diff --git a/AUTHORS b/AUTHORS index ad3066625fc9c..6e8890bc3c0e3 100644 --- a/AUTHORS +++ b/AUTHORS @@ -708,3 +708,5 @@ Sandra Tatarevićová Antoine du Hamel Assaf Sapir Lukas Spieß +Jim Fisher +Xavier Guimard diff --git a/CHANGELOG.md b/CHANGELOG.md index da56d107e1fd9..2541e49d03d34 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## 6.14.11 (2021-01-07) +### DEPENDENCIES + +* [`19108ca5b`](https://github.com/npm/cli/commit/19108ca5be1b3e7e9787dac3131aafe2722c6218) + `ini@1.3.8`: + * addressing [`CVE-2020-7788`](https://github.com/advisories/GHSA-qqgx-2p2h-9c37) +* [`7a0574074`](https://github.com/npm/cli/commit/7a05740743ac9d9229e2dc9e1b9ca8b57d58c789) + `bl@3.0.1` + * addressing [`CVE-2020-8244`](https://github.com/advisories/GHSA-pp7h-53gx-mx7r) + ## 6.14.10 (2020-12-18) ### DEPENDENCIES diff --git a/docs/src/components/FoundTypo.js b/docs/src/components/FoundTypo.js index 5aca0894934dc..39877c402d833 100644 --- a/docs/src/components/FoundTypo.js +++ b/docs/src/components/FoundTypo.js @@ -13,8 +13,8 @@ const FoundTypo = () => {

👀 Found a typo? Let us know!

The current stable version of npm is here. To upgrade, run: npm install npm@latest -g

- To report bugs or submit feature requests for the docs, please post here. - Submit npm issues here. + To report bugs or submit feature requests for the docs, please post here. + Submit npm issues here.

)
diff --git a/node_modules/bl/bl.js b/node_modules/bl/bl.js
index e0eef85a3b67c..3e5512790cd77 100644
--- a/node_modules/bl/bl.js
+++ b/node_modules/bl/bl.js
@@ -185,18 +185,22 @@ BufferList.prototype.copy = function copy (dst, dstStart, srcStart, srcEnd) {
 if (bytes > l) {
 this._bufs[i].copy(dst, bufoff, start)
+ bufoff += l
 } else {
 this._bufs[i].copy(dst, bufoff, start, start + bytes)
+ bufoff += l
 break
 }
- bufoff += l
 bytes -= l
 if (start) start = 0
 }
+ // safeguard so that we don't return uninitialized memory
+ if (dst.length > bufoff) return dst.slice(0, bufoff)
+
 return dst
 }
@@ -232,6 +236,11 @@ BufferList.prototype.toString = function toString (encoding, start, end) {
 }
 BufferList.prototype.consume = function consume (bytes) {
+ // first, normalize the argument, in accordance with how Buffer does it
+ bytes = Math.trunc(bytes)
+ // do nothing if not a positive number
+ if (Number.isNaN(bytes) || bytes <= 0) return this
+
 while (this._bufs.length) {
 if (bytes >= this._bufs[0].length) {
 bytes -= this._bufs[0].length
diff --git a/node_modules/bl/package.json b/node_modules/bl/package.json
index 85611a6cb5c47..3dbbf698d2bae 100644
--- a/node_modules/bl/package.json
+++ b/node_modules/bl/package.json
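Review bot: In the `else` branch of the copy hunk the new `bufoff += l` advances the write offset by the whole remaining chunk length `l`, while the preceding `this._bufs[i].copy(dst, bufoff, start, start + bytes)` wrote only `bytes` bytes, so whenever `bytes < l` the offset the new safeguard trusts overstates what was written. With a `dst` allocated to exactly the requested length this appears harmless, because `bufoff` then lands at or past `dst.length` and the whole buffer is returned; with a larger caller-supplied `dst` the `dst.slice(0, bufoff)` would still hand back `l - bytes` bytes that this call never wrote. Using `bufoff += bytes` in that branch keeps the returned length equal to the bytes actually copied. The allocation of `dst` and the rest of copy() lie outside the hunk, so the benign-case reasoning is inferred.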
@@ -1,27 +1,29 @@ { - "_from": "bl@^3.0.0", - "_id": "bl@3.0.0", + "_from": "bl@3.0.1", + "_id": "bl@3.0.1", "_inBundle": false, - "_integrity": "sha512-EUAyP5UHU5hxF8BPT0LKW8gjYLhq1DQIcneOX/pL/m2Alo+OYDQAJlHq+yseMP50Os2nHXOSic6Ss3vSQeyf4A==", + "_integrity": "sha512-jrCW5ZhfQ/Vt07WX1Ngs+yn9BDqPL/gw28S7s9H6QK/gupnizNzJAss5akW20ISgOrbLTlXOOCTJeNUQqruAWQ==", "_location": "/bl", "_phantomChildren": {}, "_requested": { - "type": "range", + "type": "version", "registry": true, - "raw": "bl@^3.0.0", + "raw": "bl@3.0.1", "name": "bl", "escapedName": "bl", - "rawSpec": "^3.0.0", + "rawSpec": "3.0.1", "saveSpec": null, - "fetchSpec": "^3.0.0" + "fetchSpec": "3.0.1" }, "_requiredBy": [ + "#DEV:/", + "#USER", "/tar-stream" ], - "_resolved": "https://registry.npmjs.org/bl/-/bl-3.0.0.tgz", - "_shasum": "3611ec00579fd18561754360b21e9f784500ff88", - "_spec": "bl@^3.0.0", - "_where": "/Users/aeschright/code/cli/node_modules/tar-stream", + "_resolved": "https://registry.npmjs.org/bl/-/bl-3.0.1.tgz", + "_shasum": "1cbb439299609e419b5a74d7fce2f8b37d8e5c6f", + "_spec": "bl@3.0.1", + "_where": "/Users/darcyclarke/Documents/Repos/npm/npm/cli", "authors": [ "Rod Vagg (https://github.com/rvagg)", "Matteo Collina (https://github.com/mcollina)", @@ -58,5 +60,5 @@ "scripts": { "test": "node test/test.js | faucet" }, - "version": "3.0.0" + "version": "3.0.1" } diff --git a/node_modules/bl/test/test.js b/node_modules/bl/test/test.js index 1da0293b6d146..d8e552d8a8148 100644 --- a/node_modules/bl/test/test.js +++ b/node_modules/bl/test/test.js 
@@ -431,6 +431,22 @@ tape('test toString encoding', function (t) {
 t.end()
 })
+tape('uninitialized memory', function (t) {
+ const secret = crypto.randomBytes(256)
+ for (let i = 0; i < 1e6; i++) {
+ const clone = Buffer.from(secret)
+ const bl = new BufferList()
+ bl.append(Buffer.from('a'))
+ bl.consume(-1024)
+ const buf = bl.slice(1)
+ if (buf.indexOf(clone) !== -1) {
+ t.fail(`Match (at ${i})`)
+ break
+ }
+ }
+ t.end()
+})
+
 !process.browser && tape('test stream', function (t) {
 var random = crypto.randomBytes(65534)
 , rndhash = hash(random, 'md5')
diff --git a/node_modules/ini/ini.js b/node_modules/ini/ini.js
index 590195dd31478..b576f08d7a6bb 100644
--- a/node_modules/ini/ini.js
+++ b/node_modules/ini/ini.js
@@ -15,7 +15,7 @@ function encode (obj, opt) {
 if (typeof opt === 'string') {
 opt = {
 section: opt,
- whitespace: false
+ whitespace: false,
 }
 } else {
 opt = opt || {}
@@ -30,27 +30,25 @@ function encode (obj, opt) {
 val.forEach(function (item) {
 out += safe(k + '[]') + separator + safe(item) + '\n'
 })
- } else if (val && typeof val === 'object') {
+ } else if (val && typeof val === 'object')
 children.push(k)
- } else {
+ else
 out += safe(k) + separator + safe(val) + eol
- }
 })
- if (opt.section && out.length) {
+ if (opt.section && out.length)
 out = '[' + safe(opt.section) + ']' + eol + out
- }
 children.forEach(function (k, _, __) {
 var nk = dotSplit(k).join('\\.')
 var section = (opt.section ? opt.section + '.' : '') + nk
 var child = encode(obj[k], {
 section: section,
- whitespace: opt.whitespace
+ whitespace: opt.whitespace,
 })
- if (out.length && child.length) {
+ if (out.length && child.length)
 out += eol
- }
+
 out += child
 })
@@ -62,7 +60,7 @@ function dotSplit (str) {
 .replace(/\\\./g, '\u0001')
 .split(/\./).map(function (part) {
 return part.replace(/\1/g, '\\.')
- .replace(/\2LITERAL\\1LITERAL\2/g, '\u0001')
+ .replace(/\2LITERAL\\1LITERAL\2/g, '\u0001')
 })
 }
@@ -75,15 +73,25 @@ function decode (str) {
 var lines = str.split(/[\r\n]+/g)
 lines.forEach(function (line, _, __) {
- if (!line || line.match(/^\s*[;#]/)) return
+ if (!line || line.match(/^\s*[;#]/))
+ return
 var match = line.match(re)
- if (!match) return
+ if (!match)
+ return
 if (match[1] !== undefined) {
 section = unsafe(match[1])
+ if (section === '__proto__') {
+ // not allowed
+ // keep parsing the section, but don't attach it.
+ p = {}
+ return
+ }
 p = out[section] = out[section] || {}
 return
 }
 var key = unsafe(match[2])
+ if (key === '__proto__')
+ return
 var value = match[3] ? unsafe(match[4]) : true
 switch (value) {
 case 'true':
@@ -94,20 +102,20 @@ function decode (str) {
 // Convert keys with '[]' suffix to an array
 if (key.length > 2 && key.slice(-2) === '[]') {
 key = key.substring(0, key.length - 2)
- if (!p[key]) {
+ if (key === '__proto__')
+ return
+ if (!p[key])
 p[key] = []
- } else if (!Array.isArray(p[key])) {
+ else if (!Array.isArray(p[key]))
 p[key] = [p[key]]
- }
 }
 // safeguard against resetting a previously defined
 // array by accidentally forgetting the brackets
- if (Array.isArray(p[key])) {
+ if (Array.isArray(p[key]))
 p[key].push(value)
- } else {
+ else
 p[key] = value
- }
 })
 // {a:{y:1},"a.b":{x:2}} --> {a:{y:1,b:{x:2}}}
@@ -115,9 +123,9 @@ function decode (str) {
 Object.keys(out).filter(function (k, _, __) {
 if (!out[k] ||
 typeof out[k] !== 'object' ||
- Array.isArray(out[k])) {
+ Array.isArray(out[k]))
 return false
- }
+
 // see if the parent section is also an object.
 // if so, add it to that, and mark this one for deletion
 var parts = dotSplit(k)
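Review bot: The new `__proto__` checks compare the section and key names only, while the context line `p = out[section] = out[section] || {}` still resolves `out[section]` through the prototype chain of the plain object `out` that decode builds (its `var out = {}` sits above the hunk), so a section whose name matches a property inherited from Object.prototype yields that inherited value as `p`, and every following key of the section is assigned onto it rather than onto a fresh object; `if (!p[key])` and `Array.isArray(p[key])` in the second hunk read `p[key]` the same way. Guarding the lookup with an own-property test, `p = out[section] = Object.prototype.hasOwnProperty.call(out, section) ? out[section] : {}`, or creating `out` and each section object with `Object.create(null)`, closes that path without changing the accepted syntax. The dotted-section merge in the following hunk (`if (!p[part] || typeof p[part] !== 'object') p[part] = {}`) performs the same inherited-aware lookup and would want the same guard. This is inferred from the visible context; decode's body begins and ends outside the hunk.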
@@ -125,12 +133,15 @@ function decode (str) {
 var l = parts.pop()
 var nl = l.replace(/\\\./g, '.')
 parts.forEach(function (part, _, __) {
- if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+ if (part === '__proto__')
+ return
+ if (!p[part] || typeof p[part] !== 'object')
+ p[part] = {}
 p = p[part]
 })
- if (p === out && nl === l) {
+ if (p === out && nl === l)
 return false
- }
+
 p[nl] = out[k]
 return true
 }).forEach(function (del, _, __) {
@@ -152,18 +163,20 @@ function safe (val) {
 (val.length > 1 && isQuoted(val)) ||
 val !== val.trim())
- ? JSON.stringify(val)
- : val.replace(/;/g, '\\;').replace(/#/g, '\\#')
+ ? JSON.stringify(val)
+ : val.replace(/;/g, '\\;').replace(/#/g, '\\#')
 }
 function unsafe (val, doUnesc) {
 val = (val || '').trim()
 if (isQuoted(val)) {
 // remove the single quotes before calling JSON.parse
- if (val.charAt(0) === "'") {
+ if (val.charAt(0) === "'")
 val = val.substr(1, val.length - 2)
- }
- try { val = JSON.parse(val) } catch (_) {}
+
+ try {
+ val = JSON.parse(val)
+ } catch (_) {}
 } else {
 // walk the val to find the first not-escaped ; character
 var esc = false
@@ -171,23 +184,22 @@ function unsafe (val, doUnesc) {
 for (var i = 0, l = val.length; i < l; i++) {
 var c = val.charAt(i)
 if (esc) {
- if ('\\;#'.indexOf(c) !== -1) {
+ if ('\\;#'.indexOf(c) !== -1)
 unesc += c
- } else {
+ else
 unesc += '\\' + c
- }
+
 esc = false
- } else if (';#'.indexOf(c) !== -1) {
+ } else if (';#'.indexOf(c) !== -1)
 break
- } else if (c === '\\') {
+ else if (c === '\\')
 esc = true
- } else {
+ else
 unesc += c
- }
 }
- if (esc) {
+ if (esc)
 unesc += '\\'
- }
+
 return unesc.trim()
 }
 return val
diff --git a/node_modules/ini/package.json b/node_modules/ini/package.json
index e2d4423dcf76d..80ec6c26a95a2 100644
--- a/node_modules/ini/package.json
+++ b/node_modules/ini/package.json
@@ -1,35 +1,33 @@ { - "_args": [ - [ - "ini@1.3.5", - "/Users/rebecca/code/npm" - ] - ], - "_from": "ini@1.3.5", - "_id": "ini@1.3.5", + "_from": "ini@1.3.8", + "_id": "ini@1.3.8", "_inBundle": false, - "_integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==", + "_integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==", "_location": "/ini", "_phantomChildren": {}, "_requested": { "type": "version", "registry": true, - "raw": "ini@1.3.5", + "raw": "ini@1.3.8", "name": "ini", "escapedName": "ini", - "rawSpec": "1.3.5", + "rawSpec": "1.3.8", "saveSpec": null, - "fetchSpec": "1.3.5" + "fetchSpec": "1.3.8" }, "_requiredBy": [ + "#USER", "/", "/config-chain", "/global-dirs", + "/libcipm", + "/libnpmconfig", "/rc" ], - "_resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz", - "_spec": "1.3.5", - "_where": "/Users/rebecca/code/npm", + "_resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", + "_shasum": "a29da425b48806f34767a4efce397269af28432c", + "_spec": "ini@1.3.8", + "_where": "/Users/darcyclarke/Documents/Repos/npm/npm/cli", "author": { "name": "Isaac Z. Schlueter", "email": "i@izs.me", @@ -38,14 +36,16 @@ "bugs": { "url": "https://github.com/isaacs/ini/issues" }, - "dependencies": {}, + "bundleDependencies": false, + "deprecated": false, "description": "An ini encoder/decoder for node", "devDependencies": { - "standard": "^10.0.3", - "tap": "^10.7.3 || 11" - }, - "engines": { - "node": "*" + "eslint": "^7.9.0", + "eslint-plugin-import": "^2.22.0", + "eslint-plugin-node": "^11.1.0", + "eslint-plugin-promise": "^4.2.1", + "eslint-plugin-standard": "^4.0.1", + "tap": "14" }, "files": [ "ini.js" 
@@ -59,11 +59,14 @@ "url": "git://github.com/isaacs/ini.git" }, "scripts": { - "postpublish": "git push origin --all; git push origin --tags", + "eslint": "eslint", + "lint": "npm run eslint -- ini.js test/*.js", + "lintfix": "npm run lint -- --fix", + "posttest": "npm run lint", "postversion": "npm publish", - "pretest": "standard ini.js", + "prepublishOnly": "git push origin --follow-tags", "preversion": "npm test", - "test": "tap test/*.js --100 -J" + "test": "tap" }, - "version": "1.3.5" + "version": "1.3.8" } diff --git a/package-lock.json b/package-lock.json index 03b1840f0dcf9..dcb81c9349668 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "npm", - "version": "6.14.10", + "version": "6.14.11", "lockfileVersion": 1, "requires": true, "dependencies": { @@ -440,9 +440,9 @@ "dev": true }, "bl": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/bl/-/bl-3.0.0.tgz", - "integrity": "sha512-EUAyP5UHU5hxF8BPT0LKW8gjYLhq1DQIcneOX/pL/m2Alo+OYDQAJlHq+yseMP50Os2nHXOSic6Ss3vSQeyf4A==", + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/bl/-/bl-3.0.1.tgz", + "integrity": "sha512-jrCW5ZhfQ/Vt07WX1Ngs+yn9BDqPL/gw28S7s9H6QK/gupnizNzJAss5akW20ISgOrbLTlXOOCTJeNUQqruAWQ==", "dev": true, "requires": { "readable-stream": "^3.0.1" @@ -2419,9 +2419,9 @@ "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "ini": { - "version": "1.3.5", - "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz", - "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==" + "version": "1.3.8", + "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", + "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==" }, "init-package-json": { "version": "1.10.3", diff --git a/package.json b/package.json index d08c066bdc3ed..fdbb33e23cd53 100644 --- a/package.json 
+++ b/package.json @@ -1,5 +1,5 @@ { - "version": "6.14.10", + "version": "6.14.11", "name": "npm", "description": "a package manager for JavaScript", "keywords": [ @@ -68,7 +68,7 @@ "infer-owner": "^1.0.4", "inflight": "~1.0.6", "inherits": "^2.0.4", - "ini": "^1.3.5", + "ini": "^1.3.8", "init-package-json": "^1.10.3", "is-cidr": "^3.0.0", "json-parse-better-errors": "^1.0.2", @@ -275,6 +275,7 @@ "write-file-atomic" ], "devDependencies": { + "bl": "^3.0.1", "deep-equal": "^1.0.1", "get-stream": "^4.1.0", "licensee": "^7.0.3", diff --git a/test/tap/legacy-platform-all.js b/test/tap/legacy-platform-all.js index 01c7be7ec1c86..de7e635a0d1a6 100644 --- a/test/tap/legacy-platform-all.js +++ b/test/tap/legacy-platform-all.js @@ -36,6 +36,9 @@ var fixture = new Tacks( 'arm64', 'mips', 'ia32', + 'ppc64', + 'ppc64el', + 's390x', 'x64', 'sparc' ]