mathigon / studio Goto Github PK

View Code? Open in Web Editor NEW

35.0 8.0 20.0 5.68 MB

A customisable NodeJS server for creating and hosting highly interactive online courses.

Home Page: https://mathigon.io

License: Other

JavaScript 18.31% Pug 11.97% SCSS 25.39% TypeScript 44.33%

education edtech textbook nodejs course mathigon

studio's People

Contributors

Stargazers

Watchers

Forkers

dingbig pjhenning cogitovsmachina matheharry vabarbosa fossabot isumitg aestrella87 tansito lexuelib macwang123 jeliot aednichols trung-dtt zetixar nutanc chorylee exploring-infinities raju5595

studio's Issues

html-minifier-4.0.0.tgz: 2 vulnerabilities (highest severity is: 9.8) reachable

Vulnerable Library - html-minifier-4.0.0.tgz

Highly configurable, well-tested, JavaScript-based HTML minifier.

Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-4.0.0.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (html-minifier version)	Remediation Possible**	Reachability
CVE-2022-37620	High	7.5	html-minifier-4.0.0.tgz	Direct	N/A	❌	Reachable
CVE-2022-37598	Critical	9.8	uglify-js-3.13.1.tgz	Transitive	N/A*	❌	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-37620

Vulnerable Library - html-minifier-4.0.0.tgz

Highly configurable, well-tested, JavaScript-based HTML minifier.

Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-4.0.0.tgz

Dependency Hierarchy:

❌ html-minifier-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

@mathigon/studio-0.1.42/build/markdown/parser.js (Application)
  -> html-minifier-4.0.0/src/htmlminifier.js (Extension)
   -> ❌ html-minifier-4.0.0/src/htmlparser.js (Vulnerable Component)

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.

Publish Date: 2022-10-31

URL: CVE-2022-37620

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-37598

Vulnerable Library - uglify-js-3.13.1.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.13.1.tgz

Dependency Hierarchy:

html-minifier-4.0.0.tgz (Root Library)
- ❌ uglify-js-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution: uglify-js - 3.13.10

Generate RTL CSS files for Arabic

Right now, this is disabled here: https://github.com/mathigon/studio/blob/main/build/assets.js#L63

We either need to generate separate .rtl.css files, or merge both styles into a single file usinghtml[dir].

Typescript errors in 0.1.36

✘ [ERROR] Transforming JavaScript decorators to the configured target environment ("es2016") is not supported yet

node_modules/@mathigon/studio/frontend/course.ts:38:0:
38 │ @register('x-course')
╵ ^

✘ [ERROR] Transforming JavaScript decorators to the configured target environment ("es2016") is not supported yet

node_modules/@mathigon/studio/frontend/accounts.ts:54:0:
54 │ @register('x-password', {template})

Also this:

TSError: ⨯ Unable to compile TypeScript:
node_modules/@mathigon/studio/server/utilities/utilities.ts:79:21 - error TS2345: Argument of type '{}' is not assignable to parameter of type 'Obj'.
Index signature for type 'string' is missing in type '{}'.

79 deep ? deepExtend(studio, project, (a, b) => b) : Object.assign(studio as any, project);
at createTSError (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:859:12)
at reportTSError (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:863:19)
at getOutput (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1077:36)
at Object.compile (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1433:41)
at Module.m._compile (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1617:30)
at Module._extensions..js (node:internal/modules/cjs/loader:1308:10)
at Object.require.extensions. [as .ts] (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1621:12)
at Module.load (node:internal/modules/cjs/loader:1117:32)
at Function.Module._load (node:internal/modules/cjs/loader:958:12)
at Module.require (node:internal/modules/cjs/loader:1141:19) {
diagnosticCodes: [ 2345 ]
}

I see this error when running npm start for the latest commit in the textbooks repo which changed studio dependency from 0.1.35 to 0.1.36.

node -v
v18.15.0

npm -v
9.5.0

Migrate build and utility scripts from JS to TS

Our entire codebase should be in TS, to enable better type checking and code-reusability, especially across subfolders like build/ and server/.

Compile error starting example app

Running directly in the studio/docs/example/server directory. Node v16.14.2, npm 8.5.0, ts-node v10.7.0

> npm run build

> @mathigon/[email protected] build
> mgon-build --assets --minify --search

  ✔ Built icons.svg in 27ms
  ✔ Built frontend/accounts.scss in 5408ms
  ✔ Built docs/example/content/geography/styles.scss in 3450ms
  ✔ Built frontend/main.scss in 4209ms
  ✔ Built docs/example/frontend/custom.scss in 3585ms
  ✔ Built docs/example/content/science/styles.scss in 3445ms
  ✔ Built frontend/dashboard.scss in 4401ms
  ✔ Built docs/example/frontend/course.scss in 4025ms
  ✔ Built docs/example/frontend/custom.ts in 5432ms
  ✔ Built frontend/main.ts in 5436ms
  ✔ Built frontend/dashboard.ts in 5442ms
  ✔ Built frontend/accounts.ts in 5458ms
  ✔ Built docs/example/content/geography/functions.ts in 3467ms
  ✔ Built docs/example/content/science/functions.ts in 3466ms
  ✔ Built docs/example/frontend/course.ts in 5444ms
  ✔ Built search-index.json and search-docs.json in 6ms
  DONE!

> npm start

> @mathigon/[email protected] start
> ts-node -s server/app.ts

/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:840
    return new TSError(diagnosticText, diagnosticCodes);
           ^
TSError: ⨯ Unable to compile TypeScript:
../../server/models/progress.ts:119:39 - error TS7006: Parameter 'm' implicitly has an 'any' type.

119   const messages = this.messages?.map(m => ({content: m.content, type: m.kind}));
                                          ~
../../server/models/progress.ts:180:34 - error TS7006: Parameter 'm' implicitly has an 'any' type.

180     messages: this.messages?.map(m => ({content: m.content, kind: m.kind})),
                                     ~

    at createTSError (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:840:12)
    at reportTSError (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:844:19)
    at getOutput (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1034:36)
    at Object.compile (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1342:43)
    at Module.m._compile (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1474:30)
    at Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
    at Object.require.extensions.<computed> [as .ts] (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1478:12)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19) {
  diagnosticCodes: [ 7006, 7006 ]
}

Schema Validation for YAML Files

We should use the schema in server/interfaces.ts to type check all YAML configuration files (e.g. config.yaml and glossary.yaml).

Unable to launch example app

I copied docs/example to a new directory, modified the version of @mathigon/studio in package.json to 0.1.18, ran npm install and then ran npm run dev. I expected some sort of webapp to open but the logs showed this:

helix ~/code/example  $ npm run dev

> @mathigon/[email protected] dev
> npm-run-all --parallel watch start-dev


> @mathigon/[email protected] watch
> mgon-build --assets --watch


> @mathigon/[email protected] start-dev
> nodemon --watch 'server/**/*.ts' --exec 'ts-node' -s server/app.ts

[nodemon] 2.0.15
[nodemon] to restart at any time, enter `rs`
[nodemon] watching path(s): server/**/*.ts
[nodemon] watching extensions: js,mjs,json
[nodemon] starting `ts-node`
  ✔ Built icons.svg in 23ms
  ✖ [ERROR] Building /Users/helix/code/example/node_modules/@mathigon/studio/frontend/accounts.scss:
 Error: Can't find stylesheet to import.
  ╷
9 │ @import "../../node_modules/@mathigon/boost/src/components/mixins";
  │         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ╵
  node_modules/@mathigon/studio/frontend/styles/variables.scss 9:9  @import
  node_modules/@mathigon/studio/frontend/main.scss 7:9              @import
  node_modules/@mathigon/studio/frontend/accounts.scss 7:9          root stylesheet

...

  ✖ [ERROR] Building /Users/helix/code/example/node_modules/@mathigon/studio/frontend/dashboard.scss:
 Error: Can't find stylesheet to import.
  ╷
9 │ @import "../../node_modules/@mathigon/boost/src/components/mixins";
  │         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ╵

...

  ✔ Built /Users/helix/code/example/content/science/styles.scss in 49ms
  ✔ Built /Users/helix/code/example/content/geography/styles.scss in 70ms
  ✔ Built /Users/helix/code/example/node_modules/@mathigon/studio/frontend/accounts.ts in 194ms
  ✔ Built /Users/helix/code/example/node_modules/@mathigon/studio/frontend/main.ts in 188ms
  ✔ Built /Users/helix/code/example/frontend/custom.ts in 188ms
  ✔ Built /Users/helix/code/example/node_modules/@mathigon/studio/frontend/dashboard.ts in 192ms
  ✔ Built /Users/helix/code/example/content/geography/functions.ts in 82ms
  ✔ Built /Users/helix/code/example/content/science/functions.ts in 82ms
  ✔ Built /Users/helix/code/example/frontend/course.ts in 193ms
  DONE!

The logs didn't print any port number, so I tried ports like 3000, 4000, 5000, 6000, 8000, 8080, 9000. But no app was accessible anywhere (npm run dev terminal did not show any logs for incoming requests either).

I have tried manually running npm install @mathigon/studio as well. Is there a build step for @mathigon/studio that I need to run explicitly, even when referencing the npm version before starting the example app? Or is there something broken in the setup here?

My setup:
NodeJS: 16.13.1 (installed via asdf but I made sure to reshim after npm install)
OS: Mac OS M1 (Apple Silicon)

mongodb-memory-server-8.15.1.tgz: 3 vulnerabilities (highest severity is: 7.5) reachable

Vulnerable Library - mongodb-memory-server-8.15.1.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (mongodb-memory-server version)	Remediation Possible**	Reachability
CVE-2024-28849	Medium	6.5	follow-redirects-1.15.4.tgz	Transitive	N/A*	❌	Reachable
CVE-2023-34104	High	7.5	fast-xml-parser-4.0.11.tgz	Transitive	8.16.0	❌	Unreachable
CVE-2023-26920	Medium	6.5	fast-xml-parser-4.0.11.tgz	Transitive	8.16.0	❌	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-28849

Vulnerable Library - follow-redirects-1.15.4.tgz

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.4.tgz

Dependency Hierarchy:

mongodb-memory-server-8.15.1.tgz (Root Library)
- mongodb-memory-server-core-8.15.1.tgz
  - ❌ follow-redirects-1.15.4.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

@mathigon/studio-0.1.42/server/utilities/mongodb.ts (Application)
  -> mongodb-memory-server-8.15.1/index.js (Extension)
   -> mongodb-memory-server-core-8.15.1/lib/index.js (Extension)
    -> mongodb-memory-server-core-8.15.1/lib/util/MongoBinary.js (Extension)
     -> mongodb-memory-server-core-8.15.1/lib/util/MongoBinaryDownload.js (Extension)
      -> ❌ follow-redirects-1.15.4/index.js (Vulnerable Component)

Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-03-14

URL: CVE-2024-28849

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cxjh-pqwp-8mfp

Release Date: 2024-03-14

Fix Resolution: follow-redirects - 1.15.6

CVE-2023-34104

Vulnerable Library - fast-xml-parser-4.0.11.tgz

Validate XML, Parse XML, Build XML without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz

Dependency Hierarchy:

mongodb-memory-server-8.15.1.tgz (Root Library)
- mongodb-memory-server-core-8.15.1.tgz
  - mongodb-4.17.1.tgz
    - credential-providers-3.201.0.tgz
      - client-sts-3.201.0.tgz
        
        ❌ fast-xml-parser-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the processEntities: false option.

Publish Date: 2023-06-06

URL: CVE-2023-34104

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6w63-h3fj-q4vw

Release Date: 2023-06-06

Fix Resolution (fast-xml-parser): 4.2.4

Direct dependency fix Resolution (mongodb-memory-server): 8.16.0

CVE-2023-26920

Vulnerable Library - fast-xml-parser-4.0.11.tgz

Validate XML, Parse XML, Build XML without C/C++ based libraries

Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz

Dependency Hierarchy:

mongodb-memory-server-8.15.1.tgz (Root Library)
- mongodb-memory-server-core-8.15.1.tgz
  - mongodb-4.17.1.tgz
    - credential-providers-3.201.0.tgz
      - client-sts-3.201.0.tgz
        
        ❌ fast-xml-parser-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

fast-xml-parser before 4.1.2 allows proto for Prototype Pollution.

Publish Date: 2023-12-12

URL: CVE-2023-26920

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x3cc-x39p-42qx

Release Date: 2023-12-12

Fix Resolution (fast-xml-parser): 4.1.2

Direct dependency fix Resolution (mongodb-memory-server): 8.16.0

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

Update dependency tslib to v2.6.2
Update Server (@types/validator, mongodb-memory-server, mongoose, validator)
Update Sendgrid and Google Cloud Tools (major) (@google-cloud/secret-manager, @google-cloud/text-to-speech, @google-cloud/translate)
Update Types, Test and Build (major) (marked, puppeteer)

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Update dependency connect-mongo to v5

Detected dependencies

github-actions

.github/workflows/codeql.yml

actions/checkout v3

github/codeql-action v2

github/codeql-action v2

.github/workflows/test.yml

actions/checkout v3

actions/setup-node v3

npm

docs/example/package.json

ts-node 10.9.1

typescript 5.1.6

nodemon 3.0.1

npm-run-all 4.1.5

package.json

@mathigon/boost 1.2.13

@mathigon/core 1.1.10

@mathigon/euclid 1.1.12

@mathigon/fermat 1.1.9

@mathigon/hilbert 1.1.9

@sendgrid/mail 7.7.0

@types/bcryptjs 2.4.2

@types/compression 1.7.2

@types/cookie-parser 1.4.3

@types/express 4.17.17

@types/express-flash 0.0.2

@types/express-session 1.17.7

@types/js-yaml 4.0.5

@types/lusca 1.7.1

@types/node-fetch 2.6.4

@types/pug 2.0.6

@types/validator 13.9.0

@webcomponents/custom-elements 1.6.0

autoprefixer 10.4.15

autotrack 2.4.1

bcryptjs 2.4.3

body-parser 1.20.2

chokidar 3.5.3

compression 1.7.4

connect-mongo 4.6.0

cookie-parser 1.4.6

cssnano 6.0.1

date-fns 2.30.0

esbuild 0.19.2

express 4.18.2

express-flash 0.0.2

express-session 1.17.3

glob 10.3.3

html-entities 2.4.0

html-minifier 4.0.0

js-yaml 4.1.0

jsdom 22.1.0

lusca 1.7.0

marked 6.0.0

mongodb-memory-server 8.13.0

mongoose 7.3.3

postcss 8.4.28

postcss-inline-svg 6.0.0

pug 3.0.2

rtlcss 4.1.0

sass 1.66.1

tslib 2.6.1

typescript 5.1.6

validator 13.9.0

web-animations-js 2.3.2

xss 1.0.14

yargs-parser 21.1.1

@typescript-eslint/eslint-plugin 6.4.0

@typescript-eslint/parser 6.4.0

eslint 8.47.0

eslint-config-google 0.14.0

eslint-plugin-import 2.28.1

tape 5.6.6

@google-cloud/secret-manager 4.2.2

@google-cloud/text-to-speech 4.2.3

@google-cloud/translate 7.2.2

puppeteer 20.9.0

node >=18

Check this box to trigger a request for Renovate to run again on this repository

License Policy Violation detected in node-forge-1.3.1.tgz

Library - node-forge-1.3.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz

Dependency Hierarchy:

secret-manager-4.2.2.tgz (Root Library)
- google-gax-3.6.1.tgz
  - google-auth-library-8.1.0.tgz
    - gtoken-6.1.0.tgz
      - google-p12-pem-4.0.0.tgz
        
        ❌ node-forge-1.3.1.tgz (Library containing License Policy Violation)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

📃 License Details

BSD 3
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/54fcc1c1-dc31-4c37-9c83-114a4e92decc

GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/54fcc1c1-dc31-4c37-9c83-114a4e92decc

⛔ License Policy Violation - [Reject][Global] Block CopyLeft Licenses

Support for Plugins

Add the ability to configure and import plugins. This means that we will need to update the places where we access PROJECT_DIR and STUDIO_DIR directly to also loop over all plugin directories.

mail-7.7.0.tgz: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - mail-7.7.0.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (mail version)	Remediation Possible**	Reachability
CVE-2023-45857	Medium	6.5	axios-0.26.1.tgz	Transitive	8.0.0	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-45857

Vulnerable Library - axios-0.26.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.26.1.tgz

Dependency Hierarchy:

mail-7.7.0.tgz (Root Library)
- client-7.7.0.tgz
  - ❌ axios-0.26.1.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution (axios): 1.6.0

Direct dependency fix Resolution (@sendgrid/mail): 8.0.0

When trying to copy the example app and install mathigon studio, getting an error.

Copied the example folder.

Installed mathigon studio 0.1.26. When I do npm run dev, get the following error.

docs/example/node_modules/@mathigon/studio/server/app.ts:7
import crypto from 'crypto';
^^^^^^

SyntaxError: Cannot use import statement outside a module
at Object.compileFunction (node:vm:352:18)
at wrapSafe (node:internal/modules/cjs/loader:1031:15)
at Module._compile (node:internal/modules/cjs/loader:1065:27)
at Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
at Object.require.extensions. [as .ts] (/home/chaitanya/code/node/innings2/chetan/studio/docs/example/node_modules/ts-node/src/index.ts:1608:43)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Module.require (node:internal/modules/cjs/loader:1005:19)
at require (node:internal/modules/cjs/helpers:102:18)
at Object. (/home/chaitanya/code/node/innings2/chetan/studio/docs/example/server/app.ts:7:1)

puppeteer-20.9.0.tgz: 1 vulnerabilities (highest severity is: 9.8) unreachable

Vulnerable Library - puppeteer-20.9.0.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (puppeteer version)	Remediation Possible**	Reachability
CVE-2023-42282	Critical	9.8	ip-1.1.8.tgz	Transitive	21.0.0	❌	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-1.1.8.tgz

[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz

Dependency Hierarchy:

puppeteer-20.9.0.tgz (Root Library)
- browsers-1.4.6.tgz
  - proxy-agent-6.3.0.tgz
    - pac-proxy-agent-7.0.0.tgz
      - pac-resolver-7.0.0.tgz
        
        ❌ ip-1.1.8.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (puppeteer): 21.0.0

Hide internal files from public directories

Currently, the public directories exposed by express.static() at https://github.com/mathigon/studio/blob/main/server/app.ts#L139 contain some internal files, for example search-index.json in .output and all the course source files like content.md in content/. We should hide these!

mongoose-7.4.3.tgz: 2 vulnerabilities (highest severity is: 9.8) reachable

Vulnerable Library - mongoose-7.4.3.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (mongoose version)	Remediation Possible**	Reachability
CVE-2023-42282	Critical	9.8	ip-2.0.0.tgz	Transitive	N/A*	❌	Reachable
CVE-2021-32050	High	7.5	mongodb-5.7.0.tgz	Transitive	N/A*	❌	Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-2.0.0.tgz

[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz

Dependency Hierarchy:

mongoose-7.4.3.tgz (Root Library)
- mongodb-5.7.0.tgz
  - socks-2.7.1.tgz
    - ❌ ip-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

@mathigon/studio-0.1.42/server/models/progress.ts (Application)
  -> mongoose-7.4.3/index.js (Extension)
   -> mongoose-7.4.3/lib/index.js (Extension)
    -> mongodb-5.7.0/lib/sdam/monitor.js (Extension)
    ...
      -> socks-2.7.1/build/index.js (Extension)
       -> socks-2.7.1/build/client/socksclient.js (Extension)
        -> ❌ ip-2.0.0/lib/ip.js (Vulnerable Component)

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Release Date: 2024-02-08

Fix Resolution: ip - 2.0.0

CVE-2021-32050

Vulnerable Library - mongodb-5.7.0.tgz

Library home page: https://registry.npmjs.org/mongodb/-/mongodb-5.7.0.tgz

Dependency Hierarchy:

mongoose-7.4.3.tgz (Root Library)
- ❌ mongodb-5.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

@mathigon/studio-0.1.42/server/models/progress.ts (Application)
  -> mongoose-7.4.3/index.js (Extension)
   -> mongoose-7.4.3/lib/index.js (Extension)
    -> mongodb-5.7.0/lib/index.js (Extension)
     -> ❌ mongodb-5.7.0/lib/cmap/command_monitoring_events.js (Vulnerable Component)

Vulnerability Details

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.

Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).

This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Publish Date: 2023-08-29

URL: CVE-2021-32050

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-32050

Release Date: 2023-08-29

Fix Resolution: mongodb - 3.6.10,4.17.0,5.8.0, mongo-swift-driver - 1.1.1

secret-manager-4.2.2.tgz: 1 vulnerabilities (highest severity is: 9.8) unreachable

Vulnerable Library - secret-manager-4.2.2.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (secret-manager version)	Remediation Possible**	Reachability
CVE-2023-36665	Critical	9.8	protobufjs-7.2.4.tgz	Transitive	5.0.0	❌	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-36665

Vulnerable Library - protobufjs-7.2.4.tgz

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz

Dependency Hierarchy:

secret-manager-4.2.2.tgz (Root Library)
- google-gax-3.6.1.tgz
  - ❌ protobufjs-7.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Publish Date: 2023-07-05

URL: CVE-2023-36665

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36665

Release Date: 2023-07-05

Fix Resolution (protobufjs): 7.2.5

Direct dependency fix Resolution (@google-cloud/secret-manager): 5.0.0

Add integration tests for example project

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions

.github/workflows/codeql.yml

actions/checkout v3

github/codeql-action v2

github/codeql-action v2

.github/workflows/test.yml

actions/checkout v3

actions/setup-node v3

npm

docs/example/package.json

ts-node 10.9.2

typescript 5.3.3

nodemon 3.0.1

npm-run-all 4.1.5

package.json

@mathigon/boost 1.2.21

@mathigon/core 1.1.16

@mathigon/euclid 1.1.18

@mathigon/fermat 1.1.15

@mathigon/hilbert 1.1.15

@sendgrid/mail 8.0.0

@types/bcryptjs 2.4.6

@types/compression 1.7.5

@types/cookie-parser 1.4.6

@types/express 4.17.21

@types/express-flash 0.0.5

@types/express-session 1.17.10

@types/js-yaml 4.0.9

@types/lusca 1.7.4

@types/node-fetch 2.6.11

@types/pug 2.0.10

@types/validator 13.11.8

@webcomponents/custom-elements 1.6.0

autoprefixer 10.4.17

autotrack 2.4.1

bcryptjs 2.4.3

body-parser 1.20.2

chokidar 3.5.3

compression 1.7.4

connect-mongo 4.6.0

cookie-parser 1.4.6

cssnano 6.0.3

date-fns 2.30.0

esbuild 0.20.0

express 4.18.2

express-flash 0.0.2

express-session 1.18.0

glob 10.3.10

html-entities 2.4.0

html-minifier 4.0.0

js-yaml 4.1.0

jsdom 22.1.0

lusca 1.7.0

marked 6.0.0

mongodb-memory-server 8.15.1

mongoose 7.4.3

postcss 8.4.33

postcss-inline-svg 6.0.0

pug 3.0.2

rtlcss 4.1.1

sass 1.70.0

tslib 2.6.2

typescript 5.3.3

validator 13.11.0

web-animations-js 2.3.2

xss 1.0.14

yargs-parser 21.1.1

@typescript-eslint/eslint-plugin 6.4.0

@typescript-eslint/parser 6.4.0

eslint 8.47.0

eslint-config-google 0.14.0

eslint-plugin-import 2.28.1

tape 5.6.6

@google-cloud/secret-manager 4.2.2

@google-cloud/text-to-speech 4.2.3

@google-cloud/translate 7.2.2

puppeteer 20.9.0

node >=18

MongoDB attempt takes too long

Hi there,
after trying different ways to just get the example course working I'm now at some strange point.
After starting the server npm run start I get this:

npm run start

@mathigon/[email protected] start
ts-node -s server/app.ts

Running on port 8080 in development mode.
Trying in-memory Mongo DB...

The problem now is that nothing more happens and I'm not sure what to do. It seems like there is some server implementation issue but without an error I'm not able to figure it out. Someone else with the same problems?

Fixed it by myself:
Just had to change the port to http://127.0.0.1:8080/

express-4.18.2.tgz: 1 vulnerabilities (highest severity is: 6.1) reachable

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (express version)	Remediation Possible**	Reachability
CVE-2024-29041	Medium	6.1	express-4.18.2.tgz	Direct	4.19.0	❌	Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-29041

Vulnerable Library - express-4.18.2.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz

Dependency Hierarchy:

❌ express-4.18.2.tgz (Vulnerable Library)

Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

@mathigon/studio-0.1.42/server/models/progress.ts (Application)
  -> express-4.18.2/index.js (Extension)
   -> express-4.18.2/lib/express.js (Extension)
    -> ❌ express-4.18.2/lib/response.js (Vulnerable Component)

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: 4.19.0

Markdown Parser Improvements

To parse the course markdown, we currently use marked.js, together with numerous string/regex-based extensions, e.g. to add HTML blocks, inline blanks and variables, and many other elements.

This approach is difficult to test and doesn't work well with nested elements (e.g. blanks inside a table, or italic text inside a blank). We should switch to a more robust method by first tokenizing the text.

Marked.js offers some support for plugins and extensions, but it might also be necessary to switch to a different parser like markdown-it.