New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
bedrock-express
Advanced tools
bedrock-express - npm Package Compare versions
Comparing version 6.2.0 to 6.2.1
| # bedrock-express ChangeLog | ||
| ## 6.2.1 - 2022-01-16 | ||
| ### Fixed | ||
| - Add patch to ensure current CORS behavior continues for bedrock-express | ||
| servers running on localhost. This is mostly for development purposes, | ||
| but does apply to any bedrock-express server that actually does run | ||
| in production on localhost. A new CORS security feature has been added | ||
| to Chrome to stop cross-origin requests from being made to private | ||
| networks (without specific permission via a new CORS header). The | ||
| header is: | ||
| `Access-control-allow-private-network: true` | ||
| This change enables sending that header on every response -- if the | ||
| bedrock server's host is configured such that the string `localhost` | ||
| appears in its value. This alone will not enable CORS on an endpoint, | ||
| the `Access-control-allow-origin` header must also be set. This | ||
| header is only set if the `cors` middleware has been used (or some | ||
| other means has been used) on a specific route. Therefore, this change | ||
| should not expose any routes that were not previously exposed via | ||
| CORS headers, rather, it should only enable any routes that were | ||
| previously exposed to continue to be hit just like before, provided | ||
| that they are running on localhost. If the server runs on some other | ||
| private network, the new version of Chrome will not allow them to be | ||
| accessed even if the other CORS headers have been set, because this | ||
| patch will not set the new header in that case. If this feature needs | ||
| to be disabled, set `bedrock.config.express.allowLocalhostCors=false`. | ||
| ## 6.2.0 - 2022-01-11 | ||
@@ -4,0 +32,0 @@ |
@@ -67,2 +67,11 @@ /*! | ||
| // until the `cors` middleware helps address this; there's a new spec at: | ||
| // https://wicg.github.io/private-network-access/ | ||
| // that has been implemented by Chrome that now prevents CORS from working | ||
| // when developing on localhost; this config option, by default, allows the | ||
| // previous behavior to continue when the bedrock server's host uses | ||
| // `localhost` in its name; to enable this new security feature on localhost, | ||
| // this config option has to be set to `false` | ||
| config.express.allowLocalhostCors = true; | ||
| /* | ||
@@ -69,0 +78,0 @@ * The Fastify module exports a factory function that is used to create new |
@@ -157,2 +157,10 @@ /* | ||
| } | ||
| // patch to disable new CORS private network restriction (when server is | ||
| // exposed on localhost) unless specifically turned off by config | ||
| if(config.express.allowLocalhostCors && | ||
| config.server.host.includes('localhost')) { | ||
| app.use(_allowLocalhostCors); | ||
| } | ||
| // static config | ||
@@ -575,1 +583,12 @@ const configStatic = | ||
| } | ||
| // until the `cors` middleware helps address this; there's a new spec at: | ||
| // https://wicg.github.io/private-network-access/ | ||
| // that has been implemented by Chrome that now prevents CORS from working | ||
| // when developing on localhost; this function allows the previous behavior | ||
| // to continue but does not allow the new security feature to be turned on | ||
| // when running on localhost (though this may be an uncommon use case) | ||
| function _allowLocalhostCors(req, res, next) { | ||
| res.setHeader('Access-Control-Allow-Private-Network', 'true'); | ||
| next(); | ||
| } |
| { | ||
| "name": "bedrock-express", | ||
| "version": "6.2.0", | ||
| "version": "6.2.1", | ||
| "description": "Bedrock express module", | ||
@@ -5,0 +5,0 @@ "main": "lib", |
No alert changes
Improved metrics
- Total package byte prevSize
49913
6.03%- Lines of code
635
3.93%No dependency changes