ueberdb2 2.0.4 → 2.1.1
- package/.github/dependabot.yml +11 -0
- package/.github/workflows/npmpublish.yml +34 -10
- package/CHANGELOG.md +16 -0
- package/databases/memory_db.js +1 -1
- package/lib/CacheAndBufferLayer.js +3 -0
- package/package.json +5 -5
- package/test/test_memory.js +31 -0
- package/test/test_setSub.js +14 -0
|
@@ -52,8 +52,8 @@ jobs:
|
|
|
52
52
|
- 6379:6379
|
|
53
53
|
timeout-minutes: 10
|
|
54
54
|
steps:
|
|
55
|
-
- uses: actions/checkout@
|
|
56
|
-
- uses: actions/setup-node@
|
|
55
|
+
- uses: actions/checkout@v3
|
|
56
|
+
- uses: actions/setup-node@v3
|
|
57
57
|
with:
|
|
58
58
|
node-version: 12
|
|
59
59
|
- run: npm ci
|
|
@@ -78,16 +78,34 @@ jobs:
|
|
|
78
78
|
needs: test
|
|
79
79
|
runs-on: ubuntu-latest
|
|
80
80
|
steps:
|
|
81
|
-
-
|
|
82
|
-
|
|
81
|
+
-
|
|
82
|
+
uses: actions/checkout@v3
|
|
83
|
+
with:
|
|
84
|
+
fetch-depth: 0
|
|
85
|
+
-
|
|
86
|
+
uses: actions/setup-node@v3
|
|
83
87
|
with:
|
|
84
88
|
node-version: 12
|
|
85
89
|
registry-url: https://registry.npmjs.org/
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
-
|
|
90
|
+
cache: 'npm'
|
|
91
|
+
# This is required if the package has a prepare script that uses something
|
|
92
|
+
# in dependencies or devDependencies. This is also needed for bumping the
|
|
93
|
+
# version.
|
|
94
|
+
-
|
|
95
|
+
run: npm ci
|
|
96
|
+
-
|
|
97
|
+
name: Bump version (patch)
|
|
98
|
+
run: |
|
|
99
|
+
LATEST_TAG=$(git describe --tags --abbrev=0) || exit 1
|
|
100
|
+
NEW_COMMITS=$(git rev-list --count "${LATEST_TAG}"..) || exit 1
|
|
101
|
+
[ "${NEW_COMMITS}" -gt 0 ] || exit 0
|
|
102
|
+
git config user.name 'github-actions[bot]'
|
|
103
|
+
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
|
|
104
|
+
npm version patch
|
|
105
|
+
# Update the branch before pushing the tag in case the branch can't be
|
|
106
|
+
# fast-forwarded.
|
|
107
|
+
git push
|
|
108
|
+
git push --follow-tags
|
|
91
109
|
# `npm publish` must come after `git push` otherwise there is a race
|
|
92
110
|
# condition: If two PRs are merged back-to-back then master/main will be
|
|
93
111
|
# updated with the commits from the second PR before the first PR's
|
|
@@ -98,6 +116,12 @@ jobs:
|
|
|
98
116
|
# already-used version number. By running `npm publish` after `git push`,
|
|
99
117
|
# back-to-back merges will cause the first merge's workflow to fail but
|
|
100
118
|
# the second's will succeed.
|
|
101
|
-
-
|
|
119
|
+
-
|
|
120
|
+
run: npm publish
|
|
121
|
+
env:
|
|
122
|
+
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
|
|
123
|
+
-
|
|
124
|
+
name: Add package to etherpad organization
|
|
125
|
+
run: npm access grant read-write etherpad:developers
|
|
102
126
|
env:
|
|
103
127
|
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
|
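Review bot: The publish job references `actions/checkout@v3` and `actions/setup-node@v3` by mutable tag (new lines 82 and 86; the test job does the same at new lines 55 and 56), and the same job later runs `git push` and `npm publish` with `secrets.NPM_TOKEN`. A tag can be re-pointed upstream, so pinning each action to a full commit SHA keeps the release path fixed to reviewed code, e.g. `uses: actions/checkout@<full-commit-sha> # v3` (placeholder, not a real hash). A job-level `permissions:` block limited to `contents: write` would also narrow what the checked-out token can do, since the job only needs to push the version bump and tag. Whether permissions are already set elsewhere in the workflow is not visible in these hunks.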
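--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,21 @@
 # Notable Changes
 
+## v2.1.1
+
+Security fix:
+
+* Fix `setSub()` prototype pollution vulnerability.
+
+## v2.1.0
+
+* `memory`: New `data` setting that allows users to supply the backing Map
+object (rather than create a new Map).
+
+Updated database dependencies:
+
+* `dirty_git`: Updated `simple-git` to 3.6.0.
+* `mssql`: Updated `mssql` to 8.1.0.
+
 ## v2.0.0
 
 * When saving an object that has a `.toJSON()` method, the value returned from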
package/databases/memory_db.js
CHANGED
|
@@ -419,6 +419,9 @@ exports.Database = class {
|
|
|
419
419
|
// Emulate a pointer to the property that should be set to `value`.
|
|
420
420
|
const ptr = {obj: base, prop: 'fullValue'};
|
|
421
421
|
for (let i = 0; i < sub.length; i++) {
|
|
422
|
+
if (sub[i] === '__proto__') {
|
|
423
|
+
throw new Error('Modifying object prototype is not supported for security reasons');
|
|
424
|
+
}
|
|
422
425
|
let o = ptr.obj[ptr.prop];
|
|
423
426
|
if (o == null) ptr.obj[ptr.prop] = o = {};
|
|
424
427
|
// If o is a primitive (string, number, etc.), then setting `o.foo` has no effect because
|
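Review bot: The guard added at new lines 422–424 compares each path segment only against the literal string `'__proto__'`, which is narrower than the changelog's "prototype pollution" fix implies. A segment that is not a string but coerces to `__proto__` as a property key is not caught by `===`, and because `ptr.obj[ptr.prop]` reads inherited properties, a path through `constructor` and then `prototype` may still reach a shared prototype. I would normalise first and reject all three names, `const key = String(sub[i]); if (key === '__proto__' || key === 'constructor' || key === 'prototype') throw new Error(...)`, or descend only into own properties. The rest of the loop lies outside this hunk, so confirm how `o` is used after the primitive check. The page labels this section `package/databases/memory_db.js`, but its +3/−0 count matches `package/lib/CacheAndBufferLayer.js` in the file list.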
package/package.json
CHANGED
|
@@ -26,13 +26,13 @@
|
|
|
26
26
|
"dirty": "^1.1.3",
|
|
27
27
|
"elasticsearch": "^16.7.2",
|
|
28
28
|
"mongodb": "^3.7.3",
|
|
29
|
-
"mssql": "^
|
|
29
|
+
"mssql": "^8.1.0",
|
|
30
30
|
"mysql": "2.18.1",
|
|
31
31
|
"nano": "^9.0.5",
|
|
32
32
|
"pg": "^8.7.1",
|
|
33
33
|
"redis": "^3.1.2",
|
|
34
34
|
"rethinkdb": "^2.4.2",
|
|
35
|
-
"simple-git": "^3.
|
|
35
|
+
"simple-git": "^3.6.0"
|
|
36
36
|
},
|
|
37
37
|
"optionalDependencies": {
|
|
38
38
|
"sqlite3": "github:mapbox/node-sqlite3#593c9d498be2510d286349134537e3bf89401c4a"
|
|
@@ -40,7 +40,7 @@
|
|
|
40
40
|
"devDependencies": {
|
|
41
41
|
"cli-table": "^0.3.8",
|
|
42
42
|
"eslint": "^7.32.0",
|
|
43
|
-
"eslint-config-etherpad": "^2.0.
|
|
43
|
+
"eslint-config-etherpad": "^2.0.3",
|
|
44
44
|
"eslint-plugin-cypress": "^2.12.1",
|
|
45
45
|
"eslint-plugin-eslint-comments": "^3.2.0",
|
|
46
46
|
"eslint-plugin-mocha": "^9.0.0",
|
|
@@ -48,7 +48,7 @@
|
|
|
48
48
|
"eslint-plugin-prefer-arrow": "^1.2.3",
|
|
49
49
|
"eslint-plugin-promise": "^5.1.1",
|
|
50
50
|
"eslint-plugin-you-dont-need-lodash-underscore": "^6.12.0",
|
|
51
|
-
"mocha": "^9.
|
|
51
|
+
"mocha": "^9.2.2",
|
|
52
52
|
"randexp": "^0.5.3",
|
|
53
53
|
"wtfnode": "^0.9.1"
|
|
54
54
|
},
|
|
@@ -57,7 +57,7 @@
|
|
|
57
57
|
"url": "https://github.com/ether/ueberDB.git"
|
|
58
58
|
},
|
|
59
59
|
"main": "./index",
|
|
60
|
-
"version": "2.
|
|
60
|
+
"version": "2.1.1",
|
|
61
61
|
"bugs": {
|
|
62
62
|
"url": "https://github.com/ether/ueberDB/issues"
|
|
63
63
|
},
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const assert = require('assert').strict;
|
|
4
|
+
const memory = require('../databases/memory_db');
|
|
5
|
+
|
|
6
|
+
describe(__filename, function () {
|
|
7
|
+
describe('data option', function () {
|
|
8
|
+
it('uses existing records from data option', async function () {
|
|
9
|
+
const db = new memory.Database({data: new Map([['foo', 'bar']])});
|
|
10
|
+
await db.init();
|
|
11
|
+
assert.equal(await db.get('foo'), 'bar');
|
|
12
|
+
});
|
|
13
|
+
|
|
14
|
+
it('updates existing map', async function () {
|
|
15
|
+
const data = new Map();
|
|
16
|
+
const db = new memory.Database({data});
|
|
17
|
+
await db.init();
|
|
18
|
+
await db.set('foo', 'bar');
|
|
19
|
+
assert.equal(data.get('foo'), 'bar');
|
|
20
|
+
});
|
|
21
|
+
|
|
22
|
+
it('does not clear map on close', async function () {
|
|
23
|
+
const data = new Map();
|
|
24
|
+
const db = new memory.Database({data});
|
|
25
|
+
await db.init();
|
|
26
|
+
await db.set('foo', 'bar');
|
|
27
|
+
await db.close();
|
|
28
|
+
assert.equal(data.get('foo'), 'bar');
|
|
29
|
+
});
|
|
30
|
+
});
|
|
31
|
+
});
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const assert = require('assert').strict;
|
|
4
|
+
const ueberdb = require('../index');
|
|
5
|
+
const util = require('util');
|
|
6
|
+
|
|
7
|
+
describe(__filename, function () {
|
|
8
|
+
it('setSub rejects __proto__', async function () {
|
|
9
|
+
const db = new ueberdb.Database('memory', {}, {});
|
|
10
|
+
await util.promisify(db.init).call(db);
|
|
11
|
+
await util.promisify(db.set).call(db, 'k', {});
|
|
12
|
+
await assert.rejects(util.promisify(db.setSub).call(db, 'k', ['__proto__'], 'v'));
|
|
13
|
+
});
|
|
14
|
+
});
|
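Review bot: `assert.rejects(...)` at new line 12 is called without a matcher, so the test passes on any rejection, including one unrelated to the prototype guard. Passing the expected error, e.g. `{message: /prototype/}` as the second argument, ties the test to the check it is meant to cover. The test also exercises only the single-segment path `['__proto__']`; a second case where `__proto__` is followed by a property name, ending with `assert.equal({}.polluted, undefined)`, would show that the write is blocked rather than only that an error is raised.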