npm - step-node-agent - Versions diffs - 3.29.1 → 3.29.2 - Mend

step-node-agent 3.29.1 → 3.29.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/node_modules/qs/lib/utils.js CHANGED Viewed

@@ -1,10 +1,32 @@
 'use strict';
 var formats = require('./formats');
+var getSideChannel = require('side-channel');
 var has = Object.prototype.hasOwnProperty;
 var isArray = Array.isArray;
+// Track objects created from arrayLimit overflow using side-channel
+// Stores the current max numeric index for O(1) lookup
+var overflowChannel = getSideChannel();
+var markOverflow = function markOverflow(obj, maxIndex) {
+    overflowChannel.set(obj, maxIndex);
+    return obj;
+};
+var isOverflow = function isOverflow(obj) {
+    return overflowChannel.has(obj);
+};
+var getMaxIndex = function getMaxIndex(obj) {
+    return overflowChannel.get(obj);
+};
+var setMaxIndex = function setMaxIndex(obj, maxIndex) {
+    overflowChannel.set(obj, maxIndex);
+};
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
@@ -54,7 +76,12 @@ var merge = function merge(target, source, options) {
         if (isArray(target)) {
             target.push(source);
         } else if (target && typeof target === 'object') {
-            if (
+            if (isOverflow(target)) {
+                // Add at next numeric index for overflow objects
+                var newIndex = getMaxIndex(target) + 1;
+                target[newIndex] = source;
+                setMaxIndex(target, newIndex);
+            } else if (
                 (options && (options.plainObjects || options.allowPrototypes))
                 || !has.call(Object.prototype, source)
             ) {
@@ -68,6 +95,18 @@ var merge = function merge(target, source, options) {
     }
     if (!target || typeof target !== 'object') {
+        if (isOverflow(source)) {
+            // Create new object with target at 0, source values shifted by 1
+            var sourceKeys = Object.keys(source);
+            var result = options && options.plainObjects
+                ? { __proto__: null, 0: target }
+                : { 0: target };
+            for (var m = 0; m < sourceKeys.length; m++) {
+                var oldKey = parseInt(sourceKeys[m], 10);
+                result[oldKey + 1] = source[sourceKeys[m]];
+            }
+            return markOverflow(result, getMaxIndex(source) + 1);
+        }
         return [target].concat(source);
     }
@@ -239,8 +278,20 @@ var isBuffer = function isBuffer(obj) {
     return !!(obj.constructor && obj.constructor.isBuffer && obj.constructor.isBuffer(obj));
 };
-var combine = function combine(a, b) {
-    return [].concat(a, b);
+var combine = function combine(a, b, arrayLimit, plainObjects) {
+    // If 'a' is already an overflow object, add to it
+    if (isOverflow(a)) {
+        var newIndex = getMaxIndex(a) + 1;
+        a[newIndex] = b;
+        setMaxIndex(a, newIndex);
+        return a;
+    }
+    var result = [].concat(a, b);
+    if (result.length > arrayLimit) {
+        return markOverflow(arrayToObject(result, { plainObjects: plainObjects }), result.length - 1);
+    }
+    return result;
 };
 var maybeMap = function maybeMap(val, fn) {
@@ -262,6 +313,7 @@ module.exports = {
     decode: decode,
     encode: encode,
     isBuffer: isBuffer,
+    isOverflow: isOverflow,
     isRegExp: isRegExp,
     maybeMap: maybeMap,
     merge: merge

package/node_modules/qs/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
     "name": "qs",
     "description": "A querystring parser that supports nesting and arrays, with a depth limit",
     "homepage": "https://github.com/ljharb/qs",
-    "version": "6.14.0",
+    "version": "6.14.1",
     "repository": {
         "type": "git",
         "url": "https://github.com/ljharb/qs.git"
@@ -36,15 +36,15 @@
     "devDependencies": {
         "@browserify/envify": "^6.0.0",
         "@browserify/uglifyify": "^6.0.0",
-        "@ljharb/eslint-config": "^21.1.1",
+        "@ljharb/eslint-config": "^22.1.3",
         "browserify": "^16.5.2",
         "bundle-collapser": "^1.4.0",
         "common-shakeify": "~1.0.0",
         "eclint": "^2.8.1",
-        "es-value-fixtures": "^1.7.0",
-        "eslint": "=8.8.0",
+        "es-value-fixtures": "^1.7.1",
+        "eslint": "^9.39.2",
         "evalmd": "^0.0.19",
-        "for-each": "^0.3.3",
+        "for-each": "^0.3.5",
         "glob": "=10.3.7",
         "has-bigints": "^1.1.0",
         "has-override-mistake": "^1.0.1",
@@ -54,12 +54,13 @@
         "iconv-lite": "^0.5.1",
         "in-publish": "^2.0.1",
         "jackspeak": "=2.1.1",
+        "jiti": "^0.0.0",
         "mkdirp": "^0.5.5",
         "mock-property": "^1.1.0",
         "module-deps": "^6.2.3",
-        "npmignore": "^0.3.1",
+        "npmignore": "^0.3.5",
         "nyc": "^10.3.2",
-        "object-inspect": "^1.13.3",
+        "object-inspect": "^1.13.4",
         "qs-iconv": "^1.0.4",
         "safe-publish-latest": "^2.0.0",
         "safer-buffer": "^2.1.2",
@@ -76,7 +77,7 @@
         "posttest": "npx npm@'>=10.2' audit --production",
         "readme": "evalmd README.md",
         "postlint": "eclint check $(git ls-files | xargs find 2> /dev/null | grep -vE 'node_modules|\\.git' | grep -v dist/)",
-        "lint": "eslint --ext=js,mjs .",
+        "lint": "eslint .",
         "dist": "mkdirp dist && browserify --standalone Qs -g unassertify -g @browserify/envify -g [@browserify/uglifyify --mangle.keep_fnames --compress.keep_fnames --format.indent_level=1 --compress.arrows=false --compress.passes=4 --compress.typeofs=false] -p common-shakeify -p bundle-collapser/plugin lib/index.js > dist/qs.js"
     },
     "license": "BSD-3-Clause",

package/node_modules/qs/test/parse.js CHANGED Viewed

@@ -235,11 +235,11 @@ test('parse()', function (t) {
         st.deepEqual(qs.parse('a=b&a[0]=c'), { a: ['b', 'c'] });
         st.deepEqual(qs.parse('a[1]=b&a=c', { arrayLimit: 20 }), { a: ['b', 'c'] });
-        st.deepEqual(qs.parse('a[]=b&a=c', { arrayLimit: 0 }), { a: ['b', 'c'] });
+        st.deepEqual(qs.parse('a[]=b&a=c', { arrayLimit: 0 }), { a: { 0: 'b', 1: 'c' } });
         st.deepEqual(qs.parse('a[]=b&a=c'), { a: ['b', 'c'] });
         st.deepEqual(qs.parse('a=b&a[1]=c', { arrayLimit: 20 }), { a: ['b', 'c'] });
-        st.deepEqual(qs.parse('a=b&a[]=c', { arrayLimit: 0 }), { a: ['b', 'c'] });
+        st.deepEqual(qs.parse('a=b&a[]=c', { arrayLimit: 0 }), { a: { 0: 'b', 1: 'c' } });
         st.deepEqual(qs.parse('a=b&a[]=c'), { a: ['b', 'c'] });
         st.end();
@@ -364,7 +364,7 @@ test('parse()', function (t) {
         );
         st.deepEqual(
             qs.parse('a[]=b&a[]&a[]=c&a[]=', { strictNullHandling: true, arrayLimit: 0 }),
-            { a: ['b', null, 'c', ''] },
+            { a: { 0: 'b', 1: null, 2: 'c', 3: '' } },
             'with arrayLimit 0 + array brackets: null then empty string works'
         );
@@ -375,7 +375,7 @@ test('parse()', function (t) {
         );
         st.deepEqual(
             qs.parse('a[]=b&a[]=&a[]=c&a[]', { strictNullHandling: true, arrayLimit: 0 }),
-            { a: ['b', '', 'c', null] },
+            { a: { 0: 'b', 1: '', 2: 'c', 3: null } },
             'with arrayLimit 0 + array brackets: empty string then null works'
         );
@@ -996,6 +996,20 @@ test('parse()', function (t) {
         st.end();
     });
+    t.test('handles a custom decoder returning `null`, with a string key of `null`', function (st) {
+        st.deepEqual(
+            qs.parse('null=1&ToNull=2', {
+                decoder: function (str, defaultDecoder, charset) {
+                    return str === 'ToNull' ? null : defaultDecoder(str, defaultDecoder, charset);
+                }
+            }),
+            { 'null': '1' },
+            '"null" key is not overridden by `null` decoder result'
+        );
+        st.end();
+    });
     t.test('does not interpret numeric entities in iso-8859-1 when `interpretNumericEntities` is absent', function (st) {
         st.deepEqual(qs.parse('foo=' + urlEncodedNumSmiley, { charset: 'iso-8859-1' }), { foo: '&#9786;' });
         st.end();
@@ -1274,3 +1288,109 @@ test('qs strictDepth option - non-throw cases', function (t) {
         st.end();
     });
 });
+test('DOS', function (t) {
+    var arr = [];
+    for (var i = 0; i < 105; i++) {
+        arr[arr.length] = 'x';
+    }
+    var attack = 'a[]=' + arr.join('&a[]=');
+    var result = qs.parse(attack, { arrayLimit: 100 });
+    t.notOk(Array.isArray(result.a), 'arrayLimit is respected: result is an object, not an array');
+    t.equal(Object.keys(result.a).length, 105, 'all values are preserved');
+    t.end();
+});
+test('arrayLimit boundary conditions', function (t) {
+    t.test('exactly at the limit stays as array', function (st) {
+        var result = qs.parse('a[]=1&a[]=2&a[]=3', { arrayLimit: 3 });
+        st.ok(Array.isArray(result.a), 'result is an array when exactly at limit');
+        st.deepEqual(result.a, ['1', '2', '3'], 'all values present');
+        st.end();
+    });
+    t.test('one over the limit converts to object', function (st) {
+        var result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4', { arrayLimit: 3 });
+        st.notOk(Array.isArray(result.a), 'result is not an array when over limit');
+        st.deepEqual(result.a, { 0: '1', 1: '2', 2: '3', 3: '4' }, 'all values preserved as object');
+        st.end();
+    });
+    t.test('arrayLimit 1 with two values', function (st) {
+        var result = qs.parse('a[]=1&a[]=2', { arrayLimit: 1 });
+        st.notOk(Array.isArray(result.a), 'result is not an array');
+        st.deepEqual(result.a, { 0: '1', 1: '2' }, 'both values preserved');
+        st.end();
+    });
+    t.end();
+});
+test('mixed array and object notation', function (t) {
+    t.test('array brackets with object key - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a[]=b&a[c]=d'),
+            { a: { 0: 'b', c: 'd' } },
+            'mixing [] and [key] converts to object'
+        );
+        st.end();
+    });
+    t.test('array index with object key - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a[0]=b&a[c]=d'),
+            { a: { 0: 'b', c: 'd' } },
+            'mixing [0] and [key] produces object'
+        );
+        st.end();
+    });
+    t.test('plain value with array brackets - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a[]=c', { arrayLimit: 20 }),
+            { a: ['b', 'c'] },
+            'plain value combined with [] stays as array under limit'
+        );
+        st.end();
+    });
+    t.test('array brackets with plain value - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a[]=b&a=c', { arrayLimit: 20 }),
+            { a: ['b', 'c'] },
+            '[] combined with plain value stays as array under limit'
+        );
+        st.end();
+    });
+    t.test('plain value with array index - under limit', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a[0]=c', { arrayLimit: 20 }),
+            { a: ['b', 'c'] },
+            'plain value combined with [0] stays as array under limit'
+        );
+        st.end();
+    });
+    t.test('multiple plain values with duplicates combine', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a=c&a=d', { arrayLimit: 20 }),
+            { a: ['b', 'c', 'd'] },
+            'duplicate plain keys combine into array'
+        );
+        st.end();
+    });
+    t.test('multiple plain values exceeding limit', function (st) {
+        st.deepEqual(
+            qs.parse('a=b&a=c&a=d', { arrayLimit: 2 }),
+            { a: { 0: 'b', 1: 'c', 2: 'd' } },
+            'duplicate plain keys convert to object when exceeding limit'
+        );
+        st.end();
+    });
+    t.end();
+});

package/node_modules/qs/test/stringify.js CHANGED Viewed

@@ -1293,13 +1293,17 @@ test('stringifies empty keys', function (t) {
     });
     t.test('stringifies non-string keys', function (st) {
-        var actual = qs.stringify({ a: 'b', 'false': {} }, {
-            filter: ['a', false, null],
+        var S = Object('abc');
+        S.toString = function () {
+            return 'd';
+        };
+        var actual = qs.stringify({ a: 'b', 'false': {}, 1e+22: 'c', d: 'e' }, {
+            filter: ['a', false, null, 10000000000000000000000, S],
             allowDots: true,
             encodeDotInKeys: true
         });
-        st.equal(actual, 'a=b', 'stringifies correctly');
+        st.equal(actual, 'a=b&1e%2B22=c&d=e', 'stringifies correctly');
         st.end();
     });

package/node_modules/qs/test/utils.js CHANGED Viewed

@@ -68,6 +68,60 @@ test('merge()', function (t) {
         }
     );
+    t.test('with overflow objects (from arrayLimit)', function (st) {
+        st.test('merges primitive into overflow object at next index', function (s2t) {
+            // Create an overflow object via combine
+            var overflow = utils.combine(['a'], 'b', 1, false);
+            s2t.ok(utils.isOverflow(overflow), 'overflow object is marked');
+            var merged = utils.merge(overflow, 'c');
+            s2t.deepEqual(merged, { 0: 'a', 1: 'b', 2: 'c' }, 'adds primitive at next numeric index');
+            s2t.end();
+        });
+        st.test('merges primitive into regular object with numeric keys normally', function (s2t) {
+            var obj = { 0: 'a', 1: 'b' };
+            s2t.notOk(utils.isOverflow(obj), 'plain object is not marked as overflow');
+            var merged = utils.merge(obj, 'c');
+            s2t.deepEqual(merged, { 0: 'a', 1: 'b', c: true }, 'adds primitive as key (not at next index)');
+            s2t.end();
+        });
+        st.test('merges primitive into object with non-numeric keys normally', function (s2t) {
+            var obj = { foo: 'bar' };
+            var merged = utils.merge(obj, 'baz');
+            s2t.deepEqual(merged, { foo: 'bar', baz: true }, 'adds primitive as key with value true');
+            s2t.end();
+        });
+        st.test('merges overflow object into primitive', function (s2t) {
+            // Create an overflow object via combine
+            var overflow = utils.combine([], 'b', 0, false);
+            s2t.ok(utils.isOverflow(overflow), 'overflow object is marked');
+            var merged = utils.merge('a', overflow);
+            s2t.ok(utils.isOverflow(merged), 'result is also marked as overflow');
+            s2t.deepEqual(merged, { 0: 'a', 1: 'b' }, 'creates object with primitive at 0, source values shifted');
+            s2t.end();
+        });
+        st.test('merges overflow object with multiple values into primitive', function (s2t) {
+            // Create an overflow object via combine
+            var overflow = utils.combine(['b'], 'c', 1, false);
+            s2t.ok(utils.isOverflow(overflow), 'overflow object is marked');
+            var merged = utils.merge('a', overflow);
+            s2t.deepEqual(merged, { 0: 'a', 1: 'b', 2: 'c' }, 'shifts all source indices by 1');
+            s2t.end();
+        });
+        st.test('merges regular object into primitive as array', function (s2t) {
+            var obj = { foo: 'bar' };
+            var merged = utils.merge('a', obj);
+            s2t.deepEqual(merged, ['a', { foo: 'bar' }], 'creates array with primitive and object');
+            s2t.end();
+        });
+        st.end();
+    });
     t.end();
 });
@@ -132,6 +186,71 @@ test('combine()', function (t) {
         st.end();
     });
+    t.test('with arrayLimit', function (st) {
+        st.test('under the limit', function (s2t) {
+            var combined = utils.combine(['a', 'b'], 'c', 10, false);
+            s2t.deepEqual(combined, ['a', 'b', 'c'], 'returns array when under limit');
+            s2t.ok(Array.isArray(combined), 'result is an array');
+            s2t.end();
+        });
+        st.test('exactly at the limit stays as array', function (s2t) {
+            var combined = utils.combine(['a', 'b'], 'c', 3, false);
+            s2t.deepEqual(combined, ['a', 'b', 'c'], 'stays as array when exactly at limit');
+            s2t.ok(Array.isArray(combined), 'result is an array');
+            s2t.end();
+        });
+        st.test('over the limit', function (s2t) {
+            var combined = utils.combine(['a', 'b', 'c'], 'd', 3, false);
+            s2t.deepEqual(combined, { 0: 'a', 1: 'b', 2: 'c', 3: 'd' }, 'converts to object when over limit');
+            s2t.notOk(Array.isArray(combined), 'result is not an array');
+            s2t.end();
+        });
+        st.test('with arrayLimit 0', function (s2t) {
+            var combined = utils.combine([], 'a', 0, false);
+            s2t.deepEqual(combined, { 0: 'a' }, 'converts single element to object with arrayLimit 0');
+            s2t.notOk(Array.isArray(combined), 'result is not an array');
+            s2t.end();
+        });
+        st.test('with plainObjects option', function (s2t) {
+            var combined = utils.combine(['a'], 'b', 1, true);
+            var expected = { __proto__: null, 0: 'a', 1: 'b' };
+            s2t.deepEqual(combined, expected, 'converts to object with null prototype');
+            s2t.equal(Object.getPrototypeOf(combined), null, 'result has null prototype when plainObjects is true');
+            s2t.end();
+        });
+        st.end();
+    });
+    t.test('with existing overflow object', function (st) {
+        st.test('adds to existing overflow object at next index', function (s2t) {
+            // Create overflow object first via combine
+            var overflow = utils.combine(['a'], 'b', 1, false);
+            s2t.ok(utils.isOverflow(overflow), 'initial object is marked as overflow');
+            var combined = utils.combine(overflow, 'c', 10, false);
+            s2t.equal(combined, overflow, 'returns the same object (mutated)');
+            s2t.deepEqual(combined, { 0: 'a', 1: 'b', 2: 'c' }, 'adds value at next numeric index');
+            s2t.end();
+        });
+        st.test('does not treat plain object with numeric keys as overflow', function (s2t) {
+            var plainObj = { 0: 'a', 1: 'b' };
+            s2t.notOk(utils.isOverflow(plainObj), 'plain object is not marked as overflow');
+            // combine treats this as a regular value, not an overflow object to append to
+            var combined = utils.combine(plainObj, 'c', 10, false);
+            s2t.deepEqual(combined, [{ 0: 'a', 1: 'b' }, 'c'], 'concatenates as regular values');
+            s2t.end();
+        });
+        st.end();
+    });
     t.end();
 });

package/node_modules/send/HISTORY.md CHANGED Viewed

@@ -1,3 +1,10 @@
+0.19.2 / 2025-12-15
+===================
+* deps: use tilde notation for dependencies
+* deps: http-errors@~2.0.1
+* deps: statuses@~2.0.2
 0.19.1 / 2024-10-09
 ===================

package/node_modules/send/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "send",
   "description": "Better streaming static file server with Range and conditional-GET support",
-  "version": "0.19.1",
+  "version": "0.19.2",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>",
@@ -22,13 +22,13 @@
     "encodeurl": "~2.0.0",
     "escape-html": "~1.0.3",
     "etag": "~1.8.1",
-    "fresh": "0.5.2",
-    "http-errors": "2.0.0",
+    "fresh": "~0.5.2",
+    "http-errors": "~2.0.1",
     "mime": "1.6.0",
     "ms": "2.1.3",
-    "on-finished": "2.4.1",
+    "on-finished": "~2.4.1",
     "range-parser": "~1.2.1",
-    "statuses": "2.0.1"
+    "statuses": "~2.0.2"
   },
   "devDependencies": {
     "after": "0.8.2",

package/node_modules/serve-static/HISTORY.md CHANGED Viewed

@@ -1,3 +1,9 @@
+1.16.3 / 2024-12-15
+===================
+* deps: send@~0.19.1
+  - deps: encodeurl@~2.0.0
 1.16.2 / 2024-09-11
 ===================

package/node_modules/serve-static/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "serve-static",
   "description": "Serve static files",
-  "version": "1.16.2",
+  "version": "1.16.3",
   "author": "Douglas Christopher Wilson <doug@somethingdoug.com>",
   "license": "MIT",
   "repository": "expressjs/serve-static",
@@ -9,7 +9,7 @@
     "encodeurl": "~2.0.0",
     "escape-html": "~1.0.3",
     "parseurl": "~1.3.3",
-    "send": "0.19.0"
+    "send": "~0.19.1"
   },
   "devDependencies": {
     "eslint": "7.32.0",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "step-node-agent",
-  "version": "3.29.1",
+  "version": "3.29.2",
   "description": "The official STEP Agent implementation for Node.js",
   "main": "index.js",
   "scripts": {

package/node_modules/qs/.eslintrc DELETED Viewed

@@ -1,39 +0,0 @@
-{
-    "root": true,
-    "extends": "@ljharb",
-    "ignorePatterns": [
-        "dist/",
-    ],
-    "rules": {
-        "complexity": 0,
-        "consistent-return": 1,
-        "func-name-matching": 0,
-        "id-length": [2, { "min": 1, "max": 25, "properties": "never" }],
-        "indent": [2, 4],
-        "max-lines": 0,
-        "max-lines-per-function": [2, { "max": 150 }],
-        "max-params": [2, 18],
-        "max-statements": [2, 100],
-        "multiline-comment-style": 0,
-        "no-continue": 1,
-        "no-magic-numbers": 0,
-        "no-restricted-syntax": [2, "BreakStatement", "DebuggerStatement", "ForInStatement", "LabeledStatement", "WithStatement"],
-    },
-    "overrides": [
-        {
-            "files": "test/**",
-            "rules": {
-                "function-paren-newline": 0,
-                "max-lines-per-function": 0,
-                "max-statements": 0,
-                "no-buffer-constructor": 0,
-                "no-extend-native": 0,
-                "no-throw-literal": 0,
-            },
-        },
-    ],
-}