From c0a071a8dffc05943e8ba00b4b5fd43e231ebaf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Marqu=C3=ADnez=20Prado?= <25435858+inigomarquinez@users.noreply.github.com> Date: Tue, 14 May 2024 18:25:22 +0200 Subject: [PATCH 01/32] chore: add support for OSSF scorecard reporting (#163) PR-URL: https://github.com/expressjs/serve-static/pull/163 --- .github/workflows/scorecard.yml | 70 +++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..0b5ddcc --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,70 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security + +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '16 21 * * 1' + push: + branches: [ "master" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. 
+ # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 + with: + sarif_file: results.sarif From 89fc94567fae632718a2157206c52654680e9d01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Marqu=C3=ADnez=20Prado?= <25435858+inigomarquinez@users.noreply.github.com> Date: Tue, 14 May 2024 19:27:08 +0200 Subject: [PATCH 02/32] ci: fix errors in ci github action for node 8 and 9 (#164) PR-URL: https://github.com/expressjs/serve-static/pull/164 --- .github/workflows/ci.yml | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2eaea5a..26db995 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,6 +30,11 @@ jobs: - Node.js 15.x - Node.js 16.x - Node.js 17.x + - Node.js 18.x + - Node.js 19.x + - Node.js 20.x + - Node.js 21.x + - Node.js 22.x include: - name: Node.js 0.8 @@ -75,11 +80,11 @@ jobs: - name: Node.js 8.x node-version: "8.16" - npm-i: mocha@7.2.0 + npm-i: mocha@7.2.0 nyc@14.1.1 - name: Node.js 9.x node-version: "9.11" - npm-i: mocha@7.2.0 + npm-i: mocha@7.2.0 nyc@14.1.1 - name: Node.js 10.x node-version: "10.24" 
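Review bot: The version comment on the checkout pin in scorecard.yml, `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2`, disagrees with codeql.yml later in this series, which labels the same SHA `# v4.1.1`. One of the two comments is wrong and should be corrected, because the comment is the only human-readable check on what a pinned SHA contains. The "Upload to code-scanning" step also pins the v2 line of the CodeQL action (`# v2.23.2`) while codeql.yml pins v3.24.7 for `init` and `analyze`. I would align it as `uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7` so both workflows upload SARIF through one reviewed version.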
@@ -107,8 +112,23 @@ jobs: - name: Node.js 17.x node-version: "17.8" + - name: Node.js 18.x + node-version: "18.14" + + - name: Node.js 19.x + node-version: "19.6" + + - name: Node.js 20.x + node-version: "20.12" + + - name: Node.js 21.x + node-version: "21.7" + + - name: Node.js 22.x + node-version: "22.0" + steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Install Node.js ${{ matrix.node-version }} shell: bash -eo pipefail -l {0} @@ -123,7 +143,12 @@ jobs: dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - name: Configure npm - run: npm config set shrinkwrap false + run: | + if [[ "$(npm config get package-lock)" == "true" ]]; then + npm config set package-lock false + else + npm config set shrinkwrap false + fi - name: Remove npm module(s) ${{ matrix.npm-rm }} run: npm rm --silent --save-dev ${{ matrix.npm-rm }} @@ -182,7 +207,7 @@ jobs: needs: test runs-on: ubuntu-latest steps: - - name: Uploade code coverage + - name: Upload code coverage uses: coverallsapp/github-action@master with: github-token: ${{ secrets.github_token }} From 2d267cb1c19e7a6d4c3995a550c6af887df4ad09 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sat, 5 Feb 2022 00:44:26 -0500 Subject: [PATCH 03/32] Drop support for Node.js 0.8 --- .github/workflows/ci.yml | 24 +----------------------- HISTORY.md | 5 +++++ appveyor.yml | 11 ++--------- package.json | 2 +- 4 files changed, 9 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 26db995..4e524e1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,6 @@ jobs: strategy: matrix: name: - - Node.js 0.8 - Node.js 0.10 - Node.js 0.12 - io.js 1.x @@ -37,11 +36,6 @@ jobs: - Node.js 22.x include: - - name: Node.js 0.8 - node-version: "0.8" - npm-i: mocha@2.5.3 supertest@1.1.0 - npm-rm: nyc - - name: Node.js 0.10 node-version: "0.10" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 
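Review bot: In the last ci.yml hunk the renamed "Upload code coverage" step still runs `coverallsapp/github-action@master`, a mutable branch ref, and passes it `secrets.github_token`. The steps hunk likewise bumps checkout to the movable tag `actions/checkout@v4`, whereas scorecard.yml, added one patch earlier, pins every action to a full commit SHA with a version comment. I would pin these the same way, for example `uses: coverallsapp/github-action@<full-commit-sha> # <version>`, and apply it to the "Collect code coverage" step as well, which lies outside these hunks. The job definitions start outside the hunks, so whether a `permissions:` block limits the token cannot be confirmed from here.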
@@ -134,12 +128,6 @@ jobs: shell: bash -eo pipefail -l {0} run: | nvm install --default ${{ matrix.node-version }} - if [[ "${{ matrix.node-version }}" == 0.* && "$(cut -d. -f2 <<< "${{ matrix.node-version }}")" -lt 10 ]]; then - nvm install --alias=npm 0.10 - nvm use ${{ matrix.node-version }} - sed -i '1s;^.*$;'"$(printf '#!%q' "$(nvm which npm)")"';' "$(readlink -f "$(which npm)")" - npm config set strict-ssl false - fi dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - name: Configure npm @@ -150,10 +138,6 @@ jobs: npm config set shrinkwrap false fi - - name: Remove npm module(s) ${{ matrix.npm-rm }} - run: npm rm --silent --save-dev ${{ matrix.npm-rm }} - if: matrix.npm-rm != '' - - name: Install npm module(s) ${{ matrix.npm-i }} run: npm install --save-dev ${{ matrix.npm-i }} if: matrix.npm-i != '' @@ -184,12 +168,7 @@ jobs: - name: Run tests shell: bash - run: | - if npm -ps ls nyc | grep -q nyc; then - npm run test-ci - else - npm test - fi + run: npm run test-ci - name: Lint code if: steps.list_env.outputs.eslint != '' @@ -197,7 +176,6 @@ jobs: - name: Collect code coverage uses: coverallsapp/github-action@master - if: steps.list_env.outputs.nyc != '' with: github-token: ${{ secrets.GITHUB_TOKEN }} flag-name: run-${{ matrix.test_number }} diff --git a/HISTORY.md b/HISTORY.md index 6b58456..3614290 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,8 @@ +2.x +=== + + * Drop support for Node.js 0.8 + 1.15.0 / 2022-03-24 =================== diff --git a/appveyor.yml b/appveyor.yml index d1d6862..fa48bc3 100644 --- a/appveyor.yml +++ b/appveyor.yml 
@@ -41,15 +41,12 @@ install: # Setup Node.js version-specific dependencies - ps: | # mocha for testing - # - use 2.x for Node.js < 0.10 # - use 3.x for Node.js < 4 # - use 5.x for Node.js < 6 # - use 6.x for Node.js < 8 # - use 7.x for Node.js < 10 # - use 8.x for Node.js < 12 - if ([int]$env:nodejs_version.split(".")[0] -eq 0 -and [int]$env:nodejs_version.split(".")[1] -lt 10) { - npm install --silent --save-dev mocha@2.5.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 4) { + if ([int]$env:nodejs_version.split(".")[0] -lt 4) { npm install --silent --save-dev mocha@3.5.3 } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { npm install --silent --save-dev mocha@5.2.0 @@ -62,13 +59,9 @@ install: } - ps: | # supertest for http calls - # - use 1.1.0 for Node.js < 0.10 # - use 2.0.0 for Node.js < 4 # - use 3.4.2 for Node.js < 6 - # - use 6.1.6 for Node.js < 8 - if ([int]$env:nodejs_version.split(".")[0] -eq 0 -and [int]$env:nodejs_version.split(".")[1] -lt 10) { - npm install --silent --save-dev supertest@1.1.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 4) { + if ([int]$env:nodejs_version.split(".")[0] -lt 4) { npm install --silent --save-dev supertest@2.0.0 } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { npm install --silent --save-dev supertest@3.4.2 diff --git a/package.json b/package.json index 9d935f5..6eea037 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,7 @@ "index.js" ], "engines": { - "node": ">= 0.8.0" + "node": ">= 0.10" }, "scripts": { "lint": "eslint .", From 3f5a845c1ba9d3fc5466551274d79a68a6e1dce6 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sat, 5 Feb 2022 00:59:18 -0500 Subject: [PATCH 04/32] deps: send@1.0.0-beta.1 --- HISTORY.md | 5 +++++ README.md | 11 +++++------ index.js | 1 - package.json | 4 ++++ test/test.js | 2 +- 5 files changed, 15 insertions(+), 8 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 3614290..c52a833 100644 --- a/HISTORY.md +++ b/HISTORY.md 
@@ -1,7 +1,12 @@ 2.x === + * Change `dotfiles` option default to `'ignore'` * Drop support for Node.js 0.8 + * Remove `hidden` option; use `dotfiles` option instead + * deps: send@1.0.0-beta.1 + - Use `mime-types` for file to content type mapping + - deps: debug@3.1.0 1.15.0 / 2022-03-24 =================== diff --git a/README.md b/README.md index 262d944..56268f7 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ true. Disabling this will ignore the `immutable` and `maxAge` options. ##### dotfiles - Set how "dotfiles" are treated when encountered. A dotfile is a file +Set how "dotfiles" are treated when encountered. A dotfile is a file or directory that begins with a dot ("."). Note this check is done on the path itself without checking if the path actually exists on the disk. If `root` is specified, only the dotfiles above the root are @@ -56,8 +56,7 @@ to "deny"). - `'deny'` Deny a request for a dotfile and 403/`next()`. - `'ignore'` Pretend like the dotfile does not exist and 404/`next()`. -The default value is similar to `'ignore'`, with the exception that this -default will not ignore the files within a directory that begins with a dot. +The default value is `'ignore'`. ##### etag @@ -215,7 +214,7 @@ app.listen(3000) #### Different settings for paths This example shows how to set a different max age depending on the served -file type. In this example, HTML files are not cached, while everything else +file. In this example, HTML files are not cached, while everything else is for 1 day. ```js @@ -232,8 +231,8 @@ app.use(serveStatic(path.join(__dirname, 'public'), { app.listen(3000) -function setCustomCacheControl (res, path) { - if (serveStatic.mime.lookup(path) === 'text/html') { +function setCustomCacheControl (res, file) { + if (path.extname(file) === '.html') { // Custom Cache-Control for HTML files res.setHeader('Cache-Control', 'public, max-age=0') } diff --git a/index.js b/index.js index b7d3984..1c1bb46 100644 --- a/index.js +++ b/index.js 
@@ -26,7 +26,6 @@ var url = require('url') */ module.exports = serveStatic -module.exports.mime = send.mime /** * @param {string} root diff --git a/package.json b/package.json index 6eea037..be1c909 100644 --- a/package.json +++ b/package.json @@ -9,7 +9,11 @@ "encodeurl": "~1.0.2", "escape-html": "~1.0.3", "parseurl": "~1.3.3", +<<<<<<< HEAD "send": "0.18.0" +======= + "send": "1.0.0-beta.1" +>>>>>>> 50cc670 (deps: send@1.0.0-beta.1) }, "devDependencies": { "eslint": "7.32.0", diff --git a/test/test.js b/test/test.js index e1e3fd1..2603568 100644 --- a/test/test.js +++ b/test/test.js @@ -41,7 +41,7 @@ describe('serveStatic()', function () { it('should set Content-Type', function (done) { request(server) .get('/todo.txt') - .expect('Content-Type', 'text/plain; charset=UTF-8') + .expect('Content-Type', 'text/plain; charset=utf-8') .expect(200, done) }) From c7011e2a194a7d486dde74ba69b93aac9e25e525 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sat, 5 Feb 2022 13:46:19 -0500 Subject: [PATCH 05/32] 2.0.0-beta.1 --- HISTORY.md | 4 ++-- package.json | 6 +----- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index c52a833..ca32095 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,5 +1,5 @@ -2.x -=== +2.0.0-beta.1 / 2022-02-05 +========================= * Change `dotfiles` option default to `'ignore'` * Drop support for Node.js 0.8 diff --git a/package.json b/package.json index be1c909..8d532bc 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "serve-static", "description": "Serve static files", - "version": "1.15.0", + "version": "2.0.0-beta.1", "author": "Douglas Christopher Wilson ", "license": "MIT", "repository": "expressjs/serve-static", @@ -9,11 +9,7 @@ "encodeurl": "~1.0.2", "escape-html": "~1.0.3", "parseurl": "~1.3.3", -<<<<<<< HEAD - "send": "0.18.0" -======= "send": "1.0.0-beta.1" ->>>>>>> 50cc670 (deps: send@1.0.0-beta.1) }, "devDependencies": { "eslint": "7.32.0", 
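Review bot: The package.json hunk of patch 04/32 adds unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 50cc670 (deps: send@1.0.0-beta.1)`) around the `send` dependency, so the file is not valid JSON at this commit and npm cannot read it. The hunk should carry only the resolved entry, `"send": "1.0.0-beta.1"`. Patch 05/32 deletes the markers, but until the two are squashed this commit cannot be installed or tested on its own, which breaks bisecting across the dependency change. A pre-merge check that parses package.json would catch this.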
From 841893bf0013af418df2696d7154f58ce9e5f187 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Wed, 20 Mar 2024 20:50:03 -0500 Subject: [PATCH 06/32] deps: send@1.0.0-beta.2 --- HISTORY.md | 5 +++++ package.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index ca32095..1a5de67 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,8 @@ +unreleased +========================= + + * deps: send@1.0.0-beta.2 + 2.0.0-beta.1 / 2022-02-05 ========================= diff --git a/package.json b/package.json index 8d532bc..8767d4b 100644 --- a/package.json +++ b/package.json @@ -9,7 +9,7 @@ "encodeurl": "~1.0.2", "escape-html": "~1.0.3", "parseurl": "~1.3.3", - "send": "1.0.0-beta.1" + "send": "^1.0.0-beta.2" }, "devDependencies": { "eslint": "7.32.0", From 2178d79caaa7f89d5fe4cdf789ab5f96951a5b6a Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Wed, 20 Mar 2024 20:52:31 -0500 Subject: [PATCH 07/32] v2.0.0-beta.2 --- HISTORY.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 1a5de67..5bac370 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,4 +1,4 @@ -unreleased +2.0.0-beta.2 / 2024-03-20 ========================= * deps: send@1.0.0-beta.2 diff --git a/package.json b/package.json index 8767d4b..8380364 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "serve-static", "description": "Serve static files", - "version": "2.0.0-beta.1", + "version": "2.0.0-beta.2", "author": "Douglas Christopher Wilson ", "license": "MIT", "repository": "expressjs/serve-static", From cd4cf8e75e38ee960f3610a571d49b15544abc21 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 14:17:29 -0700 Subject: [PATCH 08/32] fix!: drop node <18 --- .github/workflows/ci.yml | 137 ++++----------------------------------- package.json | 2 +- 2 files changed, 14 insertions(+), 125 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4e524e1..b902866 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,8 +1,15 @@ name: ci on: -- pull_request -- push + push: + branches: + - master + - '2.0' + paths-ignore: + - '*.md' + pull_request: + paths-ignore: + - '*.md' jobs: test: 
@@ -10,116 +17,19 @@ jobs: strategy: matrix: name: - - Node.js 0.10 - - Node.js 0.12 - - io.js 1.x - - io.js 2.x - - io.js 3.x - - Node.js 4.x - - Node.js 5.x - - Node.js 6.x - - Node.js 7.x - - Node.js 8.x - - Node.js 9.x - - Node.js 10.x - - Node.js 11.x - - Node.js 12.x - - Node.js 13.x - - Node.js 14.x - - Node.js 15.x - - Node.js 16.x - - Node.js 17.x - Node.js 18.x - - Node.js 19.x - Node.js 20.x - - Node.js 21.x - Node.js 22.x include: - - name: Node.js 0.10 - node-version: "0.10" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: Node.js 0.12 - node-version: "0.12" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 1.x - node-version: "1.8" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 2.x - node-version: "2.5" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: io.js 3.x - node-version: "3.3" - npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - - - name: Node.js 4.x - node-version: "4.9" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 5.x - node-version: "5.12" - npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - - - name: Node.js 6.x - node-version: "6.17" - npm-i: mocha@6.2.3 nyc@14.1.1 supertest@6.1.6 - - - name: Node.js 7.x - node-version: "7.10" - npm-i: mocha@6.2.3 nyc@14.1.1 supertest@6.1.6 - - - name: Node.js 8.x - node-version: "8.16" - npm-i: mocha@7.2.0 nyc@14.1.1 - - - name: Node.js 9.x - node-version: "9.11" - npm-i: mocha@7.2.0 nyc@14.1.1 - - - name: Node.js 10.x - node-version: "10.24" - npm-i: mocha@8.4.0 - - - name: Node.js 11.x - node-version: "11.15" - npm-i: mocha@8.4.0 - - - name: Node.js 12.x - node-version: "12.22" - - - name: Node.js 13.x - node-version: "13.14" - - - name: Node.js 14.x - node-version: "14.19" - - - name: Node.js 15.x - node-version: "15.14" - - - name: Node.js 16.x - node-version: "16.14" - - - name: Node.js 17.x - node-version: "17.8" - - name: Node.js 18.x - node-version: "18.14" - - - name: Node.js 19.x - node-version: "19.6" + node-version: "18" 
- name: Node.js 20.x - node-version: "20.12" - - - name: Node.js 21.x - node-version: "21.7" + node-version: "20" - name: Node.js 22.x - node-version: "22.0" + node-version: "22" steps: - uses: actions/checkout@v4 @@ -131,28 +41,7 @@ jobs: dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - name: Configure npm - run: | - if [[ "$(npm config get package-lock)" == "true" ]]; then - npm config set package-lock false - else - npm config set shrinkwrap false - fi - - - name: Install npm module(s) ${{ matrix.npm-i }} - run: npm install --save-dev ${{ matrix.npm-i }} - if: matrix.npm-i != '' - - - name: Setup Node.js version-specific dependencies - shell: bash - run: | - # eslint for linting - # - remove on Node.js < 10 - if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 10 ]]; then - node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ - grep -E '^eslint(-|$)' | \ - sort -r | \ - xargs -n1 npm rm --silent --save-dev - fi + run: npm config set package-lock false - name: Install Node.js dependencies run: npm install diff --git a/package.json b/package.json index 8380364..0fa034e 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,7 @@ "index.js" ], "engines": { - "node": ">= 0.10" + "node": ">= 18" }, "scripts": { "lint": "eslint .", From 43b3d900349315c6fbb2d27c88137a87bc504699 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 14:30:37 -0700 Subject: [PATCH 09/32] fix(deps): send@1.0.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 0fa034e..9774b5e 100644 --- a/package.json +++ b/package.json @@ -9,7 +9,7 @@ "encodeurl": "~1.0.2", "escape-html": "~1.0.3", "parseurl": "~1.3.3", - "send": "^1.0.0-beta.2" + "send": "^1.0.0" }, "devDependencies": { "eslint": "7.32.0", From 28e7a40e95daddc624c62f1e1eb3e6bc80c75ffc Mon Sep 17 00:00:00 2001 
From: Wes Todd Date: Fri, 26 Jul 2024 15:03:23 -0700 Subject: [PATCH 10/32] fix(devDeps): mocha@^10.7.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9774b5e..d6736a4 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,7 @@ "eslint-plugin-node": "11.1.0", "eslint-plugin-promise": "5.2.0", "eslint-plugin-standard": "4.1.0", - "mocha": "9.2.2", + "mocha": "^10.7.0", "nyc": "15.1.0", "safe-buffer": "5.2.1", "supertest": "6.2.2" From 474517114abe8547eb96bbc7dbbf03b301479d2b Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 15:03:47 -0700 Subject: [PATCH 11/32] fix(devDeps): nyc@^17.0.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d6736a4..5b3930c 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "eslint-plugin-promise": "5.2.0", "eslint-plugin-standard": "4.1.0", "mocha": "^10.7.0", - "nyc": "15.1.0", + "nyc": "^17.0.0", "safe-buffer": "5.2.1", "supertest": "6.2.2" }, From 5d26187e87857198f028d1c3087313c8eb3ed048 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 15:04:20 -0700 Subject: [PATCH 12/32] fix(devDeps): safe-buffer@^5.2.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 5b3930c..a44f9f4 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "eslint-plugin-standard": "4.1.0", "mocha": "^10.7.0", "nyc": "^17.0.0", - "safe-buffer": "5.2.1", + "safe-buffer": "^5.2.1", "supertest": "6.2.2" }, "files": [ From 5efec6195681372ee4ef9899eaa05fced006f795 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 15:04:58 -0700 Subject: [PATCH 13/32] fix(devDeps): supertest@^6.3.4 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index a44f9f4..d4d8d7a 100644 --- a/package.json +++ b/package.json 
@@ -22,7 +22,7 @@ "mocha": "^10.7.0", "nyc": "^17.0.0", "safe-buffer": "^5.2.1", - "supertest": "6.2.2" + "supertest": "^6.3.4" }, "files": [ "LICENSE", From 9bba9faa9f710fa6543dd56e146f9725613af140 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 15:33:51 -0700 Subject: [PATCH 14/32] fix(deps): encodeurl@^2.0.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d4d8d7a..923645b 100644 --- a/package.json +++ b/package.json @@ -6,7 +6,7 @@ "license": "MIT", "repository": "expressjs/serve-static", "dependencies": { - "encodeurl": "~1.0.2", + "encodeurl": "^2.0.0", "escape-html": "~1.0.3", "parseurl": "~1.3.3", "send": "^1.0.0" From 050cf48243448dce0a829fb2d2930cf78192d870 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 15:34:24 -0700 Subject: [PATCH 15/32] fix(deps): excape-html@^1.0.3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 923645b..92525fc 100644 --- a/package.json +++ b/package.json @@ -7,7 +7,7 @@ "repository": "expressjs/serve-static", "dependencies": { "encodeurl": "^2.0.0", - "escape-html": "~1.0.3", + "escape-html": "^1.0.3", "parseurl": "~1.3.3", "send": "^1.0.0" }, From d3db1f6dc50d3ee92311b5b4ba23e9fc7e547da7 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 26 Jul 2024 15:34:46 -0700 Subject: [PATCH 16/32] fix(deps): parseurl@^1.3.3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 92525fc..e1840f0 100644 --- a/package.json +++ b/package.json @@ -8,7 +8,7 @@ "dependencies": { "encodeurl": "^2.0.0", "escape-html": "^1.0.3", - "parseurl": "~1.3.3", + "parseurl": "^1.3.3", "send": "^1.0.0" }, "devDependencies": { From 1c317e0eb02aa0559d2abf7d81a602e231c52910 Mon Sep 17 00:00:00 2001 
From: Wes Todd Date: Fri, 26 Jul 2024 15:45:42 -0700 Subject: [PATCH 17/32] fix: update history.md --- HISTORY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/HISTORY.md b/HISTORY.md index 5bac370..9b30e61 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,16 @@ +unreleased +========================= + +* deps: + * parseurl@^1.3.3 + * excape-html@^1.0.3 + * encodeurl@^2.0.0 + * supertest@^6.3.4 + * safe-buffer@^5.2.1 + * nyc@^17.0.0 + * mocha@^10.7.0 +* Changes from 1.x + 2.0.0-beta.2 / 2024-03-20 ========================= From 707f803715ccbd2030aa87a6f756fb040a946262 Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Fri, 23 Aug 2024 15:58:56 -0500 Subject: [PATCH 18/32] 2.0.0 --- HISTORY.md | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 9b30e61..c59feda 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,5 +1,5 @@ -unreleased -========================= +2.0.0 / 2024-08-23 +================== * deps: * parseurl@^1.3.3 diff --git a/package.json b/package.json index e1840f0..91a72fc 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "serve-static", "description": "Serve static files", - "version": "2.0.0-beta.2", + "version": "2.0.0", "author": "Douglas Christopher Wilson ", "license": "MIT", "repository": "expressjs/serve-static", From d79edcecd7875329f7d0648412cf20ec7315977b Mon Sep 17 00:00:00 2001 From: Wes Todd Date: Tue, 3 Sep 2024 09:14:33 -0500 Subject: [PATCH 19/32] Create SECURITY.md --- SECURITY.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3817eaf --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,50 @@ +# Security Policies and Procedures + +This document outlines security procedures and general policies for the Express +project. + + * [Reporting a Bug](#reporting-a-bug) + * [Disclosure Policy](#disclosure-policy) + * [Comments on this Policy](#comments-on-this-policy) + +## Reporting a Bug + +The Express team and community take all security bugs in Express seriously. +Thank you for improving the security of Express. We appreciate your efforts and +responsible disclosure and will make every effort to acknowledge your +contributions. + +Report security bugs by emailing the lead maintainer in the Readme.md file. + +To ensure the timely response to your report, please ensure that the entirety +of the report is contained within the email body and not solely behind a web +link or an attachment. + +The lead maintainer will acknowledge your email within 48 hours, and will send a +more detailed response within 48 hours indicating the next steps in handling +your report. After the initial reply to your report, the security team will +endeavor to keep you informed of the progress towards a fix and full +announcement, and may ask for additional information or guidance. + +Report security bugs in third-party modules to the person or team maintaining +the module. + +## Disclosure Policy + +When the security team receives a security bug report, they will assign it to a +primary handler. This person will coordinate the fix and release process, +involving the following steps: + + * Confirm the problem and determine the affected versions. + * Audit code to find any potential similar problems. + * Prepare fixes for all releases still under maintenance. These fixes will be + released as fast as possible to npm. 
+ +## The Express Threat Model + +We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) + +## Comments on this Policy + +If you have suggestions on how this process could be improved please submit a +pull request. From ce730896fddce1588111d9ef6fdf20896de5c6fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Tue, 10 Sep 2024 02:58:54 +0200 Subject: [PATCH 20/32] Merge commit from fork Co-authored-by: Chris de Almeida --- index.js | 3 +-- test/test.js | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/index.js b/index.js index 1c1bb46..1bee463 100644 --- a/index.js +++ b/index.js @@ -194,8 +194,7 @@ function createRedirectDirectoryListener () { // reformat the URL var loc = encodeUrl(url.format(originalUrl)) - var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + - escapeHtml(loc) + '') + var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc)) // send redirect response res.statusCode = 301 diff --git a/test/test.js b/test/test.js index 2603568..6984bcd 100644 --- a/test/test.js +++ b/test/test.js @@ -483,7 +483,7 @@ describe('serveStatic()', function () { request(server) .get('/users') .expect('Location', '/users/') - .expect(301, //, done) + .expect(301, /\/users\//, done) }) it('should redirect directories with query string', function (done) { @@ -505,7 +505,7 @@ describe('serveStatic()', function () { .get('/snow') .expect('Location', '/snow%20%E2%98%83/') .expect('Content-Type', /html/) - .expect(301, />Redirecting to \/snow%20%E2%98%83\/<\/a>Redirecting to \/snow%20%E2%98%83\/ Date: Tue, 10 Sep 2024 03:10:18 +0200 Subject: [PATCH 21/32] 2.1.0 --- HISTORY.md | 10 ++++++++++ package.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index c59feda..4e519ab 100644 --- a/HISTORY.md +++ b/HISTORY.md 
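Review bot: The new line `var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))` in index.js carries no comment saying why the link was dropped, so a later cleanup could easily reintroduce it. `loc` is built from the request's URL (`encodeUrl(url.format(originalUrl))`) and after this change reaches the body only as escaped text. I would add above it `// loc comes from the request URL: emit it as escaped text only, never inside markup such as an href`. The updated tests in test/test.js only assert that the path text is present, so a negative assertion that the 301 body contains no `<a ` element would pin the behaviour this commit intends. The body of createRedirectDirectoryListener starts and ends outside the hunk.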
@@ -1,3 +1,8 @@ +2.1.0 / 2024-09-10 +=================== + +* Changes from 1.16.0 + 2.0.0 / 2024-08-23 ================== @@ -26,6 +31,11 @@ - Use `mime-types` for file to content type mapping - deps: debug@3.1.0 +1.16.0 / 2024-09-10 +=================== + +* Remove link renderization in html while redirecting + 1.15.0 / 2022-03-24 =================== diff --git a/package.json b/package.json index 91a72fc..b70f167 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "serve-static", "description": "Serve static files", - "version": "2.0.0", + "version": "2.1.0", "author": "Douglas Christopher Wilson ", "license": "MIT", "repository": "expressjs/serve-static", From e2bf828a6899e18969e522ddce304fec497b058f Mon Sep 17 00:00:00 2001 From: Ayoub Mabrouk <77799760+Ayoub-Mabrouk@users.noreply.github.com> Date: Mon, 11 Nov 2024 17:29:56 +0100 Subject: [PATCH 22/32] refactor: zeroPad to use padStart for improved readability (#182) --- scripts/version-history.js | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/scripts/version-history.js b/scripts/version-history.js index b8a2b0e..0baecb7 100644 --- a/scripts/version-history.js +++ b/scripts/version-history.js @@ -53,11 +53,5 @@ function repeat (str, length) { } function zeroPad (number, length) { - var num = number.toString() - - while (num.length < length) { - num = '0' + num - } - - return num + return number.toString().padStart(length, '0') } From 96886b36519f0f07de25b9ab1ff2e780402c5b3f Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Thu, 28 Nov 2024 18:48:04 -0500 Subject: [PATCH 23/32] ci: add CodeQl (SAST) --- .github/workflows/codeql.yml | 66 ++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..9d1b304 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,66 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + languages: javascript + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + # - name: Autobuild + # uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. 
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + category: "/language:javascript" \ No newline at end of file From 2ceda4106d11449dad3cc69fe583901942400877 Mon Sep 17 00:00:00 2001 From: Ayoub-Mabrouk Date: Wed, 6 Nov 2024 02:26:03 +0100 Subject: [PATCH 24/32] Refactor HISTORY.md header update to use String.prototype.repeat Replaced the custom repeat function with String.prototype.repeat to simplify the code and improve readability. This change leverages modern JavaScript functionality, reducing complexity and improving efficiency when updating the HISTORY.md header. --- scripts/version-history.js | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/scripts/version-history.js b/scripts/version-history.js index 0baecb7..7938e69 100644 --- a/scripts/version-history.js +++ b/scripts/version-history.js @@ -30,7 +30,7 @@ if (historyFileLines[0].indexOf('x') !== -1) { } historyFileLines[0] = VERSION + ' / ' + getLocaleDate() -historyFileLines[1] = repeat('=', historyFileLines[0].length) +historyFileLines[1] = '='.repeat(historyFileLines[0].length) fs.writeFileSync(HISTORY_FILE_PATH, historyFileLines.join('\n')) @@ -42,16 +42,6 @@ function getLocaleDate () { zeroPad(now.getDate(), 2) } -function repeat (str, length) { - var out = '' - - for (var i = 0; i < length; i++) { - out += str - } - - return out -} - function zeroPad (number, length) { return number.toString().padStart(length, '0') } From 3f71a5403696b40db191a2d8c07f4293b44a4d65 Mon Sep 17 00:00:00 2001 From: Dustin Popp Date: Mon, 17 Feb 2025 09:31:04 -0600 Subject: [PATCH 25/32] fix(docs): retroactively note 2.0.0-beta.1 api change in history file (#194) 
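Review bot: The `Checkout repository` step has no `persist-credentials: false`, so the job token stays in the checked-out repository's git configuration while the `init` and `analyze` steps run. Nothing visible in this workflow needs git to authenticate after the checkout, so adding `with:` and `persist-credentials: false` under that step narrows what later steps can read at no cost. The file also ends without a trailing newline.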
Signed-off-by: Dustin Popp --- HISTORY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/HISTORY.md b/HISTORY.md index 4e519ab..33164ff 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -27,6 +27,7 @@ * Change `dotfiles` option default to `'ignore'` * Drop support for Node.js 0.8 * Remove `hidden` option; use `dotfiles` option instead + * Remove `mime` export; use `mime-types` package instead * deps: send@1.0.0-beta.1 - Use `mime-types` for file to content type mapping - deps: debug@3.1.0 From b51ab84ce105252909ae07e5a3c215352f2e0e6e Mon Sep 17 00:00:00 2001 From: ljeda Date: Thu, 20 Feb 2025 17:38:45 +0100 Subject: [PATCH 26/32] feat: conditionally set headers (if not already set) in redirect response (#190) * conditionally set headers (if not already set) in redirect response * add new function description --------- Co-authored-by: ljeda --- index.js | 21 ++++++++++++++++----- test/test.js | 12 +++++++++++- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/index.js b/index.js index 1bee463..a7d0083 100644 --- a/index.js +++ b/index.js 
@@ -198,11 +198,22 @@ function createRedirectDirectoryListener () { // send redirect response res.statusCode = 301 - res.setHeader('Content-Type', 'text/html; charset=UTF-8') - res.setHeader('Content-Length', Buffer.byteLength(doc)) - res.setHeader('Content-Security-Policy', "default-src 'none'") - res.setHeader('X-Content-Type-Options', 'nosniff') - res.setHeader('Location', loc) + setHeaderIfNotSet(res, 'Content-Type', 'text/html; charset=UTF-8') + setHeaderIfNotSet(res, 'Content-Length', Buffer.byteLength(doc)) + setHeaderIfNotSet(res, 'Content-Security-Policy', "default-src 'none'") + setHeaderIfNotSet(res, 'X-Content-Type-Options', 'nosniff') + setHeaderIfNotSet(res, 'Location', loc) res.end(doc) } } + +/** + * Set default value for the header only if it is not already set in the response + * @private + */ + +function setHeaderIfNotSet (res, name, value) { + if (!res.hasHeader(name)) { + res.setHeader(name, value) + } +} diff --git a/test/test.js b/test/test.js index 6984bcd..4a3ac85 100644 --- a/test/test.js +++ b/test/test.js @@ -469,6 +469,9 @@ describe('serveStatic()', function () { before(function () { server = createServer(fixtures, null, function (req, res) { req.url = req.url.replace(/\/snow(\/|$)/, '/snow \u2603$1') + if (req.url.match(/\/pets/)) { + res.setHeader('Content-Security-Policy', "default-src 'self'") + } }) }) @@ -508,13 +511,20 @@ describe('serveStatic()', function () { .expect(301, />Redirecting to \/snow%20%E2%98%83\/ Date: Mon, 3 Mar 2025 14:40:02 -0500 Subject: [PATCH 27/32] docs: remove security file (#195) --- SECURITY.md | 50 -------------------------------------------------- 1 file changed, 50 deletions(-) delete mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 3817eaf..0000000 --- a/SECURITY.md +++ /dev/null 
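Review bot: `setHeaderIfNotSet` is applied to `Content-Type`, `Content-Length` and `Location`, which describe the document and target generated here, so a value left by earlier middleware would no longer match `doc` or `loc`; a stale `Content-Length` in particular gives a truncated or hanging response. Those three should stay unconditional, e.g. `res.setHeader('Content-Length', Buffer.byteLength(doc))`. For `Content-Security-Policy` the change lets an application-wide policy, such as the `default-src 'self'` set in the new test, replace `default-src 'none'` on a page that echoes a request-derived URL, which loosens the restriction on that page. If that is intended it deserves a sentence in the `setHeaderIfNotSet` doc comment, which also lacks `@param` tags. createRedirectDirectoryListener begins outside the hunk.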
@@ -1,50 +0,0 @@ -# Security Policies and Procedures - -This document outlines security procedures and general policies for the Express -project. - - * [Reporting a Bug](#reporting-a-bug) - * [Disclosure Policy](#disclosure-policy) - * [Comments on this Policy](#comments-on-this-policy) - -## Reporting a Bug - -The Express team and community take all security bugs in Express seriously. -Thank you for improving the security of Express. We appreciate your efforts and -responsible disclosure and will make every effort to acknowledge your -contributions. - -Report security bugs by emailing the lead maintainer in the Readme.md file. - -To ensure the timely response to your report, please ensure that the entirety -of the report is contained within the email body and not solely behind a web -link or an attachment. - -The lead maintainer will acknowledge your email within 48 hours, and will send a -more detailed response within 48 hours indicating the next steps in handling -your report. After the initial reply to your report, the security team will -endeavor to keep you informed of the progress towards a fix and full -announcement, and may ask for additional information or guidance. - -Report security bugs in third-party modules to the person or team maintaining -the module. - -## Disclosure Policy - -When the security team receives a security bug report, they will assign it to a -primary handler. This person will coordinate the fix and release process, -involving the following steps: - - * Confirm the problem and determine the affected versions. - * Audit code to find any potential similar problems. - * Prepare fixes for all releases still under maintenance. These fixes will be - released as fast as possible to npm. 
- -## The Express Threat Model - -We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md) - -## Comments on this Policy - -If you have suggestions on how this process could be improved please submit a -pull request. From dc86b4aee0a25e1cdce68cda92dc703c7aae9e01 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 24 Mar 2025 00:31:12 +0100 Subject: [PATCH 28/32] chore(deps): remove devDependency `safe-buffer` (#191) --- package.json | 1 - test/test.js | 1 - 2 files changed, 2 deletions(-) diff --git a/package.json b/package.json index b70f167..a0b23d5 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,6 @@ "eslint-plugin-standard": "4.1.0", "mocha": "^10.7.0", "nyc": "^17.0.0", - "safe-buffer": "^5.2.1", "supertest": "^6.3.4" }, "files": [ diff --git a/test/test.js b/test/test.js index 4a3ac85..c92ce00 100644 --- a/test/test.js +++ b/test/test.js @@ -1,6 +1,5 @@ var assert = require('assert') -var Buffer = require('safe-buffer').Buffer var http = require('http') var path = require('path') var request = require('supertest') From 55475c7cc203b6c03cbf2a3585df10e4344178df Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Mon, 24 Mar 2025 00:31:46 +0100 Subject: [PATCH 29/32] ci: updated ci workflow and remove appveyor (#192) --- .github/workflows/ci.yml | 129 ++++++++++++++++++++++----------------- README.md | 5 +- appveyor.yml | 88 -------------------------- 3 files changed, 74 insertions(+), 148 deletions(-) delete mode 100644 appveyor.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b902866..9030ed5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -4,78 +4,95 @@ on: push: branches: - master - - '2.0' paths-ignore: - '*.md' pull_request: paths-ignore: - '*.md' +permissions: + contents: read + +# Cancel in progress workflows +# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run +concurrency: + group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + jobs: - test: + lint: + name: Lint runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "lts/*" + + - name: Install dependencies + run: npm install --ignore-scripts --include=dev + + - name: Run lint + run: npm run lint + + test: + name: Test - Node.js ${{ matrix.node-version }} - ${{ matrix.os }} + runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: - name: - - Node.js 18.x - - Node.js 20.x - - Node.js 22.x + os: [ubuntu-latest, windows-latest] + # Node.js release schedule: https://nodejs.org/en/about/releases/ + node-version: [18, 19, 20, 21, 22, 23] + steps: + - uses: actions/checkout@v4 - include: - - name: Node.js 18.x - node-version: "18" + - name: Setup Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + check-latest: true + node-version: ${{ matrix.node-version }} - - name: Node.js 20.x - node-version: "20" + - name: Configure npm loglevel + run: npm config set loglevel error - - name: Node.js 22.x - node-version: "22" + - name: Install dependencies + run: npm install - steps: - - uses: actions/checkout@v4 - - - name: Install Node.js ${{ matrix.node-version }} - shell: bash -eo pipefail -l {0} - run: | - nvm install --default ${{ matrix.node-version }} - dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - - - name: Configure npm - run: npm config set package-lock false - - - name: Install Node.js dependencies - run: npm install - - - name: List environment - id: list_env - shell: bash 
- run: | - echo "node@$(node -v)" - echo "npm@$(npm -v)" - npm -s ls ||: - (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print "::set-output name=" $2 "::" $3 }' - - - name: Run tests - shell: bash - run: npm run test-ci - - - name: Lint code - if: steps.list_env.outputs.eslint != '' - run: npm run lint - - - name: Collect code coverage - uses: coverallsapp/github-action@master - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - flag-name: run-${{ matrix.test_number }} - parallel: true + - name: Run tests + run: npm run test-ci + + - name: Upload code coverage + uses: actions/upload-artifact@v4 + with: + name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }} + path: ./coverage/lcov.info + retention-days: 1 coverage: needs: test runs-on: ubuntu-latest + permissions: + contents: read + checks: write steps: - - name: Upload code coverage - uses: coverallsapp/github-action@master - with: - github-token: ${{ secrets.github_token }} - parallel-finished: true + - uses: actions/checkout@v4 + + - name: Install lcov + run: sudo apt-get -y install lcov + + - name: Collect coverage reports + uses: actions/download-artifact@v4 + with: + path: ./coverage + pattern: coverage-node-* + + - name: Merge coverage reports + run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info + + - name: Upload coverage report + uses: coverallsapp/github-action@v2 + with: + file: ./lcov.info diff --git a/README.md b/README.md index 56268f7..70f01c3 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,7 @@ [![NPM Version][npm-version-image]][npm-url] [![NPM Downloads][npm-downloads-image]][npm-url] -[![Linux Build][github-actions-ci-image]][github-actions-ci-url] -[![Windows Build][appveyor-image]][appveyor-url] +[![CI][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] ## Install 
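Review bot: The rewritten jobs reference `actions/checkout@v4`, `actions/setup-node@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4` and `coverallsapp/github-action@v2` by mutable tag, while codeql.yml in this series pins every action to a full commit SHA. A tag can be moved to different code after review; pinning in the same form, `uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder, take the SHA from the release you reviewed), keeps the workflows consistent and reviewable. The `test` job also runs plain `npm install` where the `lint` job passes `--ignore-scripts`; if the tests do not depend on install scripts, the flag could be used there too.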
@@ -243,8 +242,6 @@ function setCustomCacheControl (res, file) { [MIT](LICENSE) -[appveyor-image]: https://badgen.net/appveyor/ci/dougwilson/serve-static/master?label=windows -[appveyor-url]: https://ci.appveyor.com/project/dougwilson/serve-static [coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/serve-static/master [coveralls-url]: https://coveralls.io/r/expressjs/serve-static?branch=master [github-actions-ci-image]: https://badgen.net/github/checks/expressjs/serve-static/master?label=linux diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index fa48bc3..0000000 --- a/appveyor.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -environment: - matrix: - - nodejs_version: "0.10" - - nodejs_version: "0.12" - - nodejs_version: "1.8" - - nodejs_version: "2.5" - - nodejs_version: "3.3" - - nodejs_version: "4.9" - - nodejs_version: "5.12" - - nodejs_version: "6.17" - - nodejs_version: "7.10" - - nodejs_version: "8.16" - - nodejs_version: "9.11" - - nodejs_version: "10.24" - - nodejs_version: "11.15" - - nodejs_version: "12.22" - - nodejs_version: "13.14" - - nodejs_version: "14.19" - - nodejs_version: "15.14" - - nodejs_version: "16.14" - - nodejs_version: "17.8" -cache: - - node_modules -install: - # Install Node.js - - ps: >- - try { Install-Product node $env:nodejs_version -ErrorAction Stop } - catch { Update-NodeJsInstallation (Get-NodeJsLatestBuild $env:nodejs_version) } - # Configure npm - - ps: | - # Skip updating shrinkwrap / lock - npm config set shrinkwrap false - # Remove all non-test dependencies - - ps: | - # Remove coverage dependency - npm rm --silent --save-dev nyc - # Remove lint dependencies - cmd.exe /c "node -pe `"Object.keys(require('./package').devDependencies).join('\n')`"" | ` - sls "^eslint(-|$)" | ` - %{ npm rm --silent --save-dev $_ } - # Setup Node.js version-specific dependencies - - ps: | - # mocha for testing - # - use 3.x for Node.js < 4 - # - use 5.x for Node.js < 6 - # - use 6.x for Node.js < 8 - # - use 7.x for Node.js < 10 - # - use 8.x for Node.js < 12 - if ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev mocha@3.5.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev mocha@5.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev mocha@6.2.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 10) { - npm install --silent --save-dev mocha@7.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 12) { - npm install --silent --save-dev mocha@8.4.0 - } - - ps: | - # supertest for http calls - # - use 2.0.0 for Node.js < 4 
- # - use 3.4.2 for Node.js < 6 - if ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev supertest@2.0.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev supertest@3.4.2 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev supertest@6.1.6 - } - # Update Node.js modules - - ps: | - # Prune & rebuild node_modules - if (Test-Path -Path node_modules) { - npm prune - npm rebuild - } - # Install Node.js modules - - npm install -build: off -test_script: - # Output version data - - ps: | - node --version - npm --version - # Run test script - - npm test -version: "{build}" From 6a1aa93b476c2845ab50ffea86f6caf4a2b01d13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 27 Mar 2025 11:17:19 +0100 Subject: [PATCH 30/32] deps: send@^1.2.0 (#198) --- HISTORY.md | 1 + package.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 33164ff..e097722 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -2,6 +2,7 @@ =================== * Changes from 1.16.0 +* deps: send@^1.2.0 2.0.0 / 2024-08-23 ================== diff --git a/package.json b/package.json index a0b23d5..28e8709 100644 --- a/package.json +++ b/package.json @@ -9,7 +9,7 @@ "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", - "send": "^1.0.0" + "send": "^1.2.0" }, "devDependencies": { "eslint": "7.32.0", From 2e220869cd7f548a677ce8d8012b27174e08425b Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Thu, 27 Mar 2025 20:35:44 +0100 Subject: [PATCH 31/32] Revert "feat: conditionally set headers (if not already set) in redirect response (#190)" (#200) This reverts commit b51ab84ce105252909ae07e5a3c215352f2e0e6e. --- index.js | 21 +++++---------------- test/test.js | 12 +----------- 2 files changed, 6 insertions(+), 27 deletions(-) diff --git a/index.js b/index.js index a7d0083..1bee463 100644 --- a/index.js +++ b/index.js 
@@ -198,22 +198,11 @@ function createRedirectDirectoryListener () { // send redirect response res.statusCode = 301 - setHeaderIfNotSet(res, 'Content-Type', 'text/html; charset=UTF-8') - setHeaderIfNotSet(res, 'Content-Length', Buffer.byteLength(doc)) - setHeaderIfNotSet(res, 'Content-Security-Policy', "default-src 'none'") - setHeaderIfNotSet(res, 'X-Content-Type-Options', 'nosniff') - setHeaderIfNotSet(res, 'Location', loc) + res.setHeader('Content-Type', 'text/html; charset=UTF-8') + res.setHeader('Content-Length', Buffer.byteLength(doc)) + res.setHeader('Content-Security-Policy', "default-src 'none'") + res.setHeader('X-Content-Type-Options', 'nosniff') + res.setHeader('Location', loc) res.end(doc) } } - -/** - * Set default value for the header only if it is not already set in the response - * @private - */ - -function setHeaderIfNotSet (res, name, value) { - if (!res.hasHeader(name)) { - res.setHeader(name, value) - } -} diff --git a/test/test.js b/test/test.js index c92ce00..9933eed 100644 --- a/test/test.js +++ b/test/test.js @@ -468,9 +468,6 @@ describe('serveStatic()', function () { before(function () { server = createServer(fixtures, null, function (req, res) { req.url = req.url.replace(/\/snow(\/|$)/, '/snow \u2603$1') - if (req.url.match(/\/pets/)) { - res.setHeader('Content-Security-Policy', "default-src 'self'") - } }) }) @@ -510,20 +507,13 @@ describe('serveStatic()', function () { .expect(301, />Redirecting to \/snow%20%E2%98%83\/ Date: Thu, 27 Mar 2025 00:52:44 +0100 Subject: [PATCH 32/32] 2.2.0 --- HISTORY.md | 5 +++++ package.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index e097722..a3f174e 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,3 +1,8 @@ +2.2.0 / 2025-03-27 +================== + +* deps: send@^1.2.0 + 2.1.0 / 2024-09-10 =================== diff --git a/package.json b/package.json index 28e8709..38d3365 100644 --- a/package.json +++ b/package.json 
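Review bot: The restored `res.setHeader` block has no comment explaining why these headers overwrite anything set earlier in the chain, and the revert message gives no reason, so the conditional variant may well be proposed again. A line above the first call would record it, for example `// always overwrite: these headers describe the redirect document generated here`. That reason is inferred from the code, so the wording should be confirmed by the maintainers. createRedirectDirectoryListener begins outside the hunk.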
@@ -1,7 +1,7 @@ { "name": "serve-static", "description": "Serve static files", - "version": "2.1.0", + "version": "2.2.0", "author": "Douglas Christopher Wilson ", "license": "MIT", "repository": "expressjs/serve-static",