npm - trim-safe - Versions diffs - 1.0.1 → 1.0.2 - Mend

trim-safe 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +1 -1
package/package.json +25 -3
package/.github/workflows/test.yml +0 -20
package/SECURITY.md +0 -22

package/README.md CHANGED Viewed

@@ -6,7 +6,7 @@ Safe, drop-in replacement for the abandoned [`trim`](https://www.npmjs.com/packa
 The `trim` package (1M+ weekly downloads) has been effectively abandoned since 2013. Its canonical GitHub repo is dormant, the patch fork was archived in 2023, and the original source was never updated with the CVE fix.
-The package contains **CVE-2020-7753** — a ReDoS vulnerability in the regex `/^\s*|\s*$/g`. An attacker can craft an input string that causes catastrophic regex backtracking, consuming all CPU and hanging your process.
+The package contains **CVE-2020-7753** / **GHSA-cmr6-74hv-c9fg** — a ReDoS vulnerability (CVSS 7.5 HIGH) in the regex `/^\s*|\s*$/g`. An attacker can craft an input string that causes catastrophic regex backtracking, consuming all CPU and hanging your process.
 `trim-safe` fixes the vulnerability using a loop-based approach with no regex backtracking. Same API, zero security debt.

package/package.json CHANGED Viewed

@@ -1,25 +1,47 @@
 {
   "name": "trim-safe",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Safe, drop-in replacement for the abandoned trim package. Fixed ReDoS vulnerability (CVE-2020-7753).",
   "main": "index.js",
+  "types": "index.d.ts",
+  "files": [
+    "index.js",
+    "index.d.ts",
+    "README.md",
+    "test.js",
+    "scripts"
+  ],
   "scripts": {
     "test": "node test.js",
-    "postinstall": "node scripts/migrate-check.js"
+    "postinstall": "node scripts/migrate-check.js",
+    "prepare": "npm run test",
+    "prepublishOnly": "npm run test"
   },
   "keywords": [
+    "trim-safe",
     "trim",
     "string",
     "whitespace",
     "safe",
     "regex",
-    "redos"
+    "redos",
+    "cve",
+    "security",
+    "javascript",
+    "typescript",
+    "nodejs",
+    "utility"
   ],
+  "author": "Jay Suryawanshi",
   "license": "MIT",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Jay-Suryawansh7/trim-safe.git"
   },
+  "bugs": {
+    "url": "https://github.com/Jay-Suryawansh7/trim-safe/issues"
+  },
+  "homepage": "https://github.com/Jay-Suryawansh7/trim-safe#readme",
   "engines": {
     "node": ">=0.10.0"
   }

package/.github/workflows/test.yml DELETED Viewed

@@ -1,20 +0,0 @@
-name: Test
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [18, 20, 22]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-      - run: npm test

package/SECURITY.md DELETED Viewed

@@ -1,22 +0,0 @@
-# Security Policy
-## Supported Versions
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.x     | :white_check_mark: |
-## Reporting a Vulnerability
-If you discover a security vulnerability in `trim-safe`, please report it via:
-1. **GitHub Issues** (preferred for non-critical issues)
-2. **Email** — open an issue first and we'll respond within 48 hours
-Please do not disclose security vulnerabilities publicly until a fix is available.
-## Security Model
-`trim-safe` intentionally contains **no external dependencies** — only stdlib JavaScript. The attack surface is zero network calls, zero file reads, and no dynamic code execution.
-The package has no `postinstall`, `preinstall`, `prepare`, or any other lifecycle hooks.