From 40bf5f86da299c3a457d2594bf65ae720257d333 Mon Sep 17 00:00:00 2001
From: Jan Dvorak
Date: Thu, 29 Apr 2021 13:24:18 +0200
Subject: [PATCH 01/14] Start work on security policy
---
SECURITY.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..7b86670c5e
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | ------------------ |
+| 2.x.y | ✅ |
+| 1.12.x | 🚧 |
+| < 1.11.x | ❌ |
+
+## Reporting a Vulnerability
+
+
From d91c87f50d5629ba92addc945539affc1d17dd8a Mon Sep 17 00:00:00 2001
From: Jan Dvorak
Date: Thu, 6 May 2021 13:11:42 +0200
Subject: [PATCH 02/14] Adjust policy from Node.js
---
SECURITY.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/SECURITY.md b/SECURITY.md
index 7b86670c5e..2f26021cd7 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -10,4 +10,50 @@ ## Reporting a Vulnerability +Report security bugs to security@meteor.com. +Your report will be acknowledged within 24 hours, and you’ll receive a more +detailed response to your report within 48 hours indicating the next steps in +handling your submission. + +After the initial reply to your report, the security team will endeavor to keep +you informed of the progress being made towards a fix and full announcement, +and may ask for additional information or guidance surrounding the reported +issue. + +## Reporting a security bug in a third party module + +Security bugs in third party modules should be reported to their respective +maintainers. + +Thank you for improving the security of Meteor and its ecosystem. Your efforts +and responsible disclosure are greatly appreciated and will be acknowledged. + +## Disclosure policy + +Here is the security disclosure policy for Meteor + +* The security report is received and is assigned a primary handler. This + person will coordinate the fix and release process. The problem is confirmed + and a list of all affected versions is determined. Code is audited to find + any potential similar problems. Fixes are prepared for all releases which are + still under maintenance. These fixes are not committed to the public + repository but rather held locally pending the announcement. + +* A suggested embargo date for this vulnerability is chosen and a CVE (Common + Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability. + +* On the embargo date, the Node.js security mailing list is sent a copy of the + announcement. The changes are pushed to the public repository and new builds + are deployed to nodejs.org. Within 6 hours of the mailing list being + notified, a copy of the advisory will be published on the Node.js blog. + +* Typically the embargo date will be set 72 hours from the time the CVE is + issued. 
However, this may vary depending on the severity of the bug or + difficulty in applying a fix. + +* This process can take some time, especially when coordination is required + with maintainers of other projects. Every effort will be made to handle the + bug in as timely a manner as possible; however, it’s important that we follow + the release process above to ensure that the disclosure is handled in a + consistent manner. From 4717ded30be63c01a93b6f057ae9423a74116bb9 Mon Sep 17 00:00:00 2001 From: Harry Adel Date: Tue, 11 May 2021 12:22:53 +0200 Subject: [PATCH 03/14] Replace lolex with @sinonjs/fake-timers --- .../.npm/package/npm-shrinkwrap.json | 18 ++++++++++++++---- packages/ddp-client/package.js | 2 +- .../test/livedata_connection_tests.js | 4 ++-- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/packages/ddp-client/.npm/package/npm-shrinkwrap.json b/packages/ddp-client/.npm/package/npm-shrinkwrap.json index 5d2c645d18..f8f3715903 100644 --- a/packages/ddp-client/.npm/package/npm-shrinkwrap.json +++ b/packages/ddp-client/.npm/package/npm-shrinkwrap.json 
@@ -1,10 +1,20 @@ { "lockfileVersion": 1, "dependencies": { - "lolex": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/lolex/-/lolex-2.3.2.tgz", - "integrity": "sha512-A5pN2tkFj7H0dGIAM6MFvHKMJcPnjZsOMvR7ujCjfgW5TbV6H9vb1PgxLtHvjqNZTHsUolz+6/WEO0N1xNx2ng==" + "@sinonjs/commons": { + "version": "1.8.3", + "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.3.tgz", + "integrity": "sha512-xkNcLAn/wZaX14RPlwizcKicDk9G3F8m2nU3L7Ukm5zBgTwiT0wsoFAHx9Jq56fJA1z/7uKGtCRu16sOUCLIHQ==" + }, + "@sinonjs/fake-timers": { + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-7.0.5.tgz", + "integrity": "sha512-fUt6b15bjV/VW93UP5opNXJxdwZSbK1EdiwnhN7XrQrcpaOhMJpZ/CjwFpM3THpxwA+YviBUJKSuEqKlCK5alw==" + }, + "type-detect": { + "version": "4.0.8", + "resolved": "https://registry.npmjs.org/type-detect/-/type-detect-4.0.8.tgz", + "integrity": "sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==" } } } diff --git a/packages/ddp-client/package.js b/packages/ddp-client/package.js index ff13d25b8e..ec6a76bdae 100644 --- a/packages/ddp-client/package.js +++ b/packages/ddp-client/package.js @@ -5,7 +5,7 @@ Package.describe({ }); Npm.depends({ - lolex: '2.3.2' + '@sinonjs/fake-timers': '7.0.5' }); Package.onUse((api) => { diff --git a/packages/ddp-client/test/livedata_connection_tests.js b/packages/ddp-client/test/livedata_connection_tests.js index b66855fc6c..32e014ccbf 100644 --- a/packages/ddp-client/test/livedata_connection_tests.js +++ b/packages/ddp-client/test/livedata_connection_tests.js @@ -1,4 +1,4 @@ -import lolex from 'lolex'; +import FakeTimers from '@sinonjs/fake-timers'; import { DDP } from '../common/namespace.js'; import { Connection } from '../common/livedata_connection.js'; 
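Review bot: `Npm.depends({ '@sinonjs/fake-timers': '7.0.5' })` in packages/ddp-client/package.js declares a fake-timer library as a dependency of the whole package, yet the only consumer visible in this patch is test/livedata_connection_tests.js. The shrinkwrap hunk shows the swap turning one pinned module into three (`@sinonjs/commons`, `@sinonjs/fake-timers`, `type-detect`), so the set of third-party code installed with the package grows for what appears to be a test-only helper. If the package system has a test-scoped way to declare it, that would be the better place; otherwise a comment above the entry such as `// test-only: used by test/livedata_connection_tests.js` would record why it is there.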
@@ -114,7 +114,7 @@ Tinytest.add('livedata stub - receive data', function(test) { Tinytest.add('livedata stub - buffering data', function(test) { // Install special setTimeout that allows tick-by-tick control in tests using sinonjs 'lolex' // This needs to be before the connection is instantiated. - const clock = lolex.install(); + const clock = FakeTimers.install(); const tick = timeout => clock.tick(timeout); const stream = new StubStream(); From d7f47b21518e90756a4628ae09667e6f182e0c57 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Tue, 11 May 2021 15:57:02 +0200 Subject: [PATCH 04/14] Published dev-error-overlay@0.1.1. --- History.md | 4 +++- packages/dev-error-overlay/client.js | 1 + packages/dev-error-overlay/package.js | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/History.md b/History.md index 364c815fda..51923d2f33 100644 --- a/History.md +++ b/History.md @@ -1,4 +1,4 @@ -## v2.2.1, UNRELEASED +## v2.3.0, UNRELEASED #### Independent Releases @@ -10,6 +10,8 @@ * Released `mongo-id@1.0.8` removing unused dependency `id-map`. +* Released `dev-error-overlay@0.1.1` fixing sometimes page content being on top of error overlay + ## v2.2, 2021-04-15 #### Highlights diff --git a/packages/dev-error-overlay/client.js b/packages/dev-error-overlay/client.js index 9712548f22..52b702206c 100644 --- a/packages/dev-error-overlay/client.js +++ b/packages/dev-error-overlay/client.js @@ -13,6 +13,7 @@ const styles = ` box-shadow: inset 0 0 100px #e411111f, 0 0 20px #00000085; box-sizing: border-box; overflow-y: auto; + z-index: 1000000; } .section { diff --git a/packages/dev-error-overlay/package.js b/packages/dev-error-overlay/package.js index 72a362776f..aab5125c2f 100644 --- a/packages/dev-error-overlay/package.js +++ b/packages/dev-error-overlay/package.js @@ -1,5 +1,5 @@ Package.describe({ - version: '0.1.0', + version: '0.1.1', summary: 'Show build errors in client when using HMR', documentation: 'README.md', devOnly: true 
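Review bot: The comment above `const clock = FakeTimers.install();` still says the special setTimeout comes from sinonjs 'lolex', the module this commit removes; it should read `// Install special setTimeout that allows tick-by-tick control in tests using '@sinonjs/fake-timers'`. The test body continues outside the hunk, so whether `clock.uninstall()` runs on every exit path cannot be checked from here. With a clock installed over the global timers that is worth confirming, because a clock left installed would change timer behaviour for the tests that run afterwards.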
From 860674d5537d16791f39e1b2f396c78a3b534a34 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Wed, 12 May 2021 14:26:50 +0200 Subject: [PATCH 05/14] Fix react-fast-refresh for IE11 --- packages/react-fast-refresh/client-runtime.js | 18 ++++++++++-------- packages/react-fast-refresh/package.js | 2 +- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/packages/react-fast-refresh/client-runtime.js b/packages/react-fast-refresh/client-runtime.js index b564ee31ae..c65aff1ad7 100644 --- a/packages/react-fast-refresh/client-runtime.js +++ b/packages/react-fast-refresh/client-runtime.js @@ -6,7 +6,7 @@ if (enabled && process.env.NODE_ENV !== 'production' && module.hot) { let timeout = null; function scheduleRefresh() { if (!timeout) { - timeout = setTimeout(() => { + timeout = setTimeout(function() { timeout = null; runtime.performReactRefresh(); }, 0); @@ -69,11 +69,13 @@ if (enabled && process.env.NODE_ENV !== 'production' && module.hot) { runtime.injectIntoGlobalHook(window); - window.$RefreshReg$ = () => { }; - window.$RefreshSig$ = () => type => type; + window.$RefreshReg$ = function() { }; + window.$RefreshSig$ = function() { + return function(type) { return type; }; + }; module.hot.onRequire({ - before(module) { + before: function(module) { if (module.loaded) { // The module was already executed return; @@ -83,18 +85,18 @@ if (enabled && process.env.NODE_ENV !== 'production' && module.hot) { var prevRefreshSig = window.$RefreshSig$; window.RefreshRuntime = runtime; - window.$RefreshReg$ = (type, _id) => { + window.$RefreshReg$ = function(type, _id) { const fullId = module.id + ' ' + _id; RefreshRuntime.register(type, fullId); } window.$RefreshSig$ = RefreshRuntime.createSignatureFunctionForTransform; return { - prevRefreshReg, - prevRefreshSig + prevRefreshReg: prevRefreshReg, + prevRefreshSig: prevRefreshSig }; }, - after(module, beforeData) { + after: function(module, beforeData) { // TODO: handle modules with errors if (!beforeData) { return; 
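Review bot: Nothing in client-runtime.js records why arrow functions, method shorthand and property shorthand are being spelled out in ES5 form, so a later edit can quietly bring them back and break the IE11 case named in the commit subject. A short comment next to `module.hot.onRequire({` would do, for example `// Keep this file free of arrow functions and shorthand members: it has to parse in IE11.`; that the file reaches the browser without being transpiled is an inference from the change and should be confirmed. The hunks also leave `let timeout` and `const fullId` next to `var prevRefreshSig`, and the assignment `window.$RefreshReg$ = function(type, _id) { ... }` still ends without a semicolon. The `before` and `after` handlers continue outside the hunks.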
diff --git a/packages/react-fast-refresh/package.js b/packages/react-fast-refresh/package.js index 13e8fec931..f6b63688b9 100644 --- a/packages/react-fast-refresh/package.js +++ b/packages/react-fast-refresh/package.js @@ -1,6 +1,6 @@ Package.describe({ name: 'react-fast-refresh', - version: '0.1.0', + version: '0.1.1', summary: 'Automatically update React components with HMR', documentation: 'README.md', devOnly: true From bb1d5186fcdfb4f0596273ce25723c02bd32d235 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Filipe=20N=C3=A9vola?= Date: Wed, 12 May 2021 13:29:33 -0400 Subject: [PATCH 06/14] Update SECURITY.md --- SECURITY.md | 24 ++++-------------------- 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2f26021cd7..3d8082de37 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,8 +12,8 @@ Report security bugs to security@meteor.com. -Your report will be acknowledged within 24 hours, and you’ll receive a more -detailed response to your report within 48 hours indicating the next steps in +Your report will be acknowledged within 2 work days, and you'll receive a more +detailed response to your report within 6 work days indicating the next steps in handling your submission. After the initial reply to your report, the security team will endeavor to keep @@ -21,6 +21,8 @@ you informed of the progress being made towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue. +We don't have any bounty program. + ## Reporting a security bug in a third party module Security bugs in third party modules should be reported to their respective 
@@ -39,21 +41,3 @@ Here is the security disclosure policy for Meteor any potential similar problems. Fixes are prepared for all releases which are still under maintenance. These fixes are not committed to the public repository but rather held locally pending the announcement. - -* A suggested embargo date for this vulnerability is chosen and a CVE (Common - Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability. - -* On the embargo date, the Node.js security mailing list is sent a copy of the - announcement. The changes are pushed to the public repository and new builds - are deployed to nodejs.org. Within 6 hours of the mailing list being - notified, a copy of the advisory will be published on the Node.js blog. - -* Typically the embargo date will be set 72 hours from the time the CVE is - issued. However, this may vary depending on the severity of the bug or - difficulty in applying a fix. - -* This process can take some time, especially when coordination is required - with maintainers of other projects. Every effort will be made to handle the - bug in as timely a manner as possible; however, it’s important that we follow - the release process above to ensure that the disclosure is handled in a - consistent manner. From 57ee10322d2ae39d3d8c4d29d96c933d84d00180 Mon Sep 17 00:00:00 2001 
From: Dirk Stolle Date: Thu, 13 May 2021 01:02:31 +0200 Subject: [PATCH 07/14] fix typos in several files --- History.md | 16 ++++++++-------- Roadmap.md | 2 +- packages/accounts-base/accounts_server.js | 6 +++--- packages/accounts-password/password_server.js | 2 +- packages/accounts-password/password_tests.js | 2 +- packages/babel-compiler/README.md | 2 +- packages/ddp/DDP.md | 2 +- packages/es5-shim/README.md | 2 +- packages/logic-solver/README.md | 2 +- packages/minifier-css/minifier.js | 2 +- packages/rate-limit/README.md | 4 ++-- packages/url/legacy.js | 2 +- packages/url/modern.js | 2 +- packages/url/server.js | 4 ++-- packages/url/tests/main.js | 2 +- packages/webapp/connect.js | 4 ++-- packages/webapp/webapp_tests.js | 2 +- scripts/doctool.md | 4 ++-- tools/README.md | 2 +- 19 files changed, 32 insertions(+), 32 deletions(-) diff --git a/History.md b/History.md index 51923d2f33..e585548d65 100644 --- a/History.md +++ b/History.md @@ -394,7 +394,7 @@ N/A 4.2.1 to 4.2.5. [PR #11020](https://github.com/meteor/meteor/pull/11020) -* The `url` package now provides an isomorphic implentation of the [WHATWG `url()` +* The `url` package now provides an isomorphic implementation of the [WHATWG `url()` API](https://url.spec.whatwg.org/). While remaining backwards compatible, you can now also import `URL` and `URLSearchParams` from `meteor/url`. These will work for both modern and legacy browsers as well as node. @@ -3253,7 +3253,7 @@ N/A fibers unless the `METEOR_DISABLE_FS_FIBERS` environment variable is explicitly set to a falsy value. For larger apps, this change results in significant build performance improvements due to the creation of fewer - fibers and the avoidance of unnecessary asyncronous delays. + fibers and the avoidance of unnecessary asynchronous delays. https://github.com/meteor/meteor/pull/7975/commits/ca4baed90ae0675e55c93976411d4ed91f12dd63 * Running Meteor as `root` is still discouraged, and results in a fatal 
@@ -3660,7 +3660,7 @@ N/A * `App.appendToConfig` allows adding custom tags to config.xml. [#7307](https://github.com/meteor/meteor/pull/7307) -* When using `ROOT_URL` with a path, relative CSS URLs are rewriten +* When using `ROOT_URL` with a path, relative CSS URLs are rewritten accordingly. [#5837](https://github.com/meteor/meteor/issues/5837) * Fixed bugs: @@ -3779,7 +3779,7 @@ N/A * Adds `defineMutationMethods` option (default: true) to `new Mongo.Collection` to override default behavior that sets up mutation methods (/collection/[insert|update...]) [PR #5778](https://github.com/meteor/meteor/pull/5778) -* Allow overridding the default warehouse url by specifying `METEOR_WAREHOUSE_URLBASE` [PR #7054](https://github.com/meteor/meteor/pull/7054) +* Allow overriding the default warehouse url by specifying `METEOR_WAREHOUSE_URLBASE` [PR #7054](https://github.com/meteor/meteor/pull/7054) * Allow `_id` in `$setOnInsert` in Minimongo: https://github.com/meteor/meteor/pull/7066 @@ -3796,7 +3796,7 @@ N/A * PhantomJS is no longer included in the Meteor dev bundle (#6905). If you previously relied on PhantomJS for local testing, the `spiderable` package, Velocity tests, or testing Meteor from a checkout, you should - now install PhantomJS yourself, by running the following commmand: + now install PhantomJS yourself, by running the following command: `meteor npm install -g phantomjs-prebuilt` * The `babel-compiler` package now looks for `.babelrc` files and 
@@ -4298,7 +4298,7 @@ a shorter list of breaking changes you should be aware of when upgrading. * `meteor-platform` has been deprecated in favor of the smaller `meteor-base`, with apps listing their other dependencies explicitly. The v1.2 upgrader will rewrite `meteor-platform` in existing apps. `meteor-base` puts fewer - symbols in the global namepsace, so it's no longer true that all apps + symbols in the global namespace, so it's no longer true that all apps have symbols like `Random` and `EJSON` in the global namespace. * New packages: `ecmascript`, `es5-shim`, `ecmascript-collections`, `promise`, @@ -5544,7 +5544,7 @@ will not be able to use versions of packages that use the new features. ### Other Changes -* Offically support `Meteor.wrapAsync` (renamed from +* Officially support `Meteor.wrapAsync` (renamed from `Meteor._wrapAsync`). Additionally, `Meteor.wrapAsync` now lets you pass an object to bind as `this` in the wrapped call. See https://docs.meteor.com/#meteor_wrapasync. @@ -7826,7 +7826,7 @@ tmeasday, and workmad3. * On the client, `Meteor.apply` takes a new `wait` option, which ensures that no further method calls are sent to the server until this method is finished; it is used for login and logout methods in order to keep the user ID - well-defined. You can also specifiy an `onReconnect` handler which is run when + well-defined. You can also specify an `onReconnect` handler which is run when re-establishing a connection; Meteor Accounts uses this to log back in on reconnect. diff --git a/Roadmap.md b/Roadmap.md index 278f07b469..9b2526457c 100644 --- a/Roadmap.md +++ b/Roadmap.md @@ -67,7 +67,7 @@ Meteor free deploy is back. - Status: shipped in January 2021 - PRs: https://github.com/meteor/meteor/pull/11117 -HMR is avaible since Meteor 2.0 +HMR is available since Meteor 2.0 ### Vue.js - Leaders: [Brian Mulhall](https://github.com/BrianMulhall) 
diff --git a/packages/accounts-base/accounts_server.js b/packages/accounts-base/accounts_server.js index 13ac0c3ea8..dd70b1ba0f 100644 --- a/packages/accounts-base/accounts_server.js +++ b/packages/accounts-base/accounts_server.js @@ -107,7 +107,7 @@ export class AccountsServer extends AccountsCommon { // @override of "abstract" non-implementation in accounts_common.js userId() { // This function only works if called inside a method or a pubication. - // Using any of the infomation from Meteor.user() in a method or + // Using any of the information from Meteor.user() in a method or // publish function will always use the value from when the function first // runs. This is likely not what the user expects. The way to make this work // in a method or publish function is to do Meteor.find(this.userId).observe @@ -348,7 +348,7 @@ export class AccountsServer extends AccountsCommon { if (!result) throw new Error("result is required"); - // XXX A programming error in a login handler can lead to this occuring, and + // XXX A programming error in a login handler can lead to this occurring, and // then we don't call onLogin or onLoginFailure callbacks. Should // tryLoginMethod catch this case and turn it into an error? if (!result.userId && !result.error) @@ -721,7 +721,7 @@ export class AccountsServer extends AccountsCommon { this._server.publish("meteor.loginServiceConfiguration", () => { const { ServiceConfiguration } = Package['service-configuration']; return ServiceConfiguration.configurations.find({}, {fields: {secret: 0}}); - }, {is_auto: true}); // not techincally autopublish, but stops the warning. + }, {is_auto: true}); // not technically autopublish, but stops the warning. // Use Meteor.startup to give other packages a chance to call // setDefaultPublishFields. diff --git a/packages/accounts-password/password_server.js b/packages/accounts-password/password_server.js index c09b7bb5f8..e98de6e691 100644 --- a/packages/accounts-password/password_server.js 
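Review bot: The context line directly above the corrected one in `userId()` still reads `inside a method or a pubication`, so this typo pass leaves a misspelling in the same comment block; it should be `// This function only works if called inside a method or a publication.`. The same comment refers to `Meteor.find(this.userId).observe`, which may have been meant as `Meteor.users.find(...)` and is worth checking while the comment is open. The method body continues outside the hunk.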
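Review bot: The comment corrected in the third accounts_server.js hunk explains `is_auto` but says nothing about the projection beside it, and that projection is the security-relevant part: `find({}, {fields: {secret: 0}})` is a denylist, so every field other than `secret` on a service-configuration document is sent to whoever receives `meteor.loginServiceConfiguration`. A one-line comment would make that explicit for anyone who later stores more data on those documents, for example `// Denylist projection: every field except "secret" is published.`. Whether any other sensitive field is ever stored there cannot be seen from this hunk.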
+++ b/packages/accounts-password/password_server.js @@ -222,7 +222,7 @@ const generateCasePermutationsForString = string => { permutations = [].concat(...(permutations.map(prefix => { const lowerCaseChar = ch.toLowerCase(); const upperCaseChar = ch.toUpperCase(); - // Don't add unneccesary permutations when ch is not a letter + // Don't add unnecessary permutations when ch is not a letter if (lowerCaseChar === upperCaseChar) { return [prefix + ch]; } else { diff --git a/packages/accounts-password/password_tests.js b/packages/accounts-password/password_tests.js index 207982e894..db4071b18d 100644 --- a/packages/accounts-password/password_tests.js +++ b/packages/accounts-password/password_tests.js @@ -877,7 +877,7 @@ if (Meteor.isClient) (() => { logoutStep, function (test, expect) { // Test that Meteor.logoutOtherClients logs out a second - // authentcated connection while leaving Accounts.connection + // authenticated connection while leaving Accounts.connection // logged in. const secondConn = DDP.connect(Meteor.absoluteUrl()); let token; diff --git a/packages/babel-compiler/README.md b/packages/babel-compiler/README.md index cf7031e241..38ae94d12b 100644 --- a/packages/babel-compiler/README.md +++ b/packages/babel-compiler/README.md @@ -21,7 +21,7 @@ Meteor's Babel support consists of the following core packages: The `babel-compiler` package exports the `Babel` symbol, which exposes functionality provided by the [`meteor-babel`](https://www.npmjs.com/package/meteor-babel) NPM package, -which is in turn implmented using the +which is in turn implemented using the [`babel-core`](https://www.npmjs.com/package/babel-core) NPM package. Note that you can only use the `babel-compiler` package on the server. diff --git a/packages/ddp/DDP.md b/packages/ddp/DDP.md index d9ce63731f..487aa42c5f 100644 --- a/packages/ddp/DDP.md +++ b/packages/ddp/DDP.md 
@@ -26,7 +26,7 @@ minor revisions of DDP might add extra fields without changing the DDP version; the client must therefore silently ignore unknown fields. However, the client must not send extra fields other than those documented in the DDP protocol, in case these extra fields have meaning to future servers. On the server, all -field changes must be optional/ignorable for compatability with older clients; +field changes must be optional/ignorable for compatibility with older clients; otherwise a new protocol version would be required. ## Establishing a DDP Connection: diff --git a/packages/es5-shim/README.md b/packages/es5-shim/README.md index db2c865add..1f5c4ac6fb 100644 --- a/packages/es5-shim/README.md +++ b/packages/es5-shim/README.md @@ -2,7 +2,7 @@ [Source code of released version](https://github.com/meteor/meteor/tree/master/packages/es5-shim) | [Source code of development version](https://github.com/meteor/meteor/tree/devel/packages/es5-shim) *** -This package improves ECMAScript 5 compliance in all browers, particularly older browsers, and especially Internet Explorer 8 (and earlier). +This package improves ECMAScript 5 compliance in all browsers, particularly older browsers, and especially Internet Explorer 8 (and earlier). Like the `ecmascript` package, `es5-shim` is [installed by default](https://github.com/meteor/meteor/blob/22bd755918/tools/static-assets/skel/.meteor/packages#L11) for all new apps. Though it technically can be removed, the expectation is that it will only be removed if the app author wishes to install an equivalent package instead (e.g. something based on [`core-js`](https://github.com/zloirock/core-js)), or wishes to drop support for older browsers altogether. diff --git a/packages/logic-solver/README.md b/packages/logic-solver/README.md index 696d3f37b7..f589eae6f8 100644 --- a/packages/logic-solver/README.md +++ b/packages/logic-solver/README.md 
@@ -1050,7 +1050,7 @@ time-consuming operation. Finds a Solution that minimizes the value of `Logic.weightedSum(formulas, weights)`, and adds a requirement that -this mininum value is obtained (in the sense of calling +this minimum value is obtained (in the sense of calling `Solver#require` on this Solver). To determine this minimum value, call diff --git a/packages/minifier-css/minifier.js b/packages/minifier-css/minifier.js index 5a9d30d4fa..174452f1ee 100644 --- a/packages/minifier-css/minifier.js +++ b/packages/minifier-css/minifier.js @@ -14,7 +14,7 @@ const CssTools = { */ parseCss(cssText, options = {}) { // This function previously used the `css-parse` npm package, which - // set the name of the css file being pased using { source: 'filename' }. + // set the name of the css file being parsed using { source: 'filename' }. // If included, we'll convert this to the `postcss` equivalent, to maintain // backwards compatibility. if (options.source) { diff --git a/packages/rate-limit/README.md b/packages/rate-limit/README.md index 1cddca4aaf..e418608a2c 100644 --- a/packages/rate-limit/README.md +++ b/packages/rate-limit/README.md @@ -46,7 +46,7 @@ called a certain method and restrict them to a certain number of calls per user defined time frame. So we generate a unique string key (to be used as keys in a counters object) to represent each specific methodName + user combination. Since this rule applies to multiple user, we need to concatenate -the differnet input key names with their values. For example, if we had a rule +the different input key names with their values. For example, if we had a rule with matchers as such: ```javascript 
@@ -71,4 +71,4 @@ every time the intervalTime is passed, at which point we delete the current dictionary of counters we store. Every time a rule matches to an input, we determine the unique key string and check if it's counters have exceeded the allowed amounts, returning an error to the user letting them know that a rate -limit has been reached. \ No newline at end of file +limit has been reached. diff --git a/packages/url/legacy.js b/packages/url/legacy.js index 5324357c05..d88cf97e4b 100644 --- a/packages/url/legacy.js +++ b/packages/url/legacy.js @@ -10,5 +10,5 @@ try { ].join("\n")); } -// backwards compatability +// backwards compatibility require('./modern.js'); diff --git a/packages/url/modern.js b/packages/url/modern.js index 26cde8e385..6cc668d836 100644 --- a/packages/url/modern.js +++ b/packages/url/modern.js @@ -4,5 +4,5 @@ URLSearchParams = global.URLSearchParams; exports.URL = URL; exports.URLSearchParams = URLSearchParams; -// backwards compatability +// backwards compatibility Object.assign(URL, require('./bc/url_client')); diff --git a/packages/url/server.js b/packages/url/server.js index 612c33fd20..71baddada1 100644 --- a/packages/url/server.js +++ b/packages/url/server.js @@ -21,5 +21,5 @@ setMinimumBrowserVersions({ electron: [0, 20], }, module.id); -// backwards compatability -Object.assign(exports.URL, require('./bc/url_server')); \ No newline at end of file +// backwards compatibility +Object.assign(exports.URL, require('./bc/url_server')); diff --git a/packages/url/tests/main.js b/packages/url/tests/main.js index 51bd5f1c26..a7f5833c82 100644 --- a/packages/url/tests/main.js +++ b/packages/url/tests/main.js @@ -5,5 +5,5 @@ Tinytest.add("url - sanity", function (test) { test.equal(typeof URLSearchParams, "function"); }); -// backwards compatability +// backwards compatibility require('../bc/url_tests'); diff --git a/packages/webapp/connect.js b/packages/webapp/connect.js index 124ab1edda..712e19b35f 100644 --- a/packages/webapp/connect.js 
+++ b/packages/webapp/connect.js @@ -5,7 +5,7 @@ export function connect(...connectArgs) { const originalUse = handlers.use; // Wrap the handlers.use method so that any provided handler functions - // alway run in a Fiber. + // always run in a Fiber. handlers.use = function use(...useArgs) { const { stack } = this; const originalLength = stack.length; @@ -21,7 +21,7 @@ export function connect(...connectArgs) { if (originalHandle.length >= 4) { // If the original handle had four (or more) parameters, the // wrapper must also have four parameters, since connect uses - // handle.length to dermine whether to pass the error as the first + // handle.length to determine whether to pass the error as the first // argument to the handle function. entry.handle = function handle(err, req, res, next) { return Promise.asyncApply(originalHandle, this, arguments); diff --git a/packages/webapp/webapp_tests.js b/packages/webapp/webapp_tests.js index 553bfa7001..fce54981f1 100644 --- a/packages/webapp/webapp_tests.js +++ b/packages/webapp/webapp_tests.js @@ -157,7 +157,7 @@ Tinytest.addAsync( }; // It's okay to set this global state because we're not going to yield - // before settng it back to what it was originally. + // before setting it back to what it was originally. WebAppInternals.setInlineScriptsAllowed(true); { diff --git a/scripts/doctool.md b/scripts/doctool.md index 38f8ae5a6a..92cc37bf40 100644 --- a/scripts/doctool.md +++ b/scripts/doctool.md @@ -26,7 +26,7 @@ Examples: * For lines that don't, no big deal. - Leading whitspace will be preserved here. + Leading whitespace will be preserved here. * We can create a bullet list in here: * @@ -54,4 +54,4 @@ no stripping of `*` characters on any line. /// Multiple consecutive lines that start with `///` are /// treated together as a single doc comment. /** Separate doc comments get separate paragraphs. */ -``` \ No newline at end of file +``` diff --git a/tools/README.md b/tools/README.md index 40d057058e..46b8a18009 100644 
--- a/tools/README.md +++ b/tools/README.md @@ -126,7 +126,7 @@ variable `SELF_TEST_TOOL_NODE_FLAGS` could be used the same way `TOOL_NODE_FLAGS` is used. If you are setting the env variable `SELF_TEST_TOOL_NODE_FLAGS` with `TOOL_NODE_FLAGS`, consider specifying a custom port, as they could collide trying to listen to the same port. -To set a custom port, you could set the variable in the followind manner +To set a custom port, you could set the variable in the following manner `SELF_TEST_TOOL_NODE_FLAGS="--debug-brk=5859"` and the debugger will listen to the port 5859 and not the default 5858. From be8b02f45776da40ae0796b7cacb165d7dd7d0bc Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 18 May 2021 05:48:04 -0500 Subject: [PATCH 08/14] [Idmap 1.1.1]: Removed unused function and update declarations (#11438) * Replaced Lodash functions w/ Native * livedata_server bug fix * Migrate Session from prototype in livedata_server to isolated class based file * Migrated Session Document View to class, minor performance improvements * Replace .get() w/ ES2020 * Fix bug with Session.getCollectionView * Modified SessionCollectionView.diffDocument to utilize core/diff-sequence makeChangedFields w/ Map instead of Object * Convert livedata_server in @ddp-server to Class structure w/ minimal performance improvements * modern vdeclerations and removal of unused hasOwnProperty * Cleanup mixed branches * Change decleration in loop * testing bug * Add missing package Co-authored-by: Jan Dvorak --- packages/id-map/id-map.js | 17 ++++++++--------- packages/id-map/package.js | 2 +- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/packages/id-map/id-map.js b/packages/id-map/id-map.js index 0dc4e53f0c..7824848898 100644 --- a/packages/id-map/id-map.js +++ b/packages/id-map/id-map.js @@ -1,4 +1,3 @@ -const hasOwn = Object.prototype.hasOwnProperty; export class IdMap { constructor(idStringify, idParse) { 
@@ -13,22 +12,22 @@ export class IdMap { // set of methods that overlap between the two.) get(id) { - var key = this._idStringify(id); + const key = this._idStringify(id); return this._map.get(key); } set(id, value) { - var key = this._idStringify(id); + const key = this._idStringify(id); this._map.set(key, value); } remove(id) { - var key = this._idStringify(id); + const key = this._idStringify(id); this._map.delete(key); } has(id) { - var key = this._idStringify(id); + const key = this._idStringify(id); return this._map.has(key); } @@ -43,8 +42,8 @@ export class IdMap { // Iterates over the items in the map. Return `false` to break the loop. forEach(iterator) { // don't use _.each, because we can't break out of it. - for (const [key, value] of this._map){ - var breakIfFalse = iterator.call( + for (let [key, value] of this._map){ + const breakIfFalse = iterator.call( null, value, this._idParse(key) @@ -60,7 +59,7 @@ export class IdMap { } setDefault(id, def) { - var key = this._idStringify(id); + const key = this._idStringify(id); if (this._map.has(key)) { return this._map.get(key); } @@ -71,7 +70,7 @@ export class IdMap { // Assumes that values are EJSON-cloneable, and that we don't need to clone // IDs (ie, that nobody is going to mutate an ObjectId). clone() { - var clone = new IdMap(this._idStringify, this._idParse); + const clone = new IdMap(this._idStringify, this._idParse); // copy directly to avoid stringify/parse overhead this._map.forEach(function(value, key){ clone._map.set(key, EJSON.clone(value)); diff --git a/packages/id-map/package.js b/packages/id-map/package.js index e618cccd2d..a09437b817 100644 --- a/packages/id-map/package.js +++ b/packages/id-map/package.js @@ -1,6 +1,6 @@ Package.describe({ summary: "Dictionary data structure allowing non-string keys", - version: '1.1.0' + version: '1.1.1' }); Package.onUse(function (api) { From 54ded60eab8212006b0655e65a4601e62f9832af Mon Sep 17 00:00:00 2001 
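Review bot: In the `forEach` hunk of packages/id-map/id-map.js (`@@ -43,8 +42,8 @@`), the loop binding is loosened from `const` to `let` even though neither `key` nor `value` is reassigned in the visible lines. That runs against the rest of this patch, which tightens `var` to `const`, so I would keep `for (const [key, value] of this._map) {`. The comment `// don't use _.each, because we can't break out of it.` no longer describes the code and could become `// Use for...of so that a false return value can break the loop.`. The body of `forEach` continues past the end of the hunk, so this assumes there is no reassignment further down.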
From: Jan Dvorak Date: Tue, 18 May 2021 12:49:54 +0200 Subject: [PATCH 09/14] Published id-map@1.1.1 --- History.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/History.md b/History.md index e585548d65..0b69a9978c 100644 --- a/History.md +++ b/History.md @@ -12,6 +12,8 @@ * Released `dev-error-overlay@0.1.1` fixing sometimes page content being on top of error overlay +* Released `id-map@1.1.1` removing unused dependencies and modernizing the code + ## v2.2, 2021-04-15 #### Highlights From 9bdc604f43b2447d1d399bf1495ef8fc7ea810fd Mon Sep 17 00:00:00 2001 From: denyhs Date: Wed, 19 May 2021 14:58:07 -0400 Subject: [PATCH 10/14] Improving document for the field defaultFieldSelector --- packages/accounts-base/accounts_common.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/accounts-base/accounts_common.js b/packages/accounts-base/accounts_common.js index 7e3e581f25..e1f030e448 100644 --- a/packages/accounts-base/accounts_common.js +++ b/packages/accounts-base/accounts_common.js 
@@ -168,7 +168,7 @@ export class AccountsCommon { * @param {Number} options.passwordEnrollTokenExpirationInDays The number of days from when a link to set initial password is sent until token expires and user can't set password with the link anymore. Defaults to 30. * @param {Number} options.passwordEnrollTokenExpiration The number of milliseconds from when a link to set initial password is sent until token expires and user can't set password with the link anymore. If `passwordEnrollTokenExpirationInDays` is set, it takes precedent. * @param {Boolean} options.ambiguousErrorMessages Return ambiguous error messages from login failures to prevent user enumeration. Defaults to false. - * @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. + * @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. Beware when using this. If, for instance, you do not include email, for example, when excluting the fields, you can have problems with function like `forgotPassword`, they can break. It's recommend that you always keep the fields _id, username, and email. */ config(options) { // We don't want users to accidentally only call Accounts.config on the From 4a6cf5188841f7c596f67c96195b721f55bf7b20 Mon Sep 17 00:00:00 2001 
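Review bot: The warning appended to the `options.defaultFieldSelector` JSDoc in packages/accounts-base/accounts_common.js has typos (`excluting`, `It's recommend`) and doubles up "for instance ... for example". The two later hunks on this line in the series (patches 11/14 and 13/14) reword it, but `It's recommend` survives in the last one and should read `It's recommended that you always keep the fields `_id`, `username`, and `email`.`. As worded, the option only sets a default for calls made without a field selector, so it would help to say it is a payload-size default and not a way to keep sensitive fields away from callers, for example `This is a default projection only; calls that pass their own field selector are presumably unaffected.` (confirm against the implementation, which is outside the hunk).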
From: denyhs Date: Wed, 19 May 2021 15:02:24 -0400 Subject: [PATCH 11/14] Improving document for the field defaultFieldSelector --- packages/accounts-base/accounts_common.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/accounts-base/accounts_common.js b/packages/accounts-base/accounts_common.js index e1f030e448..fd282c3462 100644 --- a/packages/accounts-base/accounts_common.js +++ b/packages/accounts-base/accounts_common.js 
@@ -168,7 +168,7 @@ export class AccountsCommon { * @param {Number} options.passwordEnrollTokenExpirationInDays The number of days from when a link to set initial password is sent until token expires and user can't set password with the link anymore. Defaults to 30. * @param {Number} options.passwordEnrollTokenExpiration The number of milliseconds from when a link to set initial password is sent until token expires and user can't set password with the link anymore. If `passwordEnrollTokenExpirationInDays` is set, it takes precedent. * @param {Boolean} options.ambiguousErrorMessages Return ambiguous error messages from login failures to prevent user enumeration. Defaults to false. - * @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. Beware when using this. If, for instance, you do not include email, for example, when excluting the fields, you can have problems with function like `forgotPassword`, they can break. It's recommend that you always keep the fields _id, username, and email. + * @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. Beware when using this. If, for instance, you do not include email, for example, when excluting the fields, you can have problems with functions like `forgotPassword`, they can break. It's recommend that you always keep the fields _id, username, and email. */ config(options) { // We don't want users to accidentally only call Accounts.config on the 
From 81ab2fe4973787de97bac5bf08ed14c1373e2e49 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Thu, 20 May 2021 19:57:50 +0200 Subject: [PATCH 12/14] Remove loud deprecation warning for use of deprecation flag in package (#11442) * Remove loud deprecation warning for use of deprecation flag in package * Add history for http@1.4.4 --- History.md | 3 +++ packages/deprecated/http/httpcall_common.js | 9 --------- packages/deprecated/http/package.js | 6 +++--- 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/History.md b/History.md index 0b69a9978c..b6c570eda9 100644 --- a/History.md +++ b/History.md @@ -14,6 +14,9 @@ * Released `id-map@1.1.1` removing unused dependencies and modernizing the code +* `http@1.4.4` + - Used the new deprecation package flag instead of loud console warning. + ## v2.2, 2021-04-15 #### Highlights diff --git a/packages/deprecated/http/httpcall_common.js b/packages/deprecated/http/httpcall_common.js index 2114b92257..c8462eb56b 100644 --- a/packages/deprecated/http/httpcall_common.js +++ b/packages/deprecated/http/httpcall_common.js @@ -1,10 +1,6 @@ var MAX_LENGTH = 500; // if you change this, also change the appropriate test var slice = Array.prototype.slice; -var deprecationMessage = function() { - Log.debug('The http package has been deprecated, please migrate to the fetch package and new web standards.'); -}; - exports.makeErrorByStatus = function(statusCode, content) { var message = "failed [" + statusCode + "]"; @@ -56,7 +52,6 @@ var HTTP = exports.HTTP = {}; * @deprecated */ HTTP.get = function (/* varargs */) { - deprecationMessage(); return HTTP.call.apply(this, ["GET"].concat(slice.call(arguments))); }; @@ -69,7 +64,6 @@ HTTP.get = function (/* varargs */) { * @deprecated */ HTTP.post = function (/* varargs */) { - deprecationMessage(); return HTTP.call.apply(this, ["POST"].concat(slice.call(arguments))); }; 
@@ -82,7 +76,6 @@ HTTP.post = function (/* varargs */) { * @deprecated */ HTTP.put = function (/* varargs */) { - deprecationMessage(); return HTTP.call.apply(this, ["PUT"].concat(slice.call(arguments))); }; @@ -95,7 +88,6 @@ HTTP.put = function (/* varargs */) { * @deprecated */ HTTP.del = function (/* varargs */) { - deprecationMessage(); return HTTP.call.apply(this, ["DELETE"].concat(slice.call(arguments))); }; @@ -108,6 +100,5 @@ HTTP.del = function (/* varargs */) { * @deprecated */ HTTP.patch = function (/* varargs */) { - deprecationMessage(); return HTTP.call.apply(this, ["PATCH"].concat(slice.call(arguments))); }; diff --git a/packages/deprecated/http/package.js b/packages/deprecated/http/package.js index fa72508abf..a1e4035474 100644 --- a/packages/deprecated/http/package.js +++ b/packages/deprecated/http/package.js @@ -1,6 +1,7 @@ Package.describe({ summary: "Make HTTP calls to remote servers", - version: '1.4.3' + version: '1.4.4', + deprecated: 'Please use fetch' }); Npm.depends({ @@ -14,8 +15,7 @@ Package.onUse(function (api) { // This package intentionally does not depend on ecmascript, so that // ecmascript and its dependencies can depend on http without creating // package dependency cycles. - 'modules', - 'logging' // For deprecation message + 'modules' ]); api.mainModule('httpcall_client.js', 'client'); From 7ea2fa233255ac953cfe4429bca5b6fb361ff259 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Fri, 21 May 2021 16:37:40 +0200 Subject: [PATCH 13/14] Improve comment language --- packages/accounts-base/accounts_common.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/accounts-base/accounts_common.js b/packages/accounts-base/accounts_common.js index fd282c3462..5a14d071ba 100644 --- a/packages/accounts-base/accounts_common.js +++ b/packages/accounts-base/accounts_common.js 
@@ -168,7 +168,7 @@ export class AccountsCommon { * @param {Number} options.passwordEnrollTokenExpirationInDays The number of days from when a link to set initial password is sent until token expires and user can't set password with the link anymore. Defaults to 30. * @param {Number} options.passwordEnrollTokenExpiration The number of milliseconds from when a link to set initial password is sent until token expires and user can't set password with the link anymore. If `passwordEnrollTokenExpirationInDays` is set, it takes precedent. * @param {Boolean} options.ambiguousErrorMessages Return ambiguous error messages from login failures to prevent user enumeration. Defaults to false. - * @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. Beware when using this. If, for instance, you do not include email, for example, when excluting the fields, you can have problems with functions like `forgotPassword`, they can break. It's recommend that you always keep the fields _id, username, and email. + * @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. Beware when using this. If, for instance, you do not include `email` when excluding the fields, you can have problems with functions like `forgotPassword` that will break because they won't have the required data available. It's recommend that you always keep the fields `_id`, `username`, and `email`. 
*/ config(options) { // We don't want users to accidentally only call Accounts.config on the From ba158392f0dd1bad825def5adc8f15c0f15d2f63 Mon Sep 17 00:00:00 2001 From: Jan Dvorak Date: Tue, 25 May 2021 15:25:17 +0200 Subject: [PATCH 14/14] Update faye-websocket dependency in socket-stream-client --- History.md | 3 +++ .../socket-stream-client/.npm/package/npm-shrinkwrap.json | 6 +++--- packages/socket-stream-client/package.js | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/History.md b/History.md index b6c570eda9..ae1a342ae1 100644 --- a/History.md +++ b/History.md @@ -16,6 +16,9 @@ * `http@1.4.4` - Used the new deprecation package flag instead of loud console warning. + +* `socket-stream-client@0.3.3` + - Update `faye-websocket` dependency to v0.11.4. ## v2.2, 2021-04-15 diff --git a/packages/socket-stream-client/.npm/package/npm-shrinkwrap.json b/packages/socket-stream-client/.npm/package/npm-shrinkwrap.json index 574a3812aa..0d1feb6873 100644 --- a/packages/socket-stream-client/.npm/package/npm-shrinkwrap.json +++ b/packages/socket-stream-client/.npm/package/npm-shrinkwrap.json @@ -2,9 +2,9 @@ "lockfileVersion": 1, "dependencies": { "faye-websocket": { - "version": "0.11.3", - "resolved": "https://registry.npmjs.org/faye-websocket/-/faye-websocket-0.11.3.tgz", - "integrity": "sha512-D2y4bovYpzziGgbHYtGCMjlJM36vAl/y+xUyn1C+FVx8szd1E+86KwVw6XvYSzOP8iMpm1X0I4xJD+QtUb36OA==" + "version": "0.11.4", + "resolved": "https://registry.npmjs.org/faye-websocket/-/faye-websocket-0.11.4.tgz", + "integrity": "sha512-CzbClwlXAuiRQAlUyfqPgvPoNKTckTPGfwZV4ZdAhVcP2lh9KUxJg2b5GkE7XbjKQ3YJnQ9z6D9ntLAlB+tP8g==" }, "http-parser-js": { "version": "0.5.3", diff --git a/packages/socket-stream-client/package.js b/packages/socket-stream-client/package.js index 54c1692d5e..c8cf3654f0 100644 --- a/packages/socket-stream-client/package.js +++ b/packages/socket-stream-client/package.js 
@@ -1,12 +1,12 @@ Package.describe({ name: "socket-stream-client", - version: "0.3.2", + version: "0.3.3", summary: "Provides the ClientStream abstraction used by ddp-client", documentation: "README.md" }); Npm.depends({ - "faye-websocket": "0.11.3", + "faye-websocket": "0.11.4", "permessage-deflate": "0.1.7" });