koa - npm Package Compare versions

Comparing version 2.16.1 to 2.16.2

lib/response.js

@@ -243,2 +243,18 @@
 
+  _getBackReferrer() {
+    const referrer = this.ctx.get('Referrer');
+    if (referrer) {
+      // referrer is a relative path
+      if (referrer.startsWith('/')) {
+        return referrer;
+      }
+
+      // referrer is an absolute URL, check if it's the same origin
+      const url = new URL(referrer, this.ctx.href);
+      if (url.host === this.ctx.host) {
+        return referrer;
+      }
+    }
+  },
+
   /**
@@ -265,3 +281,6 @@ * Perform a 302 redirect to `url`.
     // location
-    if ('back' === url) url = this.ctx.get('Referrer') || alt || '/';
+    if ('back' === url) {
+      url = this._getBackReferrer() || alt || '/';
+    }
+
     if (/^https?:\/\//i.test(url)) {
@@ -268,0 +287,0 @@ // formatting url again avoid security escapes

package.json

 {
   "name": "koa",
-  "version": "2.16.1",
+  "version": "2.16.2",
+  "publishConfig": {
+    "access": "public",
+    "tag": "latest-2"
+  },
   "description": "Koa web app framework",
@@ -5,0 +9,0 @@ "main": "lib/application.js",

New alerts

Network access

Supply chain risk

This module accesses the network.

Found 4 instances in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Fixed alerts

Network access

Supply chain risk

This module accesses the network.

Found 4 instances in 1 package

Debug access

Supply chain risk

Uses debug, reflection and dynamic code execution features.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

62243

0.79%

Lines of code

1649

0.98%

No dependency changes