From 393f370db5d1e93bf969bf7579fe6941e9d5dde9 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 07:17:59 +0800
Subject: [PATCH 01/17] [ci skip]
---
 .github/workflows/semgrep.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 000000000..60a39746b
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,21 @@
+on:
+ workflow_dispatch: {}
+ pull_request: {}
+
+name: Semgrep
+jobs:
+ semgrep:
+ name: semgrep/ci
+ runs-on: ubuntu-20.04
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ container:
+ image: semgrep/semgrep
+
+ # Skip any PR created by dependabot to avoid permission issues:
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - uses: actions/checkout@v4
+ - run: |
+ semgrep ci --supply-chain --verbose
From f317d09065541c7fc5f768a5256dde9021cd1afa Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 07:20:46 +0800
Subject: [PATCH 02/17] [ci skip]
---
 .github/workflows/e2e-test.yml | 61 ----------------------------------
 1 file changed, 61 deletions(-)
 delete mode 100644 .github/workflows/e2e-test.yml
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
deleted file mode 100644
index 4ed7d6aec..000000000
--- a/.github/workflows/e2e-test.yml
+++ /dev/null
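Review bot: The new workflow runs with the repository's default GITHUB_TOKEN permissions and pulls both its scanner image and its checkout action by mutable tag, so the job holds more privilege and a wider supply chain than a read-only `semgrep ci` scan needs. Add a least-privilege grant at the top of the file, `permissions:` / `  contents: read`, which is all the checkout-and-scan step requires. `image: semgrep/semgrep` without a tag resolves to whatever is currently published as latest and `actions/checkout@v4` is a moving tag; pin both to a digest or commit SHA (patches 07–09 flip the image tag between `111`, `1.111` and none, and the series ends unpinned). `runs-on: ubuntu-20.04` is also a runner image GitHub has been retiring, so the job may stop scheduling — confirm against the current hosted-runner list before relying on it.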
@@ -1,61 +0,0 @@
-name: E2E Test
-on: [push, pull_request]
-
-jobs:
- e2e-test:
- name: Node.js
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: false
- matrix:
- node-version: ["10.x", "12.x", "14.x"]
-
- steps:
- - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }}
- uses: actions/checkout@v2
- with:
- persist-credentials: false
-
- - name: Set up Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
- with:
- node-version: ${{ matrix.node-version }}
-
- - name: Use cache
- uses: actions/cache@v2
- with:
- path: |
- ~/.npm
- ~/.cache
- key: ${{ runner.os }}-node${{ matrix.node-version }}-E2E-${{ hashFiles('package-lock.json') }}
-
- - name: Install dependencies
- run: |
- npm ci
- npm run cy:verify
-
- - name: Start MongoDB
- run: |
- docker run -d -p 27017:27017 mongo:4.0
- timeout 60s bash -c 'until nc -z -w 2 localhost 27017 && echo MongoDB ready; do sleep 2; done'
-
- - name: Run E2E test suite
- id: test-suite
- run: |
- NODE_ENV=test npm start -- --silent &
- npm run test:ci -- --config video=true
-
- - name: Prepare cypress artifacts
- if: failure() && (steps.test-suite.outcome == 'failure')
- working-directory: ./test/e2e
- run: >
- mkdir -p "screenshots" && find "screenshots" -mindepth 1 -maxdepth 1 -type d
- -exec sh -c 'mv -- "videos/$(basename "$1").mp4" "$1"' _ {} \;
-
- - name: Upload cypress artifacts
- if: failure() && (steps.test-suite.outcome == 'failure')
- uses: actions/upload-artifact@v2
- with:
- name: cypress-artifacts-node${{ matrix.node-version }}
- path: test/e2e/screenshots
From ec2cb98b36656d0a407349f46019a23d2d6974f5 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 07:21:01 +0800
Subject: [PATCH 03/17] [ci skip]
---
 .github/workflows/lint.yml | 26 --------------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 .github/workflows/lint.yml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index e7922ae78..000000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Lint
-on: [push, pull_request]
-
-jobs:
- lint:
- name: Node.js
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: false
- matrix:
- node-version: ["14.x"]
-
- steps:
- - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }}
- uses: actions/checkout@v2
- with:
- persist-credentials: false
-
- - name: Set up Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
- with:
- node-version: ${{ matrix.node-version }}
-
- - name: Run linter
- run: npx --no-install jshint@2.12.0 .
From 40ae3ba42ce757a560ef906370b58679c9919802 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 07:26:27 +0800
Subject: [PATCH 04/17] [ci skip]
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 60a39746b..07d14e0a7 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -18,4 +18,4 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - run: |
- semgrep ci --supply-chain --verbose
+ semgrep ci --supply-chain --verbose --debug
From b109ded033ddbcace8563b79e226789e8c457a33 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 07:45:38 +0800
Subject: [PATCH 05/17] [ci skip]
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 07d14e0a7..8ad631c3c 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -18,4 +18,4 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - run: |
- semgrep ci --supply-chain --verbose --debug
+ semgrep ci --supply-chain --debug
From 370cb065d93bd3977704b61857d74e7496887f84 Mon Sep 17 00:00:00 2001
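Review bot: `--debug` is added to the `semgrep ci` invocation in patch 04 and kept by patch 05, so debug-level scanner output is written to the logs of every pull_request run, where anyone able to read the repository's Actions logs can see it. Debug output is reasonable while the workflow is being brought up, but nothing in the series turns it off again; once the scan is stable, return the step to `semgrep ci --supply-chain`, or put a comment above the `run:` line explaining why debug logging is wanted permanently. The `semgrep` job's header lies outside these hunks.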
From: Shi Chao
Date: Wed, 2 Apr 2025 17:04:48 -0700
Subject: [PATCH 06/17] add package.json and also lock json
---
 package-lock.json | 12 ++++++++++++
 package.json | 3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/package-lock.json b/package-lock.json
index 3a26af223..b7c41f6b9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,6 +12,7 @@
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
 "consolidate": "^0.14.1",
+ "cool-path": "1.1.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
 "express": "^4.13.4",
@@ -1476,6 +1477,12 @@
 "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
 "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
 },
+ "node_modules/cool-path": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/cool-path/-/cool-path-1.1.1.tgz",
+ "integrity": "sha512-pAen6Ioixon4BxlP3KzXQgZoDCOC8tH/vtrKx9evHJF5gbPBT6/8Wskm+xXH3ss8HJIqBlMw2DKo8BGaQlgxgw==",
+ "license": "MIT"
+ },
 "node_modules/copy-descriptor": {
 "version": "0.1.1",
 "resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz",
@@ -16541,6 +16548,11 @@
 "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
 "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
 },
+ "cool-path": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/cool-path/-/cool-path-1.1.1.tgz",
+ "integrity": "sha512-pAen6Ioixon4BxlP3KzXQgZoDCOC8tH/vtrKx9evHJF5gbPBT6/8Wskm+xXH3ss8HJIqBlMw2DKo8BGaQlgxgw=="
+ },
 "copy-descriptor": {
 "version": "0.1.1",
 "resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz",
diff --git a/package.json b/package.json
index b2eb65a04..26071b997 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,8 @@
 "node-esapi": "0.0.1",
 "serve-favicon": "^2.3.0",
 "swig": "^1.4.2",
- "underscore": "^1.8.3"
+ "underscore": "^1.8.3",
+ "cool-path": "1.1.1"
 },
 "comments": {
 "//": "a9 insecure components"
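Review bot: `"cool-path": "1.1.1"` is appended after `underscore`, breaking the alphabetical order the rest of the dependency list follows, and it is the only entry with an exact pin instead of a caret range, while nothing in the diff shows the package being required anywhere. The file's own `comments` object records why groups of dependencies exist (`"//": "a9 insecure components"` is the context line right after this hunk), so a line there stating what `cool-path` is for would tell the next reader whether the exact pin and the placement are deliberate. If it is a fixture for the supply-chain scan rather than an application dependency, say so in that comment; patch 10 removes the entry again without explanation.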
From 4cb66c1dbbd32562bbd2e2ddc9ec5a0b72384c62 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 08:25:49 +0800
Subject: [PATCH 07/17] switching to semgrep/semgrep:111
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 8ad631c3c..4c8751532 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -10,7 +10,7 @@ jobs:
 env:
 SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
 container:
- image: semgrep/semgrep
+ image: semgrep/semgrep:111
 
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
From 60c952bc8453d4b274989b0a59b45c681aabf198 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 08:28:44 +0800
Subject: [PATCH 08/17] [ci skip]
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 4c8751532..eb2d92e78 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -10,7 +10,7 @@ jobs:
 env:
 SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
 container:
- image: semgrep/semgrep:111
+ image: semgrep/semgrep:1.111
 
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
From 9f3ed331f0f93835957ffb84b3c7fb4d0f5e26a5 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Thu, 3 Apr 2025 08:47:40 +0800
Subject: [PATCH 09/17] [ci skip]
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index eb2d92e78..8ad631c3c 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -10,7 +10,7 @@ jobs:
 env:
 SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
 container:
- image: semgrep/semgrep:1.111
+ image: semgrep/semgrep
 
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
From 8cf1f48d71a490edaffe173a13db23465b349e29 Mon Sep 17 00:00:00 2001
From: Shi Chao
Date: Fri, 4 Apr 2025 12:39:02 -0700
Subject: [PATCH 10/17] reset and removing cool-path
---
 package-lock.json | 12 ------------
 package.json | 3 +--
 2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index b7c41f6b9..3a26af223 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,7 +12,6 @@
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
 "consolidate": "^0.14.1",
- "cool-path": "1.1.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
 "express": "^4.13.4",
@@ -1477,12 +1476,6 @@
 "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
 "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
 },
- "node_modules/cool-path": {
- "version": "1.1.1",
- "resolved": "https://registry.npmjs.org/cool-path/-/cool-path-1.1.1.tgz",
- "integrity": "sha512-pAen6Ioixon4BxlP3KzXQgZoDCOC8tH/vtrKx9evHJF5gbPBT6/8Wskm+xXH3ss8HJIqBlMw2DKo8BGaQlgxgw==",
- "license": "MIT"
- },
 "node_modules/copy-descriptor": {
 "version": "0.1.1",
 "resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz",
@@ -16548,11 +16541,6 @@
 "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
 "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
 },
- "cool-path": {
- "version": "1.1.1",
- "resolved": "https://registry.npmjs.org/cool-path/-/cool-path-1.1.1.tgz",
- "integrity": "sha512-pAen6Ioixon4BxlP3KzXQgZoDCOC8tH/vtrKx9evHJF5gbPBT6/8Wskm+xXH3ss8HJIqBlMw2DKo8BGaQlgxgw=="
- },
 "copy-descriptor": {
 "version": "0.1.1",
 "resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz",
diff --git a/package.json b/package.json
index 26071b997..b2eb65a04 100644
--- a/package.json
+++ b/package.json
@@ -20,8 +20,7 @@
 "node-esapi": "0.0.1",
 "serve-favicon": "^2.3.0",
 "swig": "^1.4.2",
- "underscore": "^1.8.3",
- "cool-path": "1.1.1"
+ "underscore": "^1.8.3"
 },
 "comments": {
 "//": "a9 insecure components"
From f3eaf133ab2ae42ea61818a1b713e5c3f6507828 Mon Sep 17 00:00:00 2001
From: Shi Chao
Date: Tue, 9 Sep 2025 13:14:17 +0800
Subject: [PATCH 11/17] reproducer for GHSA-cust-0000-0007
---
 package-lock.json | 95 +++++++++++++++++++++++++++++++++++++++++++++++
 package.json | 1 +
 2 files changed, 96 insertions(+)
diff --git a/package-lock.json b/package-lock.json
index 3a26af223..ba2f99596 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,6 +11,7 @@
 "dependencies": {
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
+ "color": "5.0.1",
 "consolidate": "^0.14.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
@@ -1256,6 +1257,19 @@
 "node": ">=0.10.0"
 }
 },
+ "node_modules/color": {
+ "version": "5.0.0",
+ "resolved": "https://registry.npmjs.org/color/-/color-5.0.0.tgz",
+ "integrity": "sha512-16BlyiuyLq3MLxpRWyOTiWsO3ii/eLQLJUQXBSNcxMBBSnyt1ee9YUdaozQp03ifwm5woztEZGDbk9RGVuCsdw==",
+ "license": "MIT",
+ "dependencies": {
+ "color-convert": "^3.0.1",
+ "color-string": "^2.0.0"
+ },
+ "engines": {
+ "node": ">=18"
+ }
+ },
 "node_modules/color-convert": {
 "version": "1.9.3",
 "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
@@ -1271,6 +1285,27 @@
 "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
 "dev": true
 },
+ "node_modules/color-string": {
+ "version": "2.1.0",
+ "resolved": "https://registry.npmjs.org/color-string/-/color-string-2.1.0.tgz",
+ "integrity": "sha512-gNVoDzpaSwvftp6Y8nqk97FtZoXP9Yj7KGYB8yIXuv0JcfqbYihTrd1OU5iZW9btfXde4YAOCRySBHT7O910MA==",
+ "license": "MIT",
+ "dependencies": {
+ "color-name": "^2.0.0"
+ },
+ "engines": {
+ "node": ">=18"
+ }
+ },
+ "node_modules/color-string/node_modules/color-name": {
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
+ "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=12.20"
+ }
+ },
 "node_modules/color-support": {
 "version": "1.1.3",
 "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz",
@@ -1280,6 +1315,27 @@
 "color-support": "bin.js"
 }
 },
+ "node_modules/color/node_modules/color-convert": {
+ "version": "3.1.0",
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.0.tgz",
+ "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
+ "license": "MIT",
+ "dependencies": {
+ "color-name": "^2.0.0"
+ },
+ "engines": {
+ "node": ">=14.6"
+ }
+ },
+ "node_modules/color/node_modules/color-name": {
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
+ "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=12.20"
+ }
+ },
 "node_modules/colors": {
 "version": "0.6.2",
 "resolved": "https://registry.npmjs.org/colors/-/colors-0.6.2.tgz",
@@ -16355,6 +16411,30 @@
 "object-visit": "^1.0.0"
 }
 },
+ "color": {
+ "version": "5.0.0",
+ "resolved": "https://registry.npmjs.org/color/-/color-5.0.0.tgz",
+ "integrity": "sha512-16BlyiuyLq3MLxpRWyOTiWsO3ii/eLQLJUQXBSNcxMBBSnyt1ee9YUdaozQp03ifwm5woztEZGDbk9RGVuCsdw==",
+ "requires": {
+ "color-convert": "^3.0.1",
+ "color-string": "^2.0.0"
+ },
+ "dependencies": {
+ "color-convert": {
+ "version": "3.1.0",
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.0.tgz",
+ "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
+ "requires": {
+ "color-name": "^2.0.0"
+ }
+ },
+ "color-name": {
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
+ "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow=="
+ }
+ }
+ },
 "color-convert": {
 "version": "1.9.3",
 "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
@@ -16370,6 +16450,21 @@
 "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
 "dev": true
 },
+ "color-string": {
+ "version": "2.1.0",
+ "resolved": "https://registry.npmjs.org/color-string/-/color-string-2.1.0.tgz",
+ "integrity": "sha512-gNVoDzpaSwvftp6Y8nqk97FtZoXP9Yj7KGYB8yIXuv0JcfqbYihTrd1OU5iZW9btfXde4YAOCRySBHT7O910MA==",
+ "requires": {
+ "color-name": "^2.0.0"
+ },
+ "dependencies": {
+ "color-name": {
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
+ "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow=="
+ }
+ }
+ },
 "color-support": {
 "version": "1.1.3",
 "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz",
diff --git a/package.json b/package.json
index b2eb65a04..0c0733f77 100644
--- a/package.json
+++ b/package.json
@@ -7,6 +7,7 @@
 "dependencies": {
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
+ "color": "^5.0.0",
 "consolidate": "^0.14.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
From ce7fd5640a4afd7a9dd33db5c38d2bb3b25e7f8f Mon Sep 17 00:00:00 2001
From: Shi Chao
Date: Tue, 9 Sep 2025 13:27:03 +0800
Subject: [PATCH 12/17] reproducer for GHSA-cust-0000-0007
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 0c0733f77..2f225c95a 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
 "dependencies": {
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
- "color": "^5.0.0",
+ "color": "5.0.1",
 "consolidate": "^0.14.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
From 0dfe559d46179df9d8be34b822040ae22db9b4eb Mon Sep 17 00:00:00 2001
From: Shi Chao
Date: Tue, 9 Sep 2025 14:09:13 +0800
Subject: [PATCH 13/17] reproducer for GHSA-cust-0000-0007
---
 package-lock.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index ba2f99596..8aafbf3a2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1258,8 +1258,8 @@
 }
 },
 "node_modules/color": {
- "version": "5.0.0",
- "resolved": "https://registry.npmjs.org/color/-/color-5.0.0.tgz",
+ "version": "5.0.1",
+ "resolved": "https://registry.npmjs.org/color/-/color-5.0.1.tgz",
 "integrity": "sha512-16BlyiuyLq3MLxpRWyOTiWsO3ii/eLQLJUQXBSNcxMBBSnyt1ee9YUdaozQp03ifwm5woztEZGDbk9RGVuCsdw==",
 "license": "MIT",
 "dependencies": {
From 8b084bf3db275a4abda3b89860b7951d19c40a10 Mon Sep 17 00:00:00 2001
From: Shi Chao
Date: Tue, 9 Sep 2025 14:24:49 +0800
Subject: [PATCH 14/17] reproducer for GHSA-cust-0000-0007
---
 package-lock.json | 131 +++++++++++++++++++++------------------------
 package.json | 1 +
 2 files changed, 60 insertions(+), 72 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 8aafbf3a2..fbe8ca114 100644
--- a/package-lock.json
+++ b/package-lock.json
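Review bot: `"color": "^5.0.0"` does not match the spec the same patch writes into the lock's root entry, `"color": "5.0.1"` (first package-lock.json hunk of patch 11), while the lock's `node_modules/color` record resolves 5.0.0; npm copies the root entry verbatim from package.json, so three different specs for one package mean the lock was edited by hand rather than generated. Patches 12 and 13 move the manifest and the `node_modules/color` version to 5.0.1, but patch 13 leaves the `integrity` value recorded for the 5.0.0 tarball on its unchanged context line, so an install that verifies integrity should be expected to reject the 5.0.1 tarball. If the reproducer for GHSA-cust-0000-0007 deliberately needs a lock whose version and hash disagree, a sentence in the commit message or a line in the file's `comments` object should say so; otherwise regenerate the lock with the package manager instead of editing it.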
@@ -12,6 +12,7 @@
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
 "color": "5.0.1",
+ "color-convert": "3.1.1",
 "consolidate": "^0.14.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
@@ -265,6 +266,23 @@
 "node": ">=4"
 }
 },
+ "node_modules/ansi-styles/node_modules/color-convert": {
+ "version": "1.9.3",
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
+ "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "color-name": "1.1.3"
+ }
+ },
+ "node_modules/ansi-styles/node_modules/color-name": {
+ "version": "1.1.3",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
+ "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==",
+ "dev": true,
+ "license": "MIT"
+ },
 "node_modules/anymatch": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-2.0.0.tgz",
@@ -1271,19 +1289,25 @@
 }
 },
 "node_modules/color-convert": {
- "version": "1.9.3",
- "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
- "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
- "dev": true,
+ "version": "3.1.1",
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.1.tgz",
+ "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
+ "license": "MIT",
 "dependencies": {
- "color-name": "1.1.3"
+ "color-name": "^2.0.0"
+ },
+ "engines": {
+ "node": ">=14.6"
 }
 },
 "node_modules/color-name": {
- "version": "1.1.3",
- "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
- "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
- "dev": true
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
+ "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=12.20"
+ }
 },
 "node_modules/color-string": {
 "version": "2.1.0",
@@ -1297,15 +1321,6 @@
 "node": ">=18"
 }
 },
- "node_modules/color-string/node_modules/color-name": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
- "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow==",
- "license": "MIT",
- "engines": {
- "node": ">=12.20"
- }
- },
 "node_modules/color-support": {
 "version": "1.1.3",
 "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz",
@@ -1315,27 +1330,6 @@
 "color-support": "bin.js"
 }
 },
- "node_modules/color/node_modules/color-convert": {
- "version": "3.1.0",
- "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.0.tgz",
- "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
- "license": "MIT",
- "dependencies": {
- "color-name": "^2.0.0"
- },
- "engines": {
- "node": ">=14.6"
- }
- },
- "node_modules/color/node_modules/color-name": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
- "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow==",
- "license": "MIT",
- "engines": {
- "node": ">=12.20"
- }
- },
 "node_modules/colors": {
 "version": "0.6.2",
 "resolved": "https://registry.npmjs.org/colors/-/colors-0.6.2.tgz",
@@ -15602,6 +15596,23 @@
 "dev": true,
 "requires": {
 "color-convert": "^1.9.0"
+ },
+ "dependencies": {
+ "color-convert": {
+ "version": "1.9.3",
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
+ "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+ "dev": true,
+ "requires": {
+ "color-name": "1.1.3"
+ }
+ },
+ "color-name": {
+ "version": "1.1.3",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
+ "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==",
+ "dev": true
+ }
 }
 },
 "anymatch": {
@@ -16412,43 +16423,26 @@
 }
 },
 "color": {
- "version": "5.0.0",
- "resolved": "https://registry.npmjs.org/color/-/color-5.0.0.tgz",
+ "version": "5.0.1",
+ "resolved": "https://registry.npmjs.org/color/-/color-5.0.1.tgz",
 "integrity": "sha512-16BlyiuyLq3MLxpRWyOTiWsO3ii/eLQLJUQXBSNcxMBBSnyt1ee9YUdaozQp03ifwm5woztEZGDbk9RGVuCsdw==",
 "requires": {
 "color-convert": "^3.0.1",
 "color-string": "^2.0.0"
- },
- "dependencies": {
- "color-convert": {
- "version": "3.1.0",
- "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.0.tgz",
- "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
- "requires": {
- "color-name": "^2.0.0"
- }
- },
- "color-name": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
- "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow=="
- }
 }
 },
 "color-convert": {
- "version": "1.9.3",
- "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
- "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
- "dev": true,
+ "version": "3.1.0",
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.0.tgz",
+ "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
 "requires": {
- "color-name": "1.1.3"
+ "color-name": "^2.0.0"
 }
 },
 "color-name": {
- "version": "1.1.3",
- "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
- "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=",
- "dev": true
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
+ "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow=="
 },
 "color-string": {
 "version": "2.1.0",
@@ -16456,13 +16450,6 @@
 "integrity": "sha512-gNVoDzpaSwvftp6Y8nqk97FtZoXP9Yj7KGYB8yIXuv0JcfqbYihTrd1OU5iZW9btfXde4YAOCRySBHT7O910MA==",
 "requires": {
 "color-name": "^2.0.0"
- },
- "dependencies": {
- "color-name": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
- "integrity": "sha512-SbtvAMWvASO5TE2QP07jHBMXKafgdZz8Vrsrn96fiL+O92/FN/PLARzUW5sKt013fjAprK2d2iCn2hk2Xb5oow=="
- }
 }
 },
 "color-support": {
diff --git a/package.json b/package.json
index 2f225c95a..9792393c2 100644
--- a/package.json
+++ b/package.json
@@ -8,6 +8,7 @@
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
 "color": "5.0.1",
+ "color-convert": "^3.1.0",
 "consolidate": "^0.14.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
From 7cd5acf3ff0247e6401379dc87a8d5fdc50fd526 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Tue, 16 Sep 2025 10:38:48 +0800
Subject: [PATCH 15/17] Update package-lock.json revert color-convert
---
 package-lock.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/package-lock.json b/package-lock.json
index fbe8ca114..9d81ff122 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,7 +12,6 @@
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
 "color": "5.0.1",
- "color-convert": "3.1.1",
 "consolidate": "^0.14.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
From 67dc082f8f6b944af4499913fc7dfd720993f345 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Tue, 16 Sep 2025 10:54:05 +0800
Subject: [PATCH 16/17] remove color-convert 3.1.1
---
 package-lock.json | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 9d81ff122..0c6599a22 100644
--- a/package-lock.json
+++ b/package-lock.json
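Review bot: `"color-convert": "^3.1.0"` disagrees with the spec the same patch writes into the lock's root entry, `"color-convert": "3.1.1"`, and the lock's `node_modules/color-convert` record at 3.1.1 carries the same `integrity` hash that patch 11 recorded for the 3.1.0 tarball — the same hand-edited-lock pattern as the `color` entry, and patches 15–17 only remove and re-add the lock entry without correcting either value. Nothing in the diff shows the application requiring `color-convert` directly; the lock already pulls it in through `color`'s own `^3.0.1` requirement, so a separate direct dependency needs a comment saying why it is pinned on its own. If the extra entry is intentional for the reproducer, record that in the file's `comments` object (seen in patch 06) next to the existing `"//": "a9 insecure components"` note, and regenerate the lock so the root spec and the integrity hash match what the package manager would produce.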
@@ -1287,18 +1287,6 @@
 "node": ">=18"
 }
 },
- "node_modules/color-convert": {
- "version": "3.1.1",
- "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.1.tgz",
- "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
- "license": "MIT",
- "dependencies": {
- "color-name": "^2.0.0"
- },
- "engines": {
- "node": ">=14.6"
- }
- },
 "node_modules/color-name": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",
From 77aa1bee9b6d5193b3d96cbce961a620dadbed01 Mon Sep 17 00:00:00 2001
From: semgrep-shichao
Date: Tue, 16 Sep 2025 11:36:40 +0800
Subject: [PATCH 17/17] Update package-lock.json
---
 package-lock.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/package-lock.json b/package-lock.json
index 0c6599a22..fbe8ca114 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,6 +12,7 @@
 "bcrypt-nodejs": "0.0.3",
 "body-parser": "^1.15.1",
 "color": "5.0.1",
+ "color-convert": "3.1.1",
 "consolidate": "^0.14.1",
 "csurf": "^1.8.3",
 "dont-sniff-mimetype": "^1.0.0",
@@ -1287,6 +1288,18 @@
 "node": ">=18"
 }
 },
+ "node_modules/color-convert": {
+ "version": "3.1.1",
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-3.1.1.tgz",
+ "integrity": "sha512-TVoqAq8ZDIpK5lsQY874DDnu65CSsc9vzq0wLpNQ6UMBq81GSZocVazPiBbYGzngzBOIRahpkTzCLVe2at4MfA==",
+ "license": "MIT",
+ "dependencies": {
+ "color-name": "^2.0.0"
+ },
+ "engines": {
+ "node": ">=14.6"
+ }
+ },
 "node_modules/color-name": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/color-name/-/color-name-2.0.0.tgz",