diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b902866..9030ed5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,78 +4,95 @@ on: push: branches: - master - - '2.0' paths-ignore: - '*.md' pull_request: paths-ignore: - '*.md' +permissions: + contents: read + +# Cancel in progress workflows +# in the scenario where we already had a run going for that PR/branch/tag but then triggered a new run +concurrency: + group: "${{ github.workflow }} ✨ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + jobs: - test: + lint: + name: Lint runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "lts/*" + + - name: Install dependencies + run: npm install --ignore-scripts --include=dev + + - name: Run lint + run: npm run lint + + test: + name: Test - Node.js ${{ matrix.node-version }} - ${{ matrix.os }} + runs-on: ${{ matrix.os }} strategy: + fail-fast: false matrix: - name: - - Node.js 18.x - - Node.js 20.x - - Node.js 22.x + os: [ubuntu-latest, windows-latest] + # Node.js release schedule: https://nodejs.org/en/about/releases/ + node-version: [18, 19, 20, 21, 22, 23] + steps: + - uses: actions/checkout@v4 - include: - - name: Node.js 18.x - node-version: "18" + - name: Setup Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + check-latest: true + node-version: ${{ matrix.node-version }} - - name: Node.js 20.x - node-version: "20" + - name: Configure npm loglevel + run: npm config set loglevel error - - name: Node.js 22.x - node-version: "22" + - name: Install dependencies + run: npm install - steps: - - uses: actions/checkout@v4 - - - name: Install Node.js ${{ matrix.node-version }} - shell: bash -eo pipefail -l {0} - run: | - nvm install --default ${{ matrix.node-version }} - dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - - - name: Configure npm - run: npm config set package-lock false - - - name: Install Node.js dependencies - run: npm install - - - name: List environment - id: list_env - shell: bash 
- run: | - echo "node@$(node -v)" - echo "npm@$(npm -v)" - npm -s ls ||: - (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print "::set-output name=" $2 "::" $3 }' - - - name: Run tests - shell: bash - run: npm run test-ci - - - name: Lint code - if: steps.list_env.outputs.eslint != '' - run: npm run lint - - - name: Collect code coverage - uses: coverallsapp/github-action@master - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - flag-name: run-${{ matrix.test_number }} - parallel: true + - name: Run tests + run: npm run test-ci + + - name: Upload code coverage + uses: actions/upload-artifact@v4 + with: + name: coverage-node-${{ matrix.node-version }}-${{ matrix.os }} + path: ./coverage/lcov.info + retention-days: 1 coverage: needs: test runs-on: ubuntu-latest + permissions: + contents: read + checks: write steps: - - name: Upload code coverage - uses: coverallsapp/github-action@master - with: - github-token: ${{ secrets.github_token }} - parallel-finished: true + - uses: actions/checkout@v4 + + - name: Install lcov + run: sudo apt-get -y install lcov + + - name: Collect coverage reports + uses: actions/download-artifact@v4 + with: + path: ./coverage + pattern: coverage-node-* + + - name: Merge coverage reports + run: find ./coverage -name lcov.info -exec printf '-a %q\n' {} \; | xargs lcov -o ./lcov.info + + - name: Upload coverage report + uses: coverallsapp/github-action@v2 + with: + file: ./lcov.info diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..9d1b304 --- /dev/null +++ b/.github/workflows/codeql.yml 
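Review bot: The actions in the `lint`, `test` and `coverage` jobs are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-node@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `coverallsapp/github-action@v2`), while codeql.yml added in this same commit pins every action to a full commit SHA. A tag can be repointed to different code after review, and the `coverage` job runs the third-party Coveralls action with `checks: write`, so pinning matters most there: `uses: coverallsapp/github-action@<full-commit-sha> # v2`. The `test` job also runs plain `npm install`, which executes dependency lifecycle scripts on every matrix runner, whereas `lint` passes `--ignore-scripts`; if the test suite does not depend on install scripts, use the same flag there. Adding `persist-credentials: false` under `with:` on the `actions/checkout` steps would keep the job token out of the workspace git config while that code runs.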
@@ -0,0 +1,66 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["master"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["master"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+ with:
+ languages: javascript
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ # - name: Autobuild
+ # uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + category: "/language:javascript" \ No newline at end of file diff --git a/HISTORY.md b/HISTORY.md index 4e519ab..a3f174e 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,7 +1,13 @@ +2.2.0 / 2025-03-27 +================== + +* deps: send@^1.2.0 + 2.1.0 / 2024-09-10 =================== * Changes from 1.16.0 +* deps: send@^1.2.0 2.0.0 / 2024-08-23 ================== @@ -27,6 +33,7 @@ * Change `dotfiles` option default to `'ignore'` * Drop support for Node.js 0.8 * Remove `hidden` option; use `dotfiles` option instead + * Remove `mime` export; use `mime-types` package instead * deps: send@1.0.0-beta.1 - Use `mime-types` for file to content type mapping - deps: debug@3.1.0 diff --git a/README.md b/README.md index 56268f7..70f01c3 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,7 @@ [![NPM Version][npm-version-image]][npm-url] [![NPM Downloads][npm-downloads-image]][npm-url] -[![Linux Build][github-actions-ci-image]][github-actions-ci-url] -[![Windows Build][appveyor-image]][appveyor-url] +[![CI][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] ## Install @@ -243,8 +242,6 @@ function setCustomCacheControl (res, file) { [MIT](LICENSE) -[appveyor-image]: https://badgen.net/appveyor/ci/dougwilson/serve-static/master?label=windows -[appveyor-url]: https://ci.appveyor.com/project/dougwilson/serve-static [coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/serve-static/master [coveralls-url]: https://coveralls.io/r/expressjs/serve-static?branch=master [github-actions-ci-image]: https://badgen.net/github/checks/expressjs/serve-static/master?label=linux 
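Review bot: Nothing visible in this diff keeps the SHA pins in codeql.yml up to date: `actions/checkout` is fixed at v4.1.1 and `github/codeql-action` at v3.24.7, so unless a Dependabot or Renovate configuration covering the `github-actions` ecosystem exists elsewhere in the repository, the analyzer will keep running that pinned release indefinitely. The pins themselves are the right default, so please confirm an updater is in place rather than loosening them. The template comments about Autobuild and custom build scripts do not apply to `languages: javascript` and could be dropped so the file shows only what this repository uses. The file also ends without a trailing newline (`\ No newline at end of file`).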
diff --git a/SECURITY.md b/SECURITY.md
deleted file mode 100644
index 3817eaf..0000000
--- a/SECURITY.md
+++ /dev/null
@@ -1,50 +0,0 @@
-# Security Policies and Procedures
-
-This document outlines security procedures and general policies for the Express
-project.
-
- * [Reporting a Bug](#reporting-a-bug)
- * [Disclosure Policy](#disclosure-policy)
- * [Comments on this Policy](#comments-on-this-policy)
-
-## Reporting a Bug
-
-The Express team and community take all security bugs in Express seriously.
-Thank you for improving the security of Express. We appreciate your efforts and
-responsible disclosure and will make every effort to acknowledge your
-contributions.
-
-Report security bugs by emailing the lead maintainer in the Readme.md file.
-
-To ensure the timely response to your report, please ensure that the entirety
-of the report is contained within the email body and not solely behind a web
-link or an attachment.
-
-The lead maintainer will acknowledge your email within 48 hours, and will send a
-more detailed response within 48 hours indicating the next steps in handling
-your report. After the initial reply to your report, the security team will
-endeavor to keep you informed of the progress towards a fix and full
-announcement, and may ask for additional information or guidance.
-
-Report security bugs in third-party modules to the person or team maintaining
-the module.
-
-## Disclosure Policy
-
-When the security team receives a security bug report, they will assign it to a
-primary handler. This person will coordinate the fix and release process,
-involving the following steps:
-
- * Confirm the problem and determine the affected versions.
- * Audit code to find any potential similar problems.
- * Prepare fixes for all releases still under maintenance. These fixes will be
- released as fast as possible to npm.
-
-## The Express Threat Model
-
-We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md)
-
-## Comments on this Policy
-
-If you have suggestions on how this process could be improved please submit a
-pull request.
diff --git a/appveyor.yml b/appveyor.yml
deleted file mode 100644
index fa48bc3..0000000
--- a/appveyor.yml
+++ /dev/null
@@ -1,88 +0,0 @@ -environment: - matrix: - - nodejs_version: "0.10" - - nodejs_version: "0.12" - - nodejs_version: "1.8" - - nodejs_version: "2.5" - - nodejs_version: "3.3" - - nodejs_version: "4.9" - - nodejs_version: "5.12" - - nodejs_version: "6.17" - - nodejs_version: "7.10" - - nodejs_version: "8.16" - - nodejs_version: "9.11" - - nodejs_version: "10.24" - - nodejs_version: "11.15" - - nodejs_version: "12.22" - - nodejs_version: "13.14" - - nodejs_version: "14.19" - - nodejs_version: "15.14" - - nodejs_version: "16.14" - - nodejs_version: "17.8" -cache: - - node_modules -install: - # Install Node.js - - ps: >- - try { Install-Product node $env:nodejs_version -ErrorAction Stop } - catch { Update-NodeJsInstallation (Get-NodeJsLatestBuild $env:nodejs_version) } - # Configure npm - - ps: | - # Skip updating shrinkwrap / lock - npm config set shrinkwrap false - # Remove all non-test dependencies - - ps: | - # Remove coverage dependency - npm rm --silent --save-dev nyc - # Remove lint dependencies - cmd.exe /c "node -pe `"Object.keys(require('./package').devDependencies).join('\n')`"" | ` - sls "^eslint(-|$)" | ` - %{ npm rm --silent --save-dev $_ } - # Setup Node.js version-specific dependencies - - ps: | - # mocha for testing - # - use 3.x for Node.js < 4 - # - use 5.x for Node.js < 6 - # - use 6.x for Node.js < 8 - # - use 7.x for Node.js < 10 - # - use 8.x for Node.js < 12 - if ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev mocha@3.5.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev mocha@5.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev mocha@6.2.3 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 10) { - npm install --silent --save-dev mocha@7.2.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 12) { - npm install --silent --save-dev mocha@8.4.0 - } - - ps: | - # supertest for http calls - # - use 2.0.0 for Node.js < 4 
- # - use 3.4.2 for Node.js < 6 - if ([int]$env:nodejs_version.split(".")[0] -lt 4) { - npm install --silent --save-dev supertest@2.0.0 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 6) { - npm install --silent --save-dev supertest@3.4.2 - } elseif ([int]$env:nodejs_version.split(".")[0] -lt 8) { - npm install --silent --save-dev supertest@6.1.6 - } - # Update Node.js modules - - ps: | - # Prune & rebuild node_modules - if (Test-Path -Path node_modules) { - npm prune - npm rebuild - } - # Install Node.js modules - - npm install -build: off -test_script: - # Output version data - - ps: | - node --version - npm --version - # Run test script - - npm test -version: "{build}" diff --git a/package.json b/package.json index b70f167..38d3365 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "serve-static", "description": "Serve static files", - "version": "2.1.0", + "version": "2.2.0", "author": "Douglas Christopher Wilson ", "license": "MIT", "repository": "expressjs/serve-static", @@ -9,7 +9,7 @@ "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", - "send": "^1.0.0" + "send": "^1.2.0" }, "devDependencies": { "eslint": "7.32.0", @@ -21,7 +21,6 @@ "eslint-plugin-standard": "4.1.0", "mocha": "^10.7.0", "nyc": "^17.0.0", - "safe-buffer": "^5.2.1", "supertest": "^6.3.4" }, "files": [ diff --git a/scripts/version-history.js b/scripts/version-history.js index b8a2b0e..7938e69 100644 --- a/scripts/version-history.js +++ b/scripts/version-history.js @@ -30,7 +30,7 @@ if (historyFileLines[0].indexOf('x') !== -1) { } historyFileLines[0] = VERSION + ' / ' + getLocaleDate() -historyFileLines[1] = repeat('=', historyFileLines[0].length) +historyFileLines[1] = '='.repeat(historyFileLines[0].length) fs.writeFileSync(HISTORY_FILE_PATH, historyFileLines.join('\n')) 
@@ -42,22 +42,6 @@ function getLocaleDate () { zeroPad(now.getDate(), 2) } -function repeat (str, length) { - var out = '' - - for (var i = 0; i < length; i++) { - out += str - } - - return out -} - function zeroPad (number, length) { - var num = number.toString() - - while (num.length < length) { - num = '0' + num - } - - return num + return number.toString().padStart(length, '0') } diff --git a/test/test.js b/test/test.js index 6984bcd..9933eed 100644 --- a/test/test.js +++ b/test/test.js @@ -1,6 +1,5 @@ var assert = require('assert') -var Buffer = require('safe-buffer').Buffer var http = require('http') var path = require('path') var request = require('supertest')