This repository has been archived by the owner on Jan 29, 2023. It is now read-only.
Update dependency loopback to v2.42.0 [SECURITY] #26
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.19.0->2.42.0GitHub Vulnerability Alerts
GHSA-8wgc-jjvv-cv6v
Vulnerable versions of
loopbackmay allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target'suserId. This will allow the attacker to access the user's data and their privileges.Recommendation
For loopback 2.x, upgrade to version 2.40.0 or later
For loopback 3.x, upgrade to version 3.22.0 or later
GHSA-724c-6vrf-99rq
Versions of
loopbackprior to 3.26.0 (3.x) and 2.42.0 (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft.Recommendation
If you're using
loopback3.x upgrade to version 3.26.0 or later.If you're using
loopback2.x upgrade to version 2.42.0 or later.Release Notes
strongloop/loopback
v2.42.0Compare Source
v2.41.2Compare Source
v2.41.1Compare Source
v2.41.0Compare Source
v2.40.0Compare Source
v2.39.2Compare Source
v2.39.1Compare Source
v2.39.0Compare Source
v2.38.3Compare Source
v2.38.2Compare Source
v2.38.1: 2.38.1 (LTS)Compare Source
loopback 2.38.1 (LTS)
Improve "filter" arg description
Add an example showing how to serialize object values as JSON.
Fix creation of verification links
Fix User.prototype.verify to call
querystring.stringifyinstead of concatenating query-string components directly.In particular, this fixes the bug where
options.redirectcontaining a hash fragment like#/home?arg1=value1&arg2=value2produced incorrect URL, because theredirectvalue was not correctly encoded.Include link to docs in logoutSessions warning
Make it easy for people encountering the long warning about "logoutSessionsOnSensitiveChanges" to find the relevant information in our documentation.
Preserve sessions on
User.save()making no changesFix session-invalidation code to correctly recognize the case when
User.save()was called but neither password nor email was changed.Modify the code detecting whether logoutSessionsOnSensitiveChanges is enabled to correctly handle the case when the model is not attached to any application, as is the case with loopback-component-passport tests.
Fix logout to handle missing or unknown accessToken
Return 401 when the request does not provide any accessToken argument or the token was not found.
Also simplify the implementation of the
logoutmethod to make only a single database call (deleteById) instead offindById+delete.Role model: resolve related models by name
Resolve models related to the
Rolemodel by name instead of class instance. This allows to uselocalRegistryinappwithout monkeypatchingRolemanually.When loading the
Rolemodel into a custom registry (e.g. by settinglocalRegistrytotruewhen instantiating theappobject), static roles can not be resolved because theRoleMappingmodel used inside static methods (e.g.Role.isInRole()) is loaded into a different registry (i.e. loopback) and thus not attached to anydataSource. The patch changed code resolving models related to theRolemodel to use model name instead of a global model constructor, which leads to them being resolved from the same registry thatRoleis loaded in as well.Fix User methods to use correct Primary Key
Do not use hard-coded "id" property name, call
idName()to get the name of the PK property.strong-remoting 2.33.0 (LTS)
See https://github.com/strongloop/strong-remoting/releases/tag/v2.33.0
Enable remote methods to be disabled by alias
Fix
disableMethodByNamemethod to allow callers to specify one of method aliases instead of the "canonical" name. For example, disable the methodremoveByIdby callingdisableMethodByName('destroyById').Fix content-type reported by the built-in error handler
When a remote method sets a custom content-type (e.g.
image/jpeg) and then fails, the content-type is reset back toapplication/jsonnow, in order to match the body contents.Convert object query params to JSON in outgoing requests
When invoking a remote method via strong-remoting, fix the code building query string parameters to correctly handle edge cases like a deeply-nested empty-array value.
Consider the following invocation:
Before the fix, an empty argument value was sent.
strong-remoting is sending the correct argument value now.
loopback-datasource-juggler 2.54.1 (LTS)
See https://github.com/strongloop/loopback-datasource-juggler/releases/tag/v2.54.1
Fix datasource to report connector-loading errors
When resolving full connector path, all errors used to be ignored. As a result, when the connector was installed but not correctly built (e.g. loopback-connector-db2 which uses a native addon), a very confusing message was reported by LoopBack.
We fixed the code handling
require()errors to ignore onlyMODULE_NOT_FOUNDerrors that contain the name of the required module.v2.38.0Compare Source
v2.37.1Compare Source
v2.37.0Compare Source
v2.36.2Compare Source
v2.36.0Compare Source
v2.35.0Compare Source
v2.34.1Compare Source
v2.34.0Compare Source
v2.33.0Compare Source
v2.32.0Compare Source
v2.31.0Compare Source
v2.30.0Compare Source
v2.29.1Compare Source
v2.29.0Compare Source
v2.28.0Compare Source
v2.27.0Compare Source
v2.26.2Compare Source
==========================
v2.26.1Compare Source
==========================
v2.26.0Compare Source
==========================
change: skip cp lookup on no change (Miroslav Bajtoš)
Change: correctly rectify no-change (Miroslav Bajtoš)
Update model.js (Rand McKinney)
Adding properties description for User Model (David Cheung)
Add case-sensitve email option for User model. (Richard Pringle)
v2.25.0Compare Source
==========================
v2.23.0Compare Source
==========================
lib/registry: fix findModel for model ctor (Miroslav Bajtoš)
Refer to licenses with a link (Sam Roberts)
Fix user.resetPassword to fail on email not found (Simo Moujami)
Fix typo in doc comment (Rand McKinney)
Do not include redundant ports in verify links (Samuel Gaus)
Set application's id property only if it's empty. (wusuopu)
Check configs for shared method settings (Simon Ho)
Add test fixtures for shared methods (Simon Ho)
Clean up .jshintrc (Simon Ho)
Update comment about user ACL to reflect implementation (Felipe Oliveira Carvalho)
v2.22.2Compare Source
==========================
Use strongloop conventions for licensing (Sam Roberts)
Set package license to MIT (Sam Roberts)
v2.22.1Compare Source
==========================
Fix perf of rectification after updateAttributes (Miroslav Bajtoš)
Update persisted-model.js (Rand McKinney)
Stop NPM license warning (Simon Ho)
v2.22.0Compare Source
==========================
Create stack-removing errorhandler middleware (Richard Walker)
Update README.md (Rand McKinney)
Allow EJS templates to use includes (Samuel Gaus)
Fix options.to assertion message in user.verify (Farid Nouri Neshat)
Upgrade Travis to container-based infrastructure (Miroslav Bajtoš)
fix typo "PeristedModel" (Christoph)
v2.21.0Compare Source
==========================
Add util methods to ACL and clean up related model resolutions (Raymond Feng)
Promisify 'PersistedModel - replication' (Pradnya Baviskar)
Promisify 'Application' model (Pradnya Baviskar)
v2.20.0Compare Source
==========================
Allow methods filter for middleware config (Raymond Feng)
Don't load Bluebird for createPromiseCallback (Miroslav Bajtoš)
fix exit early when password is non-string closes #1437 (Berkeley Martinez)
Promisify User model (Pradnya Baviskar)
Add missing . to user model property descriptions (Richard Walker)
v2.19.1Compare Source
==========================
Disable application model test for karma (Raymond Feng)
Fix jsdocs for methods with where argument (Raymond Feng)
Add link to createChangeStream docs (Ritchie Martori)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.