mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-26 00:43:20 +00:00
hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175
ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0 As documented in the Nix expression, I unfortunately had to patch `yarn.lock` manually (the `yarn.nix` result isn't affected by this). By adding a `git+https`-prefix to `midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache from `yarn2nix` rather than trying to download a tarball from GitHub. Also, this release contains a fix for CVE-2021-39175 which doesn't seem to be backported to 1.8. To quote NVD[1]: > In versions prior to 1.9.0, an unauthenticated attacker can inject > arbitrary JavaScript into the speaker-notes of the slide-mode feature > by embedding an iframe hosting the malicious code into the slides or by > embedding the HedgeDoc instance into another page. Even though it "only" has a medium rating by NVD (6.1), this seems rather problematic to me (also, GitHub rates this as "High"), so it's actually a candidate for a backport. [1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
This commit is contained in:
parent
d23ff4d6d9
commit
0a10c17c8d
@ -15,34 +15,42 @@ let
|
||||
# we need a different version than the one already available in nixpkgs
|
||||
esbuild-hedgedoc = buildGoModule rec {
|
||||
pname = "esbuild";
|
||||
version = "0.11.20";
|
||||
version = "0.12.27";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "evanw";
|
||||
repo = "esbuild";
|
||||
rev = "v${version}";
|
||||
sha256 = "009f2mfgzkzgxjh3034mzdkcvm5vz17sgy1cs604f0425i22z8qm";
|
||||
sha256 = "sha256-UclUTfm6fxoYEEdEEmO/j+WLZLe8SFzt7+Tej4bR0RU=";
|
||||
};
|
||||
|
||||
vendorSha256 = "1n5538yik72x94vzfq31qaqrkpxds5xys1wlibw2gn2am0z5c06q";
|
||||
vendorSha256 = "sha256-QPkBR+FscUc3jOvH7olcGUhM6OW4vxawmNJuRQxPuGs=";
|
||||
};
|
||||
in
|
||||
|
||||
mkYarnPackage rec {
|
||||
pname = "hedgedoc";
|
||||
version = "1.8.2";
|
||||
version = "1.9.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "hedgedoc";
|
||||
repo = "hedgedoc";
|
||||
rev = version;
|
||||
sha256 = "1h2wyhap264iqm2jh0i05w0hb2j86jsq1plyl7k3an90w7wngyg1";
|
||||
sha256 = "sha256-hSKQGkI1+68Zf05RhgRKZo47buyobzjhURSZ30/h0PA=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ which makeWrapper ];
|
||||
extraBuildInputs = [ python2 esbuild-hedgedoc ];
|
||||
|
||||
yarnNix = ./yarn.nix;
|
||||
|
||||
# FIXME(@Ma27) on the bump to 1.9.0 I had to patch this file manually:
|
||||
# I replaced `midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` with
|
||||
# `midi "git+https://github.com/paulrosen/MIDI.js.git#abcjs"` on all occurrences.
|
||||
#
|
||||
# Without this change `yarn` attempted to download the code directly from GitHub, with
|
||||
# the `git+`-prefix it actually uses the `midi.js` version from the offline cache
|
||||
# created by `yarn2nix`. On future bumps this may be necessary as well!
|
||||
yarnLock = ./yarn.lock;
|
||||
packageJSON = ./package.json;
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "HedgeDoc",
|
||||
"version": "1.8.2",
|
||||
"version": "1.9.0",
|
||||
"description": "The best platform to write and share markdown.",
|
||||
"main": "app.js",
|
||||
"license": "AGPL-3.0",
|
||||
@ -21,7 +21,7 @@
|
||||
"Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
|
||||
"archiver": "^5.0.2",
|
||||
"async": "^3.0.0",
|
||||
"aws-sdk": "^2.888.0",
|
||||
"aws-sdk": "^2.987.0",
|
||||
"azure-storage": "^2.7.0",
|
||||
"base64url": "^3.0.0",
|
||||
"body-parser": "^1.15.2",
|
||||
@ -29,7 +29,7 @@
|
||||
"cheerio": "^0.22.0",
|
||||
"compression": "^1.6.2",
|
||||
"connect-flash": "^0.1.1",
|
||||
"connect-session-sequelize": "^7.0.0",
|
||||
"connect-session-sequelize": "^7.1.2",
|
||||
"cookie": "^0.4.0",
|
||||
"cookie-parser": "^1.4.3",
|
||||
"deep-freeze": "^0.0.1",
|
||||
@ -40,7 +40,6 @@
|
||||
"file-type": "^16.1.0",
|
||||
"formidable": "^1.0.17",
|
||||
"graceful-fs": "^4.1.11",
|
||||
"handlebars": "^4.5.2",
|
||||
"helmet": "^4.5.0",
|
||||
"i18n": "^0.13.0",
|
||||
"is-svg": "^4.3.1",
|
||||
@ -66,7 +65,7 @@
|
||||
"meta-marked": "git+https://github.com/hedgedoc/meta-marked",
|
||||
"method-override": "^3.0.0",
|
||||
"minimist": "^1.2.0",
|
||||
"minio": "^7.0.0",
|
||||
"minio": "^7.0.19",
|
||||
"moment": "^2.17.1",
|
||||
"morgan": "^1.7.0",
|
||||
"mysql2": "^2.0.0",
|
||||
@ -80,7 +79,7 @@
|
||||
"passport-ldapauth": "^3.0.0",
|
||||
"passport-local": "^1.0.0",
|
||||
"passport-oauth2": "^1.4.0",
|
||||
"passport-saml": "^2.0.0",
|
||||
"passport-saml": "^3.1.2",
|
||||
"passport-twitter": "^1.0.4",
|
||||
"passport.socketio": "^3.7.0",
|
||||
"pdfobject": "^2.0.201604172",
|
||||
@ -98,13 +97,11 @@
|
||||
"sqlite3": "^5.0.0",
|
||||
"store": "^2.0.12",
|
||||
"string": "^3.3.3",
|
||||
"tedious": "^6.6.0",
|
||||
"toobusy-js": "^0.5.1",
|
||||
"umzug": "^2.3.0",
|
||||
"uuid": "^8.0.0",
|
||||
"validator": "^13.0.0",
|
||||
"winston": "^3.1.0",
|
||||
"ws": "^7.4.4",
|
||||
"xss": "^1.0.3"
|
||||
},
|
||||
"resolutions": {
|
||||
@ -133,7 +130,7 @@
|
||||
"url": "https://shivering-isles.com"
|
||||
},
|
||||
{
|
||||
"name":"David Mehren",
|
||||
"name": "David Mehren",
|
||||
"email": "hedgedoc@herrmehren.de"
|
||||
}
|
||||
],
|
||||
@ -142,6 +139,7 @@
|
||||
"url": "https://github.com/hedgedoc/hedgedoc.git"
|
||||
},
|
||||
"devDependencies": {
|
||||
"abcjs": "5.12.0",
|
||||
"babel-cli": "6.26.0",
|
||||
"babel-core": "6.26.3",
|
||||
"babel-loader": "7.1.5",
|
||||
@ -153,30 +151,31 @@
|
||||
"bootstrap-validator": "0.11.9",
|
||||
"codemirror": "git+https://github.com/hedgedoc/CodeMirror.git",
|
||||
"copy-webpack-plugin": "6.4.1",
|
||||
"css-loader": "5.2.4",
|
||||
"css-loader": "5.2.7",
|
||||
"emojify.js": "1.1.0",
|
||||
"esbuild-loader": "2.13.0",
|
||||
"esbuild-loader": "2.15.1",
|
||||
"escape-html": "1.0.3",
|
||||
"eslint": "7.26.0",
|
||||
"eslint-config-standard": "16.0.2",
|
||||
"eslint-plugin-import": "2.22.1",
|
||||
"eslint": "7.32.0",
|
||||
"eslint-config-standard": "16.0.3",
|
||||
"eslint-plugin-import": "2.24.2",
|
||||
"eslint-plugin-node": "11.1.0",
|
||||
"eslint-plugin-promise": "5.1.0",
|
||||
"eslint-plugin-standard": "4.1.0",
|
||||
"exports-loader": "1.1.1",
|
||||
"expose-loader": "1.0.3",
|
||||
"file-loader": "6.2.0",
|
||||
"file-saver": "2.0.5",
|
||||
"flowchart.js": "1.15.0",
|
||||
"fork-awesome": "1.1.7",
|
||||
"fork-awesome": "1.2.0",
|
||||
"gist-embed": "2.6.0",
|
||||
"highlight.js": "10.7.2",
|
||||
"highlight.js": "10.7.3",
|
||||
"html-webpack-plugin": "4.5.2",
|
||||
"imports-loader": "1.2.0",
|
||||
"ionicons": "2.0.1",
|
||||
"jquery": "3.6.0",
|
||||
"jquery-mousewheel": "3.1.13",
|
||||
"jquery-ui": "1.12.1",
|
||||
"js-cookie": "2.2.1",
|
||||
"js-cookie": "3.0.1",
|
||||
"js-sequence-diagrams": "git+https://github.com/hedgedoc/js-sequence-diagrams.git",
|
||||
"js-yaml": "3.14.1",
|
||||
"jsonlint": "1.6.3",
|
||||
@ -185,29 +184,28 @@
|
||||
"less-loader": "7.3.0",
|
||||
"list.js": "2.3.1",
|
||||
"mathjax": "2.7.9",
|
||||
"mermaid": "8.10.1",
|
||||
"mini-css-extract-plugin": "1.6.0",
|
||||
"mocha": "8.4.0",
|
||||
"mermaid": "8.12.1",
|
||||
"mini-css-extract-plugin": "1.6.2",
|
||||
"mocha": "9.1.1",
|
||||
"mock-require": "3.0.3",
|
||||
"optimize-css-assets-webpack-plugin": "5.0.4",
|
||||
"prismjs": "1.23.0",
|
||||
"optimize-css-assets-webpack-plugin": "6.0.1",
|
||||
"prismjs": "1.24.1",
|
||||
"raphael": "2.3.0",
|
||||
"remark-cli": "9.0.0",
|
||||
"remark-preset-lint-markdown-style-guide": "4.0.0",
|
||||
"remark-cli": "10.0.0",
|
||||
"remark-preset-lint-markdown-style-guide": "5.0.1",
|
||||
"reveal.js": "3.9.2",
|
||||
"script-loader": "0.7.2",
|
||||
"select2": "3.5.2-browserify",
|
||||
"socket.io-client": "2.4.0",
|
||||
"spin.js": "4.1.0",
|
||||
"spin.js": "4.1.1",
|
||||
"string-loader": "0.0.1",
|
||||
"turndown": "7.0.0",
|
||||
"turndown": "7.1.1",
|
||||
"url-loader": "4.1.1",
|
||||
"velocity-animate": "1.5.2",
|
||||
"visibilityjs": "2.0.2",
|
||||
"viz.js": "1.8.2",
|
||||
"webpack": "4.46.0",
|
||||
"webpack-cli": "4.7.0",
|
||||
"webpack-merge": "5.7.3",
|
||||
"webpack-cli": "4.8.0",
|
||||
"webpack-merge": "5.8.0",
|
||||
"wurl": "2.5.4"
|
||||
},
|
||||
"optionalDependencies": {
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user