This upgrade should be backward compatible, but still suffers form major
vulnerabilities in its https-proxy-agent transitive dependency (see
https://www.npmjs.com/advisories/1184).
Changelog:
- https://github.com/npm/cli/releases
6.12.0 (2019-10-08):
Now npm ci runs prepare scripts for git dependencies, and respects the
--no-optional argument. Warnings for engine mismatches are printed again.
Various other fixes and cleanups.
BUG FIXES
890b245dc #252 ci: add dirPacker to options (@claudiahdz)
f3299acd0 #257 npm.community#4792 warn message on engine mismatch
(@ruyadorno)
bbc92fb8f #259 npm.community#10288 Fix figgyPudding error in npm token
(@benblank)
70f54dcb5 #241 doctor: Make OK more consistent (@gemal)
FEATURES
ed993a29c #249 Add CI environment variables to user-agent (@isaacs)
f6b0459a4 #248 Add option to save package-lock without formatting Adds a new
config --format-package-lock, which defaults to true.
(@bl00mber)
DEPENDENCIES
0ca063c5d npm-lifecycle@3.1.4:
fix: filter functions and undefined out of makeEnv (@isaacs)
5df6b0ea2 libcipm@4.0.4:
fix: pack git directories properly (@claudiahdz)
respect no-optional argument (@cruzdanilo)
7e04f728c tar@4.4.12
5c380e5a3 stringify-package@1.0.1 (@isaacs)
62f2ca692 node-gyp@5.0.5 (@isaacs)
0ff0ea47a npm-install-checks@3.0.2 (@isaacs)
f46edae94 hosted-git-info@2.8.5 (@isaacs)
TESTING
44a2b036b #262 fix root-ownership race conditions in meta-test (@isaacs)
6.11.3 (2019-09-03):
Fix npm ci regressions and npm outdated depth.
BUG FIXES
235ed1d28 #239 Don't override user specified depth in outdated. Restores
ability to update packages using --depth as suggested by npm audit. (@G-Rath)
1fafb5151 #242 npm.community#9586 Revert "install: do not descend into
directory deps' child modules" (@isaacs)
cebf542e6 #243 npm.community#9720 ci: pass appropriate configs for file/dir
modes (@isaacs)
DEPENDENCIES
e5fbb7ed1 read-cmd-shim@1.0.4 (@claudiahdz)
23ce65616 npm-pick-manifest@3.0.2 (@claudiahdz)
6.11.2 (2019-08-22):
Fix a recent Windows regression, and two long-standing Windows bugs. Also,
get CI running on Windows, so these things are less likely in the future.
DEPENDENCIES
9778a1b87 cmd-shim@3.0.3: Fix regression where shims fail to preserve exit
code (@isaacs)
bf93e91d8 npm-package-arg@6.1.1: Properly handle git+file: urls on Windows
when a drive letter is included. (@isaacs)
BUGFIXES
6cc4cc66f escape args properly on Windows Bash Despite being bash, Node.js
running on windows git mingw bash still executes child processes
using cmd.exe. As a result, arguments in this environment need to
be escaped in the style of cmd.exe, not bash. (@isaacs)
TESTS
291aba7b8 make tests pass on Windows (@isaacs)
fea3a023a travis: run tests on Windows as well (@isaacs)
6.11.1 (2019-08-20):
Fix a regression for windows command shim syntax.
37db29647 cmd-shim@3.0.2 (@isaacs)
v6.11.0 (2019-08-20):
A few meaty bugfixes, and introducing peerDependenciesMeta.
FEATURES
a12341088 #224 Implements peerDependenciesMeta (@arcanis)
2f3b79bba #234 add new forbidden 403 error code (@claudiahdz)
BUGFIXES
24acc9fc8 and 45772af0d #217 npm.community#8863 npm.community#9327 do not
descend into directory deps' child modules, fix shrinkwrap files
that inappropriately list child nodes of symlink packages (@isaacs
and @salomvary)
50cfe113d #229 fixed typo in semver doc (@gall0ws)
e8fb2a1bd #231 Fix spelling mistakes in CHANGELOG-3.md (@XhmikosR)
769d2e057 npm/uid-number#7 Better error on invalid --user/--group configs.
This addresses the issue when people fail to install binary
packages on Docker and other environments where there is no
'nobody' user. (@isaacs)
8b43c9624 nodejs/node#28987 npm.community#6032 npm.community#6658
npm.community#6069 npm.community#9323 Fix the regression where
random config values in a .npmrc file are not passed to lifecycle
scripts, breaking build processes which rely on them. (@isaacs)
8b85eaa47 save files with inferred ownership rather than relying on SUDO_UID
and SUDO_GID. (@isaacs)
b7f6e5f02 Infer ownership of shrinkwrap files (@isaacs)
54b095d77 #235 Add spec to dist-tag remove function (@theberbie)
DEPENDENCIES
dc8f9e52f pacote@9.5.7: Infer the ownership of all unpacked files in
node_modules, so that we never have user-owned files in root-owned
folders, or root-owned files in user-owned folders. (@isaacs)
bb33940c3 cmd-shim@3.0.0:
9c93ac3 #2 npm#3380 Handle environment variables properly (@basbossink)
2d277f8 #25#36#35 Fix 'no shebang' case by always providing $basedir
in shell script (@igorklopov)
adaf20b #26 Fix $* causing an error when arguments contain parentheses
(@satazor)
49f0c13 #30 Fix paths for MSYS/MINGW bash (@dscho)
51a8af3 #34 Add proper support for PowerShell (@ExE-Boss)
4c37e04 #10 Work around quoted batch file names (@isaacs)
a4e279544 npm-lifecycle@3.1.3 (@isaacs):
fail properly if uid-number raises an error
7086a1809 libcipm@4.0.3 (@isaacs)
8845141f9 read-package-json@2.1.0 (@isaacs)
51c028215 bin-links@1.1.3 (@isaacs)
534a5548c read-cmd-shim@1.0.3 (@isaacs)
3038f2fd5 gentle-fs@2.2.1 (@isaacs)
a609a1648 graceful-fs@4.2.2 (@isaacs)
f0346f754 cacache@12.0.3 (@isaacs)
ca9c615c8 npm-pick-manifest@3.0.0 (@isaacs)
b417affbf pacote@9.5.8 (@isaacs)
TESTS
b6df0913c #228 Proper handing of /usr/bin/node lifecycle-path test (@olivr70)
aaf98e88c npm-registry-mock@1.3.0 (@isaacs)
This upgrade should be backward compatible.
Changelog:
- https://github.com/expressjs/session/blob/master/HISTORY.md
1.17.0 / 2019-10-10
deps: cookie@0.4.0
Add SameSite=None support
deps: safe-buffer@5.2.0
1.16.2 / 2019-06-12
Fix restoring cookie.originalMaxAge when store returns Date
deps: parseurl@~1.3.3
This upgrade should be backward compatible.
Changelogs:
- https://expressjs.com/en/changelog/4x.html
- https://github.com/expressjs/express/blob/master/History.md#4171--2019-05-25
4.17.1 - Release date: 2019-05-25
The 4.17.1 patch release includes one bug fix:
The change to the res.status() API has been reverted due to causing
regressions in existing Express 4 applications.
4.17.0 - Release date: 2019-05-16
The 4.17.0 minor release includes bug fixes and some new features, including:
The express.raw() and express.text() middleware have been added to provide
request body parsing for more raw request payloads. This uses the
expressjs/body-parser module module underneath, so apps that are currently
requiring the module separately can switch to the built-in parsers.
The res.cookie() API now supports the "none" value for the sameSite option.
When the "trust proxy" setting is enabled, the req.hostname now supports
multiple X-Forwarded-For headers in a request.
Starting with this version, Express supports Node.js 10.x and 12.x.
The res.sendFile() API now provides and more immediate and easier to
understand error when a non-string is passed as the path argument.
The res.status() API now provides and more immediate and easier to
understand error when null or undefined is passed as the argument.
Nodejs 8 will be EOLed on December 31th, 2019 (https://github.com/nodejs/Release).
This means any future Etherpad version released from 2020 on should require at
least the next LTS (10.13.0). Let's keep some margin and decide that the first
Etherpad version dropping node 8 compatibility will be 1.8.3.
Closes#3650.
Tried to simplify the document, to reduce unneded info, and to use a less
informal language.
For example, the introductory links describing git made sense 10 years ago.
Today they are not needed to understand what Etherpad is.
And mercurial was always better than git, anyways :)
The mailing list and the IRC channel seem pretty dead by now. Let's just
move everything to Github issues, which was the de facto situation anyways.
About the donation links: I am the maintainer, and I do not know the identity of
the owners of the donation links, so it is correct to remove them. The same was
done on the website three months ago:
https://github.com/ether/ether.github.com/commit/d4ef04605da5
Do not touch vendorized files (e.g. libraries that were imported from external
projects).
No functional changes.
Command:
find . -name '*.<EXTENSION>' -type f -print0 | xargs -0 sed -i 's/[[:space:]]*$//'
In preparation for next commit. I was not able to find other non-vendorized
files that were in DOS format and legitimately needed to be converted.
No functional changes.
Added pad_utils sanitization for clean and safe error handling on browsers that
do not encode the path of the URL.
Edited by muxator based on https://github.com/ether/etherpad-lite/pull/3647,
to be able to apply the patch on develop (the PR was for master), and perform
minor cleanups (mainly spurious statements).
Closes#3647.
The vendored jquery version was 1.9.1 from 2013-02-04. Let's replace it with the
most recent one from the 1.x branch (1.12.4 from 2016-05-20).
The modification in rjquery.js is needed because recent jQuery versions changed
their behaviour, and do not set themselves on the global window object.
See: https://github.com/parcel-bundler/parcel/issues/333#issuecomment-357882648
This will be the lastest jQuery 1.x version ever, because 1.x branch is
definitively EOLed (see https://github.com/jquery/jquery.com/issues/162).
This is a stopgap measure to get the latest security fixes. Going forward,
another strategy will be needed.
Closes#3640
When visiting Etherpad's home page with Chrome the "ok" button was not on the
same line as the pad name text box. On Firefox & Safari there was no problem.
Tested on Chrome 74.
Fixes#3604.
This is a non breaking change.
From the changelog (https://github.com/expressjs/session/blob/v1.16.1/HISTORY.md#1161--2019-04-11):
# 1.16.1 / 2019-04-11
- Fix error passing data option to Cookie constructor
- Fix uncaught error from bad session data
# 1.16.0 / 2019-04-10
- Catch invalid cookie.maxAge value earlier
- Deprecate setting cookie.maxAge to a Date object
- Fix issue where resave: false may not save altered sessions
- Remove utils-merge dependency
- Use safe-buffer for improved Buffer API
- Use Set-Cookie as cookie header name for compatibility
- deps: depd@~2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
- perf: remove argument reassignment
- deps: on-headers@~1.0.2
- Fix res.writeHead patch missing return value
This is just a dev dependency, so no real risks, but it's better not to scare
users.
Reported vulnerability before this change:
$ npm audit
=== npm audit security report ===
# Run npm install --save-dev nyc@14.1.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nyc > istanbul-reports > handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/755 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Currently the version is exposed in a 'Server' http headers.
This commit allows to parameterize it in the settings. By defaults it is
not exposed.
Fixes#3423
The current behaviour is to show the chat bubble and hide if chat is
disabled.
Because of this, the bubble appears wrongfully for a short time.
With this PR, by default it is hidden and displayed only if chat is
enabled.
Fixes: #3088
