renovate[bot]
aa759cc879
chore(deps): update dependency ts-jest to v29.1.5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 02:21:47 +00:00
renovate[bot]
c3fd6993d2
chore(deps): update dependency @tsconfig/node18 to v18.2.4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 02:15:21 +00:00
renovate[bot]
58defe5b3a
chore(deps): update dependency cypress to v13.6.6
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-28 22:52:41 +00:00
renovate[bot]
2cc71588fe
fix(deps): update dependency ws to v8.17.1 [security]
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 00:43:05 +02:00
renovate[bot]
d31b2af368
chore(deps): update codemirror
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-28 22:41:17 +00:00
renovate[bot]
de8f1abe2e
chore(deps): update dependency @dicebear/converter to v7.0.5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-28 22:38:49 +00:00
renovate[bot]
6a6fd3b099
chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.6.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 00:33:01 +02:00
renovate[bot]
7773fe1bdb
fix(deps): pin dependency @node-rs/argon2 to 1.8.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-28 22:23:56 +00:00
Erik Michelson
f30f0d8e51
fix(passwords): use argon2id instead of bcrypt
...
Docker / build-and-push (backend) (push) Has been cancelled
Docker / build-and-push (frontend) (push) Has been cancelled
E2E Tests / backend-sqlite (push) Has been cancelled
E2E Tests / backend-mariadb (push) Has been cancelled
E2E Tests / backend-postgres (push) Has been cancelled
E2E Tests / Build test build of frontend (push) Has been cancelled
Lint and check format / Lint files and check formatting (push) Has been cancelled
REUSE Compliance Check / reuse (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Static Analysis / Njsscan code scanning (push) Has been cancelled
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
E2E Tests / frontend-cypress (1) (push) Has been cancelled
E2E Tests / frontend-cypress (2) (push) Has been cancelled
E2E Tests / frontend-cypress (3) (push) Has been cancelled
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.
While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].
This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).
The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.
[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-08 20:29:23 +02:00
renovate[bot]
3513377d2d
fix(deps): update dependency next to v14.1.1 [security]
...
Docker / build-and-push (frontend) (push) Has been cancelled
E2E Tests / backend-sqlite (push) Has been cancelled
Docker / build-and-push (backend) (push) Has been cancelled
E2E Tests / backend-mariadb (push) Has been cancelled
E2E Tests / backend-postgres (push) Has been cancelled
E2E Tests / Build test build of frontend (push) Has been cancelled
E2E Tests / frontend-cypress (1) (push) Has been cancelled
E2E Tests / frontend-cypress (2) (push) Has been cancelled
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Lint and check format / Lint files and check formatting (push) Has been cancelled
REUSE Compliance Check / reuse (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Static Analysis / Njsscan code scanning (push) Has been cancelled
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Run tests & build / Test and build with NodeJS ${{ matrix.node }} (true, 20) (push) Has been cancelled
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-10 07:42:49 +00:00
renovate[bot]
662de1e9f8
fix(deps): update dependency reveal.js to v5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 11:40:15 +02:00
renovate[bot]
9aaec95398
fix(deps): update dependency @nestjs/schedule to v4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 11:31:07 +02:00
renovate[bot]
8b501915f5
chore(deps): upgrade redux packages
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 10:55:38 +02:00
renovate[bot]
ad3859c9df
fix(deps): update dependency katex to v0.16.10 [security]
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-25 23:21:37 +00:00
renovate[bot]
a6c2bbe1e7
fix(deps): update dependency copy-webpack-plugin to v12
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-23 01:36:41 +01:00
renovate[bot]
f56abf74e0
fix(deps): update dependency sass to v1.71.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-01 18:10:49 +01:00
renovate[bot]
61bf3adf99
chore(deps): update linters
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-01 17:51:22 +01:00
renovate[bot]
5775b07b2d
chore(deps): update dependency @types/node to v20.11.18
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-15 15:34:38 +00:00
renovate[bot]
fc7b6f8d3d
fix(deps): update dependency @orama/orama to v2.0.6
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-13 21:34:53 +00:00
renovate[bot]
ecce1adc16
fix(deps): update nestjs packages to v10.3.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 13:13:48 +00:00
renovate[bot]
3dad5fce2c
fix(deps): update dependency twemoji-colr-font to v15
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 12:47:14 +01:00
renovate[bot]
e7f33c9002
chore(deps): update dependency turbo to v1.12.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 01:23:50 +01:00
renovate[bot]
b47d728698
fix(deps): update dependency markdown-it-emoji to v3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 00:46:57 +01:00
renovate[bot]
144b8e29d8
fix(deps): update dependency react-i18next to v14
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-11 23:58:52 +01:00
Erik Michelson
e7e7f84f7b
chore(deps): regenerate lockfile
...
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-02-11 23:54:55 +01:00
renovate[bot]
7a2f0c5c4b
chore(deps): lock file maintenance
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 23:17:20 +00:00
Tilman Vatteroth
d8c22f62f1
regenerate yarn.lock
...
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
a090070c79
fix(deps): update dependency mermaid to v10.8.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
73e34755a1
fix(deps): update dependency joi to v17.12.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
315d43f209
fix(deps): update dependency htmlparser2 to v9.1.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
b87a978f25
fix(deps): update dependency flowchart.js to v1.18.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
b58c475f83
fix(deps): update dependency express-session to v1.18.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
c871b69324
fix(deps): update dependency abcjs to v6.3.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
c8d4607101
fix(deps): update dependency @redux-devtools/core to v3.14.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
0eb473e5fc
chore(deps): update typescript-eslint monorepo to v6.21.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
37af638054
chore(deps): update testing-library
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
eb71573227
chore(deps): update linters
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
01257ea7ac
chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.5.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
d1bc150035
fix(deps): update vega
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
2d1428333d
fix(deps): update i18next
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
d089634369
fix(deps): update dependency ws to v8.16.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
dcaeb98fa1
fix(deps): update dependency tlds to v1.250.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
1257d070ba
fix(deps): update dependency sass to v1.70.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
20c41578f3
fix(deps): update dependency reflect-metadata to v0.2.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
609883f7a4
fix(deps): update dependency react-use to v17.5.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
de1c7f769b
fix(deps): update dependency react-bootstrap to v2.10.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
01a24607ce
chore(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
970686202d
chore(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
1ccf02bab6
fix(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
0474dbbac8
fix(deps): update dependency typeorm to v0.3.20
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
