Fix dependabot vulnerabilities
This adds some forced resolutions to ensure that vulnerable versions of packages are not installed.
parent
14deaf67e9
commit
ae97d8f96d
81 changed files with 727 additions and 7406 deletions
141
node_modules/normalize-url/index.js
generated
vendored
141
node_modules/normalize-url/index.js
generated
vendored
|
|
@ -1,31 +1,24 @@
|
|||
'use strict';
|
||||
// TODO: Use the `URL` global when targeting Node.js 10
|
||||
const URLParser = typeof URL === 'undefined' ? require('url').URL : URL;
|
||||
|
||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs
|
||||
const DATA_URL_DEFAULT_MIME_TYPE = 'text/plain';
|
||||
const DATA_URL_DEFAULT_CHARSET = 'us-ascii';
|
||||
|
||||
const testParameter = (name, filters) => {
|
||||
return filters.some(filter => filter instanceof RegExp ? filter.test(name) : filter === name);
|
||||
};
|
||||
const testParameter = (name, filters) => filters.some(filter => filter instanceof RegExp ? filter.test(name) : filter === name);
|
||||
|
||||
const normalizeDataURL = (urlString, {stripHash}) => {
|
||||
const parts = urlString.match(/^data:(.*?),(.*?)(?:#(.*))?$/);
|
||||
const match = /^data:(?<type>[^,]*?),(?<data>[^#]*?)(?:#(?<hash>.*))?$/.exec(urlString);
|
||||
|
||||
if (!parts) {
|
||||
if (!match) {
|
||||
throw new Error(`Invalid URL: ${urlString}`);
|
||||
}
|
||||
|
||||
const mediaType = parts[1].split(';');
|
||||
const body = parts[2];
|
||||
const hash = stripHash ? '' : parts[3];
|
||||
|
||||
let base64 = false;
|
||||
let {type, data, hash} = match.groups;
|
||||
const mediaType = type.split(';');
|
||||
hash = stripHash ? '' : hash;
|
||||
|
||||
let isBase64 = false;
|
||||
if (mediaType[mediaType.length - 1] === 'base64') {
|
||||
mediaType.pop();
|
||||
base64 = true;
|
||||
isBase64 = true;
|
||||
}
|
||||
|
||||
// Lowercase MIME type
|
||||
|
|
@ -48,21 +41,21 @@ const normalizeDataURL = (urlString, {stripHash}) => {
|
|||
.filter(Boolean);
|
||||
|
||||
const normalizedMediaType = [
|
||||
...attributes
|
||||
...attributes,
|
||||
];
|
||||
|
||||
if (base64) {
|
||||
if (isBase64) {
|
||||
normalizedMediaType.push('base64');
|
||||
}
|
||||
|
||||
if (normalizedMediaType.length !== 0 || (mimeType && mimeType !== DATA_URL_DEFAULT_MIME_TYPE)) {
|
||||
if (normalizedMediaType.length > 0 || (mimeType && mimeType !== DATA_URL_DEFAULT_MIME_TYPE)) {
|
||||
normalizedMediaType.unshift(mimeType);
|
||||
}
|
||||
|
||||
return `data:${normalizedMediaType.join(';')},${base64 ? body.trim() : body}${hash ? `#${hash}` : ''}`;
|
||||
return `data:${normalizedMediaType.join(';')},${isBase64 ? data.trim() : data}${hash ? `#${hash}` : ''}`;
|
||||
};
|
||||
|
||||
const normalizeUrl = (urlString, options) => {
|
||||
export default function normalizeUrl(urlString, options) {
|
||||
options = {
|
||||
defaultProtocol: 'http:',
|
||||
normalizeProtocol: true,
|
||||
|
|
@ -70,27 +63,16 @@ const normalizeUrl = (urlString, options) => {
|
|||
forceHttps: false,
|
||||
stripAuthentication: true,
|
||||
stripHash: false,
|
||||
stripTextFragment: true,
|
||||
stripWWW: true,
|
||||
removeQueryParameters: [/^utm_\w+/i],
|
||||
removeTrailingSlash: true,
|
||||
removeSingleSlash: true,
|
||||
removeDirectoryIndex: false,
|
||||
sortQueryParameters: true,
|
||||
...options
|
||||
...options,
|
||||
};
|
||||
|
||||
// TODO: Remove this at some point in the future
|
||||
if (Reflect.has(options, 'normalizeHttps')) {
|
||||
throw new Error('options.normalizeHttps is renamed to options.forceHttp');
|
||||
}
|
||||
|
||||
if (Reflect.has(options, 'normalizeHttp')) {
|
||||
throw new Error('options.normalizeHttp is renamed to options.forceHttps');
|
||||
}
|
||||
|
||||
if (Reflect.has(options, 'stripFragment')) {
|
||||
throw new Error('options.stripFragment is renamed to options.stripHash');
|
||||
}
|
||||
|
||||
urlString = urlString.trim();
|
||||
|
||||
// Data URL
|
||||
|
|
@ -98,6 +80,10 @@ const normalizeUrl = (urlString, options) => {
|
|||
return normalizeDataURL(urlString, options);
|
||||
}
|
||||
|
||||
if (/^view-source:/i.test(urlString)) {
|
||||
throw new Error('`view-source:` is not supported as it is a non-standard protocol');
|
||||
}
|
||||
|
||||
const hasRelativeProtocol = urlString.startsWith('//');
|
||||
const isRelativeUrl = !hasRelativeProtocol && /^\.*\//.test(urlString);
|
||||
|
||||
|
|
@ -106,47 +92,43 @@ const normalizeUrl = (urlString, options) => {
|
|||
urlString = urlString.replace(/^(?!(?:\w+:)?\/\/)|^\/\//, options.defaultProtocol);
|
||||
}
|
||||
|
||||
const urlObj = new URLParser(urlString);
|
||||
const urlObject = new URL(urlString);
|
||||
|
||||
if (options.forceHttp && options.forceHttps) {
|
||||
throw new Error('The `forceHttp` and `forceHttps` options cannot be used together');
|
||||
}
|
||||
|
||||
if (options.forceHttp && urlObj.protocol === 'https:') {
|
||||
urlObj.protocol = 'http:';
|
||||
if (options.forceHttp && urlObject.protocol === 'https:') {
|
||||
urlObject.protocol = 'http:';
|
||||
}
|
||||
|
||||
if (options.forceHttps && urlObj.protocol === 'http:') {
|
||||
urlObj.protocol = 'https:';
|
||||
if (options.forceHttps && urlObject.protocol === 'http:') {
|
||||
urlObject.protocol = 'https:';
|
||||
}
|
||||
|
||||
// Remove auth
|
||||
if (options.stripAuthentication) {
|
||||
urlObj.username = '';
|
||||
urlObj.password = '';
|
||||
urlObject.username = '';
|
||||
urlObject.password = '';
|
||||
}
|
||||
|
||||
// Remove hash
|
||||
if (options.stripHash) {
|
||||
urlObj.hash = '';
|
||||
urlObject.hash = '';
|
||||
} else if (options.stripTextFragment) {
|
||||
urlObject.hash = urlObject.hash.replace(/#?:~:text.*?$/i, '');
|
||||
}
|
||||
|
||||
// Remove duplicate slashes if not preceded by a protocol
|
||||
if (urlObj.pathname) {
|
||||
// TODO: Use the following instead when targeting Node.js 10
|
||||
// `urlObj.pathname = urlObj.pathname.replace(/(?<!https?:)\/{2,}/g, '/');`
|
||||
urlObj.pathname = urlObj.pathname.replace(/((?!:).|^)\/{2,}/g, (_, p1) => {
|
||||
if (/^(?!\/)/g.test(p1)) {
|
||||
return `${p1}/`;
|
||||
}
|
||||
|
||||
return '/';
|
||||
});
|
||||
if (urlObject.pathname) {
|
||||
urlObject.pathname = urlObject.pathname.replace(/(?<!\b[a-z][a-z\d+\-.]{1,50}:)\/{2,}/g, '/');
|
||||
}
|
||||
|
||||
// Decode URI octets
|
||||
if (urlObj.pathname) {
|
||||
urlObj.pathname = decodeURI(urlObj.pathname);
|
||||
if (urlObject.pathname) {
|
||||
try {
|
||||
urlObject.pathname = decodeURI(urlObject.pathname);
|
||||
} catch {}
|
||||
}
|
||||
|
||||
// Remove directory index
|
||||
|
|
@ -155,51 +137,62 @@ const normalizeUrl = (urlString, options) => {
|
|||
}
|
||||
|
||||
if (Array.isArray(options.removeDirectoryIndex) && options.removeDirectoryIndex.length > 0) {
|
||||
let pathComponents = urlObj.pathname.split('/');
|
||||
let pathComponents = urlObject.pathname.split('/');
|
||||
const lastComponent = pathComponents[pathComponents.length - 1];
|
||||
|
||||
if (testParameter(lastComponent, options.removeDirectoryIndex)) {
|
||||
pathComponents = pathComponents.slice(0, pathComponents.length - 1);
|
||||
urlObj.pathname = pathComponents.slice(1).join('/') + '/';
|
||||
pathComponents = pathComponents.slice(0, -1);
|
||||
urlObject.pathname = pathComponents.slice(1).join('/') + '/';
|
||||
}
|
||||
}
|
||||
|
||||
if (urlObj.hostname) {
|
||||
if (urlObject.hostname) {
|
||||
// Remove trailing dot
|
||||
urlObj.hostname = urlObj.hostname.replace(/\.$/, '');
|
||||
urlObject.hostname = urlObject.hostname.replace(/\.$/, '');
|
||||
|
||||
// Remove `www.`
|
||||
if (options.stripWWW && /^www\.([a-z\-\d]{2,63})\.([a-z.]{2,5})$/.test(urlObj.hostname)) {
|
||||
// Each label should be max 63 at length (min: 2).
|
||||
// The extension should be max 5 at length (min: 2).
|
||||
if (options.stripWWW && /^www\.(?!www\.)[a-z\-\d]{1,63}\.[a-z.\-\d]{2,63}$/.test(urlObject.hostname)) {
|
||||
// Each label should be max 63 at length (min: 1).
|
||||
// Source: https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names
|
||||
urlObj.hostname = urlObj.hostname.replace(/^www\./, '');
|
||||
// Each TLD should be up to 63 characters long (min: 2).
|
||||
// It is technically possible to have a single character TLD, but none currently exist.
|
||||
urlObject.hostname = urlObject.hostname.replace(/^www\./, '');
|
||||
}
|
||||
}
|
||||
|
||||
// Remove query unwanted parameters
|
||||
if (Array.isArray(options.removeQueryParameters)) {
|
||||
for (const key of [...urlObj.searchParams.keys()]) {
|
||||
for (const key of [...urlObject.searchParams.keys()]) {
|
||||
if (testParameter(key, options.removeQueryParameters)) {
|
||||
urlObj.searchParams.delete(key);
|
||||
urlObject.searchParams.delete(key);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (options.removeQueryParameters === true) {
|
||||
urlObject.search = '';
|
||||
}
|
||||
|
||||
// Sort query parameters
|
||||
if (options.sortQueryParameters) {
|
||||
urlObj.searchParams.sort();
|
||||
urlObject.searchParams.sort();
|
||||
}
|
||||
|
||||
if (options.removeTrailingSlash) {
|
||||
urlObj.pathname = urlObj.pathname.replace(/\/$/, '');
|
||||
urlObject.pathname = urlObject.pathname.replace(/\/$/, '');
|
||||
}
|
||||
|
||||
// Take advantage of many of the Node `url` normalizations
|
||||
urlString = urlObj.toString();
|
||||
const oldUrlString = urlString;
|
||||
|
||||
// Remove ending `/`
|
||||
if ((options.removeTrailingSlash || urlObj.pathname === '/') && urlObj.hash === '') {
|
||||
// Take advantage of many of the Node `url` normalizations
|
||||
urlString = urlObject.toString();
|
||||
|
||||
if (!options.removeSingleSlash && urlObject.pathname === '/' && !oldUrlString.endsWith('/') && urlObject.hash === '') {
|
||||
urlString = urlString.replace(/\/$/, '');
|
||||
}
|
||||
|
||||
// Remove ending `/` unless removeSingleSlash is false
|
||||
if ((options.removeTrailingSlash || urlObject.pathname === '/') && urlObject.hash === '' && options.removeSingleSlash) {
|
||||
urlString = urlString.replace(/\/$/, '');
|
||||
}
|
||||
|
||||
|
|
@ -214,8 +207,4 @@ const normalizeUrl = (urlString, options) => {
|
|||
}
|
||||
|
||||
return urlString;
|
||||
};
|
||||
|
||||
module.exports = normalizeUrl;
|
||||
// TODO: Remove this for the next major release
|
||||
module.exports.default = normalizeUrl;
|
||||
}
|
||||
|
|
|
|||