Merge branch 'devel' into release-1.10

History.md

@@ -11,9 +11,6 @@ N/A
 
 ### Changes
 
-* Node.js has been updated to version
-  [12.14.1](https://nodejs.org/en/blog/release/v12.14.1/).
-
 * The version of MongoDB used by Meteor in development has been updated
   from 4.0.6 to 4.2.1, and the `mongodb` driver package has been updated
   from 3.2.7 to 3.4.0, thanks to [@klaussner](https://github.com/klaussner).
@@ -49,6 +46,24 @@ N/A
 
 * The `typescript` npm package has been updated to version 3.7.4.
 
+## v1.9.1, 2020-02-18
+
+### Breaking changes
+
+N/A
+
+### Migration Steps
+N/A
+
+### Changes
+
+* Node.js has been updated to version
+  12.16.0 from 12.14.0, which includes
+  security updates and small changes:
+  * [12.16.0](https://nodejs.org/en/blog/release/v12.16.0/)
+    * Updated V8 to [release v7.8](https://v8.dev/blog/v8-release-78) which includes improvements in performance, for example, object destructuring now is as fast as the equivalent variable assignment.
+  * [12.15.0](https://nodejs.org/en/blog/release/v12.15.0/)
+
 ## v1.9, 2020-01-09
 
 ### Breaking changes
@@ -89,6 +104,8 @@ N/A
   [Feature #335](https://github.com/meteor/meteor-feature-requests/issues/335)
   [PR #10345](https://github.com/meteor/meteor/pull/10345)
 
+* Facebook OAuth has been updated to call v5 API endpoints. [PR #10738](https://github.com/meteor/meteor/pull/10738)
+
 ## v1.8.3, 2019-12-19
 
 ### Migration Steps

Roadmap.md

@@ -164,8 +164,8 @@ Provide a skeleton with SSR configurations already in place.
 Provide samples on how to run tests in Meteor these samples should include unit tests and also cypress tests.
 
 ## First-class citizen Technologies
-Consider Vue.js, Svelte, React Native, and Apollo as first-class citizen, for 
-each technology we would like to have:  
+Consider Vue.js, Svelte, React Native, and Apollo as first-class citizen, for
+each technology we would like to have:
 - skeleton (meteor create)
 - tutorial
 - documentation (how to use)
@@ -174,7 +174,7 @@ each technology we would like to have:
 as we already have for Blaze, React and Angular.
 
 ### Vue.js
-- Leaders: <you?>
+- Leaders: [Tsega](https://github.com/tsega)
 - Status: -
 - PRs: -
 

meteor

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-BUNDLE_VERSION=12.14.1.2
+BUNDLE_VERSION=12.16.0.1
 
 # OS Check. Put here because here is where we download the precompiled
 # bundles that are arch specific.

packages/accounts-base/accounts_server.js

@@ -1555,18 +1555,18 @@ const setupUsersCollection = users => {
   });
 
   /// DEFAULT INDEXES ON USERS
-  users._ensureIndex('username', {unique: 1, sparse: 1});
-  users._ensureIndex('emails.address', {unique: 1, sparse: 1});
+  users._ensureIndex('username', { unique: true, sparse: true });
+  users._ensureIndex('emails.address', { unique: true, sparse: true });
   users._ensureIndex('services.resume.loginTokens.hashedToken',
-    {unique: 1, sparse: 1});
+    { unique: true, sparse: true });
   users._ensureIndex('services.resume.loginTokens.token',
-    {unique: 1, sparse: 1});
+    { unique: true, sparse: true });
   // For taking care of logoutOtherClients calls that crashed before the
   // tokens were deleted.
   users._ensureIndex('services.resume.haveLoginTokensToDelete',
-    { sparse: 1 });
+    { sparse: true });
   // For expiring login tokens
-  users._ensureIndex("services.resume.loginTokens.when", { sparse: 1 });
+  users._ensureIndex("services.resume.loginTokens.when", { sparse: true });
   // For expiring password tokens
-  users._ensureIndex('services.password.reset.when', { sparse: 1 });
+  users._ensureIndex('services.password.reset.when', { sparse: true });
 };

packages/accounts-github/package.js

@@ -1,6 +1,6 @@
 Package.describe({
   summary: 'Login service for Github accounts',
-  version: '1.4.2',
+  version: '1.4.3',
 });
 
 Package.onUse(api => {

packages/accounts-oauth/oauth_common.js

@@ -15,7 +15,7 @@ Accounts.oauth.registerService = name => {
     // so this should be a unique index. You might want to add indexes for other
     // fields returned by your service (eg services.github.login) but you can do
     // that in your app.
-    Meteor.users._ensureIndex(`services.${name}.id`, {unique: 1, sparse: 1});
+    Meteor.users._ensureIndex(`services.${name}.id`, {unique: true, sparse: true});
   }
 };
 

packages/accounts-password/password_server.js

@@ -164,7 +164,7 @@ Accounts._findUserByQuery = query => {
  * @returns {Object} A user if found, else null
  * @importFromPackage accounts-base
  */
-Accounts.findUserByUsername = 
+Accounts.findUserByUsername =
   username => Accounts._findUserByQuery({ username });
 
 /**
@@ -592,7 +592,7 @@ Accounts.generateResetToken = (userId, email, reason, extraTokenData) => {
   }
 
   // make sure we have a valid email
-  if (!email || 
+  if (!email ||
     !(pluckAddresses(user.emails).includes(email))) {
     handleError("No such email for user.");
   }
@@ -654,7 +654,7 @@ Accounts.generateVerificationToken = (userId, email, extraTokenData) => {
   }
 
   // make sure we have a valid email
-  if (!email || 
+  if (!email ||
     !(pluckAddresses(user.emails).includes(email))) {
     handleError("No such email for user.");
   }
@@ -977,7 +977,7 @@ Accounts.addEmail = (userId, newEmail, verified) => {
       } else {
         return prev;
       }
-    }, 
+    },
     false
   );
 
@@ -1151,6 +1151,6 @@ Accounts.createUser = (options, callback) => {
 /// PASSWORD-SPECIFIC INDEXES ON USERS
 ///
 Meteor.users._ensureIndex('services.email.verificationTokens.token',
-                          {unique: 1, sparse: 1});
+                          { unique: true, sparse: true });
 Meteor.users._ensureIndex('services.password.reset.token',
-                          {unique: 1, sparse: 1});
+                          { unique: true, sparse: true });

packages/appcache/appcache-server.js

@@ -7,6 +7,7 @@ import path from 'path';
 
 let _disableSizeCheck = false;
 let disabledBrowsers = {};
+let enableCallback = null;
 
 Meteor.AppCache = {
   config: options => {
@@ -21,6 +22,9 @@ Meteor.AppCache = {
           RoutePolicy.declare(urlPrefix, 'static-online')
         );
       }
+      else if (option === 'enableCallback') {
+        enableCallback = value;
+      }
       // option to suppress warnings for tests.
       else if (option === '_disableSizeCheck') {
         _disableSizeCheck = value;
@@ -37,7 +41,13 @@ Meteor.AppCache = {
   }
 };
 
-const browserDisabled = request => disabledBrowsers[request.browser.name];
+const browserDisabled = request => {
+  if (enableCallback) {
+    return !enableCallback(request);
+  }
+
+  return disabledBrowsers[request.browser.name];
+}
 
 // Cache of previously computed app.manifest files.
 const manifestCache = new Map;

packages/appcache/package.js

@@ -1,6 +1,6 @@
 Package.describe({
   summary: "Enable the application cache in the browser",
-  version: "1.2.4",
+  version: "1.2.5",
 });
 
 Package.onUse(api => {

packages/boilerplate-generator/template-web.browser.js

@@ -42,6 +42,7 @@ export const headTemplate = ({
 // Template function for rendering the boilerplate html for browsers
 export const closeTemplate = ({
   meteorRuntimeConfig,
+  meteorRuntimeHash,
   rootUrlPathPrefix,
   inlineScriptsAllowed,
   js,
@@ -54,8 +55,9 @@ export const closeTemplate = ({
     ? template('  <script type="text/javascript">__meteor_runtime_config__ = JSON.parse(decodeURIComponent(<%= conf %>))</script>')({
       conf: meteorRuntimeConfig,
     })
-    : template('  <script type="text/javascript" src="<%- src %>/meteor_runtime_config.js"></script>')({
+    : template('  <script type="text/javascript" src="<%- src %>/meteor_runtime_config.js?hash=<%- hash %>"></script>')({
       src: rootUrlPathPrefix,
+      hash: meteorRuntimeHash,
     }),
   '',
 

packages/facebook-oauth/facebook_client.js

@@ -31,7 +31,7 @@ Facebook.requestCredential = (options, credentialRequestCompleteCallback) => {
   const loginStyle = OAuth._loginStyle('facebook', config, options);
 
   let loginUrl =
-      `https://www.facebook.com/v3.0/dialog/oauth?client_id=${config.appId}` +
+      `https://www.facebook.com/v5.0/dialog/oauth?client_id=${config.appId}` +
       `&redirect_uri=${OAuth._redirectUri('facebook', config)}` +
       `&display=${display}&scope=${scope}` +
       `&state=${OAuth._stateParam(loginStyle, credentialToken, options && options.redirectUrl)}`;

packages/facebook-oauth/facebook_server.js

@@ -53,7 +53,7 @@ const getTokenResponse = query => {
   try {
     // Request an access token
     responseContent = HTTP.get(
-      "https://graph.facebook.com/v3.0/oauth/access_token", {
+      "https://graph.facebook.com/v5.0/oauth/access_token", {
         params: {
           client_id: config.appId,
           redirect_uri: OAuth._redirectUri('facebook', config),
@@ -92,7 +92,7 @@ const getIdentity = (accessToken, fields) => {
   hmac.update(accessToken);
 
   try {
-    return HTTP.get("https://graph.facebook.com/v3.0/me", {
+    return HTTP.get("https://graph.facebook.com/v5.0/me", {
       params: {
         access_token: accessToken,
         appsecret_proof: hmac.digest('hex'),

packages/facebook-oauth/package.js

@@ -1,6 +1,6 @@
 Package.describe({
   summary: "Facebook OAuth flow",
-  version: "1.6.0"
+  version: "1.7.0"
 });
 
 Package.onUse(api => {

packages/facts-base/facts_base.tests.js

@@ -1,4 +1,6 @@
 Tinytest.add('facts-base - increments server facts', test => {
+  Facts.resetServerFacts()
+
   Facts.incrementServerFact('newPackage', 'skyIsBlue', 42);
   test.equal(Facts._factsByPackage.newPackage, { skyIsBlue: 42 });
 

packages/facts-base/facts_base_server.js

@@ -45,6 +45,12 @@ Facts.incrementServerFact = function (pkg, fact, increment) {
   });
 };
 
+Facts.resetServerFacts = function () {
+  for (let pkg in factsByPackage) {
+    delete factsByPackage[pkg];
+  }
+};
+
 // Deferred, because we have an unordered dependency on livedata.
 // XXX is this safe? could somebody try to connect before Meteor.publish is
 // called?

packages/github-oauth/github_server.js

@@ -62,8 +62,7 @@ const getIdentity = accessToken => {
   try {
     return HTTP.get(
       "https://api.github.com/user", {
-        headers: {"User-Agent": userAgent}, // http://developer.github.com/v3/#user-agent-required
-        params: {access_token: accessToken}
+        headers: {"User-Agent": userAgent, "Authorization": `token ${accessToken}`}, // http://developer.github.com/v3/#user-agent-required
       }).data;
   } catch (err) {
     throw Object.assign(
@@ -77,8 +76,7 @@ const getEmails = accessToken => {
   try {
     return HTTP.get(
       "https://api.github.com/user/emails", {
-        headers: {"User-Agent": userAgent}, // http://developer.github.com/v3/#user-agent-required
-        params: {access_token: accessToken}
+        headers: {"User-Agent": userAgent, "Authorization": `token ${accessToken}`}, // http://developer.github.com/v3/#user-agent-required
       }).data;
   } catch (err) {
     return [];

packages/github-oauth/package.js

@@ -1,6 +1,6 @@
 Package.describe({
   summary: 'GitHub OAuth flow',
-  version: '1.2.2'
+  version: '1.2.3'
 });
 
 Package.onUse(api => {

packages/mongo/collection.js

@@ -176,7 +176,7 @@ Object.assign(Mongo.Collection.prototype, {
       // XXX better specify this interface (not in terms of a wire message)?
       update(msg) {
         var mongoId = MongoID.idParse(msg.id);
-        var doc = self._collection.findOne(mongoId);
+        var doc = self._collection._docs.get(mongoId);
 
         // Is this a "replace the whole doc" message coming from the quiescence
         // of method writes to an object? (Note that 'undefined' is a valid

packages/oauth/pending_credentials.js

@@ -16,7 +16,7 @@ OAuth._pendingCredentials = new Mongo.Collection(
     _preventAutopublish: true
   });
 
-OAuth._pendingCredentials._ensureIndex('key', {unique: 1});
+OAuth._pendingCredentials._ensureIndex('key', { unique: true });
 OAuth._pendingCredentials._ensureIndex('credentialSecret');
 OAuth._pendingCredentials._ensureIndex('createdAt');
 

packages/oauth1/oauth1_pending_request_tokens.js

@@ -25,7 +25,7 @@ OAuth._pendingRequestTokens = new Mongo.Collection(
     _preventAutopublish: true
   });
 
-OAuth._pendingRequestTokens._ensureIndex('key', {unique: 1});
+OAuth._pendingRequestTokens._ensureIndex('key', { unique: true });
 OAuth._pendingRequestTokens._ensureIndex('createdAt');
 
 

packages/webapp/webapp_server.js

@@ -317,9 +317,11 @@ WebAppInternals.generateBoilerplateInstance = function (arch,
                                                         additionalOptions) {
   additionalOptions = additionalOptions || {};
 
-  var runtimeConfig = _.extend(
-    _.clone(__meteor_runtime_config__),
-    additionalOptions.runtimeConfigOverrides || {}
+  const meteorRuntimeConfig = JSON.stringify(
+    encodeURIComponent(JSON.stringify({
+      ...__meteor_runtime_config__,
+      ...(additionalOptions.runtimeConfigOverrides || {})
+    }))
   );
 
   return new Boilerplate(arch, manifest, _.extend({
@@ -342,8 +344,8 @@ WebAppInternals.generateBoilerplateInstance = function (arch,
       // end up inside a <script> tag so we need to be careful to not include
       // "</script>", but normal {{spacebars}} escaping escapes too much! See
       // https://github.com/meteor/meteor/issues/3730
-      meteorRuntimeConfig: JSON.stringify(
-        encodeURIComponent(JSON.stringify(runtimeConfig))),
+      meteorRuntimeConfig,
+      meteorRuntimeHash: sha1(meteorRuntimeConfig),
       rootUrlPathPrefix: __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || '',
       bundledJsCssUrlRewriteHook: bundledJsCssUrlRewriteHook,
       sriMode: sriMode,

scripts/admin/meteor-release-official.json

@@ -1,6 +1,6 @@
 {
   "track": "METEOR",
-  "version": "1.9",
+  "version": "1.9.1",
   "recommended": false,
   "official": true,
   "description": "The Official Meteor Distribution"

scripts/build-dev-bundle-common.sh

@@ -5,7 +5,7 @@ set -u
 
 UNAME=$(uname)
 ARCH=$(uname -m)
-NODE_VERSION=12.14.1
+NODE_VERSION=12.16.0
 MONGO_VERSION_64BIT=4.2.1
 MONGO_VERSION_32BIT=3.2.22
 NPM_VERSION=6.13.6

tools/isobuild/resolver.ts

@@ -22,17 +22,9 @@ import {
 } from "../fs/optimistic";
 
 const nativeModulesMap: Record<string, string> = Object.create(null);
-const nativeNames = Object.keys((process as any).binding("natives"));
-
-// Node 0.10 does not include process as a built-in module, but later
-// versions of Node do, and we provide a stub for it on the client.
-nativeNames.push("process");
-
-nativeNames.forEach(id => {
-  if (id.startsWith("internal/")) {
-    return;
-  }
+const nativeNames = require('module').builtinModules;
 
+nativeNames.forEach((id: string) => {
   // When a native Node module is imported, we register a dependency on a
   // meteor-node-stubs/deps/* module of the same name, so that the
   // necessary stub modules will be included in the bundle. This alternate

tools/tests/apps/link-config-npm-package/.gitignore

@@ -0,0 +1 @@
+node_modules/

tools/tests/apps/link-config-npm-package/.meteor/.finished-upgraders

@@ -0,0 +1,19 @@
+# This file contains information which helps Meteor properly upgrade your
+# app when you run 'meteor update'. You should check it into version control
+# with your project.
+
+notices-for-0.9.0
+notices-for-0.9.1
+0.9.4-platform-file
+notices-for-facebook-graph-api-2
+1.2.0-standard-minifiers-package
+1.2.0-meteor-platform-split
+1.2.0-cordova-changes
+1.2.0-breaking-changes
+1.3.0-split-minifiers-package
+1.4.0-remove-old-dev-bundle-link
+1.4.1-add-shell-server-package
+1.4.3-split-account-service-packages
+1.5-add-dynamic-import-package
+1.7-split-underscore-from-meteor-base
+1.8.3-split-jquery-from-blaze

tools/tests/apps/link-config-npm-package/.meteor/.gitignore

@@ -0,0 +1 @@
+local

tools/tests/apps/link-config-npm-package/.meteor/.id

@@ -0,0 +1,7 @@
+# This file contains a token that is unique to your project.
+# Check it into your repository along with the rest of this directory.
+# It can be used for purposes such as:
+#   - ensuring you don't accidentally deploy one app on top of another
+#   - providing package authors with aggregated statistics
+
+j09yfxg8pwz74.sw6lv8bt1n0m

tools/tests/apps/link-config-npm-package/.meteor/packages

@@ -0,0 +1,15 @@
+# Meteor packages used by this project, one per line.
+# Check this file (and the other files in this directory) into your repository.
+#
+# 'meteor add' and 'meteor remove' will edit this file for you,
+# but you can also edit it by hand.
+
+meteor                  # Shared foundation for all Meteor packages
+static-html             # Define static page content in .html files
+standard-minifier-css   # CSS minifier run for production mode
+standard-minifier-js    # JS minifier run for production mode
+es5-shim                # ECMAScript 5 compatibility for older browsers
+ecmascript              # Enable ECMAScript2015+ syntax in app code
+shell-server            # Server-side component of the `meteor shell` command
+webapp                  # Serves a Meteor app over HTTP
+server-render           # Support for server-side rendering

tools/tests/apps/link-config-npm-package/.meteor/platforms

@@ -0,0 +1,2 @@
+server
+browser

tools/tests/apps/link-config-npm-package/.meteor/release

@@ -0,0 +1 @@
+none

tools/tests/apps/link-config-npm-package/.meteor/versions

@@ -0,0 +1,39 @@
+babel-compiler@7.2.0-rc171.6
+babel-runtime@1.3.0-rc171.6
+base64@1.0.11
+blaze-tools@1.0.10
+boilerplate-generator@1.6.0-rc171.6
+caching-compiler@1.2.0-rc171.6
+caching-html-compiler@1.1.3
+dynamic-import@0.5.0-rc171.6
+ecmascript@0.12.0-rc171.6
+ecmascript-runtime@0.7.0
+ecmascript-runtime-client@0.8.0-rc171.6
+ecmascript-runtime-server@0.7.1
+ejson@1.1.0
+es5-shim@4.8.0
+fetch@0.1.0
+html-tools@1.0.11
+htmljs@1.0.11
+inter-process-messaging@0.1.0-rc171.6
+logging@1.1.20
+meteor@1.9.2
+minifier-css@1.3.1
+minifier-js@2.4.0-rc171.6
+modern-browsers@0.1.2
+modules@0.13.0-rc171.6
+modules-runtime@0.10.2
+promise@0.11.1
+random@1.1.0
+routepolicy@1.1.0-rc171.6
+server-render@0.3.1
+shell-server@0.4.0
+spacebars-compiler@1.1.3
+standard-minifier-css@1.4.1
+standard-minifier-js@2.4.0-rc171.6
+static-html@1.2.2
+templating-tools@1.1.2
+tracker@1.2.0
+underscore@1.0.10
+webapp@1.7.0-rc171.6
+webapp-hashing@1.0.9

tools/tests/apps/link-config-npm-package/main.js

@@ -0,0 +1 @@
+console.log("main", require("config").id);

tools/tests/apps/link-config-npm-package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "link-config-npm-package",
+  "private": true,
+  "scripts": {
+    "start": "meteor run",
+    "test": "meteor test --once --driver-package meteortesting:mocha",
+    "test-app": "TEST_WATCH=1 meteor test --full-app --driver-package meteortesting:mocha",
+    "visualize": "meteor --production --extra-packages bundle-visualizer"
+  },
+  "dependencies": {
+    "@babel/runtime": "^7.5.0",
+    "config": "file:../config-package",
+    "meteor-node-stubs": "^1.0.0"
+  },
+  "meteor": {
+    "mainModule": {
+      "client": false,
+      "server": "main.js"
+    }
+  }
+}

tools/tests/bundle.js

@@ -81,3 +81,44 @@ selftest.define("build - linked external npm package (#10177)", function () {
     "bundle/programs/server/npm/node_modules/external-package/package.json"
   ));
 });
+
+selftest.define("build - link npm package named 'config' (#10892)", function () {
+  const s = new Sandbox();
+
+  s.mkdir("config-package");
+  s.cd("config-package");
+
+  s.write(
+      "package.json",
+      JSON.stringify({
+        name: "config",
+        version: "1.0.0",
+        private: true,
+        main: "index.js"
+      }, null, 2) + "\n"
+  );
+
+  s.write(
+      "index.js",
+      "exports.id = module.id;\n"
+  );
+
+  s.cd(s.home);
+
+  s.createApp("app", "link-config-npm-package");
+  s.cd("app");
+
+  const run = s.run();
+  run.waitSecs(30);
+  run.match("config-package/index.js");
+  run.stop();
+
+  const build = s.run("build", "../build");
+  build.waitSecs(60);
+  build.expectExit(0);
+
+  const command = "cd " + files.pathJoin(s.home, "build") + " && tar -xzf app.tar.gz bundle/programs/server/packages/modules.js && grep -c \"meteorInstall({\\\"node_modules\\\":{\\\"config\\\":\" bundle/programs/server/packages/modules.js";
+  const commandResult = execSync(command,{ maxBuffer }).toString("utf8");
+
+  selftest.expectTrue(commandResult === "1\n");
+});