
Vulnerabilities #375

Open
ghost opened this issue Aug 13, 2020 · 11 comments

ghost commented Aug 13, 2020

I would like to host the staticman repository on Heroku, but when I download it with "git clone" and then run the "npm install" command, at least 1000 vulnerabilities are found, of which 7 are serious. Even after running "npm update" or "npm audit fix", several vulnerabilities still remain. Is there a way to solve these vulnerabilities by updating the dependencies, and is there any difference with the "deploy on heroku" button on the repo? Does this option ("deploy on heroku") run a newer version of staticman, or is it affected by the same vulnerabilities?

P.S. Thanks to this repository I approached the world of nodejs; I'm opening this issue just to understand.

@shaftoe
Collaborator

shaftoe commented Aug 13, 2020

Welcome to the NodeJS world @0xfederico !

I don't know exactly how the Heroku button works, but I'm pretty sure it will deploy whatever is in the master/main branch right now.

Unfortunately, afaik at the moment npm has no built-in way to upgrade all package dependencies, and you should use something like ncu for that purpose.

@ghost
Author

ghost commented Aug 13, 2020

Thanks @shaftoe for the reply, I'm going to look into ncu, I didn't know about it.
Thank you!

@tikicoder

Yes, but there is still 1 high-severity issue: Rate Limiting Bypass.

@tikicoder

It also appears that in doing so it updates gitlab, which looks to remove es5 from it, and now I get:
{ Error: Cannot find module 'gitlab/dist/es5'
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:582:15)
at Function.Module._load (internal/modules/cjs/loader.js:508:25)
at Module.require (internal/modules/cjs/loader.js:637:17)
at require (internal/modules/cjs/helpers.js:22:18)
at Object.<anonymous> (/home/rtruex/RonBlog/threemysticapes_gatsby/staticman/staticman/lib/GitLab.js:5:19)
at Module._compile (internal/modules/cjs/loader.js:701:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:712:10)
at Module.load (internal/modules/cjs/loader.js:600:32)
at tryModuleLoad (internal/modules/cjs/loader.js:539:12)
at Function.Module._load (internal/modules/cjs/loader.js:531:3) code: 'MODULE_NOT_FOUND' }

@tikicoder

tikicoder commented Sep 19, 2020

@0xfederico @shaftoe
I have created a fork (and submitted a PR)
that updates the packages and the code to work with the packages, at least for GitHub. With the PR below I created a PR in my git repo.
https://github.com/tikicoder/staticman
#383

@shaftoe
Collaborator

shaftoe commented Sep 19, 2020

I'm sorry @tikicoder but I'm not active on Staticman anymore, I'm currently developing a very stripped down alternative to Staticman based on Probot called static-comments and you are welcome to contribute, give feedback, etc.:

https://github.com/shaftoe/static-comments

@tikicoder

@shaftoe I will have to make a note of it; if I had known about that before I got staticman working locally (and hopefully in GCP connected to my GitHub) I would have completely made the shift. However, now that I have made the change, I'm not sure I want to change unless it runs on serverless (functions as a service), like GCP Cloud Functions, AWS Lambda, or Azure Functions. If so, I will probably make sure to switch sooner rather than later.

At first glance it looks like it's missing at least 1 key piece (Google reCAPTCHA), and I just got that working on staticman. Either that or at some point I might roll my own, pivoting my forked staticman. It looks like this community isn't as active as it once was.

@shaftoe
Collaborator

shaftoe commented Sep 19, 2020

@tikicoder I started the project just a few days ago anyway (and yes, mostly because Staticman feels a little abandoned, but most importantly I personally need just a small subset of features), so no need to feel frustrated about not jumping in earlier 😉

So far I haven't had any need for a reCAPTCHA for my personal website (https://a.l3x.in), which is very low traffic; it sounds like a sensible feature to have though. Please feel free to open an issue/pull request on static-comments, and who knows, maybe it will get done (it doesn't sound too complicated, but I don't actually know; I might even try to implement it myself).

Serverless: that was my initial idea but I put that on hold when I saw Probot has announced that the next version (v11) will be mostly dedicated to add serverless support for various platforms. Please feel free to join the conversation and drop your ideas there too: https://github.com/probot/probot/milestone/4

@tikicoder

@shaftoe
What I am thinking of doing is taking my fork and killing all endpoints minus 2: the encrypt one and the entry one. Then adding the functionality to limit the repo and the branches that you can submit to as part of the settings. All the rest is fluff.

@shaftoe
Collaborator

shaftoe commented Sep 20, 2020

@tikicoder how about GH auth? At the moment using Probot (or static-comments) has the benefit of making it a GH app, which means you get repo-level auth out of the box (it doesn't address limiting branch access though; I never thought it might be needed). I'm not sure that is possible with Staticman, or at least it's not well documented.

Out of curiosity, what's your use case for the /encrypt endpoint?

@tikicoder

@shaftoe
I used that to encrypt the recaptcha server secret.

I know a GH app would be better. In Staticman I just updated the entry endpoint to ensure the branch and property are what I expect, and if not I reject it. I need to test, but it should work.

Since I am not as familiar with this, I'm making small changes until I can do it right, or until a better solution has the minimum I need without me spending a lot to add it.
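One way to implement the repo/branch/property check tikicoder describes above, as an added example that is not code from the Staticman project or from any participant in this thread. It assumes a Staticman-style route of the form /v2/entry/:username/:repository/:branch/:property and an allow-list configuration that is constructed here for the sample; the names `isAllowedTarget` and `requireAllowedTarget` are hypothetical.

```javascript
// Added example (not Staticman's own code): allow-list the targets that the
// entry endpoint may write to, and reject everything else before any Git
// provider API call is made.
//
// Assumed route shape: /v2/entry/:username/:repository/:branch/:property

// Constructed sample configuration: the only targets permitted to receive entries.
const ALLOWED_TARGETS = [
  {
    username: 'example-user',
    repository: 'example-blog',
    branches: ['main'],
    properties: ['comments'],
  },
];

// A path segment must be a plain name: no slashes, no empty string, no spaces.
// This rejects values like "../other" before they are ever compared.
const SEGMENT_RE = /^[A-Za-z0-9._-]+$/;

// Pure check: true only if every segment is well formed AND the exact
// (username, repository, branch, property) tuple is on the allow-list.
function isAllowedTarget(params, allowed = ALLOWED_TARGETS) {
  const { username, repository, branch, property } = params || {};
  for (const value of [username, repository, branch, property]) {
    if (typeof value !== 'string' || !SEGMENT_RE.test(value)) return false;
  }
  return allowed.some(
    (t) =>
      t.username === username &&
      t.repository === repository &&
      t.branches.includes(branch) &&
      t.properties.includes(property)
  );
}

// Express-style middleware (hypothetical name): 403 on any target not allowed,
// so a rejected request never reaches the code that opens a PR or commits.
function requireAllowedTarget(allowed = ALLOWED_TARGETS) {
  return function (req, res, next) {
    if (!isAllowedTarget(req.params, allowed)) {
      res.status(403).json({ success: false, errorCode: 'TARGET_NOT_ALLOWED' });
      return;
    }
    next();
  };
}
```

Mounting `requireAllowedTarget()` ahead of the entry handler keeps the existing handler unchanged; the allow-list itself would normally come from the deployment's configuration rather than a constant.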
