[Snyk] Upgrade http-server from 0.9.0 to 0.13.0 #5

snyk-bot · 2023-05-28T09:18:22Z

Snyk has created this PR to upgrade http-server from 0.9.0 to 0.13.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 9 versions ahead of your current version.
The recommended version was released 2 years ago, on 2021-08-07.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Denial of Service (DoS) SNYK-JS-ECSTATIC-540354	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept
Prototype Poisoning SNYK-JS-QS-3153490	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept
Prototype Override Protection Bypass npm:qs:20170213	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
Open Redirect SNYK-JS-ECSTATIC-174543	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
Denial of Service (DoS) npm:ecstatic:20160809	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
Prototype Pollution SNYK-JS-MINIMIST-559764	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept
Prototype Pollution SNYK-JS-MINIMIST-2429795	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: http-server

0.13.0 - 2021-08-07
A long time coming, the next major release for http-server! This will be the final release before a switch to actual semantic versioning. This release's major achievement is the internalization of the functionality of the now-abandoned ecstatic library, thus removing it as a dependency. Huge thanks to @ zbynek for help on that front, as well as several other included changes.

Breaking changes:
- No longer sends the header server: http-server-${version} with every response
New features:
- All responses include Accept-Ranges: bytes to advertise support for partial requests
Fixes
- Removes dependency on the abandoned ecstatic library
- Dependency upgrades to fix several security alerts
- http-server -a 0.0.0.0 will now do what you told it to do, rather than overriding the address to 127.0.0.1
- Will no longer serve binary files with a charset in the Content-Type, fixing serving WebAssembly files, among other issues
- Support .mjs MimeType correctly
Internal
- Switched from Travis to GH Actions for CI
0.12.3 - 2020-04-27
Patch release to package man page
0.12.2 - 2020-04-27
In this release we:
- Move from optimist to minimist
- Add a man page
- Update README screenshots
- Fix a couple miscellaneous bugs
0.12.1 - 2020-01-08
0.12.1
0.12.0 - 2019-11-26
0.12.0
0.11.2 - 2021-08-07
Upgrades several dependencies to avoid security vulnerabilities, especially as mentioned in #707.
0.11.1 - 2018-01-10
Bumping version to deal with npm line ending
issues.
0.11.0 - 2018-01-09
[dist] Version bump. 0.11.0
0.10.0 - 2017-05-01
- add -g (or --gzip) parameter to serve .gz files when available b456b77
- update ecstatic to 2.0.0 5da2392
- use safe colors in console test output a3ace13 0da0e1b
- update portfinder to 1.0.13 989fa1c
0.9.0 - 2016-02-19
Version 0.9.0