paulator/bench 0

Multi-tenant platform to install and manage Frappe / ERPNext

paulator/docker-erpnext 0

:whale: Docker image for ERPNext.

paulator/erpnext 0

ERP made Simple

paulator/FastLED 0

The main FastLED library (successor to FastSPI_LED). Please direct questions/requests for advice to the reddit community - http://fastled.io/r - we'd like to keep issues to just tracking bugs/enhancements/tasks. *NOTE* major library work is currently on hold

paulator/frappe 0

Full Stack Web Framework in Python & JS. Used to build ERPNext

paulator/frappe_docker 0

Docker images for production and development setups of the Frappe framework and ERPNext

paulator/vault-openvpn 0

Small wrapper utility to manage OpenVPN configuration combined with a Vault PKI

push event frappe/frappe

Saqib Ansari

commit sha aa2360e589368d58b909fc9f49ad9dd028990da4

fix: cannot refresh grid_row

Saqib Ansari

commit sha 4806dcff32fa4f3187c05877659741bb7b67179c

fix: sider issues

prssanna

commit sha d2d905be140647d404f089e9abb97bcc55a1c97e

fix: grid row index no longer dependent on doc index

hasnain2808@gmail.com

commit sha cd693d5a17e5e90668f53ca8e4caccab417c9a45

fix: hide theme url

robert kimutai

commit sha 9591d01c2c2458b459e132d0cd28d3f777cf865c

chore: Update CONTRIBUTING.md (#12241)

mergify[bot]

commit sha 9c214c836b5ca77604cd4da3fb7e62d9248f7b99

Merge pull request #12226 from hasnain2808/fix--hide-theme-url fix: hide theme url

mergify[bot]

commit sha bd209058180d387e34033a04cff3f8f56a0d9e43

Merge pull request #12188 from prssanna/grid-form-keyboard-nav fix: grid row index no longer dependent on doc index for keyboard navigation

Suraj Shetty

commit sha 723436ca5016c07e4161b9aa4a8c07afe6186916

Merge branch 'develop' into grid-row-refresh-fix

Raffael Meyer

commit sha f47d2c32b144dc19ddac2a273644d973c2895561

feat: Add translation context (#12043) Co-authored-by: Suraj Shetty <13928957+surajshetty3416@users.noreply.github.com>

mergify[bot]

commit sha d89ea9ee6010653dd078ebe1332fa89a8e037467

Merge pull request #12176 from nextchamp-saqib/grid-row-refresh-fix fix: cannot refresh grid_row

Suraj Shetty

commit sha 86b381716b9a7866e0b37921f4f179b34724314c

Merge branch 'develop' of https://github.com/frappe/frappe into rebrand-ui

push time in 2 hours

push event frappe/frappe

Suraj Shetty

commit sha 611b74b8a065e9b226e7ab36312e792422582a0b

refactor: Introduce variables for error state

push time in 3 hours

PR closed frappe/frappe

feat: 'bench migrate/migrate process' Optimization for quick sync up fixtures in DB #12235

Pull Request for "bench migrate" Optimization for Quick Sync up fixtures in DB #12235. As observed in the frappe codebase, I found the observations below.

Problem:

  • While running bench migrate we migrate all fixture .json files present in the respective directory of the app. In that process, bench migrate re-inserts all fields that are not updated as well as the new/updated ones, and the plain bench migrate process does the same. Due to this, we do unnecessary alterations in the database if there is no change in other fields like custom_field.json, property_setter.json, role.json etc., and bench migrate takes too much time just for syncing.

  • Another major point: if you have multiple apps in the system, the fixtures of the last app are erased by the fixtures of another app (the next app after the last migrated app) if both fixtures are not in sync, and we end up with issues/bug fixes and the developer goes into a panic situation 😓.

Solution:

  • I have added one condition which checks whether the field already exists in the database with the same modified date. If it is not modified, then it exits from the loop, and if it is a new field or modified then it will be inserted into the custom field.

  • For multiple apps, it will not override other apps' fixtures in the database. It will update only those that are modified or updated.

  • Due to this fix, we improved the bench migrate process; check the screenshot below for analysis on the server side. [screenshot]

+10 -2

0 comment

2 changed files

shrikant9867

pr closed time in 4 hours
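The PR above describes the idea (compare the fixture record's modified timestamp with the database copy and skip the write when they match, never touching records the app's fixtures do not mention) without showing the comparison. The following Python is an added example, not frappe's or the PR author's code: it computes the sync plan over constructed sample rows and stays independent of frappe. The only fact taken from frappe is the stored format of `modified` ("YYYY-MM-DD HH:MM:SS.ffffff"); the sample rows, the function names and one refinement are assumptions made here, the refinement being that a database row that is newer than the fixture is skipped rather than overwritten, which protects edits another app or a site administrator made after the fixture was exported.

```python
from datetime import datetime

MODIFIED_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # frappe's stored 'modified' format

# Constructed sample rows (not real site data). Real frappe fixtures are
# lists of dicts carrying at least "doctype", "name" and "modified".
EXISTING_ROWS = [  # what is already in the database
    {"doctype": "Custom Field", "name": "Sales Invoice-region",
     "modified": "2021-01-10 09:00:00.000000"},
    {"doctype": "Custom Field", "name": "Sales Invoice-channel",
     "modified": "2021-01-15 12:30:00.000000"},
    {"doctype": "Custom Field", "name": "Item-grade",   # owned by another app
     "modified": "2021-01-12 08:00:00.000000"},
    {"doctype": "Custom Field", "name": "Sales Invoice-notes",
     "modified": "2021-01-11 08:00:00.000000"},
]

FIXTURE_ROWS = [  # what this app's custom_field.json carries
    {"doctype": "Custom Field", "name": "Sales Invoice-region",
     "modified": "2021-01-10 09:00:00.000000"},   # identical -> skip
    {"doctype": "Custom Field", "name": "Sales Invoice-channel",
     "modified": "2021-01-20 10:00:00.000000"},   # newer -> update
    {"doctype": "Custom Field", "name": "Sales Invoice-rating",
     "modified": "2021-01-18 10:00:00.000000"},   # absent from DB -> insert
    {"doctype": "Custom Field", "name": "Sales Invoice-notes"},  # no timestamp -> update
]


def parse_modified(value):
    """Parse frappe's 'modified' string; raises ValueError on a malformed value."""
    return datetime.strptime(value, MODIFIED_FORMAT)


def plan_fixture_sync(existing_rows, fixture_rows):
    """Classify each fixture record as insert / update / skip.

    Database records that this app's fixtures do not mention are never
    touched, so one app's sync cannot erase another app's records.
    A fixture row without a 'modified' value is treated as changed, since
    there is no way to prove it is already in sync.
    """
    existing = {(r["doctype"], r["name"]): r for r in existing_rows}
    plan = {"insert": [], "update": [], "skip": []}
    for row in fixture_rows:
        key = (row["doctype"], row["name"])
        current = existing.get(key)
        if current is None:
            plan["insert"].append(key)
            continue
        if "modified" not in row or "modified" not in current:
            plan["update"].append(key)
            continue
        if parse_modified(row["modified"]) > parse_modified(current["modified"]):
            plan["update"].append(key)
        else:
            # same timestamp (already synced) or the DB copy is newer:
            # leave the database row as it is
            plan["skip"].append(key)
    return plan


def untouched(existing_rows, plan):
    """Database records the plan leaves alone (e.g. other apps' fixtures)."""
    touched = set(plan["insert"]) | set(plan["update"]) | set(plan["skip"])
    return [(r["doctype"], r["name"]) for r in existing_rows
            if (r["doctype"], r["name"]) not in touched]
```

The plan is deliberately computed before any write: a migration can log it, and a test can assert that the set of untouched records equals the records owned by other apps.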

push event frappe/frappe

Suraj Shetty

commit sha 1b5634d4384c976af1a899edf358de7d3691f7b0

fix: Blockquote style

Suraj Shetty

commit sha fd4d349e4c53c830c2507ec6ae052bae331ac5e5

fix: Use get_abbr method for abbr

push time in 5 hours

push event frappe/frappe

Suraj Shetty

commit sha 37e54c35125b68a4bb541cbe5a0c502333b885e0

fix: Remove fallback title for brand logo

Suraj Shetty

commit sha e5482022f545783137928ddbda0b1f8941045fe3

fix: Responsive email style

push time in 6 hours

push event frappe/frappe

Suraj Shetty

commit sha 927b62f39e38777b1185e37baf052acc99af4782

fix: Email body spacing issue

push time in 6 hours

PR opened frappe/frappe

feat: Util to get datetime in specific timezone

Usage: [screenshot: Screenshot 2021-01-21 at 1 20 39 PM]

+12 -3

0 comment

2 changed files

pr created time in 8 hours

push event frappe/frappe

Suraj Shetty

commit sha dff1a2adf3db4fbd71128d30071d73a56fe5fc30

fix: Reload docperm doctype to sync recent changes

push time in 9 hours

push event frappe/frappe

Suraj Shetty

commit sha 65a82bef1a770c37073e8e3a16ad0cb72c1ebb15

fix: Show brand logo if header is set

push time in 9 hours

push event frappe/frappe

Suraj Shetty

commit sha 5045cdf092ac3ade3da8c2d51bfe4f2ba9888790

fix: Get brand logo from email account

Suraj Shetty

commit sha 6e7fbe157c960486ecfb8bf89ba7705d0e932074

fix: Show brand logo only if header or with_container is set

Suraj Shetty

commit sha 6c01e9234b005bab41f5b410907bd97c26a352b8

chore: Update frappe-charts

Suraj Shetty

commit sha cb7c29b9f5c291de4a4daf733a72962d455acece

Merge branch 'rebrand-ui' of https://github.com/frappe/frappe into rebrand-ui

push time in 9 hours

push event frappe/frappe

prssanna

commit sha a440a8d7ddf92b5e77ce608309134a36f744bc2b

fix: escape kanban name in data attribute

prssanna

commit sha dff870ead656b264a47dc7778d48fddea89fdd5e

Merge branch 'rebrand-ui' of https://github.com/frappe/frappe into rebrand-ui

push time in 10 hours

push event frappe/frappe

Suraj Shetty

commit sha 425ab65bb4445c671c8fa31e49e9585406546b16

fix: Post merge issue

push time in 10 hours

push event frappe/frappe

Suraj Shetty

commit sha 733d33aad0389f31d687a16edfe52c5a11e8b8b4

fix: Email footer style

Suraj Shetty

commit sha d2b5bd7af79cc8d98067f88753d4c3ce1a7f0c8a

refactor: Fix address naming

Suraj Shetty

commit sha e2c763c989334dd3d393a302fbdb617e7c30c1b6

feat: Add avatar macro

Suraj Shetty

commit sha e6f551d610932a46b461aa72e5c8264c53f79701

feat: Add with_container argument and update email style

Suraj Shetty

commit sha e6aa5394b817ef5fea1a2a9cac437cf049349803

feat: Add avatars for top performers

Suraj Shetty

commit sha e4bdbed414605208fd1f5dcdb3226897b128ab0c

Merge branch 'rebrand-ui' of https://github.com/frappe/frappe into rebrand-ui

push time in 10 hours

Pull request review comment frappe/frappe

feat: Hide Child Records for a Nested DocType via User Permissions

 frappe.ui.form.on('User Permission', { 		if (frm.doc.apply_to_all_doctypes) { 			frm.set_value('applicable_for', null); 		}+	},++	show_exclude_descendants: frm => {
	toggle_exclude_descendants: frm => {
marination

comment created time in 11 hours

Pull request review comment frappe/frappe

feat: Hide Child Records for a Nested DocType via User Permissions

 frappe.ui.form.on('User Permission', { 			() => frappe.set_route('query-report', 'Permitted Documents For User', 				{ user: frm.doc.user })); 		frm.trigger('set_applicable_for_constraint');+		frm.trigger('show_exclude_descendants');
		frm.trigger('toggle_exclude_descendants');

Maybe rename this to toggle_exclude_descendants instead of show_exclude_descendants, because it will also hide the checkbox.

marination

comment created time in 11 hours

Pull request review comment frappe/frappe

feat: Hide Child Records for a Nested DocType via User Permissions

 frappe.ui.form.on('User Permission', { 			() => frappe.set_route('query-report', 'Permitted Documents For User', 				{ user: frm.doc.user })); 		frm.trigger('set_applicable_for_constraint');+		frm.trigger('show_exclude_descendants'); 	},  	allow: frm => {-		if(frm.doc.for_value) {-			frm.set_value('for_value', null);+		if (frm.doc.allow) {+			if (frm.doc.for_value) {+				frm.set_value('for_value', null);+			}+			frm.trigger('show_exclude_descendants');
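
Review bot: wrapping the body of the allow handler in `if (frm.doc.allow)` means that clearing `allow` no longer resets `for_value` (the removed lines cleared it unconditionally) and no longer re-runs `show_exclude_descendants`, so a stale `for_value` and a visible exclude-descendants checkbox can survive after the doctype is unset; keep the `for_value` reset outside the guard, or add an else branch that clears the field and re-triggers the toggle.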
			frm.trigger('toggle_exclude_descendants');
marination

comment created time in 11 hours

Pull request review comment frappe/frappe

feat: Hide Child Records for a Nested DocType via User Permissions

 def add_user_permissions(data): 		data = json.loads(data) 	data = frappe._dict(data) -	d = check_applicable_doc_perm(data.user, data.doctype, data.docname)+	# get all doctypes on whom this permission os applied
	# get all doctypes on whom this permission is applied
marination

comment created time in 11 hours

push event frappe/frappe

prssanna

commit sha aaa4fc6b3552ffdcb83c5fd2a366e889b51f0794

fix: dropdown divider style

push time in 11 hours

push event frappe/frappe

prssanna

commit sha 3026801cf0e635c2ca62a4a4b7c8cdbaa4f68cf6

fix: kanban switcher in page custom actions

push time in 11 hours

Pull request review comment frappe/frappe

fix: Check for fieldlevel permission for report query

 def get_form_params():  	fields = data["fields"] +	if ((isinstance(fields, string_types) and fields == "*")+		or (isinstance(fields, (list, tuple)) and len(fields) == 1 and fields[0] == "*")):+		parenttype = data.doctype+		data["fields"] = frappe.db.get_table_columns(parenttype)+		fields = data["fields"]+ 	for field in fields: 		key = field.split(" as ")[0]  		if key.startswith('count('): continue 		if key.startswith('sum('): continue 		if key.startswith('avg('): continue -		if "." in key:-			parenttype, fieldname = key.split(".")[0][4:-1], key.split(".")[1].strip("`")-		else:-			parenttype = data.doctype-			fieldname = field.strip("`")+		parenttype, fieldname = get_parent_dt_and_field(key, data) -		df = frappe.get_meta(parenttype).get_field(fieldname)+		if fieldname == "*":+			# * inside list is not allowed with other fields+			fields.remove(field)++		meta = frappe.get_meta(parenttype)+		df = meta.get_field(fieldname) -		fieldname = df.fieldname if df else None 		report_hide = df.report_hide if df else None  		# remove the field from the query if the report hide flag is set and current view is Report 		if report_hide and is_report: 			fields.remove(field) +		if df and fieldname in [df.fieldname for df in meta.get_high_permlevel_fields()]:+			if df.get('permlevel') not in meta.get_permlevel_access() and field in fields:
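
Review bot: `fields.remove(field)` is called inside `for field in fields:` (once for the `*` entry and again under `report_hide`), which mutates the list being iterated and makes the loop skip the element that follows each removed one, so that field never reaches the permlevel check this hunk introduces; iterate over a copy (`for field in list(fields):`) or collect the fields to keep into a new list. The comprehension `[df.fieldname for df in meta.get_high_permlevel_fields()]` also reuses the name `df`; on Python 2, which this module still targets via `string_types`, the comprehension variable leaks, so `df.get('permlevel')` on the next line inspects the last high-permlevel field instead of the requested one. Use a different loop variable, or compare the requested field's own `permlevel` directly.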

This fails for child table fields: [screenshot]

(parenttype is not set in get_permissions)

surajshetty3416

comment created time in 12 hours

pull request comment frappe/frappe

feat(Data Import): Handle import of DocTypes with tree structure

Oh, my apologies, I should be able to get to the documentation update next week. Thanks!

gwhitney

comment created time in 17 hours

create branch frappe/frappe

branch : snyk-fix-f40a8131737dbb81805c07d9a1c531e0

created branch time in 17 hours

push event frappe/frappe

snyk-bot

commit sha 19c6e0218db9b1dd95132693a96a8174fac2dc94

fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151

push time in 17 hours

PR opened frappe/frappe

[Snyk] Security upgrade PyYAML from 5.3.1 to 5.4

Snyk has created this PR to fix one or more vulnerable packages in the pip dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • requirements.txt

⚠️ Warning:

google-auth 1.18.0 has requirement rsa<4.1; python_version < "3", but you have rsa 4.5.
google-api-core 1.25.0 has requirement google-auth<2.0dev,>=1.21.1, but you have google-auth 1.18.0.

Vulnerabilities that will be fixed

By pinning:
Severity: high (priority score 876/1000 (*): mature exploit, fix available, CVSS 9.8)
Issue: Arbitrary Code Execution, SNYK-PYTHON-PYYAML-590151
Upgrade: PyYAML 5.3.1 -> 5.4
Breaking change: No
Exploit maturity: Mature

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

  • 🧐 View latest project report
  • 🛠 Adjust project settings
  • 📚 Read more about Snyk's upgrade and patch logic

+1 -1

0 comment

1 changed file

pr created time in 17 hours
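The Snyk PR above pins PyYAML at 5.4 to clear SNYK-PYTHON-PYYAML-590151. As an added example, not Snyk's or frappe's code, the following stdlib-only Python reads a requirements.txt and reports any exact pin that sits below a minimum version, plus any entry for a floored package that is not an exact pin at all (a `>=` bound would let a future resolver pick anything, which is not what a frozen requirements file is for). The sample requirements text and the floor table are constructed here; only the PyYAML 5.4 floor comes from the page. Version comparison is a simplified numeric-tuple compare rather than full PEP 440 ordering, which is adequate for release pins such as 5.3.1 but ignores pre-release suffixes.

```python
import re

# Constructed sample requirements.txt (not the project's real file).
REQUIREMENTS_TXT = """\
# pinned by pip freeze
PyYAML==5.3.1
google-auth==1.18.0
rsa==4.5
requests>=2.20,<3
Pillow==8.1.0 ; python_version >= "3.6"
"""

# Minimum acceptable versions, keyed by PEP 503 normalised name.
# Only the PyYAML floor is taken from the page; add others as needed.
MINIMUM_VERSIONS = {
    "pyyaml": "5.4",
}

_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|>|<=|<|!=)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize_name(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Numeric tuple for comparison; a non-numeric tail (rc1, post1) ends the tuple."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text):
    """Yield (normalised_name, operator, version) for each requirement line.

    Comments and environment markers are stripped; of a comma-separated
    specifier set only the first clause is examined."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _SPEC_RE.match(line.split(",", 1)[0])
        if not m:
            continue
        name, op, version = m.groups()
        yield normalize_name(name), op, version


def find_below_floor(text, floors=MINIMUM_VERSIONS):
    """Return [(name, pinned_version, floor)] for every floored package that is
    either pinned below its floor or not exactly pinned at all."""
    findings = []
    for name, op, version in parse_requirements(text):
        floor = floors.get(name)
        if floor is None:
            continue
        if op != "==" or version is None:
            findings.append((name, version, floor))  # unbounded or range pin
        elif parse_version(version) < parse_version(floor):
            findings.append((name, version, floor))
    return findings
```

Run it as a CI step over the checked-in requirements file: a non-empty result should fail the build, so a revert of a security pin (such as the one this PR introduces) is caught before it reaches production.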

PR opened frappe/frappe

chore(deps): [security] bump socket.io from 2.2.0 to 2.4.0

Bumps socket.io from 2.2.0 to 2.4.0. This update includes a security fix. <details> <summary>Vulnerabilities fixed</summary> <p><em>Sourced from <a href="https://github.com/advisories/GHSA-fxwf-4rqh-v8g3">The GitHub Security Advisory Database</a>.</em></p> <blockquote> <p><strong>Insecure defaults due to CORS misconfiguration in socket.io</strong> The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.</p> <p>Affected versions: < 2.4.0</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/socketio/socket.io/releases">socket.io's releases</a>.</em></p> <blockquote> <h2>2.4.0</h2> <p>Related blog post: <a href="https://socket.io/blog/socket-io-2-4-0/">https://socket.io/blog/socket-io-2-4-0/</a></p> <h3>Features (from Engine.IO)</h3> <ul> <li>add support for all cookie options (<a href="https://github.com/socketio/engine.io/commit/19cc58264a06dca47ed401fbaca32dcdb80a903b">19cc582</a>)</li> <li>disable perMessageDeflate by default (<a href="https://github.com/socketio/engine.io/commit/5ad273601eb66c7b318542f87026837bf9dddd21">5ad2736</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>security:</strong> do not allow all origins by default (<a href="https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7">f78a575</a>)</li> <li>properly overwrite the query sent in the handshake (<a href="https://github.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e">d33a619</a>)</li> </ul> <p>:warning: <strong>BREAKING CHANGE</strong> :warning:</p> <p>Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (<code>Access-Control-Allow-xxx</code>) to <strong>any</strong> domain. 
This will not be the case anymore, and you now have to explicitly enable it.</p> <p>Please note that you are not impacted if:</p> <ul> <li>you are using Socket.IO v2 and the <code>origins</code> option to restrict the list of allowed domains</li> <li>you are using Socket.IO v3 (disabled by default)</li> </ul> <p>This commit also removes the support for '' matchers and protocol-less URL:</p> <pre><code>io.origins('https://example.com:443'); => io.origins(['https://example.com']); io.origins('localhost:3000'); => io.origins(['http://localhost:3000']); io.origins('http://localhost:'); => io.origins(['http://localhost:3000']); io.origins('*:3000'); => io.origins(['http://localhost:3000']); </code></pre> <p>To restore the previous behavior (please use with caution):</p> <pre lang="js"><code>io.origins((_, callback) => { callback(null, true); }); </code></pre> <p>See also:</p> <ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS</a></li> <li><a href="https://socket.io/docs/v3/handling-cors/">https://socket.io/docs/v3/handling-cors/</a></li> <li><a href="https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling">https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling</a></li> </ul> <p>Thanks a lot to <a href="https://github.com/ni8walk3r"><code>@ni8walk3r</code></a> for the security report.</p> <h4>Links:</h4> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/socketio/socket.io/blob/2.4.0/CHANGELOG.md">socket.io's changelog</a>.</em></p> <blockquote> <h1><a href="https://github.com/socketio/socket.io/compare/2.3.0...2.4.0">2.4.0</a> (2021-01-04)</h1> <h3>Bug Fixes</h3> <ul> <li><strong>security:</strong> do not allow all origins by default (<a href="https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7">f78a575</a>)</li> <li>properly overwrite the query sent in the handshake (<a href="https://github.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e">d33a619</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/socketio/socket.io/commit/873fdc55eddd672960fdbc1325ccb7c4bf466f05"><code>873fdc5</code></a> chore(release): 2.4.0</li> <li><a href="https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7"><code>f78a575</code></a> fix(security): do not allow all origins by default</li> <li><a href="https://github.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e"><code>d33a619</code></a> fix: properly overwrite the query sent in the handshake</li> <li><a href="https://github.com/socketio/socket.io/commit/3951a79359c19f9497de664d96a8f9f80196a405"><code>3951a79</code></a> chore: bump engine.io version</li> <li><a href="https://github.com/socketio/socket.io/commit/6fa026fc94fb3a1e6674b8a2c1211b24ee38934a"><code>6fa026f</code></a> ci: migrate to GitHub Actions</li> <li><a href="https://github.com/socketio/socket.io/commit/47161a65d40c2587535de750ac4c7d448e5842ba"><code>47161a6</code></a> [chore] Release 2.3.0</li> <li><a href="https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd"><code>cf39362</code></a> [chore] Bump socket.io-parser to version 3.4.0</li> <li><a 
href="https://github.com/socketio/socket.io/commit/4d01b2c84cc8dcd6968e422d44cb5e78851058b9"><code>4d01b2c</code></a> test: remove deprecated Buffer usage (<a href="https://github-redirect.dependabot.com/socketio/socket.io/issues/3481">#3481</a>)</li> <li><a href="https://github.com/socketio/socket.io/commit/82271921db9d5d2048322a0c9466ffcb09b2a501"><code>8227192</code></a> [docs] Fix the default value of the 'origins' parameter (<a href="https://github-redirect.dependabot.com/socketio/socket.io/issues/3464">#3464</a>)</li> <li><a href="https://github.com/socketio/socket.io/commit/1150eb50e9ce4f15cbd86c51de69df82f3194206"><code>1150eb5</code></a> [chore] Bump engine.io to version 3.4.0</li> <li>Additional commits viewable in <a href="https://github.com/socketio/socket.io/compare/2.2.0...2.4.0">compare view</a></li> </ul> </details> <br />

Dependabot compatibility score: [badge]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)


+78 -90

0 comment

2 changed files

pr created time in 18 hours

issue comment letscontrolit/ESPEasy

travis-ci.org is shutting down

Yes please do. The requirements.txt is mainly based on "this works, so freeze it" using pip freeze > requirements.txt.

Every now and then I just upgrade the packages to the then current version and test if it still works.

So I guess now is the time for a new upgrade of Python packages.

A PR will be much appreciated.

mcspr

comment created time in 18 hours

PR opened frappe/frappe

chore(deps): [security] bump socket.io from 2.0.4 to 2.4.1

Bumps socket.io from 2.0.4 to 2.4.1. This update includes a security fix.

Vulnerabilities fixed (sourced from The GitHub Security Advisory Database, https://github.com/advisories/GHSA-fxwf-4rqh-v8g3):

Insecure defaults due to CORS misconfiguration in socket.io. The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default. Affected versions: < 2.4.0

Release notes (sourced from socket.io's releases, https://github.com/socketio/socket.io/releases):

2.4.1

This release reverts the breaking change introduced in 2.4.0 (https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):

    io.origins((req, callback) => {
      callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
    });

  • with CORS (server and client are served from distinct domains):

    io.origins(["http://localhost:3000"]); // for local development
    io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts
  • fix(security): do not allow all origins by default (a169050, https://github.com/socketio/socket.io/commit/a1690509470e9dd5559cec4e60908ca6c23e9ba0)

Links:
  • Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1
  • Client release: -
  • engine.io version: ~3.5.0
  • ws version: ~7.4.2

2.4.0

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)
  • add support for all cookie options (19cc582, https://github.com/socketio/engine.io/commit/19cc58264a06dca47ed401fbaca32dcdb80a903b)
  • disable perMessageDeflate by default (5ad2736, https://github.com/socketio/engine.io/commit/5ad273601eb66c7b318542f87026837bf9dddd21)

Bug Fixes
  • security: do not allow all origins by default (f78a575, https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7)
  • properly overwrite the query sent in the handshake (d33a619, https://github.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e)

:warning: BREAKING CHANGE :warning:

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

... (truncated)

Changelog (sourced from socket.io's changelog, https://github.com/socketio/socket.io/blob/2.4.1/CHANGELOG.md):

2.4.1 (2021-01-07), https://github.com/socketio/socket.io/compare/2.4.0...2.4.1

Reverts
  • fix(security): do not allow all origins by default (a169050)

2.4.0 (2021-01-04), https://github.com/socketio/socket.io/compare/2.3.0...2.4.0

Bug Fixes
  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

Commits (https://github.com/socketio/socket.io/commit/<sha>)
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
  • 873fdc5 chore(release): 2.4.0
  • f78a575 fix(security): do not allow all origins by default
  • d33a619 fix: properly overwrite the query sent in the handshake
  • 3951a79 chore: bump engine.io version
  • 6fa026f ci: migrate to GitHub Actions
  • 47161a6 [chore] Release 2.3.0
  • cf39362 [chore] Bump socket.io-parser to version 3.4.0
  • 4d01b2c test: remove deprecated Buffer usage (#3481)
  • Additional commits viewable in compare view: https://github.com/socketio/socket.io/compare/2.0.4...2.4.1


+104 -117

0 comment

1 changed file

pr created time in 18 hours
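Both socket.io PRs above (2.2.0 to 2.4.0, and 2.0.4 to 2.4.1) turn on the same point: a Socket.IO v2 server answers CORS preflights for any Origin unless it is given an explicit origins allowlist, and 2.4.1 reverted the 2.4.0 default, so on v2 the allowlist remains the operator's job. The release notes also show that 2.4.0 stopped accepting protocol-less entries ('localhost:3000') and wildcard ports ('*:3000'). As an added example, not code from socket.io or frappe, here is the check an origins callback should perform, written in Python so it reads independently of the Node API: canonicalise both the allowlist entries and the incoming Origin header to scheme://host:port and compare for exact equality, so suffix tricks (example.com.evil.net), scheme or port mismatches and the literal 'null' origin are all refused. The class and function names and the sample Origin values are assumptions made here.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def canonical_origin(value):
    """Return 'scheme://host:port' with lowercase scheme and host and an
    explicit port, or None if the value is not a complete origin.

    Protocol-less entries ('localhost:3000'), wildcards ('*:3000') and
    anything carrying a path, query or fragment are rejected, which is the
    stricter matching socket.io 2.4.0 moved to."""
    if not isinstance(value, str) or "*" in value:
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # a browser's Origin header never carries a path
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme.lower()]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return "%s://%s:%d" % (parts.scheme.lower(), parts.hostname.lower(), port)


class OriginPolicy:
    """Exact-match allowlist over canonical origins.

    allow_no_origin decides requests that carry no Origin header at all
    (same-origin navigations, curl, native clients); the socket.io 2.4.1
    notes treat that case as 'same domain', which is what False enforces
    for a server that expects only cross-origin browser clients."""

    def __init__(self, allowed, allow_no_origin=False):
        self.allowed = set()
        for entry in allowed:
            canon = canonical_origin(entry)
            if canon is None:
                # fail closed at configuration time rather than at request time
                raise ValueError("invalid allowlist entry: %r" % (entry,))
            self.allowed.add(canon)
        self.allow_no_origin = allow_no_origin

    def is_allowed(self, origin_header):
        """origin_header is the raw Origin value, or None if absent."""
        if origin_header is None:
            return self.allow_no_origin
        canon = canonical_origin(origin_header)
        return canon is not None and canon in self.allowed


# Constructed sample Origin header values as a browser would send them.
SAMPLE_ORIGINS = [
    "https://example.com",           # allowed
    "https://EXAMPLE.com:443",       # same origin, different spelling: allowed
    "https://example.com.evil.net",  # suffix trick: denied
    "http://example.com",            # scheme mismatch: denied
    "https://example.com:8443",      # port mismatch: denied
    "null",                          # sandboxed iframe / opaque origin: denied
    None,                            # no Origin header at all
]


def evaluate(policy, origins=SAMPLE_ORIGINS):
    """Map each sample Origin value to the policy's decision."""
    return {origin: policy.is_allowed(origin) for origin in origins}
```

The same decision function is what a socket.io v2 `io.origins((origin, callback) => ...)` handler, or any WebSocket upgrade handler, should call before echoing an Access-Control-Allow-Origin header; reflecting the request's Origin back without this comparison is exactly the "all domains whitelisted" default the advisory describes.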
