Christoph Tavan ctavan @contentpass Berlin / Germany https://twitter.com/ctavan CTO & Co-Founder of contentpass

ctavan/express-validate 7

Validator for expressjs

coronakompass/coronakompass 2

Corona Kompass

ctavan/CakePHP-Facebook-Plugin 2

CakePHP Facebook Plugin

ctavan/CakePHP-Asset-Management-Plugin 1

A plugin to package and minify your javascript and css. Supports preprocessors like LESS, coffeescript and kaffeine, minification engines like cssmin, uglifyjs, jsmin and closure compiler, auto-include-paths, specifying which asset to include on which request, and much more.

ctavan/campfire-plugin 1

Jenkins campfire plugin

ctavan/cluster 1

Node.JS multi-core server manager with plugins support.

ctavan/debuggable-scraps 1

MIT licensed code without warranty ; )

push event AdguardTeam/HttpsExclusions

Andrey Meshkov

commit sha 3cdc3940fd3283fd43218a105e3b32019ce6b06e

Removed googlevideo.com from the default exclusions list

push time in 11 hours

issue opened AdguardTeam/HttpsExclusions

Addition of MCB Mauritius to the exclusion list

Address: https://www.mcb.mu/en/

created time in 2 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

Merged this so that the spec is in line with what has so far been shipped. We should follow up with a blurb about the discussion happening in #23, as suggested by @domenic.

bcoe

comment created time in 3 days

push event WICG/uuid

Benjamin E. Coe

commit sha 5f620e9a71c8b4ecf97842c5db5f74ab97111215

update randomUUID() to SecureContext (#24)

push time in 3 days

PR merged WICG/uuid

update randomUUID() to SecureContext

Based on review during the intent to ship process, and based on the ongoing discussions linked below, we've opted to ship randomUUID() in a SecureContext.

Let's continue the discussion regarding this choice in #23, potentially soon with user feedback?

Refs: https://github.com/WICG/uuid/issues/23 Refs: https://github.com/w3ctag/design-reviews/issues/623 CC: @annevk, @cynthia

+1 -1

9 comments

1 changed file

bcoe

pr closed time in 3 days

issue comment WICG/uuid

Secure contexts

Are there potential security risks associated with this being exposed on insecure contexts? The bit we are afraid of is people falling back to suboptimal randomizers in insecure contexts due to this not being available.

While in the general case there is no excuse for shipping a new application insecure, if this is used by libraries or frameworks it would have to be polyfilled since there isn't any guarantee of a secure context.

I acknowledge that making this available on insecure is against our general guidelines, but the associated risks are definitely there for making this secure only.

annevk

comment created time in 5 days

issue comment WICG/uuid

Secure contexts

There are zero implementations of crypto.randomUUID() that work in non-secure contexts. (And no implementations interested in doing so currently.)

There is one implementation of crypto.randomUUID() that works only in secure contexts. (And another implementation which has expressed some interest, although not yet an official position.)

annevk

comment created time in 5 days

issue comment WICG/uuid

Secure contexts

Is it reflecting multiple implementations though? If it's one implementation then I think it should be malleable unless a lot of content already depends on it. (e.g. we have already failed with a lot of webkit specials, although some have unshipped..)

annevk

comment created time in 5 days

issue comment WICG/uuid

Secure contexts

For reviewing #24, I think the relevant question is "should the spec reflect implementations". (The answer is yes.)

Then this issue is about "what should implementations and the spec do in the future". I.e. this issue becomes a change request for the spec/implementations.

annevk

comment created time in 5 days

issue comment WICG/uuid

Secure contexts

[Continuing the thread from #24 here.]

@bakkot and I are both confused as to how this conversation led to #24 (restricting to secure contexts). Specifically...

It sounded like the group was okay with making an exception here (as relayed by @cynthia):

we have consensus that this is a special case that should also be available in insecure contexts.

And while @annevk did push back, he seems to acknowledge that the general case of crypto being secure-only already made exceptions for randomness-related APIs:

Limited to randomness it would be more reasonable as that's already exposed

(E.g. crypto.getRandomValues(), which strikes me as being conceptually very similar to randomUUID(), is available in insecure contexts. That these two methods would have different security profiles seems inconsistent.)

There's also @domenic's observation about the impact this is likely to have on libraries (having to expose the secure-context constraint and/or provide shim code). But he also points out that there's some value in bringing the spec in line with the current implementation(s).

As a reviewer of #24, I'm getting mixed messages. While my preference would be to lift the secure-context requirement, I'm fine proceeding either way. I'd just like to see some sort of consensus so the last comment here doesn't directly contradict the PR I'm being asked to approve. 😆

annevk

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

In particular, I think merging this to the spec is a good idea, so that the spec reflects the one shipping implementation (Chrome) and the preference of at least one other implementer (Mozilla). Then we can see if we can sway those implementers in #23.

Maybe we should add a comment or <p class="note"> or something pointing people to #23 though, from the spec.

bcoe

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

Is it appropriate to continue debating this

I think it's appropriate to keep debating this, let's move to #23 though.

I saw SecureContext as a reasonable compromise for now, as it's easier to go from a limited audience to a wider audience, than from a wide audience of users to a smaller audience.

bcoe

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

Is it appropriate to continue debating this, or do you just want a simple "make sure this change isn't going to break anything" code review here? If the latter, I'm happy to approve.

If the former... well, the arguments for why this should be restricted to secure contexts so far lack real substance. Meanwhile the counter-arguments seem pretty valid. E.g. @domenic's comment about this forcing dependent libraries to surface the secure-context requirement and / or ship with a polyfill is pretty astute.

For my part, I can't help but wonder about the conceptual similarity between getRandomValues() and randomUuid(). Two peas in a pod, so to speak. Explaining to developers why the former works in insecure contexts but the latter doesn't is going to be difficult.

bcoe

comment created time in 5 days

push event WICG/uuid

bcoe

commit sha 1fb97f203c9feefa82af57368dcceeda15249c5d

force build

push time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

@annevk says

Limited to randomness it would be more reasonable as that's already exposed

But this proposal is limited to randomness. I read his comment to be addressing the preceding comment about "rolling your own crypto", not about this proposal specifically.

bcoe

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

@bakkot @broofa, re:

The conclusion in both of the linked discussions is that it should not be limited to secure contexts. Is there another discussion you meant to link? I'm confused. I read the conversation in #23 as allowing for an exception to be made here

@annevk makes the case in this comment that the decision to ship in insecure contexts is inconsistent with recent design decisions in Web Crypto.

@cynthia in turn proposes that we continue the discussion in #23.

In seeing this, reviewers in the Chromium Intent to Ship thread suggested that we make the conservative choice of shipping in a secure context (at least initially).

If it becomes clear this is a huge pain in the neck for users, I think we can make a case for later removing this constraint.

bcoe

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

I'm not strongly invested in either outcome here, but I am interested in understanding the reasoning, and

based on the ongoing discussions linked below, we've opted to ship randomUUID() in a SecureContext

The conclusion in both of the linked discussions is that it should not be limited to secure contexts. Is there another discussion you meant to link?

bcoe

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

I'm confused. I read the conversation in #23 as allowing for an exception to be made here (i.e. randomUuid() should not be limited to secure contexts.) But this change reads as though it is. What am I missing?

bcoe

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

👇 looks like I'm still listed in the group, hiccup?

Screen Shot 2021-05-12 at 8 29 54 AM

bcoe

comment created time in 5 days

pull request comment WICG/uuid

update randomUUID() to SecureContext

@marcoscaceres any idea what happened with the IPR checker? It was working fine for all previous PRs...

bcoe

comment created time in 5 days

push event WICG/uuid

bcoe

commit sha 3ac88d124e3188083bd5811a932b7122fc631343

force recheck

push time in 5 days

PR opened WICG/uuid

update randomUUID() to SecureContext

Based on review during the intent to ship process, and based on the ongoing discussions linked below, we've opted to ship randomUUID() in a SecureContext.

Let's continue the discussion regarding this choice in #23, potentially soon with user feedback?

Refs: https://github.com/WICG/uuid/issues/23 Refs: https://github.com/w3ctag/design-reviews/issues/623 CC: @annevk, @cynthia

+1 -1

0 comment

1 changed file

pr created time in 5 days

create branch WICG/uuid

branch : secure-context

created branch time in 5 days

PR opened ctavan/uuid-example-react-native

Bump hosted-git-info from 2.8.8 to 2.8.9

Bumps hosted-git-info from 2.8.8 to 2.8.9.

Changelog

Sourced from hosted-git-info's changelog (https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md).

2.8.9 (2021-04-07)

Bug Fixes

  • backport regex fix from #76 (29adfe5), closes #84

Commits

  • 8d4b369 chore(release): 2.8.9
  • 29adfe5 fix: backport regex fix from #76
  • See full diff in compare view: https://github.com/npm/hosted-git-info/compare/v2.8.8...v2.8.9

Maintainer changes

This version was pushed to npm by nlf, a new releaser for hosted-git-info since your current version.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

+3 -3

0 comment

1 changed file

pr created time in 6 days

PR opened tc39/proposal-csprng

Bump hosted-git-info from 2.8.5 to 2.8.9

Bumps hosted-git-info from 2.8.5 to 2.8.9.

Changelog

Sourced from hosted-git-info's changelog (https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md).

2.8.9 (2021-04-07)

Bug Fixes

  • backport regex fix from #76 (29adfe5), closes #84

2.8.8 (2020-02-29)

Bug Fixes

  • #61 & #65 addressing issues w/ url.URL implmentation which regressed node 6 support (5038b18), closes #66

2.8.7 (2020-02-26)

Bug Fixes

  • Do not attempt to use url.URL when unavailable (2d0bb66), closes #61 #62
  • Do not pass scp-style URLs to the WhatWG url.URL (f2cdfcf), closes #60

2.8.6 (2020-02-25)

Commits

  • 8d4b369 chore(release): 2.8.9
  • 29adfe5 fix: backport regex fix from #76
  • afeaefd chore(release): 2.8.8
  • 5038b18 fix: #61 & #65 addressing issues w/ url.URL implmentation which regressed nod...
  • 7440afa chore(release): 2.8.7
  • 2d0bb66 fix: Do not attempt to use url.URL when unavailable
  • f2cdfcf fix: Do not pass scp-style URLs to the WhatWG url.URL
  • e1b83df chore(release): 2.8.6
  • ff259a6 Ensure passwords in hosted Git URLs are correctly escaped
  • See full diff in compare view: https://github.com/npm/hosted-git-info/compare/v2.8.5...v2.8.9

Maintainer changes

This version was pushed to npm by nlf, a new releaser for hosted-git-info since your current version.

+3 -3

0 comment

1 changed file

pr created time in 7 days

PR opened ctavan/uuid-example-react-native

Bump lodash from 4.17.20 to 4.17.21

Bumps lodash from 4.17.20 to 4.17.21.

Commits

  • f299b52 Bump to v4.17.21
  • c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
  • 3469357 Prevent command injection through _.template's variable option
  • See full diff in compare view: https://github.com/lodash/lodash/compare/4.17.20...4.17.21

+3 -3

0 comment

1 changed file

pr created time in 7 days

delete branch tc39/proposal-csprng

delete branch : dependabot/npm_and_yarn/lodash-4.17.19

delete time in 7 days