Serve-static is a popular Node.js package for serving static files. Version 1.13.1, released on September 29, 2017, is a patch-level update to version 1.13.0, released a day earlier on September 28, 2017. The core functionality is unchanged: the package remains a simple middleware for delivering assets such as HTML, CSS, JavaScript and images from a root directory.
The one dependency change is send, which moves from 0.16.0 in 1.13.0 to 0.16.1 in 1.13.1. send is the component that actually streams the file and handles conditional and range requests, so a patch release there is the only place where the behaviour of the two serve-static versions can differ. Consult the send changelog for the specific fix rather than assuming a stability or performance change; nothing in serve-static's own code moved between these two releases.
Both versions declare the same development dependencies: eslint and its plugins with eslint-config-standard for linting and style enforcement, and mocha, supertest and istanbul for tests and coverage. These are used only when working on the package itself; none of them are installed by applications that depend on serve-static.
The MIT license and the author, Douglas Christopher Wilson, are unchanged. In short, 1.13.1 is 1.13.0 with a newer send and no API changes. Note that neither release includes the fix for the redirect template-injection issue listed below; that fix arrives in serve-static 1.16.0, so an application still on the 1.13.x line should plan that upgrade rather than treating 1.13.1 as the end of the story.
All the vulnerabilities related to version 1.13.1 of the package
serve-static vulnerable to template injection that can lead to XSS
Passing untrusted user input, even after sanitizing it, to redirect() may execute untrusted code.
This issue is patched in serve-static 1.16.0.
Users are encouraged to upgrade to serve-static 1.16.0 or later (or, where serve-static arrives as a dependency of express, to an express release that depends on the patched serve-static). Otherwise, work around the issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist rather than relying on escaping.
Successful exploitation of this vector requires the following:
send vulnerable to template injection that can lead to XSS
Passing untrusted user input, even after sanitizing it, to SendStream.redirect() may execute untrusted code.
This issue is patched in send 0.19.0.
Users are encouraged to upgrade to send 0.19.0 or later (or, where send arrives as a dependency of serve-static or express, to a release of those packages that depends on the patched send). Otherwise, work around the issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist rather than relying on escaping.
Successful exploitation of this vector requires the following: