From 71a0126f33ddf6805a18f470e90554c8853524cb Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:08:08 -0700 Subject: [PATCH 01/11] superfluous time artifact removal --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 4b56df7..084a6f8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -56,7 +56,7 @@ The following potential vulnerabilities were **resolved** after detection. - **Detected by:** Dependabot & Snyk - **Vulnerable package:** [path-to-regexp](https://www.npmjs.com/package/path-to-regexp) (via [serve](https://www.npmjs.com/package/serve)) -- **Detection times:** September 24, 2024, at 19:48 +- **Detection times:** - **Dependabot**: 2024-09-24 19:48 - **Snyk**: 2024-09-23 19:08 - **Resolution time:** 2024-09-25 5:05 From e03b30822114ef9c4e8bf451e0986c09680a3d9f Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:09:27 -0700 Subject: [PATCH 02/11] unordered lists replace comma-separated lists --- SECURITY.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 084a6f8..0e1c655 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -50,7 +50,9 @@ The following potential vulnerabilities were **resolved** after detection. - **CVSS (severity):** 8.3 (high) - **Advisory:** [GHSA-gcx4-mw62-g8wm](https://github.com/advisories/GHSA-gcx4-mw62-g8wm) - **CVE:** [CVE-2024-47068](https://nvd.nist.gov/vuln/detail/CVE-2024-47068) -- **CWEs:** [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)), [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output) +- **CWEs:** + - [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)) + - [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output) ### Regular expression denial of service (ReDoS) in `path-to-regexp` 
@@ -81,4 +83,6 @@ The following potential vulnerabilities were **resolved** after detection. - [#37](https://github.com/Stassi/leaf/pull/37) (feature/sanitize-tutorials-dom-xss) - **CVSS (severity):** 6.1 (medium) - **Advisory:** [CodeQL js/html-constructed-from-input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/) -- **CWEs:** [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)), [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output) +- **CWEs:** + - [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)) + - [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output) From 119ccb3f05a8b825a884b4aa0301e6b3a80feb8a Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:25:03 -0700 Subject: [PATCH 03/11] npm latest version badge screen reader text --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 0e1c655..fd1f83a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,7 @@ ## Updates -[![npm version](https://img.shields.io/npm/v/%40stassi%2Fleaf)](https://www.npmjs.com/package/@stassi/leaf) +[![The project's latest version published to the npm registry.](https://img.shields.io/npm/v/%40stassi%2Fleaf "npm latest version badge")](https://www.npmjs.com/package/@stassi/leaf) **Always use the latest version of `@stassi/leaf`** via the `npm update` command ([documentation](https://docs.npmjs.com/cli/v10/commands/npm-update)) to ensure the latest security updates are received. From 1dbba4705460efc69d50877a5cf6394bdc5ba176 Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:25:26 -0700 Subject: [PATCH 04/11] automated security analysis status badge screen reader text --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/SECURITY.md b/SECURITY.md index fd1f83a..add531c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,7 +16,7 @@ If you discover a **potential vulnerability in the `@stassi/leaf` codebase**, pl ## Maintenance -[![Security](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/security.yml) +[![Displays the pass-fail status of the project's automated security scans via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg "automated security analysis status badge")](https://github.com/Stassi/leaf/actions/workflows/security.yml) Automated security scans are integrated into the [continuous delivery (CD)](https://en.wikipedia.org/wiki/Continuous_delivery) pipeline. From 4d3c96444cff4f6f18757585560357bd772566e2 Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:27:59 -0700 Subject: [PATCH 05/11] title case --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index add531c..7fb533c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,7 +16,7 @@ If you discover a **potential vulnerability in the `@stassi/leaf` codebase**, pl ## Maintenance -[![Displays the pass-fail status of the project's automated security scans via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg "automated security analysis status badge")](https://github.com/Stassi/leaf/actions/workflows/security.yml) +[![Displays the pass-fail status of the project's automated security scans via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg "Automated security analysis status badge")](https://github.com/Stassi/leaf/actions/workflows/security.yml) Automated security scans are integrated into the [continuous delivery (CD)](https://en.wikipedia.org/wiki/Continuous_delivery) pipeline. From 85b49076c147799e050e82e0286a83c4112ac180 Mon Sep 17 00:00:00 2001 
From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:35:51 -0700 Subject: [PATCH 06/11] bold titles precede hyperlinks in list sub-elements (consistent formatting) --- SECURITY.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7fb533c..2c6e135 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -51,8 +51,8 @@ The following potential vulnerabilities were **resolved** after detection. - **Advisory:** [GHSA-gcx4-mw62-g8wm](https://github.com/advisories/GHSA-gcx4-mw62-g8wm) - **CVE:** [CVE-2024-47068](https://nvd.nist.gov/vuln/detail/CVE-2024-47068) - **CWEs:** - - [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)) - - [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output) + - **CWE-79**: [Cross-site scripting (XSS)](https://cwe.mitre.org/data/definitions/79.html) + - **CWE-116**: [Improper encoding or escaping of output](https://cwe.mitre.org/data/definitions/116.html) ### Regular expression denial of service (ReDoS) in `path-to-regexp` 
@@ -79,10 +79,10 @@ The following potential vulnerabilities were **resolved** after detection. - **Detection time:** 2024-09-24 16:03 - **Resolution time:** 2024-10-04 03:17 - **Resolution pull requests (PRs):** - - [#34](https://github.com/Stassi/leaf/pull/34) (feature/sanitize-leaflet) - - [#37](https://github.com/Stassi/leaf/pull/37) (feature/sanitize-tutorials-dom-xss) + - **#34**: [feature/sanitize-leaflet](https://github.com/Stassi/leaf/pull/34) + - **#37**: [feature/sanitize-tutorials-dom-xss](https://github.com/Stassi/leaf/pull/37) - **CVSS (severity):** 6.1 (medium) - **Advisory:** [CodeQL js/html-constructed-from-input](https://codeql.github.com/codeql-query-help/javascript/js-html-constructed-from-input/) - **CWEs:** - - [CWE-79](https://cwe.mitre.org/data/definitions/79.html) (Cross-site scripting (XSS)) - - [CWE-116](https://cwe.mitre.org/data/definitions/116.html) (Improper encoding or escaping of output) + - **CWE-79**: [Cross-site scripting (XSS)](https://cwe.mitre.org/data/definitions/79.html) + - **CWE-116**: [Improper encoding or escaping of output](https://cwe.mitre.org/data/definitions/116.html) From f70310f6413657a1266de27cfb0bd9b49346beb1 Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:41:07 -0700 Subject: [PATCH 07/11] screen reader text imported from `SECURITY.md` for badges: - automated security analysis status - npm latest version --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 58194ff..d7e2b27 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # leaf -[![npm version](https://img.shields.io/npm/v/%40stassi%2Fleaf)](https://www.npmjs.com/package/@stassi/leaf) +[![The project's latest version published to the npm registry.](https://img.shields.io/npm/v/%40stassi%2Fleaf "npm latest version badge")](https://www.npmjs.com/package/@stassi/leaf) [![npm license](https://img.shields.io/npm/l/%40stassi%2Fleaf)](LICENSE) [![npm types](https://img.shields.io/npm/types/%40stassi%2Fleaf)](tsconfig.json) [![Node.js LTS versions](https://img.shields.io/node/v-lts/%40stassi%2Fleaf)](package.json) @@ -8,6 +8,6 @@ [![Snyk package health](https://snyk.io/advisor/npm-package/@stassi/leaf/badge.svg)](https://snyk.io/advisor/npm-package/@stassi/leaf) [![Continuous integration (CI)](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml) [![Continuous delivery (CD)](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml) -[![Security](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/security.yml) +[![Displays the pass-fail status of the project's automated security scans via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg "Automated security analysis status badge")](https://github.com/Stassi/leaf/actions/workflows/security.yml) Leaflet adapter. From 8a5170d76f6c0db4fd78f83754819f5afca71896 Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 20:45:35 -0700 Subject: [PATCH 08/11] empty anchor prevents GitHub hyperlinking to badge provider image --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d7e2b27..86377cc 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ [![npm license](https://img.shields.io/npm/l/%40stassi%2Fleaf)](LICENSE) [![npm types](https://img.shields.io/npm/types/%40stassi%2Fleaf)](tsconfig.json) [![Node.js LTS versions](https://img.shields.io/node/v-lts/%40stassi%2Fleaf)](package.json) -![GitHub repo size](https://img.shields.io/github/repo-size/Stassi/leaf) +[![GitHub repo size](https://img.shields.io/github/repo-size/Stassi/leaf)](#) [![Snyk package health](https://snyk.io/advisor/npm-package/@stassi/leaf/badge.svg)](https://snyk.io/advisor/npm-package/@stassi/leaf) [![Continuous integration (CI)](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml) [![Continuous delivery (CD)](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml) From e2c7c5e75488a01b50d7f9ca8d17e6c615e6a2a8 Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 22:47:10 -0700 Subject: [PATCH 09/11] screen reader text inserted for all badges --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 86377cc..c7b8976 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,13 @@ # leaf [![The project's latest version published to the npm registry.](https://img.shields.io/npm/v/%40stassi%2Fleaf "npm latest version badge")](https://www.npmjs.com/package/@stassi/leaf) -[![npm license](https://img.shields.io/npm/l/%40stassi%2Fleaf)](LICENSE) -[![npm types](https://img.shields.io/npm/types/%40stassi%2Fleaf)](tsconfig.json) -[![Node.js LTS versions](https://img.shields.io/node/v-lts/%40stassi%2Fleaf)](package.json) -[![GitHub repo size](https://img.shields.io/github/repo-size/Stassi/leaf)](#) -[![Snyk package health](https://snyk.io/advisor/npm-package/@stassi/leaf/badge.svg)](https://snyk.io/advisor/npm-package/@stassi/leaf) -[![Continuous integration (CI)](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml) -[![Continuous delivery (CD)](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml/badge.svg)](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml) +[![The license information for this project.](https://img.shields.io/npm/l/%40stassi%2Fleaf "npm license badge")](LICENSE) +[![Indicates type definitions are included in the project.](https://img.shields.io/npm/types/%40stassi%2Fleaf "npm types badge")](tsconfig.json) +[![Lists Node.js LTS versions supported by this package.](https://img.shields.io/node/v-lts/%40stassi%2Fleaf "Node.js LTS versions badge")](package.json) +[![Displays the size of the project's GitHub repository in bytes.](https://img.shields.io/github/repo-size/Stassi/leaf "GitHub repository size badge")](#) +[![Displays the Snyk Advisor package health score for this project.](https://snyk.io/advisor/npm-package/@stassi/leaf/badge.svg "Snyk Advisor package health badge")](https://snyk.io/advisor/npm-package/@stassi/leaf) +[![Displays the status of the continuous integration (CI) 
workflow.](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml/badge.svg "Continuous integration status badge")](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml) +[![Displays the status of continuous delivery (CD) workflow.](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml/badge.svg "Continuous delivery status badge")](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml) [![Displays the pass-fail status of the project's automated security scans via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg "Automated security analysis status badge")](https://github.com/Stassi/leaf/actions/workflows/security.yml) Leaflet adapter. From 763bf04e86f193d574b41a9ea5699e0b580f74a1 Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 22:52:09 -0700 Subject: [PATCH 10/11] describe GitHub Actions in all applicable badges --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c7b8976..a8a9b4d 100644 --- a/README.md +++ b/README.md 
@@ -6,8 +6,8 @@ [![Lists Node.js LTS versions supported by this package.](https://img.shields.io/node/v-lts/%40stassi%2Fleaf "Node.js LTS versions badge")](package.json) [![Displays the size of the project's GitHub repository in bytes.](https://img.shields.io/github/repo-size/Stassi/leaf "GitHub repository size badge")](#) [![Displays the Snyk Advisor package health score for this project.](https://snyk.io/advisor/npm-package/@stassi/leaf/badge.svg "Snyk Advisor package health badge")](https://snyk.io/advisor/npm-package/@stassi/leaf) -[![Displays the status of the continuous integration (CI) workflow.](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml/badge.svg "Continuous integration status badge")](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml) -[![Displays the status of continuous delivery (CD) workflow.](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml/badge.svg "Continuous delivery status badge")](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml) +[![Displays the status of the continuous integration (CI) workflow via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml/badge.svg "Continuous integration status badge")](https://github.com/Stassi/leaf/actions/workflows/continuous-integration.yml) +[![Displays the status of continuous delivery (CD) workflow via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml/badge.svg "Continuous delivery status badge")](https://github.com/Stassi/leaf/actions/workflows/continuous-delivery.yml) [![Displays the pass-fail status of the project's automated security scans via GitHub Actions.](https://github.com/Stassi/leaf/actions/workflows/security.yml/badge.svg "Automated security analysis status badge")](https://github.com/Stassi/leaf/actions/workflows/security.yml) Leaflet adapter. 
From 1a265947a9b2c9d4f09537a00b1b1ba9f1a0b777 Mon Sep 17 00:00:00 2001 From: Andreas Stassivik Date: Fri, 4 Oct 2024 22:54:18 -0700 Subject: [PATCH 11/11] 0.0.41 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 34c89ad..764aecb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@stassi/leaf", - "version": "0.0.40", + "version": "0.0.41", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@stassi/leaf", - "version": "0.0.40", + "version": "0.0.41", "cpu": [ "arm64", "x64" diff --git a/package.json b/package.json index f32a17b..ce809a1 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@stassi/leaf", - "version": "0.0.40", + "version": "0.0.41", "description": "Leaflet adapter.", "keywords": [ "cartography",
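Review bot: the split detection times in PATCH 01 (SECURITY.md, hunk @@ -56,7 +56,7 @@) leave the disclosure timeline without a timezone, and the unchanged context line "- **Resolution time:** 2024-09-25 5:05" is not zero-padded like the new "2024-09-24 19:48" and "2024-09-23 19:08" entries; state the zone once (append "UTC" or the offset) and write "05:05" so the entries compare and sort cleanly. Note also that the new Snyk time is a day earlier than the single time the removed line stated, so the entry's earliest detection moved; confirm it against the Snyk report before merging.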
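Review bot: PATCH 06 rewrites exactly the CWE sub-list lines that PATCH 02 introduces ("- [CWE-79](...) (Cross-site scripting (XSS))" becomes "- **CWE-79**: [Cross-site scripting (XSS)](...)" in both SECURITY.md hunks), so the two commits should be squashed; the intermediate form with the nested parentheses "(Cross-site scripting (XSS))" never needs to exist in history.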
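Review bot: PATCH 05 changes only the capitalisation of the image title that PATCH 04 adds ("automated security analysis status badge" to "Automated security analysis status badge" in the same SECURITY.md line); fold it into PATCH 04 so the series does not carry a one-character fix-up commit.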
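Review bot: after PATCH 07 the npm-version and security-scan badge markup is duplicated verbatim between README.md and SECURITY.md (identical alt text, title text and targets), so any future wording change has to be applied in both files or they drift; either note that in the commit message or keep the badges in one place and link to it from the other.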
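Review bot: in PATCH 08 the repo-size badge becomes "[![GitHub repo size](...)](#)", a link whose destination is the current page, which assistive technology announces as a link and a click merely scrolls to the top; if the aim is only to stop GitHub from wrapping the bare image in a link to the shields.io image URL, point the anchor at the repository itself (https://github.com/Stassi/leaf, the badge's own subject) instead. PATCH 09 keeps the "(#)" target on the same badge, so the change applies there as well.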
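Review bot: in PATCH 09 the continuous delivery alt text "Displays the status of continuous delivery (CD) workflow." is missing "the" before "continuous delivery", while the CI line beside it reads "the continuous integration (CI) workflow"; PATCH 10 carries the omission forward ("Displays the status of continuous delivery (CD) workflow via GitHub Actions."), so fix the wording in PATCH 09 and let PATCH 10 inherit it. The repo-size alt text also asserts the size is "in bytes"; confirm that the shields.io repo-size badge reports in that unit rather than a scaled value, or drop the unit so the description cannot contradict what the badge renders.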
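Review bot: the 0.0.41 bump in PATCH 11 is consistent across package.json and both package-lock.json entries, but the ten preceding commits touch only README.md and SECURITY.md, so this publishes a new npm release whose only change is documentation; if that is intended, say so in the commit message (the subject is just "0.0.41"), since consumers following the "Always use the latest version" guidance in SECURITY.md will be prompted to update for it.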