fryuni / inox-tools
Oxygen-free tools for Astronauts.

Home Page: https://inox-tools.vercel.app

License: MIT License

Languages: TypeScript 96.02%, JavaScript 2.31%, Handlebars 0.82%, Astro 0.53%, HTML 0.31%

Topics: astro, dev-tools, libraries, tools, typescript

Contributors: fryuni, github-actions[bot], ktym4a, mend-bolt-for-github[bot]

Forkers: ktym4a

inox-tools's Issues

[new package]: Automatic redirects from Git renames

From Discord conversation

PatrickJ — Today at 10:46 AM
I'm a bit new to authoring content in markdown. I wonder how you guys ensure that redirects are made when changing slugs or folders of the content? Typically a CMS can handle making those redirects, but it seems a bit painful and manual with markdown. Are there any tools out there that make that easier? I don't believe Astro has anything built in for it, right? I was thinking about a GitHub action that gives a heads-up about changed URLs?

Fryuni (Luiz Ferraz) — Today at 10:56 AM
You can get the history of renames from your git history and generate the redirects configuration
Interesting idea to publish as an integration or at least as a Starlight plugin...
git diff --stat=200 --diff-filter=R <COMMIT> src/content/<collectionName>
Will give you an output like this:

src/content/docs/ar/{core-concepts => basics}/astro-components.mdx
src/content/docs/de/{core-concepts => basics}/astro-components.mdx
src/content/docs/de/{core-concepts => basics}/astro-pages.mdx
src/content/docs/de/{core-concepts => basics}/astro-syntax.mdx
src/content/docs/de/{core-concepts => basics}/layouts.mdx

You can then parse that and either make individual redirects or extract patterns to make a dynamic redirect.

@inox-tools/inline-mod-0.1.2.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - @inox-tools/inline-mod-0.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: a9cb8defe37b46081c9a24790b7aadd85305d356

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (@inox-tools/inline-mod version) | Remediation Possible**
CVE-2024-23331 | High | 7.5 | vite-3.2.7.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23331

Vulnerable Library - vite-3.2.7.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-3.2.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @inox-tools/inline-mod-0.1.2.tgz (Root Library)
    • vite-3.2.7.tgz (Vulnerable Library)

Found in HEAD commit: a9cb8defe37b46081c9a24790b7aadd85305d356

Found in base branch: main

Vulnerability Details

Vite is a frontend tooling framework for JavaScript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with surface area reduced to hosts having case-insensitive filesystems. Since picomatch defaults to case-sensitive glob matching but the file server doesn't discriminate, a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files. This issue has been addressed in vite@2.9.17, vite@3.2.8, vite@4.5.2, and vite@5.0.12. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

Publish Date: 2024-01-19

URL: CVE-2024-23331

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c24v-8rfc-w8vw

Release Date: 2024-01-19

Fix Resolution: vite - 2.9.17,3.2.8,4.5.2,5.0.12

Step up your Open Source Security Game with Mend here

[new package] Powerset barrel exports for Astro

Barrel files in Astro cause the styles and scripts from all the re-exported components to be included in any page that uses any one of them.

// src/components/index.ts
export { default as Foo } from './Foo.astro';
export { default as Bar } from './Bar.astro';

Then on a page:

// src/pages/index.astro
---
import { Foo } from '../components';
---
<Foo/>

That index page will include the styles and client-side scripts from the Bar component.


While this is not fixed in Astro core, it could be provided as a virtual import that dynamically (and lazily) expands into the powerset of possible imports.

For the example above:

  • import { Foo } from '~anyComponent'; would resolve to a module containing:
    export { default as Foo } from '/src/components/Foo.astro';
  • import { Bar } from '~anyComponent'; would resolve to a module containing:
    export { default as Bar } from '/src/components/Bar.astro';
  • import { Foo, Bar } from '~anyComponent'; would resolve to a module containing:
    export { default as Bar } from '/src/components/Bar.astro';
    export { default as Foo } from '/src/components/Foo.astro';
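One way to implement the lazy powerset described above, as an added example (not inox-tools code): a transform step moves the imported names into the module specifier, so the resolver can see which subset is wanted, and a load step emits only those re-exports. The ~anyComponent id, the names query parameter and the component registry are assumptions; the hook names (transform, load) are Vite's. Sorting the names makes every ordering of the same subset resolve to one module, so only subsets that are actually imported ever exist.

```typescript
// Added example, not inox-tools code. `~anyComponent`, the `names` query and the
// registry below are assumptions for the sketch.
const VIRTUAL_ID = '~anyComponent';

// Constructed registry: barrel export name -> absolute component path.
const COMPONENTS: Record<string, string> = {
  Foo: '/src/components/Foo.astro',
  Bar: '/src/components/Bar.astro',
};

// transform hook: a bare import of the virtual module does not tell the
// resolver which names are wanted, so move them into the specifier. Aliases
// (`Bar as B`) keep the original export name; sorting and de-duplicating make
// `{Bar, Foo}` and `{Foo, Bar}` the same subset, hence the same module.
function rewriteImports(source: string): string {
  const re = /import\s*\{([^}]*)\}\s*from\s*['"]~anyComponent['"]/g;
  return source.replace(re, (_match: string, clause: string) => {
    const wanted = Array.from(
      new Set(
        clause
          .split(',')
          .map(n => n.trim().split(/\s+as\s+/)[0] ?? '')
          .filter(Boolean),
      ),
    ).sort();
    return `import { ${clause.trim()} } from '${VIRTUAL_ID}?names=${wanted.join(',')}'`;
  });
}

// load hook: emit only the requested re-exports, so the page pulls in the
// styles and scripts of exactly those components. Unknown names fail loudly
// instead of silently exporting nothing.
function loadSubset(id: string): string {
  const [base, query = ''] = id.split('?');
  if (base !== VIRTUAL_ID) throw new Error(`not a ${VIRTUAL_ID} id: ${id}`);
  const wanted = (new URLSearchParams(query).get('names') ?? '').split(',').filter(Boolean);
  return wanted
    .map(exportName => {
      const file = COMPONENTS[exportName];
      if (!file) throw new Error(`Unknown component "${exportName}" requested from ${VIRTUAL_ID}`);
      return `export { default as ${exportName} } from '${file}';`;
    })
    .join('\n');
}

// Stand-alone run: the page from the issue, rewritten and then loaded.
const pageSource = `import { Foo } from '${VIRTUAL_ID}';`;
console.log(rewriteImports(pageSource));
console.log(loadSubset(`${VIRTUAL_ID}?names=Foo`));
```

The registry would in practice be built by scanning the components directory; keeping it explicit here is what makes the unknown-name check meaningful, since a typo in an import then fails at build time rather than resolving to an empty module.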

inline-mod-0.1.1.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - inline-mod-0.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 553f61239a69b8deddec7676598b8f92996d1a78

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (inline-mod version) | Remediation Possible**
CVE-2024-23331 | High | 7.5 | vite-3.2.7.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23331

Vulnerable Library - vite-3.2.7.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-3.2.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • inline-mod-0.1.1.tgz (Root Library)
    • vite-3.2.7.tgz (Vulnerable Library)

Found in HEAD commit: 553f61239a69b8deddec7676598b8f92996d1a78

Found in base branch: main

Vulnerability Details

Vite is a frontend tooling framework for JavaScript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with surface area reduced to hosts having case-insensitive filesystems. Since picomatch defaults to case-sensitive glob matching but the file server doesn't discriminate, a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files. This issue has been addressed in vite@2.9.17, vite@3.2.8, vite@4.5.2, and vite@5.0.12. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

Publish Date: 2024-01-19

URL: CVE-2024-23331

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-c24v-8rfc-w8vw

Release Date: 2024-01-19

Fix Resolution: vite - 2.9.17,3.2.8,4.5.2,5.0.12

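Both Mend reports above describe the same weakness in the transitive vite dependency: a deny list matched case-sensitively while the filesystem resolves names case-insensitively. As an added example (not Vite's or inox-tools' code), the block below puts a naive basename matcher beside one that follows the host's case rule, which is the property a defender wants to verify in any path deny list. The deny patterns are a constructed sample in the shape of server.fs.deny, and the tiny glob translator only covers what those patterns need.

```typescript
// Added example, not Vite's or inox-tools' code. Constructed sample in the
// shape of server.fs.deny (basename globs).
const DENY_SAMPLE = ['.env', '.env.*', '*.{crt,pem}'];

const escapeRe = (s: string) => s.replace(/[.+?^$()[\]\\|]/g, '\\$&');

// Tiny glob -> RegExp covering what these patterns use: `*` and `{a,b}`.
function globToRegExp(glob: string, nocase: boolean): RegExp {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const ch = glob.charAt(i);
    const closeIdx = ch === '{' ? glob.indexOf('}', i) : -1;
    if (ch === '*') {
      re += '[^/]*';
    } else if (closeIdx > i) {
      const alts = glob.slice(i + 1, closeIdx).split(',').map(escapeRe);
      re += `(?:${alts.join('|')})`;
      i = closeIdx;
    } else {
      re += escapeRe(ch);
    }
  }
  return new RegExp(`^${re}$`, nocase ? 'i' : '');
}

// A request is denied when its final path segment matches any pattern.
// With nocase=false this behaves like a case-sensitive glob matcher: on a
// case-insensitive filesystem the same on-disk file is reachable under other
// spellings, so the check must ignore case there to cover the file at all.
function isDenied(requestPath: string, patterns: string[], nocase: boolean): boolean {
  const segments = requestPath.split(/[\\/]/);
  const base = segments[segments.length - 1] ?? '';
  return patterns.some(p => globToRegExp(p, nocase).test(base));
}

// Derive the matching mode from the host (process.platform values for Windows
// and macOS) so the check agrees with how the filesystem resolves names.
function denyMatcherFor(platform: string, patterns: string[] = DENY_SAMPLE): (p: string) => boolean {
  const nocase = platform === 'win32' || platform === 'darwin';
  return (requestPath: string) => isDenied(requestPath, patterns, nocase);
}

// Stand-alone run: the same request under both modes.
console.log('case-sensitive :', isDenied('/app/.ENV', DENY_SAMPLE, false));
console.log('case-insensitive:', isDenied('/app/.ENV', DENY_SAMPLE, true));
```

Platform is only a proxy: macOS volumes can be formatted case-sensitive and Linux mounts can be case-insensitive, so a production check should probe the filesystem (or resolve the real on-disk path before matching) rather than trust the platform name. Upgrading to one of the fixed vite versions listed in the report remains the actual remediation; this example only shows the property that the fix restores.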

[inline-mod]: Mutable root state

Currently all root entries in the serialized virtual module are immutable, even if they were mutable on the original code.

Example:

let count = 0;

inlineMod({
  constExport: {
    increment() { count++; },
    decrement() { count--; },
  },
});

In this case the count won't change across invocations because it is included immutably into the virtual module.

The workaround for this is to have the mutable property inside of an object. This works:

const state = { count: 0 };

inlineMod({
  constExport: {
    increment() { state.count++; },
    decrement() { state.count--; },
  },
});

Maybe the first case could work out-of-the-box.

[inline-mod] Callpoint hint

Add hints for the inspector to know which file a value comes from and inspect the code to enable simpler definitions

[inline-mod]: Optimize serialization of non-capturing arrow function

Currently a non-capturing arrow function serializes to this:

function __f0() {
  return (function() {
    return () => "read value";
  }).apply(undefined, undefined).apply(this, arguments);
}

While it could be this:

const __f0 = () => "read value";

Arrow functions do not receive this from the apply call (this is bound lexically), so the double apply can be elided. Since the function is not capturing, the outer function that re-creates its captured scope at runtime is also unnecessary and can be removed.

[new package]: Partial and bundled pre-rendering

// Use the getStaticPaths and prerender those paths, but also deploy the renderer
// to handle any other matching route.
// For example: `/blog/[slug].astro` could prerender all the existing posts
//              but also handle dynamically any unknown slug to redirect to the closest match
//              or show a custom 404 page just for the /blog/ subpath
export const prerender = 'partial';

// Prerenders the page but bundles the HTML into the SSR renderer, so it is served by the on-demand
// renderer and goes through the middleware.
export const prerender = 'bundled';

Original idea on Discord
