Arthur de Jong

Open Source / Free Software developer

path: root/package-lock.json
Commit message | Author | Age | Files | Lines
* Update NPM packages (HEAD, master) | Arthur de Jong | 2024-02-24 | 1 | -594/+845
  This includes a fix for CVE-2023-42282 in the IP package (because one of the transitive dependencies of node-sass switched to the ip-address module). The node-sass module is only used at build time and nothing in munin-plot does IP address validation so should not have been vulnerable.
* Update NPM packages | Arthur de Jong | 2023-10-08 | 1 | -508/+594
  Includes a fix for CVE-2023-44270 in postcss. The postcss package is only used to build the resulting CSS and as such is not run on untrusted data.
* Update NPM packages | Arthur de Jong | 2023-07-29 | 1 | -113/+251
  Includes the last dependency fix for CVE-2022-25883 (Regular Expression Denial of Service) in semver. Also includes the dependency fix for CVE-2023-26115 (Regular Expression Denial of Service) in word-wrap. Both packages were previously partially fixed in 1aa9d67 but now all dependencies have been updated. Neither package should have run on untrusted data.
* Update NPM packages | Arthur de Jong | 2023-07-09 | 1 | -695/+361
  Includes a partial fix for CVE-2023-26115 (Regular Expression Denial of Service) in word-wrap. While word-wrap was used in the built application the vulnerable version is now only used in a dependency of munin-plot build tools. It should not have been run on any untrusted data. This does not completely fix CVE-2022-25883 (Regular Expression Denial of Service) in semver because of dependency issues. The semver package is only used to build the resulting JavaScript and as such is not run on untrusted data.
* Update NPM packages | Arthur de Jong | 2023-04-29 | 1 | -423/+505
  Includes a fix for CVE-2023-28154 in webpack. This vulnerability does not seem to impact munin-plot because we don't run webpack on untrusted input.
* Update NPM packages | Arthur de Jong | 2023-02-05 | 1 | -153/+298
  Includes a fix for a vulnerability in d3-color (no CVE for GHSA-36jr-mh4h-2g58 has been assigned). Since we only pass data to d3 that is generated by the server-side component this should not affect munin-plot. Also includes a fix for CVE-2022-25881 in http-cache-semantics which does not affect munin-plot because it only affects server-side applications.
* Update NPM packages | Arthur de Jong | 2023-01-03 | 1 | -7441/+702
  This upgrades to version 7 of eslint which results in some minor other changes. Sadly no fix for CVE-2022-46175 in json5 (a transitive dependency of eslint) is available yet. This vulnerability should not affect munin-plot because we don't run eslint on untrusted input. Sadly no fix for a vulnerability in d3-color is available yet (no CVE for GHSA-36jr-mh4h-2g58 has been assigned) because there is not yet a version of plotly.js available that doesn't depend on a version of d3-interpolate that doesn't depend on the vulnerable package. This could affect munin-plot because d3 is used in the web application but we only pass data to d3 (via plotly.js) that is output of the munin-plot server-side component.
* Update NPM packages | Arthur de Jong | 2022-11-20 | 1 | -1237/+964
  Includes fixes for CVE-2022-37601 and CVE-2022-37603 in webpack loader-utils. These vulnerabilities do not seem to impact munin-plot because we don't run webpack on untrusted input. Sadly no fix for a vulnerability in d3-color is available yet (no CVE for GHSA-36jr-mh4h-2g58 has been assigned) because there is not yet a version of plotly.js available that doesn't depend on a version of d3-interpolate that doesn't depend on the vulnerable package. This could affect munin-plot because d3 is used in the web application but we only pass data to d3 (through plotly.js) that is output from the munin-plot server-side component.
* Update NPM packages | Arthur de Jong | 2022-10-08 | 1 | -650/+520
  Includes a fix for CVE-2022-25758 in scss-tokenizer. This vulnerability does not seem to impact munin-plot because we don't run node-sass on untrusted input. Sadly no fix for a vulnerability in d3-color is available yet (no CVE for GHSA-36jr-mh4h-2g58 has been assigned) because there is not yet a version of plotly.js available that doesn't depend on a version of d3-interpolate that doesn't depend on the vulnerable package. This could affect munin-plot because d3 is used in the web application but we only pass data to d3 (through plotly.js) that is output from the munin-plot server-side component.
* Update NPM packages | Arthur de Jong | 2022-07-23 | 1 | -1323/+1475
  Includes a fix for CVE-2022-31160 in jQuery UI. This vulnerability does not seem to impact munin-plot because we don't use radio buttons. Includes a fix for CVE-2022-24785 in Moment.js. This vulnerability does not seem to impact munin-plot because it should only affect server-side JavaScript. Includes a fix for CVE-2022-25858 in terser. This is used by webpack and should not affect munin-plot because it does not run webpack on untrusted input. Sadly no fix for CVE-2022-25758 is available at this time because there is not yet a version of node-sass available that doesn't depend on the scss-tokenizer package (which appears to be unmaintained). Since we don't process untrusted SCSS it should not affect munin-plot.
* Update NPM packages | Arthur de Jong | 2022-03-27 | 1 | -526/+493
  Includes a fix for CVE-2021-44906 in the minimist package which is a transitive dependency of plotly.js.
* Update NPM packages | Arthur de Jong | 2022-01-29 | 1 | -1480/+1492
  Includes fixes for CVE-2021-3807 in the ansi-regex package and CVE-2021-23566 in nanoid, both of which should only be used to build the resulting JavaScript.
* Use pako for compression | Arthur de Jong | 2022-01-03 | 1 | -0/+11
  The Compression Streams API is not yet widely supported in browsers (i.e. is unsupported in Firefox).
* Provide munin-plot source code as download | Arthur de Jong | 2021-12-30 | 1 | -0/+621
  This generates a zip file with the source code of munin-plot as a resource that can be downloaded.
* Update NPM packages | Arthur de Jong | 2021-12-12 | 1 | -812/+1466
* Update NPM packages | Arthur de Jong | 2021-11-06 | 1 | -2890/+398
* Update NPM packages | Arthur de Jong | 2021-10-15 | 1 | -836/+864
  This includes a CSS tweak for a change in Bootstrap.
* Update NPM packages | Arthur de Jong | 2021-09-19 | 1 | -438/+353
* Upgrade to Bootstrap 5 | Arthur de Jong | 2021-09-03 | 1 | -26/+25
  This updates the events that are handled in JavaScript to no longer use jQuery and stops the use of Bootstrap tooltips. Bootstrap introduces slightly different font sizes and we include some changes to padding.
* Update to Plotly.js 2.4 | Arthur de Jong | 2021-09-03 | 1 | -253/+1153
  This includes some changes to import D3 ourselves.
* Update NPM packages | Arthur de Jong | 2021-09-03 | 1 | -210/+268
  Includes fixes for CVE-2021-37713 in the tar npm package (that should not affect us).
* Update NPM packages | Arthur de Jong | 2021-08-13 | 1 | -75/+81
  Includes changes that should have been part of 8cf2053.
* Update NPM packages | Arthur de Jong | 2021-08-10 | 1 | -448/+548
  Includes fixes for CVE-2021-32804 and CVE-2021-32803 in the tar npm package.
* Update some NPM packages | Arthur de Jong | 2021-07-09 | 1 | -2334/+1820
  This includes an update to html-loader that requires a small configuration change. This does not include new major versions of Bootstrap 5 and Plotly.js 2 that are also available.
* Update some NPM packages | Arthur de Jong | 2021-05-02 | 1 | -811/+852
* Update some NPM packages | Arthur de Jong | 2021-01-31 | 1 | -1008/+889
* Update some NPM packages | Arthur de Jong | 2020-12-20 | 1 | -4514/+10810
  Includes a fix for CVE-2020-7788 in the ini npm package. This upgrades to newer eslint and webpack and includes a few fixes for that. Closes https://github.com/arthurdejong/munin-plot/pull/6
* Update some NPM packages | Arthur de Jong | 2020-09-04 | 1 | -513/+486
* Update some NPM packages | Arthur de Jong | 2020-07-22 | 1 | -730/+312
  Closes https://github.com/arthurdejong/munin-plot/pull/5
* Update some NPM packages | Arthur de Jong | 2020-06-20 | 1 | -655/+167
* Update some NPM packages | Arthur de Jong | 2020-06-13 | 1 | -1427/+1156
* Update some NPM packages | Arthur de Jong | 2020-04-10 | 1 | -776/+943
  Closes https://github.com/arthurdejong/munin-plot/pull/3
* Update some NPM packages | Arthur de Jong | 2020-01-19 | 1 | -2414/+2450
* Switch from Open Iconic to Font Awesome | Arthur de Jong | 2019-12-31 | 1 | -35/+24
  The latter has more icons and the former no longer seems to be supported.
* Add navigation bar with date range selector | Arthur de Jong | 2019-12-30 | 1 | -0/+14
  This also adds a few small style tweaks and ensures that webpack does not minimise development builds.
* Use ESLint to check code style | Arthur de Jong | 2019-12-30 | 1 | -200/+1391
* Use webpack to build JavaScript part | Arthur de Jong | 2019-12-30 | 1 | -0/+10413
  This uses npm to install the required packages and builds the files with webpack.