fix(security): npm audit fix + GitLeaks allowlist for indexnow.js
- npm audit fix: устранены 5 vulnerabilities (где возможно без --force): - path-to-regexp <0.1.13 (ReDoS, HIGH) - nodemailer 6.x patch - qs 6.7.x DoS (transitively через body-parser + express) - .gitleaks.toml: расширен allowlist для scripts/indexnow.js* и scripts/indexnow-ping.sh — содержат публичный IndexNow KEY, не секрет. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -15,6 +15,11 @@ paths = [
|
|||||||
'''public/[a-f0-9]{32}\.txt''',
|
'''public/[a-f0-9]{32}\.txt''',
|
||||||
'''^[a-f0-9]{32}\.txt$''',
|
'''^[a-f0-9]{32}\.txt$''',
|
||||||
|
|
||||||
|
# IndexNow ping-скрипты содержат `const KEY = '<32hex>'` —
|
||||||
|
# тот же публичный ключ, не секрет (для авторизации перед Яндекс/Bing API).
|
||||||
|
'''scripts/indexnow\.(js|mjs|sh|ts)$''',
|
||||||
|
'''scripts/indexnow-ping\.sh$''',
|
||||||
|
|
||||||
# Legacy WordPress plugin code (akismet, jetpack, wpforms-lite, wp-cache).
|
# Legacy WordPress plugin code (akismet, jetpack, wpforms-lite, wp-cache).
|
||||||
# Все "ключи" внутри — placeholder/template/internal параметры,
|
# Все "ключи" внутри — placeholder/template/internal параметры,
|
||||||
# не настоящие секреты. Импортировано из старого WP-сайта как static.
|
# не настоящие секреты. Импортировано из старого WP-сайта как static.
|
||||||
|
|||||||
33
package-lock.json
generated
33
package-lock.json
generated
@@ -17,7 +17,6 @@
|
|||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@types/sanitize-html": "^2.16.0",
|
"@types/sanitize-html": "^2.16.0",
|
||||||
"fast-xml-parser": "^4.5.0",
|
|
||||||
"sharp": "^0.34.5"
|
"sharp": "^0.34.5"
|
||||||
},
|
},
|
||||||
"engines": {
|
"engines": {
|
||||||
@@ -2409,25 +2408,6 @@
|
|||||||
"xml-naming": "^0.1.0"
|
"xml-naming": "^0.1.0"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/fast-xml-parser": {
|
|
||||||
"version": "4.5.6",
|
|
||||||
"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.6.tgz",
|
|
||||||
"integrity": "sha512-Yd4vkROfJf8AuJrDIVMVmYfULKmIJszVsMv7Vo71aocsKgFxpdlpSHXSaInvyYfgw2PRuObQSW2GFpVMUjxu9A==",
|
|
||||||
"dev": true,
|
|
||||||
"funding": [
|
|
||||||
{
|
|
||||||
"type": "github",
|
|
||||||
"url": "https://github.com/sponsors/NaturalIntelligence"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"license": "MIT",
|
|
||||||
"dependencies": {
|
|
||||||
"strnum": "^1.0.5"
|
|
||||||
},
|
|
||||||
"bin": {
|
|
||||||
"fxparser": "src/cli/cli.js"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"node_modules/fdir": {
|
"node_modules/fdir": {
|
||||||
"version": "6.5.0",
|
"version": "6.5.0",
|
||||||
"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
|
"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
|
||||||
@@ -4517,19 +4497,6 @@
|
|||||||
"url": "https://github.com/sponsors/wooorm"
|
"url": "https://github.com/sponsors/wooorm"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/strnum": {
|
|
||||||
"version": "1.1.2",
|
|
||||||
"resolved": "https://registry.npmjs.org/strnum/-/strnum-1.1.2.tgz",
|
|
||||||
"integrity": "sha512-vrN+B7DBIoTTZjnPNewwhx6cBA/H+IS7rfW68n7XxC1y7uoiGQBxaKzqucGUgavX15dJgiGztLJ8vxuEzwqBdA==",
|
|
||||||
"dev": true,
|
|
||||||
"funding": [
|
|
||||||
{
|
|
||||||
"type": "github",
|
|
||||||
"url": "https://github.com/sponsors/NaturalIntelligence"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"license": "MIT"
|
|
||||||
},
|
|
||||||
"node_modules/svgo": {
|
"node_modules/svgo": {
|
||||||
"version": "4.0.1",
|
"version": "4.0.1",
|
||||||
"resolved": "https://registry.npmjs.org/svgo/-/svgo-4.0.1.tgz",
|
"resolved": "https://registry.npmjs.org/svgo/-/svgo-4.0.1.tgz",
|
||||||
|
|||||||
Reference in New Issue
Block a user