resolve npm audit security fixes (#3721)

* upgrade mocha from 3.5.3 to 5.0.5 This resolves these security issues Low Regular Expression Denial of Service Package debug Dependency of mocha [dev] Path mocha > debug More info https://nodesecurity.io/advisories/534 Critical Command Injection Package growl Dependency of mocha [dev] Path mocha > growl More info https://nodesecurity.io/advisories/146 * upgrade mocha and start modularizing lodash to make sure tests pass * more lodash modularization * upgrade mqtt to 2.18.3 * allow npm 6.2 * upgrade share2nightscout-bridge * incorporate express-extension-to-accept into Nightscout the packages seems not maintained (github page is 404) and has a security issue with mime package. so upgraded and included into Nightscout code. if somebody knows a more efficient way of programming this with express4 please PR * update jsdom for security fixes * prevent wrapping of hour labels by removing the space * Revert "update jsdom for security fixes" This reverts commit 04f1f39. * Revert "more lodash modularization" This reverts commit c4fa530. * remove forever dependency * Revert "Revert "more lodash modularization"" This reverts commit b13c274. * fix report.test.js with newer packages sometimes a fix is very easy. This is to prevent: ``` Deprecation warning: value provided is not in a recognized RFC2822 or ISO format. moment construction falls back to js Date(), which is not reliable across all browsers and versions. Non RFC2822/ISO date formats are discouraged and will be removed in an upcoming major release. Please refer to http://momentjs.com/guides/#/warnings/js-date/ for more info. Arguments: [0] _isAMomentObject: true, _isUTC: true, _useUTC: true, _l: undefined, _i: T00:00:00, _f: undefined, _strict: undefined, _locale: [object Object] Error at Function.createFromInputFallback (XXX\cgm-remote-monitor\tmp\js\bundle.js:117408:98) at configFromString (XXX\cgm-remote-monitor\tmp\js\bundle.js:119456:15) ``` We must use ISO8601 formatted strings and not use slashes in dates, see moment/moment#1407 (comment) * upgrade webpack to 4.16.2 * Update package.json
nightscout · Jul 24, 2018 · 71103bb · 71103bb
1 parent 2571934
commit 71103bb
Show file tree

Hide file tree

Showing 18 changed files with 2,813 additions and 2,670 deletions.
diff --git a/Procfile b/Procfile
@@ -1 +1 @@
-web: ./node_modules/.bin/forever --minUptime 100 -c node server.js
+web: node server.js
diff --git a/app.js b/app.js
@@ -1,6 +1,6 @@
 'use strict';
 
-var _ = require('lodash');
+var _get = require('lodash/get');
 var express = require('express');
 var compression = require('compression');
 var bodyParser = require('body-parser');
@@ -29,7 +29,7 @@ function create(env, ctx) {
     }
 
     if (env.settings.isEnabled('cors')) {
-        var allowOrigin = _.get(env, 'extendedSettings.cors.allowOrigin') || '*';
+        var allowOrigin = _get(env, 'extendedSettings.cors.allowOrigin') || '*';
         console.info('Enabled CORS, allow-origin:', allowOrigin);
         app.use(function allowCrossDomain(req, res, next) {
             res.header('Access-Control-Allow-Origin', allowOrigin);

diff --git a/env.js b/env.js
@@ -1,6 +1,11 @@
 'use strict';
 
-var _ = require('lodash');
+var _each = require('lodash/each');
+var _trim = require('lodash/trim');
+var _forIn = require('lodash/forIn');
+var _startsWith = require('lodash/startsWith');
+var _camelCase = require('lodash/camelCase');
+
 var fs = require('fs');
 var crypto = require('crypto');
 var consts = require('./lib/constants');
@@ -168,16 +173,16 @@ function findExtendedSettings (envs) {
     return key.toUpperCase().replace('CUSTOMCONNSTR_', '');
   }
 
-  _.each(env.settings.enable, function eachEnable(enable) {
-    if (_.trim(enable)) {
-      _.forIn(envs, function eachEnvPair (value, key) {
+  _each(env.settings.enable, function eachEnable(enable) {
+    if (_trim(enable)) {
+      _forIn(envs, function eachEnvPair (value, key) {
         var env = normalizeEnv(key);
-        if (_.startsWith(env, enable.toUpperCase() + '_')) {
+        if (_startsWith(env, enable.toUpperCase() + '_')) {
           var split = env.indexOf('_');
           if (split > -1 && split <= env.length) {
             var exts = extended[enable] || {};
             extended[enable] = exts;
-            var ext = _.camelCase(env.substring(split + 1).toLowerCase());
+            var ext = _camelCase(env.substring(split + 1).toLowerCase());
             if (!isNaN(value)) { value = Number(value); }
             if (typeof value === 'string' && (value.toLowerCase() === 'on' || value.toLowerCase() === 'true')) { value = true; }
             if (typeof value === 'string' && (value.toLowerCase() === 'off' || value.toLowerCase() === 'false')) { value = false; }

diff --git a/lib/admin_plugins/index.js b/lib/admin_plugins/index.js
@@ -1,6 +1,7 @@
 'use strict';
 
-var _ = require('lodash');
+var _find = require('lodash/find');
+var _each = require('lodash/each');
 
 function init() {
     var allPlugins = [
@@ -12,14 +13,14 @@ function init() {
 
   function plugins(name) {
     if (name) {
-      return _.find(allPlugins, {name: name});
+      return _find(allPlugins, {name: name});
     } else {
       return plugins;
     }
   }
 
   plugins.eachPlugin = function eachPlugin(f) {
-    _.each(allPlugins, f);
+    _each(allPlugins, f);
   };
 
   plugins.createHTML = function createHTML(client) {

diff --git a/lib/api/activity/index.js b/lib/api/activity/index.js
@@ -1,6 +1,9 @@
 'use strict';
 
-var _ = require('lodash');
+var _forEach = require('lodash/forEach');
+var _isNil = require('lodash/isNil');
+var _isArray = require('lodash/isArray');
+
 var consts = require('../../constants');
 var moment = require('moment');
 
@@ -36,7 +39,7 @@ function configure(app, wares, ctx) {
         ctx.activity.list(req.query, function(err, results) {
             var d1 = null;
 
-            _.forEach(results, function clean(t) {
+            _forEach(results, function clean(t) {
 
                 var d2 = null;
 
@@ -55,7 +58,7 @@ function configure(app, wares, ctx) {
                 }
             });
 
-            if (!_.isNil(d1)) res.setHeader('Last-Modified', d1.toUTCString());
+            if (!_isNil(d1)) res.setHeader('Last-Modified', d1.toUTCString());
 
             if (ifModifiedSince && d1.getTime() <= moment(ifModifiedSince).valueOf()) {
                 res.status(304).send({
@@ -75,7 +78,7 @@ function configure(app, wares, ctx) {
         function post_response(req, res) {
             var activity = req.body;
 
-            if (!_.isArray(activity)) {
+            if (!_isArray(activity)) {
                 activity = [activity];
             };
 

diff --git a/lib/api/alexa/index.js b/lib/api/alexa/index.js
@@ -1,8 +1,7 @@
 'use strict';
 
 var moment = require('moment');
-var _ = require('lodash');
-
+var _each = require('lodash/each');
 
 function configure (app, wares, ctx, env) {
     var entries = ctx.entries;
@@ -21,15 +20,15 @@ function configure (app, wares, ctx, env) {
         if (plugin.alexa) {
             if (plugin.alexa.intentHandlers) {
                 console.log(plugin.name + ' is Alexa enabled');
-                _.each(plugin.alexa.intentHandlers, function (route) {
+                _each(plugin.alexa.intentHandlers, function (route) {
                     if (route) {
                         ctx.alexa.configureIntentHandler(route.intent, route.intentHandler, route.routableSlot, route.slots);
                     }
                 });
             }
             if (plugin.alexa.rollupHandlers) {
                 console.log(plugin.name + ' is Alexa rollup enabled');
-                _.each(plugin.alexa.rollupHandlers, function (route) {
+                _each(plugin.alexa.rollupHandlers, function (route) {
                     console.log('Route');
                     console.log(route);
                     if (route) {

diff --git a/lib/api/entries/index.js b/lib/api/entries/index.js
@@ -1,6 +1,10 @@
 'use strict';
 
-var _ = require('lodash');
+var _last = require('lodash/last');
+var _isNil = require('lodash/isNil');
+var _first = require('lodash/first');
+var _includes = require('lodash/includes');
+
 var consts = require('../../constants');
 var es = require('event-stream');
 var sgvdata = require('sgvdata');
@@ -77,11 +81,11 @@ function configure(app, wares, ctx) {
 
     function ifModifiedSinceCTX(req, res, next) {
 
-        var lastEntry = _.last(ctx.ddata.sgvs);
+        var lastEntry = _last(ctx.ddata.sgvs);
         var lastEntryDate = null;
 
-        if (!_.isNil(lastEntry)) {
-            lastEntryDate = new Date(_.last(ctx.ddata.sgvs).mills);
+        if (!_isNil(lastEntry)) {
+            lastEntryDate = new Date(_last(ctx.ddata.sgvs).mills);
             res.setHeader('Last-Modified', lastEntryDate.toUTCString());
         }
 
@@ -140,10 +144,10 @@ function configure(app, wares, ctx) {
 
         res.entries.sort(compare);
 
-        var lastEntry = _.first(res.entries);
+        var lastEntry = _first(res.entries);
         var lastEntryDate = null;
 
-        if (!_.isNil(lastEntry)) {
+        if (!_isNil(lastEntry)) {
             if (lastEntry.mills) lastEntryDate = new Date(lastEntry.mills);
             if (!lastEntry.mills && lastEntry.date) lastEntryDate = new Date(lastEntry.date);
             res.setHeader('Last-Modified', lastEntryDate.toUTCString());
@@ -626,7 +630,7 @@ curl -s -g 'http://localhost:1337/api/v1/times/20{14..15}/T{13..18}:{00..15}'.js
      * by default.
      */
     function prep_storage(req, res, next) {
-        if (req.params.storage && _.includes(['entries', 'treatments', 'devicestatus'], req.params.storage)) {
+        if (req.params.storage && _includes(['entries', 'treatments', 'devicestatus'], req.params.storage)) {
             req.storage = ctx[req.params.storage];
         } else {
             req.storage = ctx.entries;

diff --git a/lib/api/index.js b/lib/api/index.js
@@ -1,7 +1,7 @@
 'use strict';
 
 function create (env, ctx) {
-  var _ = require('lodash')
+  var _each = require('lodash/each')
     , express = require('express')
     ,  app = express( )
     ;
@@ -22,7 +22,7 @@ function create (env, ctx) {
 
   if (env.settings.enable) {
     app.extendedClientSettings = ctx.plugins && ctx.plugins.extendedClientSettings ? ctx.plugins.extendedClientSettings(env.extendedSettings) : {};
-    _.each(env.settings.enable, function (enable) {
+    _each(env.settings.enable, function (enable) {
       console.info('enabling feature:', enable);
       app.enable(enable);
     });

diff --git a/lib/api/properties.js b/lib/api/properties.js
@@ -1,6 +1,9 @@
 'use strict';
 
-var _ = require('lodash');
+var _isEmpty = require('lodash/isEmpty');
+var _filter = require('lodash/filter');
+var _pick = require('lodash/pick');
+
 var express = require('express');
 var sandbox = require('../sandbox')();
 
@@ -22,21 +25,21 @@ function create (env, ctx) {
     ctx.plugins.setProperties(sbx);
 
     function notEmpty (part) {
-      return ! _.isEmpty(part);
+      return ! _isEmpty(part);
     }
 
-    var segments = _.filter(req.path.split('/'), notEmpty);
+    var segments = _filter(req.path.split('/'), notEmpty);
 
     var selected = [ ];
 
     if (segments.length > 0) {
-      selected = _.filter(segments[0].split(','), notEmpty);
+      selected = _filter(segments[0].split(','), notEmpty);
     }
 
     var result = sbx.properties;
 
     if (selected.length > 0) {
-      result = _.pick(sbx.properties, selected);
+      result = _pick(sbx.properties, selected);
     }
 
     if (req.query && req.query.pretty) {

diff --git a/lib/api/treatments/index.js b/lib/api/treatments/index.js
@@ -1,6 +1,9 @@
 'use strict';
 
-var _ = require('lodash');
+var _forEach = require('lodash/forEach');
+var _isNil = require('lodash/isNil');
+var _isArray = require('lodash/isArray');
+
 var consts = require('../../constants');
 var moment = require('moment');
 
@@ -36,7 +39,7 @@ function configure(app, wares, ctx) {
         ctx.treatments.list(req.query, function(err, results) {
             var d1 = null;
 
-            _.forEach(results, function clean(t) {
+            _forEach(results, function clean(t) {
                 t.carbs = Number(t.carbs);
                 t.insulin = Number(t.insulin);
 
@@ -57,7 +60,7 @@ function configure(app, wares, ctx) {
                 }
             });
 
-            if (!_.isNil(d1)) res.setHeader('Last-Modified', d1.toUTCString());
+            if (!_isNil(d1)) res.setHeader('Last-Modified', d1.toUTCString());
 
             if (ifModifiedSince && d1.getTime() <= moment(ifModifiedSince).valueOf()) {
                 res.status(304).send({
@@ -77,7 +80,7 @@ function configure(app, wares, ctx) {
         function post_response(req, res) {
             var treatments = req.body;
 
-            if (!_.isArray(treatments)) {
+            if (!_isArray(treatments)) {
                 treatments = [treatments];
             };
 

diff --git a/lib/language.js b/lib/language.js
@@ -4383,7 +4383,7 @@ function init() {
       ,pl: '2h'
       ,ru: '2ч'
       ,sk: '2 hod'
-      ,nl: '2 uur'
+      ,nl: '2uur'
       ,ko: '2시간'
       ,zh_cn: '2小时'
       ,zh_tw: '2小時'
@@ -4406,7 +4406,7 @@ function init() {
       ,pl: '3h'
       ,ru: '3ч'
       ,sk: '3 hod'
-      ,nl: '3 uur'
+      ,nl: '3uur'
       ,ko: '3시간'
       ,zh_cn: '3小时'
       ,zh_tw: '3小時'
@@ -4429,7 +4429,7 @@ function init() {
       ,pl: '6h'
       ,ru: '6ч'
       ,sk: '6 hod'
-      ,nl: '6 uur'
+      ,nl: '6uur'
       ,ko: '6시간'
       ,zh_cn: '6小时'
       ,zh_tw: '6小時'
@@ -4452,7 +4452,7 @@ function init() {
       ,pl: '12h'
       ,ru: '12ч'
       ,sk: '12 hod'
-      ,nl: '12 uur'
+      ,nl: '12uur'
       ,ko: '12시간'
       ,zh_cn: '12小时'
       ,zh_tw: '12小時'
@@ -4475,7 +4475,7 @@ function init() {
       ,pl: '24h'
       ,ru: '24ч'
       ,sk: '24 hod'
-      ,nl: '24 uur'
+      ,nl: '24uur'
       ,ko: '24시간'
       ,zh_cn: '24小时'
       ,zh_tw: '24小時'

diff --git a/lib/middleware/express-extension-to-accept.js b/lib/middleware/express-extension-to-accept.js
@@ -0,0 +1,41 @@
+var mime = require('mime')
+var url = require('url')
+
+module.exports = function (formats) {
+  if (!Array.isArray(formats))
+    throw new TypeError('Formats must be an array.')
+
+  var getType = Object.create(null)
+
+  formats.forEach(function (format) {
+    if (!/^\w+$/.test(format))
+      throw new TypeError('Invalid format - must be a word.')
+
+    var type = getType[format] = mime.getType(format)
+    if (!type || type === 'application/octet-stream')
+      throw new Error('Invalid format.')
+  })
+
+  var regexp = new RegExp('\.(' + formats.join('|') + ')$', 'i')
+
+  return function (req, res, next) {
+    var match = req.path.match(regexp)
+    if (!match)
+      return next()
+    var type = getType[match[1]]
+    if (!type)
+      return next()
+
+    req.extToAccept = {
+      url: req.url,
+      accept: req.headers.accept
+    }
+
+    req.headers.accept = type
+    var parsed = url.parse(req.url)
+    parsed.pathname = req.path.replace(regexp, '')
+    req.url = url.format(parsed)
+
+    next()
+  }
+}
diff --git a/lib/middleware/index.js b/lib/middleware/index.js
@@ -7,7 +7,7 @@ var wares = {
 };
 
 function extensions (list) {
-  return require('express-extension-to-accept')(list);
+  return require('./express-extension-to-accept')(list);
 }
 
 function configure (env) {
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		web: ./node_modules/.bin/forever --minUptime 100 -c node server.js
		web: node server.js