Thomas Lynch
d7a3e55fb0
update some deps, pm2 major verison change
3 years ago
Thomas Lynch
552034da5b
npm audit fix
3 years ago
Thomas Lynch
cfae852971
use gulp-real-favicon
...
make favicons , files for safari, msfile, browserconfig, webmanifest, etc in gulp task
remove favicon2 so no exclamation mark favicon for now, until it can be incorporated
somehow. but the number like (x) is shown so it shouldnt matter.
maybe another commit can add a general "!" icon if somebody makes one
3 years ago
Thomas Lynch
4872b7f5f8
npm audit fix
3 years ago
Thomas Lynch
e909cde541
audit fix again?
3 years ago
Thomas Lynch
9491d60aec
socket.io, redis adapter, client and gulpfile update
3 years ago
Thomas Lynch
01915f6377
npm update && npm audit fix
3 years ago
Thomas Lynch
42eb51c498
npm audit fix again
3 years ago
Thomas Lynch
5686c293c9
npm audit fix 1/3, still 2 more waiting for upstream pm2
3 years ago
Thomas Lynch
ce69aaee7d
i hate life
3 years ago
Thomas Lynch
05f1353205
package lock
3 years ago
Thomas Lynch
e103c71478
publish scoped gulp-pug package to use gulp 3, 3.0.2 to fix vuln that this POS outdated package wont update
3 years ago
Thomas Lynch
fc525c6a04
update package.json
3 years ago
Thomas Lynch
67e50bdb8e
dont duplicate codethemes, improve gulpfile and theme helper
...
now only css files are listed as themes, othe extensions are copied to /file
and gulp-replace is used to prepend /file/ to all the url( paths in the codethemes
3 years ago
Thomas Lynch
edd2f0392d
npm update
3 years ago
Thomas Lynch
2d26328dc9
update package lock
4 years ago
Thomas Lynch
5ff814de62
npm audit fix https://npmjs.com/advisories/1594
4 years ago
Thomas Lynch
56562a9e52
update deps
4 years ago
Thomas Lynch
e65015540a
run npm audit fix
4 years ago
Thomas Lynch
c6f9744013
ran npm audit fix
4 years ago
Thomas Lynch
4ebea1c084
ran npm audit fix
4 years ago
Thomas Lynch
9215dcbf17
test only, blockhash option
4 years ago
Thomas Lynch
0bc6a80c96
update deps
4 years ago
Thomas Lynch
22f582f3a7
Insecure tripcodes reference #282
4 years ago
Thomas Lynch
ecb9550693
update some deps
4 years ago
Thomas Lynch
26dd43f251
update express-fileupload middleware to fix issue with abort event incorrectly deleting temp files between file upload middleware and later middlewares
4 years ago
Thomas Lynch
48d6721ecc
update deps
4 years ago
Thomas Lynch
f212f67aa4
update package lock
4 years ago
Thomas Lynch
24574862a2
Add file-type moodule to check file mime types strictly, with 2 optiosn in config about it
...
Update express-fileupload dependency to clean tempfiles on numFilesLimitHandler
Add a proper error message for max num files instead of allowing unlimited and limiting in board post method
4 years ago
Thomas Lynch
7d87819ad4
Update node-fetch dependency for security advisory https://npmjs.com/advisories/1556
4 years ago
Thomas Lynch
f5e44011dd
npm audit fix
4 years ago
Thomas Lynch
2d1af818aa
Update some deps
4 years ago
e30ec2737e
normalize IP addresses
...
Currently jschan takes the IP address as a string from the `X-Real-Ip` header,
which based on the frontend proxy configuration, OS settings, etc. can take
various forms:
IPv4 addresses can be given in normal IPv4 dotted notation (e.g. `1.2.3.4`) or
as an IPv4-mapped IPv6 address (e.g. `::ffff:1.2.3.4`). The problem is, that in
the latter case, node's `isIP` will report 6, so the code will try to split it
along colons, breaking hrange and qrange.
With IPv6 addresses, it's possible to elide runs of zeroes, so `::1` and
`0:0:0:0:0:0:0:1` (and also `0000:0000:0000:0000:0000:0000:0000:0001`)
represents the same address. Since it's pretty easy to get a /64 IPv6 block, a
spammer can abuse it, by spamming from `a🅱️ c:d::1` (`qrange=a🅱️ c:d`,
`hrange=a🅱️ c`), then from `a🅱️ c:d::1:1` (`qrange=a🅱️ c:d:`, `hrange=a🅱️ c`),
`a🅱️ c:d::1:1:1` (`qrange=a🅱️ c:d::1`, `hrange=a🅱️ c:d`) and
`a🅱️ c:d:1:1:1:1` (`qrange=a🅱️ c:d:1:1`, `hrange=a🅱️ c:d`). He practically got
two hranges and qrange is pretty much pointless for IPv6 addresses.
This change uses the `ip6addr` package to parse IP addresses and convert it to
some canonical form. This means:
* IPv4 and IPv4-mapped IPv6 addresses are converted to normal IPv4 notation.
* Zero are not elided in IPv6 (so you'll never see `::`).
* IPv6 addresses are not zero padded (so `..:1` instead of `..:0001`).
* Even though it's not documented, it seems like `ip6addr` always generates
lower-case letters.
This will unfortunately mean that some IP hashes may change after the update.
Normal IPv4 hashes will most probably remain the same though.
4 years ago
Thomas Lynch
1f7e670c7c
modlog records for non-delete actions now link to posts closes #193
4 years ago
Thomas Lynch
8935ca5c28
Customisable header for IP and country code, and improve how country names are handled
4 years ago
Thomas Lynch
f4717b35a3
explicit version for express-fileupload, which should now be fixed
4 years ago
Thomas Lynch
39bbedfe53
Get session in websocket
4 years ago
Thomas Lynch
9f47b05f0d
update deps
4 years ago
Thomas Lynch
ce0bfab6c2
switch to getting packages from gitgud.io
4 years ago
Thomas Lynch
708a6e0b9b
remove dupe dependency with same path
4 years ago
d4705d6f3c
Bump bcrypt from 4.0.1 to 5.0.0 ( #166 )
...
Bumps [bcrypt](https://github.com/kelektiv/node.bcrypt.js ) from 4.0.1 to 5.0.0.
- [Release notes](https://github.com/kelektiv/node.bcrypt.js/releases )
- [Changelog](https://github.com/kelektiv/node.bcrypt.js/blob/master/CHANGELOG.md )
- [Commits](https://github.com/kelektiv/node.bcrypt.js/compare/v4.0.1...v5.0.0 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
bd427b929e
Bump socket.io-redis from 5.2.0 to 5.3.0 ( #159 )
...
Bumps [socket.io-redis](https://github.com/socketio/socket.io-redis ) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/socketio/socket.io-redis/releases )
- [Changelog](https://github.com/socketio/socket.io-redis/blob/master/CHANGELOG.md )
- [Commits](https://github.com/socketio/socket.io-redis/compare/5.2.0...5.3.0 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
ec76dfa0fe
Bump sanitize-html from 1.25.0 to 1.26.0 ( #157 )
...
Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html ) from 1.25.0 to 1.26.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases )
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/master/CHANGELOG.md )
- [Commits](https://github.com/apostrophecms/sanitize-html/commits )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
285bee3f31
Bump fs-extra from 9.0.0 to 9.0.1 ( #156 )
...
Bumps [fs-extra](https://github.com/jprichardson/node-fs-extra ) from 9.0.0 to 9.0.1.
- [Release notes](https://github.com/jprichardson/node-fs-extra/releases )
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md )
- [Commits](https://github.com/jprichardson/node-fs-extra/compare/9.0.0...9.0.1 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
523d0975f7
Bump ioredis from 4.17.1 to 4.17.3 ( #150 )
...
Bumps [ioredis](https://github.com/luin/ioredis ) from 4.17.1 to 4.17.3.
- [Release notes](https://github.com/luin/ioredis/releases )
- [Changelog](https://github.com/luin/ioredis/blob/master/Changelog.md )
- [Commits](https://github.com/luin/ioredis/compare/v4.17.1...v4.17.3 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
0351b9c688
Bump sanitize-html from 1.24.0 to 1.25.0 ( #151 )
...
Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html ) from 1.24.0 to 1.25.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases )
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/master/CHANGELOG.md )
- [Commits](https://github.com/apostrophecms/sanitize-html/commits )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
fatchan
eed27c414a
Update package-lock.json closes #148
4 years ago
Thomas Lynch
b32f3a76c0
bring across dependabot merges ( #147 )
...
* Bump ioredis from 4.16.3 to 4.17.1
Bumps [ioredis](https://github.com/luin/ioredis ) from 4.16.3 to 4.17.1.
- [Release notes](https://github.com/luin/ioredis/releases )
- [Changelog](https://github.com/luin/ioredis/blob/master/Changelog.md )
- [Commits](https://github.com/luin/ioredis/compare/v4.16.3...v4.17.1 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Bump sanitize-html from 1.23.0 to 1.24.0
Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html ) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases )
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/master/CHANGELOG.md )
- [Commits](https://github.com/apostrophecms/sanitize-html/commits )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Bump pug from 2.0.4 to 3.0.0
Bumps [pug](https://github.com/pugjs/pug ) from 2.0.4 to 3.0.0.
- [Release notes](https://github.com/pugjs/pug/releases )
- [Commits](https://github.com/pugjs/pug/compare/pug@2.0.4...pug@3.0.0 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Bump mongodb from 3.5.7 to 3.5.8
Bumps [mongodb](https://github.com/mongodb/node-mongodb-native ) from 3.5.7 to 3.5.8.
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases )
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/master/CHANGES_3.0.0.md )
- [Commits](https://github.com/mongodb/node-mongodb-native/compare/v3.5.7...v3.5.8 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
ec2f3a68c7
Bump mongodb from 3.5.7 to 3.5.8
...
Bumps [mongodb](https://github.com/mongodb/node-mongodb-native ) from 3.5.7 to 3.5.8.
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases )
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/master/CHANGES_3.0.0.md )
- [Commits](https://github.com/mongodb/node-mongodb-native/compare/v3.5.7...v3.5.8 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
c1ea23a6a8
Bump pug from 2.0.4 to 3.0.0
...
Bumps [pug](https://github.com/pugjs/pug ) from 2.0.4 to 3.0.0.
- [Release notes](https://github.com/pugjs/pug/releases )
- [Commits](https://github.com/pugjs/pug/compare/pug@2.0.4...pug@3.0.0 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
some random guy