From bd68938f02a572b9fab50a97c20c90e5dd235634 Mon Sep 17 00:00:00 2001 From: Necoti Date: Wed, 5 Mar 2025 17:55:02 +0300 Subject: [PATCH 1/4] Create SECURITY.md --- SECURITY.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..1066371 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,41 @@
+# LibrisAPI Security Policy
+
+At LibrisAPI, we are committed to maintaining the highest level of security for our users' data. This document outlines our security policies and how to report security vulnerabilities.
+
+## Supported Versions
+
+| Version | Support Status |
+| ------- | -------------- |
+| 1.x | Supported |
+| < 1.0 | Not Supported |
+
+Security updates will only be applied to supported versions.
+
+## Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in LibrisAPI, please report it to us by following these steps:
+
+1. **Description:** Prepare a detailed report that includes a description of the vulnerability, how to reproduce it, and the potential impact.
+2. **Contact:** Send your report via email to [core@necoti.dev](mailto:core@necoti.dev). Please encrypt your email (e.g., using GPG) and include your public key.
+3. **Confidentiality:** Avoid disclosing the vulnerability publicly. After contacting us, we will work together to resolve the issue and release the necessary updates.
+
+## Security Measures
+
+The following security measures are implemented in LibrisAPI:
+
+* **Password Hashing:** User passwords are securely hashed using bcryptjs.
+* **JWT (JSON Web Token) Authentication:** Authentication is performed securely using JWT.
+* **Input Validation:** User inputs are validated to prevent potential security vulnerabilities.
+* **HTTPS Usage:** Communication between the API and users is encrypted using the HTTPS protocol.
+* **Dependency Updates:** All dependencies used in the project are regularly updated to patch security vulnerabilities.
+* **Rate Limiting:** Request rates are limited to prevent abuse of the API.
+
+## Disclaimer
+
+LibrisAPI is provided "as is" and without any warranty. We are not responsible for any security breaches or data loss resulting from the use of this project.
+ +## Contact + +If you have any security-related questions or concerns, please contact us at [core@necoti.dev](mailto:core@necoti.dev). + +This core policy is continuously updated to ensure the core of LibrisAPI. Please check back regularly. From 0f58b6ae0e90fa0bf6a34ffe15cb9e6c595f3a3b Mon Sep 17 00:00:00 2001 From: Necoti Date: Wed, 5 Mar 2025 17:56:30 +0300 Subject: [PATCH 2/4] Create dependabot.yml --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..ed7ca7f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" From 66bcea23d44c1969eaa35febf79f42a287d6ec55 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Mar 2025 14:57:36 +0000 Subject: [PATCH 3/4] Bump mongoose from 8.11.0 to 8.12.1 Bumps [mongoose](https://github.com/Automattic/mongoose) from 8.11.0 to 8.12.1. - [Release notes](https://github.com/Automattic/mongoose/releases) - [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md) - [Commits](https://github.com/Automattic/mongoose/compare/8.11.0...8.12.1) --- updated-dependencies: - dependency-name: mongoose dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package-lock.json | 37 +++++++++++++++++++++++++------------ package.json | 2 +- 2 files changed, 26 insertions(+), 13 deletions(-) diff --git a/package-lock.json b/package-lock.json index 8f9a181..e569ce1 100644 --- a/package-lock.json +++ b/package-lock.json 
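Review bot: The two `updates` entries in the new `.github/dependabot.yml` configure Dependabot version updates only; whether advisory-driven security updates are raised is a repository setting (Dependabot alerts / security updates), not something this file switches on, so a dependency with a newly published advisory would otherwise wait for the `weekly` run. Worth saying so in the file, since SECURITY.md in this same series promises that dependencies are "regularly updated to patch security vulnerabilities": `# Version updates only: enable "Dependabot security updates" in the repo settings so advisory fixes open PRs immediately rather than on the weekly schedule.` For the `github-actions` entry, Dependabot also keeps SHA-pinned `uses:` references current, so pinning workflow actions to a full commit SHA with a `# vX.Y.Z` comment instead of a mutable tag costs nothing here and removes the tag-retarget supply-chain risk; no workflow files are visible in this series, so that applies to whatever workflows the repository has. The list indentation under `updates:` is not recoverable from this rendering (`- package-ecosystem` shows at one space), so confirm the committed YAML is indented as intended before relying on it.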
@@ -15,7 +15,7 @@ "express": "^4.18.2", "express-rate-limit": "^7.5.0", "jsonwebtoken": "^9.0.2", - "mongoose": "^8.0.3" + "mongoose": "^8.12.1" }, "devDependencies": { "nodemon": "^3.0.2" @@ -25,6 +25,7 @@ "version": "1.2.0", "resolved": "https://registry.npmjs.org/@mongodb-js/saslprep/-/saslprep-1.2.0.tgz", "integrity": "sha512-+ywrb0AqkfaYuhHs6LxKWgqbh3I72EpEgESCw37o+9qPx9WTCkgDm2B+eMrwehGtHBWHFU4GXvnSCNiFhhausg==", + "license": "MIT", "dependencies": { "sparse-bitfield": "^3.0.3" } @@ -32,12 +33,14 @@ "node_modules/@types/webidl-conversions": { "version": "7.0.3", "resolved": "https://registry.npmjs.org/@types/webidl-conversions/-/webidl-conversions-7.0.3.tgz", - "integrity": "sha512-CiJJvcRtIgzadHCYXw7dqEnMNRjhGZlYK05Mj9OyktqV8uVT8fD2BFOB7S1uwBE3Kj2Z+4UyPmFw/Ixgw/LAlA==" + "integrity": "sha512-CiJJvcRtIgzadHCYXw7dqEnMNRjhGZlYK05Mj9OyktqV8uVT8fD2BFOB7S1uwBE3Kj2Z+4UyPmFw/Ixgw/LAlA==", + "license": "MIT" }, "node_modules/@types/whatwg-url": { "version": "11.0.5", "resolved": "https://registry.npmjs.org/@types/whatwg-url/-/whatwg-url-11.0.5.tgz", "integrity": "sha512-coYR071JRaHa+xoEvvYqvnIHaVqaYrLPbsufM9BF63HkwI5Lgmy2QR8Q5K/lYDYo5AK82wOvSOS0UsLTpTG7uQ==", + "license": "MIT", "dependencies": { "@types/webidl-conversions": "*" } @@ -144,6 +147,7 @@ "version": "6.10.3", "resolved": "https://registry.npmjs.org/bson/-/bson-6.10.3.tgz", "integrity": "sha512-MTxGsqgYTwfshYWTRdmZRC+M7FnG1b4y7RO7p2k3X24Wq0yv1m77Wsj0BzlPzd/IowgESfsruQCUToa7vbOpPQ==", + "license": "Apache-2.0", "engines": { "node": ">=16.20.1" } @@ -781,7 +785,8 @@ "node_modules/memory-pager": { "version": "1.5.0", "resolved": "https://registry.npmjs.org/memory-pager/-/memory-pager-1.5.0.tgz", - "integrity": "sha512-ZS4Bp4r/Zoeq6+NLJpP+0Zzm0pR8whtGPf1XExKLJBAczGMnSi3It14OiNCStjQjM6NU1okjQGSxgEZN8eBYKg==" + "integrity": "sha512-ZS4Bp4r/Zoeq6+NLJpP+0Zzm0pR8whtGPf1XExKLJBAczGMnSi3It14OiNCStjQjM6NU1okjQGSxgEZN8eBYKg==", + "license": "MIT" }, "node_modules/merge-descriptors": { "version": "1.0.3", 
@@ -842,9 +847,10 @@ } }, "node_modules/mongodb": { - "version": "6.13.1", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.13.1.tgz", - "integrity": "sha512-gdq40tX8StmhP6akMp1pPoEVv+9jTYFSrga/g23JxajPAQhH39ysZrHGzQCSd9PEOnuEQEdjIWqxO7ZSwC0w7Q==", + "version": "6.14.2", + "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.14.2.tgz", + "integrity": "sha512-kMEHNo0F3P6QKDq17zcDuPeaywK/YaJVCEQRzPF3TOM/Bl9MFg64YE5Tu7ifj37qZJMhwU1tl2Ioivws5gRG5Q==", + "license": "Apache-2.0", "dependencies": { "@mongodb-js/saslprep": "^1.1.9", "bson": "^6.10.3", @@ -854,7 +860,7 @@ "node": ">=16.20.1" }, "peerDependencies": { - "@aws-sdk/credential-providers": "^3.632.0", + "@aws-sdk/credential-providers": "^3.188.0", "@mongodb-js/zstd": "^1.1.0 || ^2.0.0", "gcp-metadata": "^5.2.0", "kerberos": "^2.0.1", @@ -890,19 +896,21 @@ "version": "3.0.2", "resolved": "https://registry.npmjs.org/mongodb-connection-string-url/-/mongodb-connection-string-url-3.0.2.tgz", "integrity": "sha512-rMO7CGo/9BFwyZABcKAWL8UJwH/Kc2x0g72uhDWzG48URRax5TCIcJ7Rc3RZqffZzO/Gwff/jyKwCU9TN8gehA==", + "license": "Apache-2.0", "dependencies": { "@types/whatwg-url": "^11.0.2", "whatwg-url": "^14.1.0 || ^13.0.0" } }, "node_modules/mongoose": { - "version": "8.11.0", - "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-8.11.0.tgz", - "integrity": "sha512-xaQSuaLk2JKmXI5zDVVWXVCQTnWhAe8MFOijMnwOuP/wucKVphd3f+ouDKivCDMGjYBDrR7dtoyV0U093xbKqA==", + "version": "8.12.1", + "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-8.12.1.tgz", + "integrity": "sha512-UW22y8QFVYmrb36hm8cGncfn4ARc/XsYWQwRTaj0gxtQk1rDuhzDO1eBantS+hTTatfAIS96LlRCJrcNHvW5+Q==", + "license": "MIT", "dependencies": { - "bson": "^6.10.1", + "bson": "^6.10.3", "kareem": "2.6.3", - "mongodb": "~6.13.0", + "mongodb": "~6.14.0", "mpath": "0.9.0", "mquery": "5.0.0", "ms": "2.1.3", 
@@ -1111,6 +1119,7 @@ "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", + "license": "MIT", "engines": { "node": ">=6" } @@ -1342,6 +1351,7 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/sparse-bitfield/-/sparse-bitfield-3.0.3.tgz", "integrity": "sha512-kvzhi7vqKTfkh0PZU+2D2PIllw2ymqJKujUcyPMd9Y75Nv4nPbGJZXNhxsgdQab2BmlDct1YnfQCguEvHr7VsQ==", + "license": "MIT", "dependencies": { "memory-pager": "^1.0.2" } @@ -1399,6 +1409,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/tr46/-/tr46-5.0.0.tgz", "integrity": "sha512-tk2G5R2KRwBd+ZN0zaEXpmzdKyOYksXwywulIX95MBODjSzMIuQnQ3m8JxgbhnL1LeVo7lqQKsYa1O3Htl7K5g==", + "license": "MIT", "dependencies": { "punycode": "^2.3.1" }, @@ -1452,6 +1463,7 @@ "version": "7.0.0", "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz", "integrity": "sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==", + "license": "BSD-2-Clause", "engines": { "node": ">=12" } @@ -1460,6 +1472,7 @@ "version": "14.1.1", "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-14.1.1.tgz", "integrity": "sha512-mDGf9diDad/giZ/Sm9Xi2YcyzaFpbdLpJPr+E9fSkyQ7KpQD4SdFcugkRQYzhmfI4KeV4Qpnn2sKPdo+kmsgRQ==", + "license": "MIT", "dependencies": { "tr46": "^5.0.0", "webidl-conversions": "^7.0.0" diff --git a/package.json b/package.json index 53ab61c..9ac5e6a 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ "express": "^4.18.2", "express-rate-limit": "^7.5.0", "jsonwebtoken": "^9.0.2", - "mongoose": "^8.0.3" + "mongoose": "^8.12.1" }, "devDependencies": { "nodemon": "^3.0.2" From 3b3f5c796989076b9d675ffef03f7b2abee210f5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Mar 2025 14:57:41 +0000 Subject: [PATCH 4/4] Bump bcryptjs from 2.4.3 to 3.0.2 Bumps [bcryptjs](https://github.com/dcodeIO/bcrypt.js) from 2.4.3 to 3.0.2. - [Release notes](https://github.com/dcodeIO/bcrypt.js/releases) - [Commits](https://github.com/dcodeIO/bcrypt.js/compare/2.4.3...v3.0.2) --- updated-dependencies: - dependency-name: bcryptjs dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- package-lock.json | 12 ++++++++---- package.json | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 8f9a181..d4c396d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "license": "ISC", "dependencies": { - "bcryptjs": "^2.4.3", + "bcryptjs": "^3.0.2", "cors": "^2.8.5", "dotenv": "^16.3.1", "express": "^4.18.2", @@ -79,9 +79,13 @@ "dev": true }, "node_modules/bcryptjs": { - "version": "2.4.3", - "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz", - "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==" + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-3.0.2.tgz", + "integrity": "sha512-k38b3XOZKv60C4E2hVsXTolJWfkGRMbILBIe2IBITXciy5bOsTKot5kDrf3ZfufQtQOUN5mXceUEpU1rTl9Uog==", + "license": "BSD-3-Clause", + "bin": { + "bcrypt": "bin/bcrypt" + } }, "node_modules/binary-extensions": { "version": "2.3.0", diff --git a/package.json b/package.json index 53ab61c..471e6bf 100644 --- a/package.json +++ b/package.json @@ -8,7 +8,7 @@ "dev": "nodemon server.js" }, "dependencies": { - "bcryptjs": "^2.4.3", + "bcryptjs": "^3.0.2", "cors": "^2.8.5", "dotenv": "^16.3.1", "express": "^4.18.2",