Skip to content
This repository has been archived by the owner on May 30, 2024. It is now read-only.

Snyk vulnerability - URL Parse - Improper Input Validation #209

Closed
naveentej opened this issue Mar 12, 2021 · 7 comments
Closed

Snyk vulnerability - URL Parse - Improper Input Validation #209

naveentej opened this issue Mar 12, 2021 · 7 comments

Comments

@naveentej
Copy link

https://snyk.io/vuln/SNYK-JS-URLPARSE-1078283

launchdarkly-node-server-sdk@5.13.3,launchdarkly-eventsource@1.3.1,original@1.0.2,url-parse@1.4.7

@bwoskow-ld
Copy link
Member

Hi @naveentej,

Thanks for the vulnerability report. The launchdarkly-eventsource package currently uses the latest available original release (1.0.2). I see that original's maintainer has already updated their package dependencies for this issue on master but has not yet released this in a new version.

In the meantime, given that version 1.0.2 defines the url-parse version constraint as ^1.4.3, this version constraint is compatible with 1.5.0 and higher which contains the vulnerability resolution. As a result, this vulnerability shouldn't actually affect you -- when you install you should be able to get a patched url-parse version.

Cheers,
@bwoskow-ld

@eli-darkly
Copy link
Contributor

The 5.14.5 release changed the dependency declarations to explicitly exclude vulnerable versions of url-parse.

LaunchDarklyReleaseBot added a commit that referenced this issue Feb 19, 2022
* fix tests

* object shorthand

* add more end-to-end tests, improve HTTP test helpers, general cleanup

* rm nock

* Node 6 compatibility

* remove redundant helper, misc cleanup

* Node 6 compatibility

* fix comment

* change asyncify to promisifySingle

* misc fixes

* add Windows CircleCI job

* fix config

* syntax

* diagnostic events, part 2: initial event and stats, except for stream inits

* comments

* add test for stats event

* capture stream connection stats in diagnostic events

* fix test

* remove eventReportingDisabled from diagnostic event; only create diagnosticsManager if needed

* revise tests to use new helper package

* misc cleanup

* use launchdarkly-js-test-helpers 1.0.0

* fix package reference

* minor fixes to config validation messages + add comment

* diagnostic eventsInQueue counter should be # of events at last flush

* rename eventsInQueue to eventsInLastBatch

* don't let user fall outside of last bucket in rollout

* add unit tests for basic bucketing logic and edge case

* avoid redundant property lookups

* fix Redis client parameter to match TS declaration (but still support old incorrect parameter)

* add event payload ID

* remove mistakenly checked-in test code (note, this SDK key was only valid on staging)

* add mention of singleton usage

* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
LaunchDarklyReleaseBot added a commit that referenced this issue Mar 10, 2022
* rm nock

* Node 6 compatibility

* remove redundant helper, misc cleanup

* Node 6 compatibility

* fix comment

* change asyncify to promisifySingle

* misc fixes

* add Windows CircleCI job

* fix config

* syntax

* diagnostic events, part 2: initial event and stats, except for stream inits

* comments

* add test for stats event

* capture stream connection stats in diagnostic events

* fix test

* remove eventReportingDisabled from diagnostic event; only create diagnosticsManager if needed

* revise tests to use new helper package

* misc cleanup

* use launchdarkly-js-test-helpers 1.0.0

* fix package reference

* minor fixes to config validation messages + add comment

* diagnostic eventsInQueue counter should be # of events at last flush

* rename eventsInQueue to eventsInLastBatch

* don't let user fall outside of last bucket in rollout

* add unit tests for basic bucketing logic and edge case

* avoid redundant property lookups

* fix Redis client parameter to match TS declaration (but still support old incorrect parameter)

* add event payload ID

* remove mistakenly checked-in test code (note, this SDK key was only valid on staging)

* add mention of singleton usage

* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

* Flags with a version of 0 reported as 'unknown' in summary events. (#239)

* implement contract test service, not including big segments (#242)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Implement Application tags for the node SDK. (#241)

* update js-eventsource to 1.4.4 for security fix

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
LaunchDarklyReleaseBot added a commit that referenced this issue Mar 23, 2022
* Node 6 compatibility

* remove redundant helper, misc cleanup

* Node 6 compatibility

* fix comment

* change asyncify to promisifySingle

* misc fixes

* add Windows CircleCI job

* fix config

* syntax

* diagnostic events, part 2: initial event and stats, except for stream inits

* comments

* add test for stats event

* capture stream connection stats in diagnostic events

* fix test

* remove eventReportingDisabled from diagnostic event; only create diagnosticsManager if needed

* revise tests to use new helper package

* misc cleanup

* use launchdarkly-js-test-helpers 1.0.0

* fix package reference

* minor fixes to config validation messages + add comment

* diagnostic eventsInQueue counter should be # of events at last flush

* rename eventsInQueue to eventsInLastBatch

* don't let user fall outside of last bucket in rollout

* add unit tests for basic bucketing logic and edge case

* avoid redundant property lookups

* fix Redis client parameter to match TS declaration (but still support old incorrect parameter)

* add event payload ID

* remove mistakenly checked-in test code (note, this SDK key was only valid on staging)

* add mention of singleton usage

* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

* Flags with a version of 0 reported as 'unknown' in summary events. (#239)

* implement contract test service, not including big segments (#242)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Implement Application tags for the node SDK. (#241)

* update js-eventsource to 1.4.4 for security fix

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
@ryanpcmcquen
Copy link

@eli-darkly

The 5.14.5 release changed the dependency declarations to explicitly exclude vulnerable versions of url-parse.

This still gets marked as a vulnerability by Snyk for 5.14.5.

Issues with no direct upgrade or patch:
  ✗ Improper Input Validation [High Severity][https://snyk.io/vuln/SNYK-JS-URLPARSE-2407770] in url-parse@1.5.3
    introduced by launchdarkly-node-server-sdk@5.14.5 > launchdarkly-eventsource@1.4.1 > original@1.0.2 > url-parse@1.5.3 and 1 other path(s)
  This issue was fixed in versions: 1.5.9

Is Snyk getting confused here?

@eli-darkly
Copy link
Contributor

eli-darkly commented Mar 24, 2022

@ryanpcmcquen I think the answer is 1. it's talking about a different vulnerability, and 2. Snyk may be behaving as designed but I think the output is misleading.

The issue you're commenting on here is from over a year ago, when the latest 1.5.x version of url-parse did not have any known problems, and Snyk was complaining about a problem in 1.4.x. There are now known problems in all versions of url-parse below 1.5.9. So Snyk is correct in that sense.

However, I'm not sure why Snyk thinks our SDK has a dependency specifically on version 1.5.3 of url-parse. As described in the original response to this issue, the transitive dependency via original uses a loose version constraint with a ^ prefix, so the version of url-parse you actually get should be the latest 1.x version— currently 1.5.10.

My best guess is that Snyk is looking at the package-lock.json file that existed in the node-server-sdk repository at the time our version 5.14.5 was released. That reflects the version of url-parse that was the latest at that time. But, since package-lock.json is not used at all when NPM is resolving transitive dependencies, that is misleading. That's why in later releases of our SDK, we removed package-lock.json from source control; it doesn't really make sense to check in the lockfile for library code, as opposed to application code.

The 5.14.x version is almost at end of life, but it still has another three months of support, so it might make sense for us to put out a 5.14.6 patch that would make this warning go away. It wouldn't have any code changes at all, it just wouldn't have a lockfile.

@ryanpcmcquen
Copy link

The 5.14.x version is almost at end of life, but it still has another three months of support, so it might make sense for us to put out a 5.14.6 patch that would make this warning go away. It wouldn't have any code changes at all, it just wouldn't have a lockfile.

That would be great.

@eli-darkly
Copy link
Contributor

@ryanpcmcquen We've released a 5.14.6 patch which addresses this.

@ryanpcmcquen
Copy link

@ryanpcmcquen We've released a 5.14.6 patch which addresses this.

Thank you!

LaunchDarklyReleaseBot added a commit that referenced this issue Apr 26, 2022
* comments

* add test for stats event

* capture stream connection stats in diagnostic events

* fix test

* remove eventReportingDisabled from diagnostic event; only create diagnosticsManager if needed

* revise tests to use new helper package

* misc cleanup

* use launchdarkly-js-test-helpers 1.0.0

* fix package reference

* minor fixes to config validation messages + add comment

* diagnostic eventsInQueue counter should be # of events at last flush

* rename eventsInQueue to eventsInLastBatch

* don't let user fall outside of last bucket in rollout

* add unit tests for basic bucketing logic and edge case

* avoid redundant property lookups

* fix Redis client parameter to match TS declaration (but still support old incorrect parameter)

* add event payload ID

* remove mistakenly checked-in test code (note, this SDK key was only valid on staging)

* add mention of singleton usage

* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

* Flags with a version of 0 reported as 'unknown' in summary events. (#239)

* implement contract test service, not including big segments (#242)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Implement Application tags for the node SDK. (#241)

* update js-eventsource to 1.4.4 for security fix

* remove package-lock.json

* adjust test expectation about error message to work in recent Node versions

* Adds link to Relay Proxy docs

* Update index.d.ts

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* ensure setTimeout task is cleared when polling is stopped

* fix some flaky tests using async blocking logic

* rm unused

* simplify polling implementation using setInterval

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Co-authored-by: Ember Stevens <ember.stevens@launchdarkly.com>
Co-authored-by: Ember Stevens <79482775+ember-stevens@users.noreply.github.com>
LaunchDarklyReleaseBot added a commit that referenced this issue Jun 6, 2022
* revise tests to use new helper package

* misc cleanup

* use launchdarkly-js-test-helpers 1.0.0

* fix package reference

* minor fixes to config validation messages + add comment

* diagnostic eventsInQueue counter should be # of events at last flush

* rename eventsInQueue to eventsInLastBatch

* don't let user fall outside of last bucket in rollout

* add unit tests for basic bucketing logic and edge case

* avoid redundant property lookups

* fix Redis client parameter to match TS declaration (but still support old incorrect parameter)

* add event payload ID

* remove mistakenly checked-in test code (note, this SDK key was only valid on staging)

* add mention of singleton usage

* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

* Flags with a version of 0 reported as 'unknown' in summary events. (#239)

* implement contract test service, not including big segments (#242)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Implement Application tags for the node SDK. (#241)

* update js-eventsource to 1.4.4 for security fix

* remove package-lock.json

* adjust test expectation about error message to work in recent Node versions

* Adds link to Relay Proxy docs

* Update index.d.ts

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* ensure setTimeout task is cleared when polling is stopped

* fix some flaky tests using async blocking logic

* rm unused

* simplify polling implementation using setInterval

* use newer js-test-helpers for async tests

* add request number to timeout message

* Enforce 64 character limit for application tag values. (#263)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Co-authored-by: Ember Stevens <ember.stevens@launchdarkly.com>
Co-authored-by: Ember Stevens <79482775+ember-stevens@users.noreply.github.com>
LaunchDarklyReleaseBot added a commit that referenced this issue Sep 6, 2022
* revise tests to use new helper package

* misc cleanup

* use launchdarkly-js-test-helpers 1.0.0

* fix package reference

* minor fixes to config validation messages + add comment

* diagnostic eventsInQueue counter should be # of events at last flush

* rename eventsInQueue to eventsInLastBatch

* don't let user fall outside of last bucket in rollout

* add unit tests for basic bucketing logic and edge case

* avoid redundant property lookups

* fix Redis client parameter to match TS declaration (but still support old incorrect parameter)

* add event payload ID

* remove mistakenly checked-in test code (note, this SDK key was only valid on staging)

* add mention of singleton usage

* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

* Flags with a version of 0 reported as 'unknown' in summary events. (#239)

* implement contract test service, not including big segments (#242)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Implement Application tags for the node SDK. (#241)

* update js-eventsource to 1.4.4 for security fix

* remove package-lock.json

* adjust test expectation about error message to work in recent Node versions

* Adds link to Relay Proxy docs

* Update index.d.ts

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* ensure setTimeout task is cleared when polling is stopped

* fix some flaky tests using async blocking logic

* rm unused

* simplify polling implementation using setInterval

* use newer js-test-helpers for async tests

* add request number to timeout message

* Enforce 64 character limit for application tag values. (#263)

* Fixed operator field key name in TestDataRuleBuilder (#246)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Co-authored-by: Ember Stevens <ember.stevens@launchdarkly.com>
Co-authored-by: Ember Stevens <79482775+ember-stevens@users.noreply.github.com>
LaunchDarklyReleaseBot added a commit that referenced this issue Dec 7, 2022
* add mention of singleton usage

* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

* Flags with a version of 0 reported as 'unknown' in summary events. (#239)

* Initial draft of typescript types. (#236)

* Implement attribute reference support.

* implement contract test service, not including big segments (#242)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Implement Application tags for the node SDK. (#241)

* update js-eventsource to 1.4.4 for security fix

* remove package-lock.json

* adjust test expectation about error message to work in recent Node versions

* #3 Add context filtering and legacy to single kind conversion. (#238)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #4 Switch from user to context for events. (#244)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #5 Rlamb/sc 142950/implement u2c evaluation (#248)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #6 Rlamb/sc 145767/attribute reference improvements (#250)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #7 Rlamb/sc 146614/do not support bucketby for experiments (#251)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #8 Rlamb/sc 147263/treat cyclic segements as errors (#252)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Do not use the secondary key for experiments. (#256)

* Resolve issues with V2 test harness. (#258)

* Adds link to Relay Proxy docs

* Update index.d.ts

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* ensure setTimeout task is cleared when polling is stopped

* fix some flaky tests using async blocking logic

* rm unused

* simplify polling implementation using setInterval

* Update the test data source for U2C. (#257)

* use newer js-test-helpers for async tests

* add request number to timeout message

* Enforce 64 character limit for application tag values. (#263)

* Changed transient back to anonymous. (#264)

* Fixed operator field key name in TestDataRuleBuilder (#246)

* Do not set `inExperiment`  if there is not a context for the specified kind. (#266)

* [sc-160948] Switch to partial URL encoding. (#265)

* Update event schema version. (#267)

* [sc-171125] Do now allow indexing into an array with an attribute reference. (#268)

* [sc-174033] Remove support for secondary. (#269)

* Treat 'kind' and '/kind' the same. (#270)

* [sc-176598] Update node U2C with latest changes from main. (#272)

* [sc-176599] Update documentation for privateAttributes _meta attribute of contexts. (#271)

* Remove copy/paste error. (#274)

* [sc-177983] Add support for executing old style user tests. (#275)

* Update release metadata.

* Do not generate events for bad contexts. (#277)

Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>

* Handle nested segment dependencies. (#278)

Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Co-authored-by: Ember Stevens <ember.stevens@launchdarkly.com>
Co-authored-by: Ember Stevens <79482775+ember-stevens@users.noreply.github.com>
Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>
LaunchDarklyReleaseBot added a commit that referenced this issue Feb 8, 2023
* update diagnostic event info for OS name, data store type, Node version

* standardize linting

* disallow window and document

* fix null/undef checks

* misc linting fixes

* inlineUsersInEvents is not an unknown option

* drop node-sha1 dependency

* don't omit streamInits.failed when it's false

* bump request dependency to get security patch; loosen some exact dependencies

* remove request package; improve polling cache logic + add test

* bump typescript version to fix build error in Node 6

* update @types/node to fix TypeScript check step

* lint

* make sure we keep polling regardless of whether we got new data

* use launchdarkly-eventsource, make stream retry behavior consistent

* stream retry delay option should be in seconds & should be included in diagnostics

* minor test fix

* fix: Throw an error on malformed user-supplied logger

* don't call unref() on Redis client; ensure that database integration tests close the store

* update Redis driver to major version 3

* add test case

* allow redisOpts parameter to be omitted

* add logger adapter shim + tests

* minor cleanup and comments for ch74741 fix (logger wrapper)

* fix proxy tunnel configuration and make sure it's used in streaming

* change some string concatenation expressions to use interpolation

* feat: upgrade winston (#189)

* fix merge

* remove support for indirect/patch and indirect/put (#182)

* reuse same Promise and same event listeners for all waitForInitialization calls

* better docs for waitForInitialization + misc doc cleanup (#184)

* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)

* fix broken logger format (#186)

* retroactively update changelog for bugfix in 5.13.2 release

* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected

* set stream read timeout

* adding the alias functionality (#190)

* Removed the guides link

* remove monkey-patching of setImmediate

* Persist contextKind property during feature and custom event transformations (#194)

* add inlineUsersInEvents option in TypeScript

* Add support for seed to bucketUser

* Add note for incorporating seed into evaluation

* Send events when the evaluation is from an experiment

* Use seed to evaluate.

* Clean up test descriptions

* Rename variable to be less confusing

* Use ternary to eliminate mutation

* Make return signature more consistent

* Un-prettier the tests

* redis lower bounds bump (#199)

* update launchdarkly-js-test-helpers to fix TLS tests (#200)

* update js-eventsource to remove vulnerability warning (#201)

* add CI jobs for all compatible Node versions

* CI fixes

* more CI fixes

* comment

* use default value to simplify config

* (6.0 - #1) stop saying we're compatible with Node <12 (#203)

* add CI jobs for all compatible Node versions (#202)

* (6.0 - #2) remove Redis integration (#204)

* allow feature store to be specified as a factory (so it can get our logger)

* (6.0 - #3) remove Winston (#205)

* remove deprecated things for 6.0 (#206)

* update node-cache to 5.x (drops old Node compat)

* update semver to 7.x (drops old Node compat)

* update uuid to 8.x (Node compat, perf improvements, bugfixes)

* update dev dependencies

* linter

* replace lrucache package with lru-cache (#209)

* make yaml dependency optional (#210)

* update release metadata to include maintenance branch

* remove package-lock.json (#211)

* rm prerelease changelog

* (big segments #1) add interfaces for big segments (#212)

* (big segments #2) add all components for big segments except evaluation (#213)

* (big segments #3) implement big segments in flag evaluation (#214)

* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)

* move new interfaces to a module instead of a namespace (#216)

* fix TS export of CachingStoreWrapper

* use Releaser v2 config

* fix overly specific test expectation that breaks in Node 17

* Initial work on FlagBuilder (#219)

* Add TestData factory(with some dummy methods); Initial work on FlagBuilder

* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label

* fixed typo in TestData store

* converted boolean variation constants to be file variables instead of class variables

Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>

* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface

* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead class-scoped

* Implement stream processor(data source) interface for test data

* Add TestData to index.js and write out the types for TestData and friends

* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag

* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments

* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.

* Fix linter error on defaulted callback

* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason

* capitalize Big Segments in docs & logs

* documentation comment fixes for TestData

* pin TypeScript to 4.4.x

* move TestData and FIleDataSource to integrations module

* lint

* rename types used by TestData for clarity (#229)

* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)

* don't ever use for...in (#232)

* don't ever use for...in

* add null guard

* bump launchdarkly-eventsource dependency for sc-136154 fix

* use TestData in our own tests (#231)

* use TestData in our own tests

* update TS interface

* lint

* typo

* fix allFlagsState behavior regarding experimentation

* lint

* allow "secondary" to be referenced in clauses

* don't throw an exception for non-string in semver comparison

* correctly handle "client not ready" condition in allFlagsState

* lint

* Flags with a version of 0 reported as 'unknown' in summary events. (#239)

* Initial draft of typescript types. (#236)

* Implement attribute reference support.

* implement contract test service, not including big segments (#242)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Implement Application tags for the node SDK. (#241)

* update js-eventsource to 1.4.4 for security fix

* remove package-lock.json

* adjust test expectation about error message to work in recent Node versions

* #3 Add context filtering and legacy to single kind conversion. (#238)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #4 Switch from user to context for events. (#244)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #5 Rlamb/sc 142950/implement u2c evaluation (#248)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #6 Rlamb/sc 145767/attribute reference improvements (#250)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #7 Rlamb/sc 146614/do not support bucketby for experiments (#251)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* #8 Rlamb/sc 147263/treat cyclic segements as errors (#252)

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* Do not use the secondary key for experiments. (#256)

* Resolve issues with V2 test harness. (#258)

* Adds link to Relay Proxy docs

* Update index.d.ts

Co-authored-by: Eli Bishop <eli@launchdarkly.com>

* ensure setTimeout task is cleared when polling is stopped

* fix some flaky tests using async blocking logic

* rm unused

* simplify polling implementation using setInterval

* Update the test data source for U2C. (#257)

* use newer js-test-helpers for async tests

* add request number to timeout message

* Enforce 64 character limit for application tag values. (#263)

* Changed transient back to anonymous. (#264)

* Fixed operator field key name in TestDataRuleBuilder (#246)

* Do not set `inExperiment`  if there is not a context for the specified kind. (#266)

* [sc-160948] Switch to partial URL encoding. (#265)

* Update event schema version. (#267)

* [sc-171125] Do now allow indexing into an array with an attribute reference. (#268)

* [sc-174033] Remove support for secondary. (#269)

* Treat 'kind' and '/kind' the same. (#270)

* [sc-176598] Update node U2C with latest changes from main. (#272)

* [sc-176599] Update documentation for privateAttributes _meta attribute of contexts. (#271)

* Remove copy/paste error. (#274)

* [sc-177983] Add support for executing old style user tests. (#275)

* Update release metadata.

* Do not generate events for bad contexts. (#277)

Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>

* Handle nested segment dependencies. (#278)

* fix: bump async dependencies

---------

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Co-authored-by: Ember Stevens <ember.stevens@launchdarkly.com>
Co-authored-by: Ember Stevens <79482775+ember-stevens@users.noreply.github.com>
Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>
Co-authored-by: Louis Chan <lchan@launchdarkly.com>
Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants