This repository has been archived by the owner on Feb 5, 2022. It is now read-only.

fix(deps): update dependency loopback to v2.42.0 [security] #26

Merged

renovate merged 1 commit into master from renovate/npm-loopback-vulnerability

Sep 22, 2021

renovate bot commented Jan 23, 2021 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
loopback (source)	`2.19.0` -> `2.42.0`

GitHub Vulnerability Alerts

GHSA-8wgc-jjvv-cv6v

Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges.

Recommendation

For loopback 2.x, upgrade to version 2.40.0 or later
For loopback 3.x, upgrade to version 3.22.0 or later

GHSA-724c-6vrf-99rq

Versions of loopback prior to 3.26.0 (3.x) and 2.42.0 (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft.

Recommendation

If you're using loopback 3.x upgrade to version 3.26.0 or later.
If you're using loopback 2.x upgrade to version 2.42.0 or later.

Release Notes

strongloop/loopback

`v2.42.0`

`v2.41.2`

`v2.41.1`

`v2.41.0`

`v2.40.0`

`v2.39.2`

`v2.39.1`

`v2.39.0`

`v2.38.3`

`v2.38.2`

`v2.38.1`

loopback 2.38.1 (LTS)

Improve "filter" arg description

Add an example showing how to serialize object values as JSON.

Fix creation of verification links

Fix User.prototype.verify to call querystring.stringify instead of concatenating query-string components directly.

In particular, this fixes the bug where options.redirect containing a hash fragment like #/home?arg1=value1&arg2=value2 produced incorrect URL, because the redirect value was not correctly encoded.

Include link to docs in logoutSessions warning

Make it easy for people encountering the long warning about "logoutSessionsOnSensitiveChanges" to find the relevant information in our documentation.

Pull request https://github.com/strongloop/loopback/pull/3193

Preserve sessions on `User.save()` making no changes

Fix session-invalidation code to correctly recognize the case when User.save() was called but neither password nor email was changed.

Modify the code detecting whether logoutSessionsOnSensitiveChanges is enabled to correctly handle the case when the model is not attached to any application, as is the case with loopback-component-passport tests.

Fix logout to handle missing or unknown accessToken

Return 401 when the request does not provide any accessToken argument or the token was not found.

Also simplify the implementation of the logout method to make only a single database call (deleteById) instead of findById + delete.

Role model: resolve related models by name

Resolve models related to the Role model by name instead of class instance. This allows to use localRegistry in app without monkeypatching Role manually.

When loading the Role model into a custom registry (e.g. by setting localRegistry to true when instantiating the app object), static roles can not be resolved because the RoleMapping model used inside static methods (e.g. Role.isInRole()) is loaded into a different registry (i.e. loopback) and thus not attached to any dataSource. The patch changed code resolving models related to the Role model to use model name instead of a global model constructor, which leads to them being resolved from the same registry that Role is loaded in as well.

Fix User methods to use correct Primary Key

Do not use hard-coded "id" property name, call idName() to get the name of the PK property.

Pull request https://github.com/strongloop/loopback/pull/3129

strong-remoting 2.33.0 (LTS)

See https://github.com/strongloop/strong-remoting/releases/tag/v2.33.0

Enable remote methods to be disabled by alias

Fix disableMethodByName method to allow callers to specify one of method aliases instead of the "canonical" name. For example, disable the method removeById by calling disableMethodByName('destroyById').

Issue https://github.com/strongloop/loopback/issues/1936
Pull request https://github.com/strongloop/strong-remoting/pull/395
Backport of https://github.com/strongloop/strong-remoting/pull/385

Fix content-type reported by the built-in error handler

When a remote method sets a custom content-type (e.g. image/jpeg) and then fails, the content-type is reset back to application/json now, in order to match the body contents.

Pull request https://github.com/strongloop/strong-remoting/pull/390

Convert object query params to JSON in outgoing requests

When invoking a remote method via strong-remoting, fix the code building query string parameters to correctly handle edge cases like a deeply-nested empty-array value.

Consider the following invocation:

Model.find({where: {id: {inq: []}}})

Before the fix, an empty argument value was sent.

strong-remoting is sending the correct argument value now.

loopback-datasource-juggler 2.54.1 (LTS)

See https://github.com/strongloop/loopback-datasource-juggler/releases/tag/v2.54.1

Fix datasource to report connector-loading errors

When resolving full connector path, all errors used to be ignored. As a result, when the connector was installed but not correctly built (e.g. loopback-connector-db2 which uses a native addon), a very confusing message was reported by LoopBack.

We fixed the code handling require() errors to ignore only MODULE_NOT_FOUND errors that contain the name of the required module.

`v2.38.0`

`v2.37.1`

`v2.37.0`

`v2.36.2`

`v2.36.0`

`v2.35.0`

`v2.34.1`

`v2.34.0`

`v2.33.0`

`v2.32.0`

`v2.31.0`

`v2.30.0`

`v2.29.1`

`v2.29.0`

`v2.28.0`

`v2.27.0`

`v2.26.2`

==========================

Fix bulkUpdate to not trigger rectifyAll (Amir Jafarian)

`v2.26.1`

==========================

PersistedModel: log rectify/rectifyAll triggers (Miroslav Bajtoš)

`v2.26.0`

==========================

change: skip cp lookup on no change (Miroslav Bajtoš)
Change: correctly rectify no-change (Miroslav Bajtoš)
Update model.js (Rand McKinney)
Adding properties description for User Model (David Cheung)
Add case-sensitve email option for User model. (Richard Pringle)

`v2.25.0`

==========================

Fix typo in description of persistedModel.updateAttributes() (Richard Pringle)

`v2.23.0`

==========================

lib/registry: fix findModel for model ctor (Miroslav Bajtoš)
Refer to licenses with a link (Sam Roberts)
Fix user.resetPassword to fail on email not found (Simo Moujami)
Fix typo in doc comment (Rand McKinney)
Do not include redundant ports in verify links (Samuel Gaus)
Set application's id property only if it's empty. (wusuopu)
Check configs for shared method settings (Simon Ho)
Add test fixtures for shared methods (Simon Ho)
Clean up .jshintrc (Simon Ho)
Update comment about user ACL to reflect implementation (Felipe Oliveira Carvalho)

`v2.22.2`

==========================

Use strongloop conventions for licensing (Sam Roberts)
Set package license to MIT (Sam Roberts)

`v2.22.1`

==========================

Fix perf of rectification after updateAttributes (Miroslav Bajtoš)
Update persisted-model.js (Rand McKinney)
Stop NPM license warning (Simon Ho)

`v2.22.0`

==========================

Create stack-removing errorhandler middleware (Richard Walker)
Update README.md (Rand McKinney)
Allow EJS templates to use includes (Samuel Gaus)
Fix options.to assertion message in user.verify (Farid Nouri Neshat)
Upgrade Travis to container-based infrastructure (Miroslav Bajtoš)
fix typo "PeristedModel" (Christoph)

`v2.21.0`

==========================

Add util methods to ACL and clean up related model resolutions (Raymond Feng)
Promisify 'PersistedModel - replication' (Pradnya Baviskar)
Promisify 'Application' model (Pradnya Baviskar)

`v2.20.0`

==========================

Allow methods filter for middleware config (Raymond Feng)
Don't load Bluebird for createPromiseCallback (Miroslav Bajtoš)
fix exit early when password is non-string closes #1437 (Berkeley Martinez)
Promisify User model (Pradnya Baviskar)
Add missing . to user model property descriptions (Richard Walker)

`v2.19.1`

==========================

Disable application model test for karma (Raymond Feng)
Fix jsdocs for methods with where argument (Raymond Feng)
Add link to createChangeStream docs (Ritchie Martori)

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

renovate bot changed the title ~~Update dependency loopback to v2.42.0 [SECURITY]~~ fix(deps): update dependency loopback to v2.42.0 [security]

renovate bot force-pushed the renovate/npm-loopback-vulnerability branch from 36e0859 to f708700 Compare

February 27, 2021 15:50

renovate bot force-pushed the renovate/npm-loopback-vulnerability branch from f708700 to f645e23 Compare

September 22, 2021 13:43


          fix(deps): update dependency loopback to v2.42.0 [security]

e62f50c

renovate bot force-pushed the renovate/npm-loopback-vulnerability branch from f645e23 to e62f50c Compare

September 22, 2021 13:46

renovate bot merged commit d8cd49d into master

renovate bot deleted the renovate/npm-loopback-vulnerability branch

September 22, 2021 16:57

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet