Version Details and Security Vulnerabilities

📦

serve-index

1.5.3

Comparision Betweeen 1.5.3 and 1.5.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.5.3 Details

Serve-index is a valuable Node.js middleware for Express applications, enabling automatic directory listings, enhancing the development experience and facilitating file sharing. Comparing version 1.5.3 with its predecessor, 1.5.2, reveals incremental improvements focusing on dependency updates.

Specifically, version 1.5.3 updates accepts from ~1.1.3 to ~1.1.4, mime-types from ~2.0.3 to ~2.0.4, and http-errors from ~1.2.7 to ~1.2.8. These updates likely include bug fixes, performance tweaks, and security enhancements within those respective dependencies. Additionally, istanbul was updated from 0.3.3 to 0.3.5.

For developers using serve-index, these changes imply a more reliable and potentially faster experience. While the core functionality of serving directory listings remains consistent, leveraging the latest dependencies ensures compatibility and takes advantage of the improvements made by the wider Node.js ecosystem. The updates to mime-types would suggest further improvements to file extentions definitions. Consequently, upgrading to version 1.5.3 is recommended for projects already using serve-index, as it offers a refined middleware solution. Staying updated with revisions such as these ensures the ongoing operation and stability of your software.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

serve-index

1.5.3

Comparision Betweeen 1.5.3 and 1.5.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.5.3 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.5.3 of the package serve-index.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.5.3 of the package

Summary:

Cross-Site Scripting in serve-index

Details:

Versions 1.6.2 and earlier of serve-index are affected by a cross-site scripting vulnerability. Because file and directory names are not escaped in the module's HTML output, a remote attacker that can influence file or directory names can launch a persistent cross-site scripting attack on the application.

Recommendation

Update to version 1.6.3 or later.

Details about serve-index@1.5.3

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.

Details about debug@2.1.3

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@2.1.3

Summary:

Regular Expression Denial of Service in ms

Details:

Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of Concept

var ms = require('ms');
var genstr = function (len, chr) {
   var result = "";
   for (i=0; i<=len; i++) {
       result = result + chr;
   }

   return result;
}

ms(genstr(process.argv[2], "5") + " minutea");

Results

Showing increase in execution time based on the input string.

$ time node ms.js 10000

real	0m0.758s
user	0m0.724s
sys	0m0.031s

$ time node ms.js 20000

real	0m2.580s
user	0m2.494s
sys	0m0.047s

$ time node ms.js 30000

real	0m5.747s
user	0m5.483s
sys	0m0.080s

$ time node ms.js 80000

real	0m41.022s
user	0m38.894s
sys	0m0.529s

Details about ms@0.7.0

Summary:

Vercel ms Inefficient Regular Expression Complexity vulnerability

Details:

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

Details about ms@0.7.0

Summary:

Regular Expression Denial of Service in negotiator

Details:

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.

Recommendation

Update to version 0.6.1 or later.

Details about negotiator@0.4.9

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.5.3 of the package serve-index.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.5.3 of the package

Summary:

Cross-Site Scripting in serve-index

Details:

Recommendation

Update to version 1.6.3 or later.

Details about serve-index@1.5.3

Summary:

debug Inefficient Regular Expression Complexity vulnerability

Details:

Details about debug@2.1.3

Summary:

Regular Expression Denial of Service in debug

Details:

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.

Details about debug@2.1.3

Summary:

Regular Expression Denial of Service in ms

Details:

Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of Concept

var ms = require('ms');
var genstr = function (len, chr) {
   var result = "";
   for (i=0; i<=len; i++) {
       result = result + chr;
   }

   return result;
}

ms(genstr(process.argv[2], "5") + " minutea");

Results

Showing increase in execution time based on the input string.

$ time node ms.js 10000

real	0m0.758s
user	0m0.724s
sys	0m0.031s

$ time node ms.js 20000

real	0m2.580s
user	0m2.494s
sys	0m0.047s

$ time node ms.js 30000

real	0m5.747s
user	0m5.483s
sys	0m0.080s

$ time node ms.js 80000

real	0m41.022s
user	0m38.894s
sys	0m0.529s

Details about ms@0.7.0

Summary:

Vercel ms Inefficient Regular Expression Complexity vulnerability

Details:

Details about ms@0.7.0

Summary:

Regular Expression Denial of Service in negotiator

Details:

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.

Recommendation

Update to version 0.6.1 or later.

Details about negotiator@0.4.9

Version Details and Security Vulnerabilities

serve-index

Comparision Betweeen 1.5.3 and 1.5.2

Version 1.5.3 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

serve-index

Comparision Betweeen 1.5.3 and 1.5.2

Version 1.5.3 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Recommendation

Recommendation

Proof of Concept

Results

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Recommendation

Recommendation

Proof of Concept

Results

Recommendation

Version Details and Security Vulnerabilities

serve-index

Comparision Betweeen 1.5.3 and 1.5.2

Version 1.5.3 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

serve-index

Comparision Betweeen 1.5.3 and 1.5.2

Version 1.5.3 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

serve-index@1.5.3 GHSA-v633-x5vv-hqwc 6.1

Recommendation

debug@2.1.3 GHSA-9vvw-cc9w-f27h 7.5

debug@2.1.3 GHSA-gxpj-cx7g-858c 3.7

Recommendation

ms@0.7.0 GHSA-3fx5-fwvr-xrjg 7.5

Proof of Concept

Results

ms@0.7.0 GHSA-w9mr-4mfr-499f 5.3

negotiator@0.4.9 GHSA-7mc5-chhp-fmc3 N/A

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

serve-index@1.5.3 GHSA-v633-x5vv-hqwc 6.1

Recommendation

debug@2.1.3 GHSA-9vvw-cc9w-f27h 7.5

debug@2.1.3 GHSA-gxpj-cx7g-858c 3.7

Recommendation

ms@0.7.0 GHSA-3fx5-fwvr-xrjg 7.5

Proof of Concept

Results

ms@0.7.0 GHSA-w9mr-4mfr-499f 5.3

negotiator@0.4.9 GHSA-7mc5-chhp-fmc3 N/A

Recommendation