprototypeof@1.0.2
+  * deps: statuses@'>= 1.3.1 < 2'
+
+2016-05-18 / 1.5.0
+==================
+
+  * Support new code `421 Misdirected Request`
+  * Use `setprototypeof` module to replace `__proto__` setting
+  * deps: statuses@'>= 1.3.0 < 2'
+    - Add `421 Misdirected Request`
+    - perf: enable strict mode
+  * perf: enable strict mode
+
+2016-01-28 / 1.4.0
+==================
+
+  * Add `HttpError` export, for `err instanceof createError.HttpError`
+  * deps: inherits@2.0.1
+  * deps: statuses@'>= 1.2.1 < 2'
+    - Fix message for status 451
+    - Remove incorrect nginx status code
+
+2015-02-02 / 1.3.1
+==================
+
+  * Fix regression where status can be overwritten in `createError` `props`
+
+2015-02-01 / 1.3.0
+==================
+
+  * Construct errors using defined constructors from `createError`
+  * Fix error names that are not identifiers
+    - `createError["I'mateapot"]` is now `createError.ImATeapot`
+  * Set a meaningful `name` property on constructed errors
+
+2014-12-09 / 1.2.8
+==================
+
+  * Fix stack trace from exported function
+  * Remove `arguments.callee` usage
+
+2014-10-14 / 1.2.7
+==================
+
+  * Remove duplicate line
+
+2014-10-02 / 1.2.6
+==================
+
+  * Fix `expose` to be `true` for `ClientError` constructor
+
+2014-09-28 / 1.2.5
+==================
+
+  * deps: statuses@1
+
+2014-09-21 / 1.2.4
+==================
+
+  * Fix dependency version to work with old `npm`s
+
+2014-09-21 / 1.2.3
+==================
+
+  * deps: statuses@~1.1.0
+
+2014-09-21 / 1.2.2
+==================
+
+  * Fix publish error
+
+2014-09-21 / 1.2.1
+==================
+
+  * Support Node.js 0.6
+  * Use `inherits` instead of `util`
+
+2014-09-09 / 1.2.0
+==================
+
+  * Fix the way inheriting functions
+  * Support `expose` being provided in properties argument
+
+2014-09-08 / 1.1.0
+==================
+
+  * Default status to 500
+  * Support provided `error` to extend
+
+2014-09-08 / 1.0.1
+==================
+
+  * Fix accepting string message
+
+2014-09-08 / 1.0.0
+==================
+
+  * Initial release

package/node_modules/send/node_modules/http-errors/LICENSE

@@ -0,0 +1,23 @@
+
+The MIT License (MIT)
+
+Copyright (c) 2014 Jonathan Ong me@jongleberry.com
+Copyright (c) 2016 Douglas Christopher Wilson doug@somethingdoug.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.