mathigon / studio
A customisable NodeJS server for creating and hosting highly interactive online courses.
Home Page: https://mathigon.io
License: Other
Highly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-4.0.0.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
CVE | Severity | CVSS | Dependency | Type | Fixed in (html-minifier version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---|---
CVE-2022-37620 | High | 7.5 | html-minifier-4.0.0.tgz | Direct | N/A | ❌ | Potentially reachable
CVE-2022-37598 | Critical | 9.8 | uglify-js-3.13.1.tgz | Transitive | N/A* | ❌ | Unreachable
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Vulnerability details for CVE-2022-37620 (html-minifier-4.0.0.tgz)
Highly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-4.0.0.tgz
Dependency Hierarchy: html-minifier-4.0.0.tgz (direct dependency)
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
This vulnerability is potentially reachable:
@mathigon/studio-0.1.42/build/markdown/parser.js (Application)
-> html-minifier-4.0.0/src/htmlminifier.js (Extension)
-> ❌ html-minifier-4.0.0/src/htmlparser.js (Vulnerable Component)
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
No fixed html-minifier release exists (4.0.0 is the last version published, and the package is no longer maintained), which is why the table reports N/A; remediation means replacing the package, for example with the maintained fork html-minifier-terser. The reachable call site is the build-time markdown parser, so the vulnerable regex runs over course sources at build time rather than over request input at serve time.
Vulnerability details for CVE-2022-37598 (uglify-js-3.13.1.tgz)
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.13.1.tgz
Dependency Hierarchy: html-minifier-4.0.0.tgz -> uglify-js-3.13.1.tgz (transitive)
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
The vulnerable code is unreachable.
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution: uglify-js - 3.13.10
Right now, this is disabled here: https://github.com/mathigon/studio/blob/main/build/assets.js#L63
We either need to generate separate .rtl.css files, or merge both styles into a single file using html[dir].
✘ [ERROR] Transforming JavaScript decorators to the configured target environment ("es2016") is not supported yet
node_modules/@mathigon/studio/frontend/course.ts:38:0:
38 │ @register('x-course')
╵ ^
✘ [ERROR] Transforming JavaScript decorators to the configured target environment ("es2016") is not supported yet
node_modules/@mathigon/studio/frontend/accounts.ts:54:0:
54 │ @register('x-password', {template})
Also this:
TSError: ⨯ Unable to compile TypeScript:
node_modules/@mathigon/studio/server/utilities/utilities.ts:79:21 - error TS2345: Argument of type '{}' is not assignable to parameter of type 'Obj'.
Index signature for type 'string' is missing in type '{}'.
79 deep ? deepExtend(studio, project, (a, b) => b) : Object.assign(studio as any, project);
at createTSError (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:859:12)
at reportTSError (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:863:19)
at getOutput (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1077:36)
at Object.compile (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1433:41)
at Module.m._compile (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1617:30)
at Module._extensions..js (node:internal/modules/cjs/loader:1308:10)
at Object.require.extensions.<computed> [as .ts] (/Users/eshnil/code/textbooks/node_modules/ts-node/src/index.ts:1621:12)
at Module.load (node:internal/modules/cjs/loader:1117:32)
at Function.Module._load (node:internal/modules/cjs/loader:958:12)
at Module.require (node:internal/modules/cjs/loader:1141:19) {
diagnosticCodes: [ 2345 ]
}
I see this error when running npm start
for the latest commit in the textbooks repo which changed studio dependency from 0.1.35 to 0.1.36.
node -v
v18.15.0
npm -v
9.5.0
Our entire codebase should be in TS, to enable better type checking and code reusability, especially across subfolders like build/ and server/.
Running directly in the studio/docs/example/server directory. Node v16.14.2, npm 8.5.0, ts-node v10.7.0
> npm run build
> @mathigon/[email protected] build
> mgon-build --assets --minify --search
✔ Built icons.svg in 27ms
✔ Built frontend/accounts.scss in 5408ms
✔ Built docs/example/content/geography/styles.scss in 3450ms
✔ Built frontend/main.scss in 4209ms
✔ Built docs/example/frontend/custom.scss in 3585ms
✔ Built docs/example/content/science/styles.scss in 3445ms
✔ Built frontend/dashboard.scss in 4401ms
✔ Built docs/example/frontend/course.scss in 4025ms
✔ Built docs/example/frontend/custom.ts in 5432ms
✔ Built frontend/main.ts in 5436ms
✔ Built frontend/dashboard.ts in 5442ms
✔ Built frontend/accounts.ts in 5458ms
✔ Built docs/example/content/geography/functions.ts in 3467ms
✔ Built docs/example/content/science/functions.ts in 3466ms
✔ Built docs/example/frontend/course.ts in 5444ms
✔ Built search-index.json and search-docs.json in 6ms
DONE!
> npm start
> @mathigon/[email protected] start
> ts-node -s server/app.ts
/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:840
return new TSError(diagnosticText, diagnosticCodes);
^
TSError: ⨯ Unable to compile TypeScript:
../../server/models/progress.ts:119:39 - error TS7006: Parameter 'm' implicitly has an 'any' type.
119 const messages = this.messages?.map(m => ({content: m.content, type: m.kind}));
~
../../server/models/progress.ts:180:34 - error TS7006: Parameter 'm' implicitly has an 'any' type.
180 messages: this.messages?.map(m => ({content: m.content, kind: m.kind})),
~
at createTSError (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:840:12)
at reportTSError (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:844:19)
at getOutput (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1034:36)
at Object.compile (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1342:43)
at Module.m._compile (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1474:30)
at Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
at Object.require.extensions.<computed> [as .ts] (/Users/aednichols/Projects/studio/docs/example/node_modules/ts-node/src/index.ts:1478:12)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Module.require (node:internal/modules/cjs/loader:1005:19) {
diagnosticCodes: [ 7006, 7006 ]
}
We should use the schema in server/interfaces.ts to type check all YAML configuration files (e.g. config.yaml and glossary.yaml).
I copied docs/example to a new directory, modified the version of @mathigon/studio in package.json to 0.1.18, ran npm install and then ran npm run dev. I expected some sort of webapp to open but the logs showed this:
helix ~/code/example $ npm run dev
> @mathigon/[email protected] dev
> npm-run-all --parallel watch start-dev
> @mathigon/[email protected] watch
> mgon-build --assets --watch
> @mathigon/[email protected] start-dev
> nodemon --watch 'server/**/*.ts' --exec 'ts-node' -s server/app.ts
[nodemon] 2.0.15
[nodemon] to restart at any time, enter `rs`
[nodemon] watching path(s): server/**/*.ts
[nodemon] watching extensions: js,mjs,json
[nodemon] starting `ts-node`
✔ Built icons.svg in 23ms
✖ [ERROR] Building /Users/helix/code/example/node_modules/@mathigon/studio/frontend/accounts.scss:
Error: Can't find stylesheet to import.
╷
9 │ @import "../../node_modules/@mathigon/boost/src/components/mixins";
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
╵
node_modules/@mathigon/studio/frontend/styles/variables.scss 9:9 @import
node_modules/@mathigon/studio/frontend/main.scss 7:9 @import
node_modules/@mathigon/studio/frontend/accounts.scss 7:9 root stylesheet
...
✖ [ERROR] Building /Users/helix/code/example/node_modules/@mathigon/studio/frontend/dashboard.scss:
Error: Can't find stylesheet to import.
╷
9 │ @import "../../node_modules/@mathigon/boost/src/components/mixins";
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
╵
...
✔ Built /Users/helix/code/example/content/science/styles.scss in 49ms
✔ Built /Users/helix/code/example/content/geography/styles.scss in 70ms
✔ Built /Users/helix/code/example/node_modules/@mathigon/studio/frontend/accounts.ts in 194ms
✔ Built /Users/helix/code/example/node_modules/@mathigon/studio/frontend/main.ts in 188ms
✔ Built /Users/helix/code/example/frontend/custom.ts in 188ms
✔ Built /Users/helix/code/example/node_modules/@mathigon/studio/frontend/dashboard.ts in 192ms
✔ Built /Users/helix/code/example/content/geography/functions.ts in 82ms
✔ Built /Users/helix/code/example/content/science/functions.ts in 82ms
✔ Built /Users/helix/code/example/frontend/course.ts in 193ms
DONE!
The logs didn't print any port number, so I tried ports like 3000, 4000, 5000, 6000, 8000, 8080, 9000. But no app was accessible anywhere (the npm run dev terminal did not show any logs for incoming requests either).
I have tried manually running npm install @mathigon/studio
as well. Is there a build step for @mathigon/studio that I need to run explicitly, even when referencing the npm version before starting the example app? Or is there something broken in the setup here?
My setup:
NodeJS: 16.13.1 (installed via asdf but I made sure to reshim after npm install)
OS: Mac OS M1 (Apple Silicon)
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
CVE | Severity | CVSS | Dependency | Type | Fixed in (mongodb-memory-server version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---|---
CVE-2024-28849 | Medium | 6.5 | follow-redirects-1.15.4.tgz | Transitive | N/A* | ❌ | Potentially reachable
CVE-2023-34104 | High | 7.5 | fast-xml-parser-4.0.11.tgz | Transitive | 8.16.0 | ❌ | Unreachable
CVE-2023-26920 | Medium | 6.5 | fast-xml-parser-4.0.11.tgz | Transitive | 8.16.0 | ❌ | Unreachable
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Vulnerability details for CVE-2024-28849 (follow-redirects-1.15.4.tgz)
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.4.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
This vulnerability is potentially reachable:
@mathigon/studio-0.1.42/server/utilities/mongodb.ts (Application)
-> mongodb-memory-server-8.15.1/index.js (Extension)
-> mongodb-memory-server-core-8.15.1/lib/index.js (Extension)
-> mongodb-memory-server-core-8.15.1/lib/util/MongoBinary.js (Extension)
-> mongodb-memory-server-core-8.15.1/lib/util/MongoBinaryDownload.js (Extension)
-> ❌ follow-redirects-1.15.4/index.js (Vulnerable Component)
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials too. This vulnerability may lead to a credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-03-14
URL: CVE-2024-28849
Type: Upgrade version
Origin: GHSA-cxjh-pqwp-8mfp
Release Date: 2024-03-14
Fix Resolution: follow-redirects - 1.15.6
The reachable path ends in MongoBinaryDownload.js, i.e. the HTTP download of the MongoDB binary that mongodb-memory-server performs when the in-memory database is used. The leak of the Proxy-Authorization header therefore only matters when that download is routed through an authenticated proxy and the download server redirects to a different host.
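The rule that CVE-2024-28849 violated, as an added example (this is not follow-redirects' own code, and the header names and sample values are constructed for illustration): when a redirect leaves the origin the request started on, every credential-bearing header has to be dropped, and Proxy-Authorization is one of them. follow-redirects 1.15.4 dropped only Authorization.

```javascript
// Added example, not follow-redirects' own code. Decides which request
// headers survive a redirect: credential-bearing headers are stripped
// whenever the target is a different origin (scheme, host or port).
// Header names and sample values are constructed for illustration.

const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// True when both URLs share scheme, host and normalised port.
// new URL() drops a default port, so "https://h:443/" and "https://h/" match.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Returns the headers to send to the redirect target, names lower-cased.
// A scheme downgrade (https -> http) is a different origin and strips too.
function headersForRedirect(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (crossOrigin && CREDENTIAL_HEADERS.has(key)) continue;
    out[key] = value;
  }
  return out;
}

// Constructed sample: a client authenticating to an API through a proxy
// that receives a 302 to a file host on another origin.
const SAMPLE_HEADERS = {
  'Authorization': 'Bearer api-token',
  'Proxy-Authorization': 'Basic cHJveHk6c2VjcmV0',
  'Cookie': 'session=abc',
  'Accept': 'application/json',
};

// Returns which header names survive a same-origin and a cross-origin redirect.
function demo() {
  const kept = headersForRedirect(SAMPLE_HEADERS,
    'https://api.example.com/v1/file', 'https://api.example.com/v1/file2');
  const stripped = headersForRedirect(SAMPLE_HEADERS,
    'https://api.example.com/v1/file', 'https://cdn.example.net/file');
  return {keptNames: Object.keys(kept), strippedNames: Object.keys(stripped)};
}

console.log(demo());
```

The same-origin check deliberately compares the port as well as the host: a redirect from `https://api.example.com` to `https://api.example.com:8443` may land on a different service behind the same name, and the conservative choice is to strip.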
Vulnerability details for CVE-2023-34104 (fast-xml-parser-4.0.11.tgz)
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
The vulnerable code is unreachable.
fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option.
Publish Date: 2023-06-06
URL: CVE-2023-34104
Type: Upgrade version
Origin: GHSA-6w63-h3fj-q4vw
Release Date: 2023-06-06
Fix Resolution (fast-xml-parser): 4.2.4
Direct dependency fix Resolution (mongodb-memory-server): 8.16.0
Vulnerability details for CVE-2023-26920 (fast-xml-parser-4.0.11.tgz)
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
The vulnerable code is unreachable.
fast-xml-parser before 4.1.2 allows `__proto__` for Prototype Pollution.
Publish Date: 2023-12-12
URL: CVE-2023-26920
Type: Upgrade version
Origin: GHSA-x3cc-x39p-42qx
Release Date: 2023-12-12
Fix Resolution (fast-xml-parser): 4.1.2
Direct dependency fix Resolution (mongodb-memory-server): 8.16.0
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are awaiting their schedule. Click on a checkbox to get an update now.
- @types/validator, mongodb-memory-server, mongoose, validator
- @google-cloud/secret-manager, @google-cloud/text-to-speech, @google-cloud/translate
- marked, puppeteer
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
Detected dependencies:
.github/workflows/codeql.yml
actions/checkout v3
github/codeql-action v2
github/codeql-action v2
.github/workflows/test.yml
actions/checkout v3
actions/setup-node v3
docs/example/package.json
ts-node 10.9.1
typescript 5.1.6
nodemon 3.0.1
npm-run-all 4.1.5
package.json
@mathigon/boost 1.2.13
@mathigon/core 1.1.10
@mathigon/euclid 1.1.12
@mathigon/fermat 1.1.9
@mathigon/hilbert 1.1.9
@sendgrid/mail 7.7.0
@types/bcryptjs 2.4.2
@types/compression 1.7.2
@types/cookie-parser 1.4.3
@types/express 4.17.17
@types/express-flash 0.0.2
@types/express-session 1.17.7
@types/js-yaml 4.0.5
@types/lusca 1.7.1
@types/node-fetch 2.6.4
@types/pug 2.0.6
@types/validator 13.9.0
@webcomponents/custom-elements 1.6.0
autoprefixer 10.4.15
autotrack 2.4.1
bcryptjs 2.4.3
body-parser 1.20.2
chokidar 3.5.3
compression 1.7.4
connect-mongo 4.6.0
cookie-parser 1.4.6
cssnano 6.0.1
date-fns 2.30.0
esbuild 0.19.2
express 4.18.2
express-flash 0.0.2
express-session 1.17.3
glob 10.3.3
html-entities 2.4.0
html-minifier 4.0.0
js-yaml 4.1.0
jsdom 22.1.0
lusca 1.7.0
marked 6.0.0
mongodb-memory-server 8.13.0
mongoose 7.3.3
postcss 8.4.28
postcss-inline-svg 6.0.0
pug 3.0.2
rtlcss 4.1.0
sass 1.66.1
tslib 2.6.1
typescript 5.1.6
validator 13.9.0
web-animations-js 2.3.2
xss 1.0.14
yargs-parser 21.1.1
@typescript-eslint/eslint-plugin 6.4.0
@typescript-eslint/parser 6.4.0
eslint 8.47.0
eslint-config-google 0.14.0
eslint-plugin-import 2.28.1
tape 5.6.6
@google-cloud/secret-manager 4.2.2
@google-cloud/text-to-speech 4.2.3
@google-cloud/translate 7.2.2
puppeteer 20.9.0
node >=18
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
Licenses detected:
BSD 3 (License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/54fcc1c1-dc31-4c37-9c83-114a4e92decc)
GPL 2.0 (License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/54fcc1c1-dc31-4c37-9c83-114a4e92decc)
⛔ License Policy Violation - [Reject][Global] Block CopyLeft Licenses
node-forge 1.3.1 declares its license as (BSD-3-Clause OR GPL-2.0): the two entries above are alternatives, not a combined obligation, so a consumer that takes the package under BSD-3-Clause incurs no copyleft terms. The violation is the policy engine matching the GPL alternative, and it can be cleared by recording the BSD-3-Clause election rather than by removing the dependency.
Add the ability to configure and import plugins. This means that we will need to update the places where we access PROJECT_DIR and STUDIO_DIR directly to also loop over all plugin directories.
CVE | Severity | CVSS | Dependency | Type | Fixed in (mail version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---|---
CVE-2023-45857 | Medium | 6.5 | axios-0.26.1.tgz | Transitive | 8.0.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Vulnerability details for CVE-2023-45857 (axios-0.26.1.tgz)
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.26.1.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution (axios): 1.6.0
Direct dependency fix Resolution (@sendgrid/mail): 8.0.0
The description names 1.5.1, but the affected range starts far earlier, which is why axios 0.26.1 is flagged. axios only reads the XSRF-TOKEN cookie when it detects a browser environment; @sendgrid/mail uses it server-side in Node, so the practical exposure here is small, and the upgrade to @sendgrid/mail 8.0.0 is the clean way to clear the finding.
Copied the example folder.
Installed mathigon studio 0.1.26. When I do npm run dev, get the following error.
docs/example/node_modules/@mathigon/studio/server/app.ts:7
import crypto from 'crypto';
^^^^^^
SyntaxError: Cannot use import statement outside a module
at Object.compileFunction (node:vm:352:18)
at wrapSafe (node:internal/modules/cjs/loader:1031:15)
at Module._compile (node:internal/modules/cjs/loader:1065:27)
at Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
at Object.require.extensions.<computed> [as .ts] (/home/chaitanya/code/node/innings2/chetan/studio/docs/example/node_modules/ts-node/src/index.ts:1608:43)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Module.require (node:internal/modules/cjs/loader:1005:19)
at require (node:internal/modules/cjs/helpers:102:18)
at Object.<anonymous> (/home/chaitanya/code/node/innings2/chetan/studio/docs/example/server/app.ts:7:1)
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
CVE | Severity | CVSS | Dependency | Type | Fixed in (puppeteer version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---|---
CVE-2023-42282 | Critical | 9.8 | ip-1.1.8.tgz | Transitive | 21.0.0 | ❌ | Unreachable
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Vulnerability details for CVE-2023-42282 (ip-1.1.8.tgz)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
The vulnerable code is unreachable.
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (puppeteer): 21.0.0
Currently, the public directories exposed by express.static() at https://github.com/mathigon/studio/blob/main/server/app.ts#L139 contain some internal files, for example search-index.json in .output and all the course source files like content.md in content/. We should hide these!
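One way to close this, as an added example rather than @mathigon/studio's own code: put a guard in front of `express.static()` that lets only normalised paths with an expected asset extension reach the static handler, so that search-index.json, search-docs.json and anything under content/ are never answered even though they live in the served tree. The blocked prefixes, file names and served extensions below are assumptions for illustration, as is the layout in which they sit.

```javascript
// Added example, not @mathigon/studio's code. A guard for express.static()
// that refuses internal files by normalised path and extension allow list.
// BLOCKED_PREFIXES, BLOCKED_FILES and SERVED_EXTENSIONS are assumed values.

const BLOCKED_PREFIXES = ['/.output/', '/content/'];                 // build output, course sources
const BLOCKED_FILES = new Set(['/search-index.json', '/search-docs.json']);
const SERVED_EXTENSIONS = new Set(['.js', '.css', '.svg', '.png', '.jpg', '.woff2', '.json', '.mp3']);

// Percent-decodes and normalises a URL path ("/a/./b/../c" -> "/a/c").
// Returns null for undecodable input, NUL bytes, or an attempt to climb
// above the root, so such requests never reach the filesystem.
function normaliseUrlPath(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch {
    return null;
  }
  if (decoded.includes('\0')) return null;
  const segments = [];
  for (const part of decoded.replace(/\\/g, '/').split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') {
      if (segments.length === 0) return null;
      segments.pop();
      continue;
    }
    segments.push(part);
  }
  return '/' + segments.join('/');
}

// True only for paths the static handler is allowed to answer.
function isServablePath(urlPath) {
  const p = normaliseUrlPath(urlPath);
  if (p === null) return false;
  const lower = p.toLowerCase();
  if (BLOCKED_FILES.has(lower)) return false;
  if (BLOCKED_PREFIXES.some((prefix) => lower.startsWith(prefix))) return false;
  // No dotfiles or dot-directories anywhere in the path (.git, .env, .output).
  if (lower.split('/').some((segment) => segment.startsWith('.'))) return false;
  const dot = lower.lastIndexOf('.');
  const ext = dot === -1 ? '' : lower.slice(dot);
  return SERVED_EXTENSIONS.has(ext);
}

// Wraps an Express-style handler: app.use(guardStatic(express.static(publicDir))).
// Non-servable paths skip the static handler and continue down the middleware
// chain, so the application's own routes and 404 handling are unaffected.
function guardStatic(staticHandler) {
  return (req, res, next) => {
    if (isServablePath(req.path ?? req.url ?? '')) return staticHandler(req, res, next);
    return next();
  };
}
```

The guard is deliberately an allow list on extension rather than a deny list on names: the next build artefact dropped into the served directory is hidden by default instead of exposed by default. Note that serve-static already refuses `..` traversal and ignores dot-segments unless `dotfiles: 'allow'` is set, so the real gap the guard closes is a directory such as .output being mounted as a static root, where its files sit at the top level without a leading dot.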
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
CVE | Severity | CVSS | Dependency | Type | Fixed in (mongoose version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---|---
CVE-2023-42282 | Critical | 9.8 | ip-2.0.0.tgz | Transitive | N/A* | ❌ | Potentially reachable
CVE-2021-32050 | High | 7.5 | mongodb-5.7.0.tgz | Transitive | N/A* | ❌ | Potentially reachable
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Vulnerability details for CVE-2023-42282 (ip-2.0.0.tgz)
Library home page: https://registry.npmjs.org/ip/-/ip-2.0.0.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
This vulnerability is potentially reachable:
@mathigon/studio-0.1.42/server/models/progress.ts (Application)
-> mongoose-7.4.3/index.js (Extension)
-> mongoose-7.4.3/lib/index.js (Extension)
-> mongodb-5.7.0/lib/sdam/monitor.js (Extension)
...
-> socks-2.7.1/build/index.js (Extension)
-> socks-2.7.1/build/client/socksclient.js (Extension)
-> ❌ ip-2.0.0/lib/ip.js (Vulnerable Component)
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282
Release Date: 2024-02-08
Fix Resolution: ip - 2.0.1 on the 2.x line (1.1.9 on the 1.x line). The report's own value of 2.0.0 is the version actually found here and cannot be the fix. The 2.0.1 fix was itself later found incomplete (CVE-2024-29415, covering inputs such as 127.1 and ::ffff:127.0.0.1), so code that relies on ip.isPublic() for SSRF decisions should not treat the upgrade as sufficient. In this dependency chain the caller is the socks client used by the MongoDB driver for proxy connections, not a user-facing URL check.
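The check that isPublic() got wrong, written out as an added example (not the ip package's code) for both ip findings on this page, the 1.1.8 one under puppeteer and the 2.0.0 one under mongoose: accept only canonical dotted-decimal IPv4 and refuse every other spelling, then compare the numeric value against the reserved ranges. Inputs like `0x7f.1`, which inet_aton reads as 127.0.0.1, never reach the range check at all. The range list and sample addresses are assumptions for illustration.

```javascript
// Added example, not the ip package's code. A strict IPv4 classifier for
// SSRF checks: non-canonical spellings (hex, octal, short forms, decimal
// integers) are rejected outright instead of being parsed leniently.
// RESERVED_IPV4 is an assumed, non-exhaustive list of non-routable ranges.

const RESERVED_IPV4 = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // private
  ['100.64.0.0', 10],    // carrier-grade NAT
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local, including cloud metadata 169.254.169.254
  ['172.16.0.0', 12],    // private
  ['192.168.0.0', 16],   // private
  ['224.0.0.0', 3],      // multicast, reserved and broadcast (224.0.0.0 to 255.255.255.255)
];

// Parses strict dotted-decimal IPv4 into an unsigned 32-bit integer.
// Returns null for anything else: hex, octal, leading zeros, fewer or
// more than four parts, octets above 255.
function parseStrictIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null;   // "010" would be octal to inet_aton
    const n = Number(octet);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// True when value lies inside base/bits. Uses division rather than >>>
// to stay clear of signed 32-bit arithmetic.
function inCidr(value, [base, bits]) {
  const baseValue = parseStrictIPv4(base);
  const blockSize = 2 ** (32 - bits);
  return Math.floor(value / blockSize) === Math.floor(baseValue / blockSize);
}

// True only for a canonical, globally routable IPv4 literal.
function isPublicIPv4(text) {
  const value = parseStrictIPv4(text);
  if (value === null) return false;
  return !RESERVED_IPV4.some((range) => inCidr(value, range));
}

// Constructed sample inputs: the CVE's example plus common bypass spellings.
const SAMPLE_HOSTS = ['0x7f.1', '127.1', '2130706433', '010.0.0.1', '127.0.0.1',
  '169.254.169.254', '172.31.255.255', '172.32.0.1', '8.8.8.8', '93.184.216.34'];

// Returns a map of sample host -> public?, which is what an SSRF gate would consult.
function classify(hosts = SAMPLE_HOSTS) {
  return Object.fromEntries(hosts.map((h) => [h, isPublicIPv4(h)]));
}

console.log(classify());
```

Two caveats belong next to any such gate. It judges literals only; a URL with a hostname must be resolved and every returned address checked, and the connection must then be made to the checked address, otherwise a DNS rebind defeats the check. And IPv6 needs its own strict parser (including the `::ffff:a.b.c.d` mapped form), which the NVD text for the follow-up CVE lists as one of the spellings the ip package still mishandled.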
Vulnerability details for CVE-2021-32050 (mongodb-5.7.0.tgz)
Library home page: https://registry.npmjs.org/mongodb/-/mongodb-5.7.0.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
This vulnerability is potentially reachable:
@mathigon/studio-0.1.42/server/models/progress.ts (Application)
-> mongoose-7.4.3/index.js (Extension)
-> mongoose-7.4.3/lib/index.js (Extension)
-> mongodb-5.7.0/lib/index.js (Extension)
-> ❌ mongodb-5.7.0/lib/cmap/command_monitoring_events.js (Vulnerable Component)
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).
This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Publish Date: 2023-08-29
URL: CVE-2021-32050
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-32050
Release Date: 2023-08-29
Fix Resolution: mongodb - 3.6.10, 4.17.0, 5.8.0; mongo-swift-driver - 1.1.1
The condition stated in the description is the one to verify here: the Node driver only emits these events when the client is created with monitorCommands enabled and a commandStarted/commandSucceeded/commandFailed listener is registered, which is off by default. Checking the MongoClient options and listeners settles whether the finding is exploitable before the driver is bumped.
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
CVE | Severity | CVSS | Dependency | Type | Fixed in (secret-manager version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---|---
CVE-2023-36665 | Critical | 9.8 | protobufjs-7.2.4.tgz | Transitive | 5.0.0 | ❌ | Unreachable
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Vulnerability details for CVE-2023-36665 (protobufjs-7.2.4.tgz)
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
The vulnerable code is unreachable.
protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.
Publish Date: 2023-07-05
URL: CVE-2023-36665
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36665
Release Date: 2023-07-05
Fix Resolution (protobufjs): 7.2.5
Direct dependency fix Resolution (@google-cloud/secret-manager): 5.0.0
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
- @typescript-eslint/eslint-plugin, @typescript-eslint/parser
- @google-cloud/text-to-speech, @google-cloud/translate
- jsdom, marked
- connect-mongo, mongoose
- @typescript-eslint/eslint-plugin, @typescript-eslint/parser
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- autoprefixer, chokidar, cssnano, esbuild, glob, html-entities, postcss, sass
- @mathigon/boost, @mathigon/core, @mathigon/euclid, @mathigon/fermat, @mathigon/hilbert
- @types/cookie-parser, @types/express-session, @types/lusca, @types/validator, xss
- eslint, eslint-plugin-import, nodemon, npm-run-all, tape
Detected dependencies:
.github/workflows/codeql.yml
actions/checkout v3
github/codeql-action v2
github/codeql-action v2
.github/workflows/test.yml
actions/checkout v3
actions/setup-node v3
docs/example/package.json
ts-node 10.9.2
typescript 5.3.3
nodemon 3.0.1
npm-run-all 4.1.5
package.json
@mathigon/boost 1.2.21
@mathigon/core 1.1.16
@mathigon/euclid 1.1.18
@mathigon/fermat 1.1.15
@mathigon/hilbert 1.1.15
@sendgrid/mail 8.0.0
@types/bcryptjs 2.4.6
@types/compression 1.7.5
@types/cookie-parser 1.4.6
@types/express 4.17.21
@types/express-flash 0.0.5
@types/express-session 1.17.10
@types/js-yaml 4.0.9
@types/lusca 1.7.4
@types/node-fetch 2.6.11
@types/pug 2.0.10
@types/validator 13.11.8
@webcomponents/custom-elements 1.6.0
autoprefixer 10.4.17
autotrack 2.4.1
bcryptjs 2.4.3
body-parser 1.20.2
chokidar 3.5.3
compression 1.7.4
connect-mongo 4.6.0
cookie-parser 1.4.6
cssnano 6.0.3
date-fns 2.30.0
esbuild 0.20.0
express 4.18.2
express-flash 0.0.2
express-session 1.18.0
glob 10.3.10
html-entities 2.4.0
html-minifier 4.0.0
js-yaml 4.1.0
jsdom 22.1.0
lusca 1.7.0
marked 6.0.0
mongodb-memory-server 8.15.1
mongoose 7.4.3
postcss 8.4.33
postcss-inline-svg 6.0.0
pug 3.0.2
rtlcss 4.1.1
sass 1.70.0
tslib 2.6.2
typescript 5.3.3
validator 13.11.0
web-animations-js 2.3.2
xss 1.0.14
yargs-parser 21.1.1
@typescript-eslint/eslint-plugin 6.4.0
@typescript-eslint/parser 6.4.0
eslint 8.47.0
eslint-config-google 0.14.0
eslint-plugin-import 2.28.1
tape 5.6.6
@google-cloud/secret-manager 4.2.2
@google-cloud/text-to-speech 4.2.3
@google-cloud/translate 7.2.2
puppeteer 20.9.0
node >=18
Hi there,
after trying different ways to just get the example course working I'm now at some strange point.
After starting the server with npm run start I get this:
npm run start
> @mathigon/[email protected] start
> ts-node -s server/app.ts
Running on port 8080 in development mode.
Trying in-memory Mongo DB...
The problem now is that nothing more happens and I'm not sure what to do. It seems like there is some server implementation issue but without an error I'm not able to figure it out. Someone else with the same problems?
Fixed it by myself:
Just had to change the port to http://127.0.0.1:8080/
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
CVE | Severity | CVSS | Dependency | Type | Fixed in (express version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---|---
CVE-2024-29041 | Medium | 6.1 | express-4.18.2.tgz | Direct | 4.19.0 | ❌ | Potentially reachable
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Vulnerability details for CVE-2024-29041 (express-4.18.2.tgz)
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Found in HEAD commit: 6d9647c6b41573a1d30cef1f4a06c455ed027b71
Found in base branch: main
This vulnerability is potentially reachable:
@mathigon/studio-0.1.42/server/models/progress.ts (Application)
-> express-4.18.2/index.js (Extension)
-> express-4.18.2/lib/express.js (Extension)
-> ❌ express-4.18.2/lib/response.js (Vulnerable Component)
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location(), but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Publish Date: 2024-03-25
URL: CVE-2024-29041
Type: Upgrade version
Origin: GHSA-rv95-896h-c2vc
Release Date: 2024-03-25
Fix Resolution: 4.19.0 according to the scanner, but the advisory text above names 4.19.2 as the fixed release; upgrade to 4.19.2 or later.
The listed path only shows that lib/response.js is loaded; the bug is exploitable only where the application passes request-derived input to res.redirect() or res.location(), so a search for those calls with non-constant arguments tells you whether an allow list is in play and at risk.
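The bypass class in CVE-2024-29041 is a redirect allow list that judges the user-supplied string differently from how the browser later resolves it. The safe shape, as an added example that is not Express's code, is to parse the target with the WHATWG URL class against the request's own origin and decide on the resulting hostname, never on a string prefix. The allowed hosts and sample origin below are assumptions for illustration.

```javascript
// Added example, not Express's code. Validates a user-supplied redirect
// target by parsing it, so that protocol-relative, backslash and
// userinfo tricks resolve to the host the browser would actually visit.
// ALLOWED_REDIRECT_HOSTS and the request origin are assumed values.

const ALLOWED_REDIRECT_HOSTS = new Set(['mathigon.org', 'mathigon.io']);

// Returns an absolute URL string that is safe to put in the Location
// header, or null when the redirect must be refused.
function safeRedirectTarget(target, requestOrigin) {
  if (typeof target !== 'string') return null;
  if (target.includes('\0') || /[\r\n]/.test(target)) return null;   // header injection
  let url;
  try {
    url = new URL(target, requestOrigin);   // relative targets resolve against our own origin
  } catch {
    return null;                            // unparseable: refuse rather than guess
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;   // no javascript:, data:
  if (url.username || url.password) return null;   // "https://good.example@evil.example/" tricks
  const origin = new URL(requestOrigin);
  if (url.hostname === origin.hostname) return url.href;
  return ALLOWED_REDIRECT_HOSTS.has(url.hostname) ? url.href : null;
}

// Constructed sample: what a prefix-based allow list would have been asked
// to judge, and what the parser says instead.
const SAMPLE_TARGETS = [
  '/dashboard',
  'https://mathigon.org/course',
  '//evil.example/x',
  '\\\\evil.example/x',
  'https://mathigon.org.evil.example/',
  'https://app.example.com@evil.example/',
  'javascript:alert(1)',
];

// Returns a map of target -> resolved safe URL or null.
function demo(requestOrigin = 'https://app.example.com') {
  return Object.fromEntries(SAMPLE_TARGETS.map((t) => [t, safeRedirectTarget(t, requestOrigin)]));
}

console.log(demo());
```

Comparing `url.hostname` exactly (rather than `startsWith` or `includes`) is what defeats `mathigon.org.evil.example`; parsing against the request origin is what turns `//evil.example/x` and the backslash variant into an off-origin hostname instead of a path that looks local. The scheme restriction and the userinfo check close the two remaining ways a parsed URL can still surprise a browser.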
To parse the course markdown, we currently use marked.js, together with numerous string/regex-based extensions, e.g. to add HTML blocks, inline blanks and variables, and many other elements.
This approach is difficult to test and doesn't work well with nested elements (e.g. blanks inside a table, or italic text inside a blank). We should switch to a more robust method by first tokenizing the text.
Marked.js offers some support for plugins and extensions, but it might also be necessary to switch to a different parser like markdown-it.