mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-03 10:40:44 +08:00
df482c9cf2
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [uuid](https://redirect.github.com/uuidjs/uuid) | [`^13.0.0` → `^14.0.0`](https://renovatebot.com/diffs/npm/uuid/13.0.0/14.0.0) |  |  | --- ### uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided [GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) <details> <summary>More information</summary> #### Details ##### Summary `v3`, `v5`, and `v6` accept external output buffers but do not reject out-of-range writes (small `buf` or large `offset`). By contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on invalid bounds. This inconsistency allows **silent partial writes** into caller-provided buffers. ##### Affected code - `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds validation. - `src/v6.ts` writes `buf[offset + i]` without bounds validation. ##### Reproducible PoC ```bash cd /home/StrawHat/uuid npm ci npm run build node --input-type=module -e " import {v4,v5,v6} from './dist-node/index.js'; const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8'; for (const [name,fn] of [ ['v4',()=>v4({},new Uint8Array(8),4)], ['v5',()=>v5('x',ns,new Uint8Array(8),4)], ['v6',()=>v6({},new Uint8Array(8),4)], ]) { try { fn(); console.log(name,'NO_THROW'); } catch(e){ console.log(name,'THREW',e.name); } }" ``` Observed: - `v4 THREW RangeError` - `v5 NO_THROW` - `v6 NO_THROW` Example partial overwrite evidence captured during audit: ```text same true buf [ 170, 170, 170, 170, 75, 224, 100, 63 ] v6 [ 187, 187, 187, 187, 31, 19, 185, 64 ] ``` ##### Security impact - **Primary**: integrity/robustness issue (silent partial output). - If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error. - In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw. ##### Suggested fix Add the same guard used by `v4`/`v1`/`v7`: ```ts if (offset < 0 || offset + 16 > buf.length) { throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`); } ``` Apply to: - `src/v35.ts` (covers `v3` and `v5`) - `src/v6.ts` #### Severity - CVSS Score: 6.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq) - [https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34](https://redirect.github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34) - [https://github.com/uuidjs/uuid/releases/tag/v14.0.0](https://redirect.github.com/uuidjs/uuid/releases/tag/v14.0.0) - [https://github.com/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>uuidjs/uuid (uuid)</summary> ### [`v14.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1400-2026-04-19) [Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0) ##### Security - Fixes [GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq): `v3()`, `v5()`, and `v6()` did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid `offset` was provided. A `RangeError` is now thrown if `offset < 0` or `offset + 16 > buf.length`. ##### ⚠ BREAKING CHANGES - `crypto` is now expected to be globally defined (requires node\@​20+) ([#​935](https://redirect.github.com/uuidjs/uuid/issues/935)) - drop node\@​18 support ([#​934](https://redirect.github.com/uuidjs/uuid/issues/934)) - upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEzOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
95 lines
3.0 KiB
JSON
95 lines
3.0 KiB
JSON
{
|
|
"name": "@affine/electron",
|
|
"private": true,
|
|
"version": "0.26.3",
|
|
"main": "./dist/main.js",
|
|
"author": "toeverything",
|
|
"repository": {
|
|
"url": "https://github.com/toeverything/AFFiNE",
|
|
"type": "git"
|
|
},
|
|
"description": "AFFiNE Desktop App",
|
|
"homepage": "https://github.com/toeverything/AFFiNE",
|
|
"exports": {
|
|
"./helper/exposed": "./src/helper/exposed.ts",
|
|
"./main/exposed": "./src/main/exposed.ts",
|
|
"./preload/electron-api": "./src/preload/electron-api.ts",
|
|
"./preload/shared-storage": "./src/preload/shared-storage.ts",
|
|
"./main/shared-state-schema": "./src/main/shared-state-schema.ts",
|
|
"./main/updater/event": "./src/main/updater/event.ts",
|
|
"./main/windows-manager": "./src/main/windows-manager/index.ts"
|
|
},
|
|
"scripts": {
|
|
"start": "electron .",
|
|
"dev": "cross-env DEV_SERVER_URL=http://localhost:8080 node ./scripts/dev.ts",
|
|
"dev:prod": "node ./scripts/dev.ts",
|
|
"build": "cross-env NODE_ENV=production node ./scripts/build-layers.ts",
|
|
"build:dev": "node ./scripts/build-layers.ts",
|
|
"generate-assets": "node ./scripts/generate-assets.ts",
|
|
"package": "electron-forge package",
|
|
"make": "electron-forge make",
|
|
"make-squirrel": "node ./scripts/make-squirrel.ts",
|
|
"make-nsis": "node ./scripts/make-nsis.ts"
|
|
},
|
|
"devDependencies": {
|
|
"@affine-tools/utils": "workspace:*",
|
|
"@affine/i18n": "workspace:*",
|
|
"@affine/native": "workspace:*",
|
|
"@affine/nbstore": "workspace:*",
|
|
"@electron-forge/cli": "^7.11.1",
|
|
"@electron-forge/core": "^7.11.1",
|
|
"@electron-forge/maker-deb": "^7.11.1",
|
|
"@electron-forge/maker-dmg": "^7.11.1",
|
|
"@electron-forge/maker-flatpak": "^7.11.1",
|
|
"@electron-forge/maker-squirrel": "^7.11.1",
|
|
"@electron-forge/maker-zip": "^7.11.1",
|
|
"@electron-forge/plugin-auto-unpack-natives": "^7.11.1",
|
|
"@electron-forge/plugin-fuses": "^7.11.1",
|
|
"@electron-forge/shared-types": "^7.11.1",
|
|
"@reforged/maker-appimage": "^5.2.0",
|
|
"@sentry/electron": "^7.10.0",
|
|
"@sentry/esbuild-plugin": "^5.1.1",
|
|
"@toeverything/infra": "workspace:*",
|
|
"@types/set-cookie-parser": "^2.4.10",
|
|
"@vitejs/plugin-react": "^5.2.0",
|
|
"app-builder-lib": "^26.8.1",
|
|
"builder-util-runtime": "^9.5.1",
|
|
"cross-env": "^10.1.0",
|
|
"debug": "^4.4.0",
|
|
"electron": "^39.0.0",
|
|
"electron-log": "^5.4.3",
|
|
"electron-squirrel-startup": "1.0.1",
|
|
"electron-window-state": "^5.0.3",
|
|
"esbuild": "^0.25.0",
|
|
"fs-extra": "^11.2.0",
|
|
"glob": "^11.0.0",
|
|
"lodash-es": "^4.17.23",
|
|
"msw": "^2.13.2",
|
|
"nanoid": "^5.1.6",
|
|
"rxjs": "^7.8.2",
|
|
"semver": "^7.7.3",
|
|
"tree-kill": "^1.2.2",
|
|
"typescript": "^5.9.3",
|
|
"uuid": "^14.0.0",
|
|
"vitest": "^4.0.18",
|
|
"zod": "^3.25.76"
|
|
},
|
|
"dependencies": {
|
|
"async-call-rpc": "^6.4.2",
|
|
"electron-updater": "^6.8.3",
|
|
"link-preview-js": "^4.0.0",
|
|
"set-cookie-parser": "^2.7.1",
|
|
"yjs": "^13.6.27"
|
|
},
|
|
"build": {
|
|
"protocols": [
|
|
{
|
|
"name": "affine",
|
|
"schemes": [
|
|
"affine"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|