@mashroom/mashroom-helmet - npm Package Versions


2.7.1 (July 8, 2024)

  • All package.json fixed to avoid errors during publishing
Published by jkofler


2.7.0 (July 8, 2024)

  • VHost Path Mapper: Replace the location header URL with the relative path if the host matches the frontend host. This saves an unnecessary round trip if the protocol does not match the frontend protocol (see #121)
  • VHost Path Mapper: Fixed reverse mapping of the location header if the URL is absolute
  • HTTP Proxy: Now adds a proper x-forwarded-host header (if createForwardedForHeaders is set)
  • HTTP Proxy: Added missing createForwardedForHeaders config prop to the JSON schema
  • Portal: It is now possible to configure what should happen if the authentication expires. Until now the strategy was to just reload the current page, now you can choose between multiple strategies:
    • stayOnPage
    • reload (Default, same behaviour as before)
    • redirect (redirect to another page)
    • displayDomElement (set display: block on the DOM element with given ID)
    BREAKING CHANGE: Mashroom Portal WebApp plugin properties warnBeforeAuthenticationExpiresSec and autoExtendAuthentication have been removed, instead it expects a configuration like this:
      "authenticationExpiration": {
        "warnBeforeExpirationSec": 60,
        "autoExtend": false,
        "onExpiration": {
          "strategy": "reload"
        }
      },
    
  • LDAP Security Provider: Replaced decommissioned ldapjs client
  • Session Plugin: Now uses a session cookie (without a maxAge) by default, so the session can only expire on the server side and not because the cookie expires
Published by jkofler


2.6.1 (May 12, 2024)

  • Portal: Fixed detection which App wrote a browser console error (the portalAppName will now be set properly in the server log)
Published by jkofler


2.6.0 (April 6, 2024)

  • Supply Chain Safety: Generate npm provenance statements when publishing (via Github Actions workflow)
  • Supply Chain Safety: Disabled all dependency lifecycle scripts by default
  • HTTP Proxy: Added support for transforming the request/response body. Proxy interceptors can now return streamTransformers (implementing stream.Transform) that can be used to compress/encrypt the communication to backend servers. See #116. Example:
    import zlib from 'zlib';
    import type {MashroomHttpProxyInterceptor} from '@mashroom/mashroom-http-proxy/type-definitions';

    export default class MyInterceptor implements MashroomHttpProxyInterceptor {
        async interceptRequest(targetUri) {
            // Compress request bodies sent to this backend and announce it via content-encoding
            if (targetUri.startsWith('https://my-backend-server.com')) {
                return {
                    addHeaders: {
                        'content-encoding': 'gzip',
                    },
                    streamTransformers: [
                        zlib.createGzip(),
                    ],
                };
            }
        }
        async interceptResponse(targetUri, existingHeaders) {
            // Decompress gzip responses from that backend before they reach the client
            if (targetUri.startsWith('https://my-backend-server.com') && existingHeaders['content-encoding'] === 'gzip') {
                return {
                    removeHeaders: [
                        'content-encoding',
                    ],
                    streamTransformers: [
                        zlib.createGunzip(),
                    ],
                };
            }
        }
    }

  • HTTP Proxy: Removed request based proxy implementation because the module is deprecated for over 4 years now
  • Upgrade to Express 4.19 + all other libraries upgraded
  • Portal: Fixed the problem that remote subscriptions can receive the same message multiple times if subscription patterns overlap (see #115)
Published by jkofler


2.5.4 (January 28, 2024)

  • HTTP Proxy: Ignore empty headers added by HTTP interceptors because they would lead to an error
  • HTTP Proxy: Don't log an error if the client aborts during sending the request body
  • Portal: Don't log an error if the client aborts before the resource response is being sent (Error: aborted)
Published by jkofler


2.5.3 (January 22, 2024)

  • Remote App Registry: Renamed and added metrics:
    • Renamed: mashroom_remote_apps_total -> mashroom_remote_app_endpoints_total
    • Renamed: mashroom_remote_apps_error_total -> mashroom_remote_app_endpoints_error_total
    • Renamed: mashroom_remote_apps_connection_timeout_total -> mashroom_remote_app_endpoints_connection_timeout_total
    • Added: mashroom_remote_app_endpoints_connection_failed_total
    • Added: mashroom_remote_app_k8s_services_connection_failed_total
  • K8S Remote App Registry: Renamed and added metrics:
    • Renamed: mashroom_remote_apps_k8s_total -> mashroom_remote_app_k8s_services_total
    • Renamed: mashroom_remote_apps_k8s_error_total -> mashroom_remote_app_k8s_services_error_total
    • Renamed: mashroom_remote_apps_k8s_connection_timeout_total -> mashroom_remote_app_k8s_services_connection_timeout_total
    • Added: mashroom_remote_app_k8s_services_no_plugin_definition_total
    • Added: mashroom_remote_app_k8s_services_connection_failed_total
  • K8S Remote App Registry: Added a config property serviceProcessingBatchSize that determines how many services are processed in parallel. Can be used to optimize the time until the plugin (and therefore the Pod) gets ready on Kubernetes.
  • Remote App Registry: Made sure all endpoint URLs are properly registered before the first scan starts
  • Remote App Registry and K8S Remote App Registry: Improved error handling (shows now in the Admin UI which kind of error occurred, e.g. Timeout)
Published by jkofler


2.5.2 (January 19, 2024)

  • Background Jobs: Fixed measuring execution time for async jobs
  • Background Jobs: Added a config property invokeImmediately to invoke the job immediately once (in addition to the cron schedule)
  • Remote App Registry and K8S Remote App Registry: Made sure the plugins do not get ready until the first full scan has completed. On Kubernetes this means the Pod only gets ready if all Remote Apps have been registered already.
Published by jkofler


2.5.1 (January 17, 2024)

  • Portal: Doesn't log an error anymore if the client just aborted the connection (ERR_STREAM_PREMATURE_CLOSE)
Published by jkofler


2.5.0 (January 10, 2024)

  • PM2 Metric Exporter: Now allows grabbing the OpenTelemetry metrics from PM2 workers via inter-process communication. Works similar to the approach previously implemented in the Prometheus Metric Exporter, only the serialization to Prometheus format is not done automatically

  • Prometheus Metric Exporter: BREAKING CHANGE: Removed the possibility to fetch prometheus metrics via inter-process communication within a PM2 cluster

  • Metrics Collector: Now uses OpenTelemetry to gather and export metrics. Changes:

    • The collector service now supports asynchronous metric gathering via callback
    • It is now possible to directly use the OpenTelemetry API
    • The metrics are more accurate since they get measured during export

    Due to the API structure of OpenTelemetry there are also BREAKING CHANGES if you use the metrics collector service in your custom plugins:

    • Summary metrics are no longer available (use Prometheus histogram_quantile())
    • Aggregation is no longer integrated (use Prometheus aggregations)
    • Histograms: observe() has been renamed to record()
    • Counters now exist as a synchronous version with only an inc() method and as an asynchronous version with a set() method
    • Gauges now only exist as a synchronous version with a set() method
    • Asynchronous metrics can be used in the service.addObservableCallback() callback, like so:
      const collectorService: MashroomMonitoringMetricsCollectorService = pluginContext.services.metrics.service;
    
      collectorService.addObservableCallback((asyncCollectorService) => {
          // ... somehow get the value to measure
          asyncCollectorService.gauge('http_pool_active_connections', 'HTTP Pool Active Connections').set(theValue);
      });
    
  • Portal: Added metrics for remote resource requests (mashroom_portal_remote_resources_), like request count, error count and pool stats

  • HTTP Proxy: The proxies no longer automatically add x-forwarded- headers, because if you are using public APIs you might not want to disclose details of your internal network. Added a new config property createForwardedForHeaders to explicitly turn this feature on again. Also fixed the implementation: it now takes existing headers from reverse proxies into consideration and keeps or extends them (which means x-forwarded-for now also contains the IP address of the original client if there are reverse proxies).

  • HTTP Proxy: Added metrics:

    • mashroom_http_proxy_requests_ws_connection_errors

    BREAKING CHANGE: Renamed metrics:

    • mashroom_http_proxy_requests_connection_errors -> mashroom_http_proxy_requests_http_connection_errors
    • mashroom_http_proxy_requests_timeouts -> mashroom_http_proxy_requests_http_timeouts
  • HTTP Proxy: The pool properties like poolMaxSocketsPerHost are now only for HTTP requests, WebSockets are handled separately and can be limited by wsMaxConnectionsPerHost

  • HTTP Proxy: Added a new implementation based on the Node.js Stream API, which is also the default now. It deliberately does not use any 3rd party libraries, because those available (like request and node-http-server) are either deprecated or unmaintained. It uses the Stream.pipeline API introduced in Node.js 10, which has improved error handling and cleanup mechanisms compared to the old Readable.pipe used by most libraries. The performance and resource usage characteristics are very similar to the node-http-proxy based implementation. According to our tests you can even expect slightly improved throughput. If you run into trouble here you can switch back to the previous implementation like this:

     "Mashroom Http Proxy Services": {
       "proxyImpl": "nodeHttpProxy"
     }
    
  • HTTP Proxy: Return HTTP 502 (Bad Gateway) instead of 503 if the target does not respond or is not available

  • HTTP Proxy: Fixed target URL in metrics (protocol part contained two colons)

  • Portal: Fetching and delivering App resources (js/css) improved

    • Fetching resources from remote servers and slow network devices has now a proper timeout set, because non-responding servers could potentially lead to a memory leak due to an increasing number of socket/file handles
    • The content-length header is now always correctly set
    • For remote resources, 502 (Bad Gateway) or 504 (Gateway Timeout) is returned instead of just 500 if something goes wrong
    • Properties like timeout and max sockets can now be set like this in the server config:
       "Mashroom Portal WebApp": {
         "resourceFetchConfig": {
           "fetchTimeoutMs": 3000,
           "httpMaxSocketsPerHost": 10,
           "httpRejectUnauthorized": true
         }
       }
      
  • mashroom-utils refactoring: Added an index file that should be used exclusively to import utils. BREAKING CHANGE: If you have used mashroom-utils in your custom plugins you have to change the imports

  • LDAP Security Provider: Fixed escaping of special characters in the DN. Didn't work if the same special character occurred multiple times.

  • Dropped support for Node.js 16 - required is now >= 18

  • All 3rd party libraries upgraded and switched to npm workspaces for dependency management. BREAKING CHANGE: The request.session type no longer accepts arbitrary properties; you have to declare your session properties like this now:

      declare module 'express-session' {
        interface SessionData {
          foo?: string;
        }
      }
    
  • File Storage: Performance improvements:

    • It polls for external changes to the DB file every checkExternalChangePeriodMs instead of with every access. This will reduce the CPU load slightly. The default value of checkExternalChangePeriodMs is now 100, but you can increase it further if you run a single server, the config is read-only, or performance is more important than consistency
    • The DB file will no longer be reloaded periodically, but only if the modified timestamp of the DB file changes
  • HTTP Proxy: fixed deprecated API usages
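The createForwardedForHeaders behaviour described in this release (and the x-forwarded-host addition in 2.7.0 above), as an added example that is not the project's own proxy code; the request objects, IP addresses and host names are constructed:

```javascript
// Added example (not Mashroom's implementation): compute the x-forwarded-* headers
// for a proxied request. Nothing is added unless createForwardedForHeaders is enabled,
// and headers set by an upstream reverse proxy are kept and extended, not overwritten.
function buildForwardedHeaders(clientReq, createForwardedForHeaders) {
    if (!createForwardedForHeaders) {
        // Default: disclose nothing about the internal network to the target
        return {};
    }
    const incoming = clientReq.headers;
    const peerIp = clientReq.socket.remoteAddress;
    const headers = {};

    // x-forwarded-for: keep the chain from upstream proxies and append the peer that reached us,
    // so the original client IP survives even when one or more reverse proxies sit in front
    const forwardedFor = incoming['x-forwarded-for'];
    headers['x-forwarded-for'] = forwardedFor ? `${forwardedFor}, ${peerIp}` : peerIp;

    // x-forwarded-host / x-forwarded-proto: the first proxy's view of the client request wins
    headers['x-forwarded-host'] = incoming['x-forwarded-host'] || incoming.host;
    headers['x-forwarded-proto'] = incoming['x-forwarded-proto'] || (clientReq.socket.encrypted ? 'https' : 'http');
    return headers;
}

// Constructed sample requests shaped like http.IncomingMessage (only the fields used above)
const directRequest = {
    headers: { host: 'portal.example.com' },
    socket: { remoteAddress: '203.0.113.10', encrypted: true },
};
const viaReverseProxy = {
    headers: {
        host: 'portal-internal:5050',
        'x-forwarded-for': '198.51.100.7',
        'x-forwarded-host': 'portal.example.com',
        'x-forwarded-proto': 'https',
    },
    socket: { remoteAddress: '10.0.0.2', encrypted: false },
};

module.exports = { buildForwardedHeaders, directRequest, viaReverseProxy };
```

Incoming x-forwarded-* values are trusted as written, so the hop that first sets them must be a reverse proxy you control; otherwise a client can supply its own values.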

Published by jkofler


2.4.5 (November 29, 2023)

  • Portal: It is now guaranteed that all client-side (browser) errors are actually sent to the server and logged there, even if there is a huge number of errors and also on the browser unload event.
  • Core: Fixed deprecation warnings from the spdy module. It is now loaded lazily, but since it is no longer maintained and only works with Node.js <= 14, HTTP/2 support is de-facto broken. Shouldn't be a big deal because usually a reverse proxy handles HTTP/2 and TLS.