From 19108ca5be1b3e7e9787dac3131aafe2722c6218 Mon Sep 17 00:00:00 2001 From: Darcy Clarke Date: Thu, 7 Jan 2021 17:18:45 -0500 Subject: [PATCH 1/7] ini@1.3.8 Closes: #2442 Co-authored-by: Marco Carini --- node_modules/ini/ini.js | 86 ++++++++++++++++++++--------------- node_modules/ini/package.json | 53 +++++++++++---------- package-lock.json | 6 +-- package.json | 2 +- 4 files changed, 81 insertions(+), 66 deletions(-) diff --git a/node_modules/ini/ini.js b/node_modules/ini/ini.js index 590195dd31478..b576f08d7a6bb 100644 --- a/node_modules/ini/ini.js +++ b/node_modules/ini/ini.js @@ -15,7 +15,7 @@ function encode (obj, opt) { if (typeof opt === 'string') { opt = { section: opt, - whitespace: false + whitespace: false, } } else { opt = opt || {} @@ -30,27 +30,25 @@ function encode (obj, opt) { val.forEach(function (item) { out += safe(k + '[]') + separator + safe(item) + '\n' }) - } else if (val && typeof val === 'object') { + } else if (val && typeof val === 'object') children.push(k) - } else { + else out += safe(k) + separator + safe(val) + eol - } }) - if (opt.section && out.length) { + if (opt.section && out.length) out = '[' + safe(opt.section) + ']' + eol + out - } children.forEach(function (k, _, __) { var nk = dotSplit(k).join('\\.') var section = (opt.section ? opt.section + '.' : '') + nk var child = encode(obj[k], { section: section, - whitespace: opt.whitespace + whitespace: opt.whitespace, }) - if (out.length && child.length) { + if (out.length && child.length) out += eol - } + out += child }) @@ -62,7 +60,7 @@ function dotSplit (str) { .replace(/\\\./g, '\u0001') .split(/\./).map(function (part) { return part.replace(/\1/g, '\\.') - .replace(/\2LITERAL\\1LITERAL\2/g, '\u0001') + .replace(/\2LITERAL\\1LITERAL\2/g, '\u0001') }) } 
@@ -75,15 +73,25 @@ function decode (str) { var lines = str.split(/[\r\n]+/g) lines.forEach(function (line, _, __) { - if (!line || line.match(/^\s*[;#]/)) return + if (!line || line.match(/^\s*[;#]/)) + return var match = line.match(re) - if (!match) return + if (!match) + return if (match[1] !== undefined) { section = unsafe(match[1]) + if (section === '__proto__') { + // not allowed + // keep parsing the section, but don't attach it. + p = {} + return + } p = out[section] = out[section] || {} return } var key = unsafe(match[2]) + if (key === '__proto__') + return var value = match[3] ? unsafe(match[4]) : true switch (value) { case 'true': @@ -94,20 +102,20 @@ function decode (str) { // Convert keys with '[]' suffix to an array if (key.length > 2 && key.slice(-2) === '[]') { key = key.substring(0, key.length - 2) - if (!p[key]) { + if (key === '__proto__') + return + if (!p[key]) p[key] = [] - } else if (!Array.isArray(p[key])) { + else if (!Array.isArray(p[key])) p[key] = [p[key]] - } } // safeguard against resetting a previously defined // array by accidentally forgetting the brackets - if (Array.isArray(p[key])) { + if (Array.isArray(p[key])) p[key].push(value) - } else { + else p[key] = value - } }) // {a:{y:1},"a.b":{x:2}} --> {a:{y:1,b:{x:2}}} @@ -115,9 +123,9 @@ function decode (str) { Object.keys(out).filter(function (k, _, __) { if (!out[k] || typeof out[k] !== 'object' || - Array.isArray(out[k])) { + Array.isArray(out[k])) return false - } + // see if the parent section is also an object. // if so, add it to that, and mark this one for deletion var parts = dotSplit(k) 
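Review bot: The guards added to `decode` reject only the literal name `__proto__`, while the unchanged lookup `p = out[section] = out[section] || {}` in the same hunk still reads through the prototype chain. If `out` is a plain object (it is declared above this hunk, so this is inferred), a section name that matches any inherited member resolves to that shared value instead of a fresh object, and the keys that follow are written onto it. An own-property test closes this without changing the shape of the result: `p = out[section] = Object.prototype.hasOwnProperty.call(out, section) ? out[section] : {}`. The file is vendored under `node_modules`, so the change belongs upstream in `ini`; `decode` continues past this hunk.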
@@ -125,12 +133,15 @@ function decode (str) { var l = parts.pop() var nl = l.replace(/\\\./g, '.') parts.forEach(function (part, _, __) { - if (!p[part] || typeof p[part] !== 'object') p[part] = {} + if (part === '__proto__') + return + if (!p[part] || typeof p[part] !== 'object') + p[part] = {} p = p[part] }) - if (p === out && nl === l) { + if (p === out && nl === l) return false - } + p[nl] = out[k] return true }).forEach(function (del, _, __) { @@ -152,18 +163,20 @@ function safe (val) { (val.length > 1 && isQuoted(val)) || val !== val.trim()) - ? JSON.stringify(val) - : val.replace(/;/g, '\\;').replace(/#/g, '\\#') + ? JSON.stringify(val) + : val.replace(/;/g, '\\;').replace(/#/g, '\\#') } function unsafe (val, doUnesc) { val = (val || '').trim() if (isQuoted(val)) { // remove the single quotes before calling JSON.parse - if (val.charAt(0) === "'") { + if (val.charAt(0) === "'") val = val.substr(1, val.length - 2) - } - try { val = JSON.parse(val) } catch (_) {} + + try { + val = JSON.parse(val) + } catch (_) {} } else { // walk the val to find the first not-escaped ; character var esc = false @@ -171,23 +184,22 @@ function unsafe (val, doUnesc) { for (var i = 0, l = val.length; i < l; i++) { var c = val.charAt(i) if (esc) { - if ('\\;#'.indexOf(c) !== -1) { + if ('\\;#'.indexOf(c) !== -1) unesc += c - } else { + else unesc += '\\' + c - } + esc = false - } else if (';#'.indexOf(c) !== -1) { + } else if (';#'.indexOf(c) !== -1) break - } else if (c === '\\') { + else if (c === '\\') esc = true - } else { + else unesc += c - } } - if (esc) { + if (esc) unesc += '\\' - } + return unesc.trim() } return val diff --git a/node_modules/ini/package.json b/node_modules/ini/package.json index e2d4423dcf76d..80ec6c26a95a2 100644 --- a/node_modules/ini/package.json +++ b/node_modules/ini/package.json 
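Review bot: The new `part === '__proto__'` check covers only the intermediate path components; the last one, popped into `l` and unescaped into `nl`, is still written with `p[nl] = out[k]` and no check. On a plain object an assignment to `__proto__` replaces that object's prototype instead of creating a key, so a dotted section name whose final component is `__proto__` appears to pass both this guard and the earlier `section === '__proto__'` test. Adding `if (nl === '__proto__') return false` before the assignment would leave such a section as a flat key. The `return` inside `parts.forEach` skips only that one component and the walk continues, which deserves a comment such as `// drop this component, keep descending`.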
@@ -1,35 +1,33 @@ { - "_args": [ - [ - "ini@1.3.5", - "/Users/rebecca/code/npm" - ] - ], - "_from": "ini@1.3.5", - "_id": "ini@1.3.5", + "_from": "ini@1.3.8", + "_id": "ini@1.3.8", "_inBundle": false, - "_integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==", + "_integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==", "_location": "/ini", "_phantomChildren": {}, "_requested": { "type": "version", "registry": true, - "raw": "ini@1.3.5", + "raw": "ini@1.3.8", "name": "ini", "escapedName": "ini", - "rawSpec": "1.3.5", + "rawSpec": "1.3.8", "saveSpec": null, - "fetchSpec": "1.3.5" + "fetchSpec": "1.3.8" }, "_requiredBy": [ + "#USER", "/", "/config-chain", "/global-dirs", + "/libcipm", + "/libnpmconfig", "/rc" ], - "_resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz", - "_spec": "1.3.5", - "_where": "/Users/rebecca/code/npm", + "_resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", + "_shasum": "a29da425b48806f34767a4efce397269af28432c", + "_spec": "ini@1.3.8", + "_where": "/Users/darcyclarke/Documents/Repos/npm/npm/cli", "author": { "name": "Isaac Z. Schlueter", "email": "i@izs.me", @@ -38,14 +36,16 @@ "bugs": { "url": "https://github.com/isaacs/ini/issues" }, - "dependencies": {}, + "bundleDependencies": false, + "deprecated": false, "description": "An ini encoder/decoder for node", "devDependencies": { - "standard": "^10.0.3", - "tap": "^10.7.3 || 11" - }, - "engines": { - "node": "*" + "eslint": "^7.9.0", + "eslint-plugin-import": "^2.22.0", + "eslint-plugin-node": "^11.1.0", + "eslint-plugin-promise": "^4.2.1", + "eslint-plugin-standard": "^4.0.1", + "tap": "14" }, "files": [ "ini.js" 
@@ -59,11 +59,14 @@ "url": "git://github.com/isaacs/ini.git" }, "scripts": { - "postpublish": "git push origin --all; git push origin --tags", + "eslint": "eslint", + "lint": "npm run eslint -- ini.js test/*.js", + "lintfix": "npm run lint -- --fix", + "posttest": "npm run lint", "postversion": "npm publish", - "pretest": "standard ini.js", + "prepublishOnly": "git push origin --follow-tags", "preversion": "npm test", - "test": "tap test/*.js --100 -J" + "test": "tap" }, - "version": "1.3.5" + "version": "1.3.8" } diff --git a/package-lock.json b/package-lock.json index 03b1840f0dcf9..b8eafd53470c8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2419,9 +2419,9 @@ "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "ini": { - "version": "1.3.5", - "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz", - "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==" + "version": "1.3.8", + "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", + "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==" }, "init-package-json": { "version": "1.10.3", diff --git a/package.json b/package.json index d08c066bdc3ed..ec70f0099f79c 100644 --- a/package.json +++ b/package.json @@ -68,7 +68,7 @@ "infer-owner": "^1.0.4", "inflight": "~1.0.6", "inherits": "^2.0.4", - "ini": "^1.3.5", + "ini": "^1.3.8", "init-package-json": "^1.10.3", "is-cidr": "^3.0.0", "json-parse-better-errors": "^1.0.2", From 7a05740743ac9d9229e2dc9e1b9ca8b57d58c789 Mon Sep 17 00:00:00 2001 
From: Darcy Clarke Date: Thu, 7 Jan 2021 19:45:24 -0500 Subject: [PATCH 2/7] bl@3.0.1 --- node_modules/bl/bl.js | 11 ++++++++++- node_modules/bl/package.json | 26 ++++++++++++++------------ node_modules/bl/test/test.js | 16 ++++++++++++++++ package-lock.json | 6 +++--- package.json | 1 + 5 files changed, 44 insertions(+), 16 deletions(-) diff --git a/node_modules/bl/bl.js b/node_modules/bl/bl.js index e0eef85a3b67c..3e5512790cd77 100644 --- a/node_modules/bl/bl.js +++ b/node_modules/bl/bl.js @@ -185,18 +185,22 @@ BufferList.prototype.copy = function copy (dst, dstStart, srcStart, srcEnd) { if (bytes > l) { this._bufs[i].copy(dst, bufoff, start) + bufoff += l } else { this._bufs[i].copy(dst, bufoff, start, start + bytes) + bufoff += l break } - bufoff += l bytes -= l if (start) start = 0 } + // safeguard so that we don't return uninitialized memory + if (dst.length > bufoff) return dst.slice(0, bufoff) + return dst } @@ -232,6 +236,11 @@ BufferList.prototype.toString = function toString (encoding, start, end) { } BufferList.prototype.consume = function consume (bytes) { + // first, normalize the argument, in accordance with how Buffer does it + bytes = Math.trunc(bytes) + // do nothing if not a positive number + if (Number.isNaN(bytes) || bytes <= 0) return this + while (this._bufs.length) { if (bytes >= this._bufs[0].length) { bytes -= this._bufs[0].length diff --git a/node_modules/bl/package.json b/node_modules/bl/package.json index 85611a6cb5c47..3dbbf698d2bae 100644 --- a/node_modules/bl/package.json +++ b/node_modules/bl/package.json 
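Review bot: In the `else` branch of `BufferList.prototype.copy`, the call `this._bufs[i].copy(dst, bufoff, start, start + bytes)` writes `bytes` bytes, but the added line advances `bufoff` by `l`, and that branch is reached only when `bytes` is not greater than `l`. `bufoff` can therefore overstate how much of `dst` was written, and the new safeguard `if (dst.length > bufoff) return dst.slice(0, bufoff)` depends on that count; `bufoff += bytes` in the `else` branch keeps it exact. The safeguard also means `copy` can return a slice rather than the `dst` object itself, which is worth stating in the function's doc comment. `l` and the loop header sit above the hunk, and the file is vendored, so the fix belongs upstream in `bl`.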
@@ -1,27 +1,29 @@ { - "_from": "bl@^3.0.0", - "_id": "bl@3.0.0", + "_from": "bl@3.0.1", + "_id": "bl@3.0.1", "_inBundle": false, - "_integrity": "sha512-EUAyP5UHU5hxF8BPT0LKW8gjYLhq1DQIcneOX/pL/m2Alo+OYDQAJlHq+yseMP50Os2nHXOSic6Ss3vSQeyf4A==", + "_integrity": "sha512-jrCW5ZhfQ/Vt07WX1Ngs+yn9BDqPL/gw28S7s9H6QK/gupnizNzJAss5akW20ISgOrbLTlXOOCTJeNUQqruAWQ==", "_location": "/bl", "_phantomChildren": {}, "_requested": { - "type": "range", + "type": "version", "registry": true, - "raw": "bl@^3.0.0", + "raw": "bl@3.0.1", "name": "bl", "escapedName": "bl", - "rawSpec": "^3.0.0", + "rawSpec": "3.0.1", "saveSpec": null, - "fetchSpec": "^3.0.0" + "fetchSpec": "3.0.1" }, "_requiredBy": [ + "#DEV:/", + "#USER", "/tar-stream" ], - "_resolved": "https://registry.npmjs.org/bl/-/bl-3.0.0.tgz", - "_shasum": "3611ec00579fd18561754360b21e9f784500ff88", - "_spec": "bl@^3.0.0", - "_where": "/Users/aeschright/code/cli/node_modules/tar-stream", + "_resolved": "https://registry.npmjs.org/bl/-/bl-3.0.1.tgz", + "_shasum": "1cbb439299609e419b5a74d7fce2f8b37d8e5c6f", + "_spec": "bl@3.0.1", + "_where": "/Users/darcyclarke/Documents/Repos/npm/npm/cli", "authors": [ "Rod Vagg (https://github.com/rvagg)", "Matteo Collina (https://github.com/mcollina)", @@ -58,5 +60,5 @@ "scripts": { "test": "node test/test.js | faucet" }, - "version": "3.0.0" + "version": "3.0.1" } diff --git a/node_modules/bl/test/test.js b/node_modules/bl/test/test.js index 1da0293b6d146..d8e552d8a8148 100644 --- a/node_modules/bl/test/test.js +++ b/node_modules/bl/test/test.js 
@@ -431,6 +431,22 @@ tape('test toString encoding', function (t) { t.end() }) +tape('uninitialized memory', function (t) { + const secret = crypto.randomBytes(256) + for (let i = 0; i < 1e6; i++) { + const clone = Buffer.from(secret) + const bl = new BufferList() + bl.append(Buffer.from('a')) + bl.consume(-1024) + const buf = bl.slice(1) + if (buf.indexOf(clone) !== -1) { + t.fail(`Match (at ${i})`) + break + } + } + t.end() +}) + !process.browser && tape('test stream', function (t) { var random = crypto.randomBytes(65534) , rndhash = hash(random, 'md5') diff --git a/package-lock.json b/package-lock.json index b8eafd53470c8..6269cc2828097 100644 --- a/package-lock.json +++ b/package-lock.json @@ -440,9 +440,9 @@ "dev": true }, "bl": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/bl/-/bl-3.0.0.tgz", - "integrity": "sha512-EUAyP5UHU5hxF8BPT0LKW8gjYLhq1DQIcneOX/pL/m2Alo+OYDQAJlHq+yseMP50Os2nHXOSic6Ss3vSQeyf4A==", + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/bl/-/bl-3.0.1.tgz", + "integrity": "sha512-jrCW5ZhfQ/Vt07WX1Ngs+yn9BDqPL/gw28S7s9H6QK/gupnizNzJAss5akW20ISgOrbLTlXOOCTJeNUQqruAWQ==", "dev": true, "requires": { "readable-stream": "^3.0.1" diff --git a/package.json b/package.json index ec70f0099f79c..75653657f2a44 100644 --- a/package.json +++ b/package.json @@ -275,6 +275,7 @@ "write-file-atomic" ], "devDependencies": { + "bl": "^3.0.1", "deep-equal": "^1.0.1", "get-stream": "^4.1.0", "licensee": "^7.0.3", From 1d235b230b44c5b97236cf42c6e5be18419b3263 Mon Sep 17 00:00:00 2001 From: Jim Fisher Date: Wed, 30 Sep 2020 10:00:19 +0100 Subject: [PATCH 3/7] docs: update link to CLI issues Credit: @jameshfisher Close: #1881 Reviewed-by: @darcyclarke --- docs/src/components/FoundTypo.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/src/components/FoundTypo.js b/docs/src/components/FoundTypo.js index 5aca0894934dc..39877c402d833 100644 --- a/docs/src/components/FoundTypo.js 
+++ b/docs/src/components/FoundTypo.js @@ -13,8 +13,8 @@ const FoundTypo = () => {

👀 Found a typo? Let us know!

The current stable version of npm is here. To upgrade, run: npm install npm@latest -g

- To report bugs or submit feature requests for the docs, please post here. - Submit npm issues here. + To report bugs or submit feature requests for the docs, please post here. + Submit npm issues here.

) From c0f8ce8fe0924ea9754d1163ea81a3d59af51b43 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Tue, 1 Sep 2020 15:09:36 +0200 Subject: [PATCH 4/7] Add s390x, ppc64 and ppc64el in supported cpu list Credit: @guimard Close: #1751 Fixes: #1455 Reviewed-by: @darcyclarke --- test/tap/legacy-platform-all.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/tap/legacy-platform-all.js b/test/tap/legacy-platform-all.js index 01c7be7ec1c86..de7e635a0d1a6 100644 --- a/test/tap/legacy-platform-all.js +++ b/test/tap/legacy-platform-all.js @@ -36,6 +36,9 @@ var fixture = new Tacks( 'arm64', 'mips', 'ia32', + 'ppc64', + 'ppc64el', + 's390x', 'x64', 'sparc' ] From 7f14d6435f8b7553bc4a6fc4c20c4727a307596b Mon Sep 17 00:00:00 2001 From: Darcy Clarke Date: Thu, 7 Jan 2021 19:54:56 -0500 Subject: [PATCH 5/7] docs: changelog for v6.14.11 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index da56d107e1fd9..2541e49d03d34 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## 6.14.11 (2021-01-07) +### DEPENDENCIES + +* [`19108ca5b`](https://github.com/npm/cli/commit/19108ca5be1b3e7e9787dac3131aafe2722c6218) + `ini@1.3.8`: + * addressing [`CVE-2020-7788`](https://github.com/advisories/GHSA-qqgx-2p2h-9c37) +* [`7a0574074`](https://github.com/npm/cli/commit/7a05740743ac9d9229e2dc9e1b9ca8b57d58c789) + `bl@3.0.1` + * addressing [`CVE-2020-8244`](https://github.com/advisories/GHSA-pp7h-53gx-mx7r) + ## 6.14.10 (2020-12-18) ### DEPENDENCIES From afb3c9e6dc03a9c303d7483f23a4be2d52ddafcd Mon Sep 17 00:00:00 2001 From: Darcy Clarke Date: Thu, 7 Jan 2021 20:40:57 -0500 Subject: [PATCH 6/7] update AUTHORS --- AUTHORS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/AUTHORS b/AUTHORS index ad3066625fc9c..6e8890bc3c0e3 100644 --- a/AUTHORS +++ b/AUTHORS @@ -708,3 +708,5 @@ Sandra Tatarevićová Antoine du Hamel Assaf Sapir Lukas Spieß +Jim Fisher +Xavier Guimard 
From 792869f03892f4e55d2fef2031ffe7887c7ffac2 Mon Sep 17 00:00:00 2001
From: Darcy Clarke
Date: Thu, 7 Jan 2021 20:40:59 -0500
Subject: [PATCH 7/7] 6.14.11
---
 package-lock.json | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 6269cc2828097..dcb81c9349668 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "npm",
- "version": "6.14.10",
+ "version": "6.14.11",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index 75653657f2a44..fdbb33e23cd53 100644
--- a/package.json
+++ b/package.json
@@ -1,5 +1,5 @@
 {
- "version": "6.14.10",
+ "version": "6.14.11",
 "name": "npm",
 "description": "a package manager for JavaScript",
 "keywords": [