@ladjs/web - npm Package Compare versions

Comparing version 0.1.1 to 0.1.3

index.js

@@ -7,3 +7,2 @@ const http = require('http');
 const _ = require('lodash');
-const Boom = require('boom');
 const Koa = require('koa');
@@ -35,3 +34,2 @@ const Cabin = require('cabin');
 const flash = require('koa-better-flash');
-const CSRF = require('koa-csrf');
 const StoreIPAddress = require('@ladjs/store-ip-address');
@@ -45,2 +43,4 @@ const isajax = require('koa-isajax');
 const StateHelper = require('@ladjs/state-helper');
+const Boom = require('boom');
+const CSRF = require('koa-csrf');
 
@@ -91,2 +91,15 @@ class Server {
         cookiesKey: process.env.COOKIES_KEY || 'lad.sid',
+        // <https://github.com/pillarjs/cookies#cookiesset-name--value---options-->
+        // <https://github.com/koajs/generic-session/blob/master/src/session.js#L32-L38>
+        cookies: {
+          httpOnly: true,
+          path: '/',
+          overwrite: true,
+          signed: true,
+          maxAge: 24 * 60 * 60 * 1000,
+          secure: process.env.WEB_PROTOCOL === 'https',
+          // we use SameSite cookie support as an alternative to CSRF
+          // <https://scotthelme.co.uk/csrf-is-dead/>
+          sameSite: 'lax'
+        },
         livereload: {
@@ -219,3 +232,9 @@ port: process.env.LIVERELOAD_PORT || 35729
     app.keys = this.config.sessionKeys;
-    app.use(session({ store: redisStore, key: this.config.cookiesKey }));
+    app.use(
+      session({
+        store: redisStore,
+        key: this.config.cookiesKey,
+        cookie: this.config.cookies
+      })
+    );
 
@@ -244,3 +263,2 @@ // flash messages
 
-    // csrf (with added localization support)
     app.use((ctx, next) => {
@@ -252,2 +270,4 @@ // TODO: add cookies key until koa-better-error-handler issue is resolved
     });
+
+    // csrf (with added localization support)
     app.use(async (ctx, next) => {
@@ -254,0 +274,0 @@ if (process.env.NODE_ENV === 'test') {

package.json

 {
   "name": "@ladjs/web",
   "description": "Web server for Lad",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "author": "Nick Baugh <niftylettuce@gmail.com> (http://niftylettuce.com/)",
@@ -49,3 +49,3 @@ "bugs": {
     "koa-simple-ratelimit": "^2.3.3",
-    "koa-views": "https://github.com/niftylettuce/koa-views",
+    "koa-views": "^6.1.3",
     "lodash": "^4.17.4",
@@ -62,3 +62,3 @@ "redis": "^2.8.0"
     "cross-env": "^5.1.1",
-    "eslint": "^4.13.0",
+    "eslint": "^4.13.1",
     "eslint-config-prettier": "^2.9.0",
@@ -69,3 +69,3 @@ "eslint-plugin-prettier": "^2.3.1",
     "nyc": "^11.3.0",
-    "prettier": "^1.9.1",
+    "prettier": "^1.9.2",
     "remark-cli": "^4.0.0",
@@ -72,0 +72,0 @@ "remark-preset-github": "^0.0.7",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

HTTP dependency

Supply chain risk

Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.

Found 1 instance in 1 package

Manifest confusion

Supply chain risk

This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

256328

increased by0.22%

Lines of code

314

increased by6.44%

Number of high supply chain risk alerts

0

decreased by-100%

Number of medium supply chain risk alerts

2

decreased by-33.33%

Worsened metrics

Number of low supply chain risk alerts

23

increased by4.55%

Dependency changes

• + Added@isaacs/cliui@8.0.2(transitive)

• + Added@one-ini/wasm@0.1.1(transitive)

• + Added@pkgjs/parseargs@0.11.0(transitive)

• + Addedabbrev@2.0.0(transitive)

• + Addedansi-regex@5.0.16.1.0(transitive)

• + Addedansi-styles@4.3.06.2.1(transitive)

• + Addedbalanced-match@1.0.2(transitive)

• + Addedbluebird@3.7.2(transitive)

• + Addedbrace-expansion@2.0.1(transitive)

• + Addedcolor-convert@2.0.1(transitive)

• + Addedcolor-name@1.1.4(transitive)

• + Addedcommander@10.0.1(transitive)

• + Addedcondense-newlines@0.2.1(transitive)

• + Addedconfig-chain@1.1.13(transitive)

• + Addedconsolidate@0.15.1(transitive)

• + Addedcross-spawn@7.0.3(transitive)

• + Addedeastasianwidth@0.2.0(transitive)

• + Addededitorconfig@1.0.4(transitive)

• + Addedemoji-regex@8.0.09.2.2(transitive)

• + Addedextend-shallow@2.0.1(transitive)

• + Addedforeground-child@3.3.0(transitive)

• + Addedget-paths@0.0.7(transitive)

• + Addedglob@10.4.5(transitive)

• + Addedini@1.3.8(transitive)

• + Addedis-buffer@1.1.6(transitive)

• + Addedis-extendable@0.1.1(transitive)

• + Addedis-fullwidth-code-point@3.0.0(transitive)

• + Addedis-whitespace@0.3.0(transitive)

• + Addedisexe@2.0.0(transitive)

• + Addedjackspeak@3.4.3(transitive)

• + Addedjs-beautify@1.15.1(transitive)

• + Addedjs-cookie@3.0.5(transitive)

• + Addedkind-of@3.2.2(transitive)

• + Addedkoa-send@5.0.1(transitive)

• + Addedkoa-views@6.3.1(transitive)

• + Addedlru-cache@10.4.3(transitive)

• + Addedminimatch@9.0.19.0.5(transitive)

• + Addedminipass@7.1.2(transitive)

• + Addednopt@7.2.1(transitive)

• + Addedpackage-json-from-dist@1.0.0(transitive)

• + Addedpath-key@3.1.1(transitive)

• + Addedpath-scurry@1.11.1(transitive)

• + Addedpify@4.0.1(transitive)

• + Addedpretty@2.0.0(transitive)

• + Addedproto-list@1.2.4(transitive)

• + Addedsemver@7.6.3(transitive)

• + Addedshebang-command@2.0.0(transitive)

• + Addedshebang-regex@3.0.0(transitive)

• + Addedsignal-exit@4.1.0(transitive)

• + Addedstring-width@4.2.35.1.2(transitive)

• + Addedstrip-ansi@6.0.17.1.0(transitive)

• + Addedwhich@2.0.2(transitive)

• + Addedwrap-ansi@7.0.08.1.0(transitive)

• Updatedkoa-views@^6.1.3