chore(deps): update dependency serve to v10 [security] #116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-serve-vulnerability

Contributor

renovate bot commented Aug 6, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
serve	`6.5.5` → `10.1.2`

GitHub Vulnerability Alerts

CVE-2018-3809

Versions of serve before 7.0.0 are vulnerable to information exposure, bypassing the ignore security control, but only on case insensitive file systems.

Recommendation

Update to version 7.0.0 or later.

CVE-2019-5417

Versions of serve before 7.1.3 are vulnerable to Directory Traversal. File paths are not sanitized leading to unauthorized access of system files.

Recommendation

Upgrade to version 7.1.3 or later

GHSA-xw79-hhv6-578c

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package does not encode output, allowing attackers to execute arbitrary JavaScript in the victim's browser if user-supplied input is rendered.

Recommendation

Upgrade to version 10.0.2 or later.

GHSA-48gc-5j93-5cfq

Versions of serve prior to 10.1.2 are vulnerable to Path Traversal. Explicitly ignored folders can be accessed through relative paths, which allows attackers to access hidden folders and files.

Recommendation

Upgrade to version 10.1.2 or later.

GHSA-cpgr-wmr9-qxv4

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

Upgrade to version 10.0.2 or later.

Release Notes

vercel/serve (serve)

`v10.1.2`

Patches

Use os.networkInterfaces() to detect network address: #492
Bumped serve-handler to latest version: #505

Credits

Huge thanks to @saintwinkle for helping!

`v10.1.1`

Patches

Properly encode redirect responses: #491

`v10.1.0`

Minor Changes

Added support for compression: #487
Added NO_UPDATE_CHECK environment flag: #457
Brought back support for ephemeral port switching: #490

Patches

Bumped serve-handler to the latest version: #488
Deprecate support for now.json and package.json: #489

Credits

Huge thanks to @leeyeh for helping!

`v10.0.2`

Patches

Bumped serve-handler to the latest version: #480

`v10.0.1`

Patches

Bumped @zeit/schemas to the latest version: #475

`v10.0.0`

Major Changes

Bumped dependencies to the latest version: #468

`v9.6.0`

Minor Changes

Added support for range requests: #465

`v9.4.2`

Patches

Point directly to Spectrum community: #462

`v9.4.1`

Patches

Updated link to Spectrum: #461

`v9.4.0`

Minor Changes

Handle ETag and If-None-Match: #456

`v9.3.0`

Minor Changes

Support for absolute paths: #445

Patches

Add badge to display install size: #450
Bumped dependencies to the latest version: #452

Credits

Huge thanks to @az0uz and @styfle for helping!

`v9.2.0`

Minor Changes

Allow custom headers to be set for default error responses: #443

`v9.1.2`

Patches

Properly handle requests with malformed URIs: #442

`v9.1.1`

Patches

Handle DNS lookup failures: #439

Credits

Huge thanks to @just-boris for helping!

`v9.1.0`

Minor Changes

Read port from environment variable PORT: #434

Credits

Huge thanks to @compulim for helping!

`v9.0.0`

Major Changes

Reverted default port back to 5000: #427

Minor Changes

Brought back old message for serving: #429
Added support for IPv6: #430

Patches

Allow dots in value of public option: #428

`v8.2.0`

Minor Changes

Add --config for custom paths to serve.json: #418
Added error templates: #419

Credits

Huge thanks to @tohjustin for helping!

`v8.1.4`

Patches

Fixed requests to /index being redirected wrong: #416

`v8.1.3`

Patches

Adding -p as an alias to -l: #412
Document usage with Now and update handler: #415

Credits

Huge thanks to @wawhal for helping!

`v8.1.2`

Patches

Correctly apply host: #410

`v8.1.1`

Patches

Show server listen address properly: #407

Credits

Huge thanks to @iczero for helping!

`v8.1.0`

Minor Changes

Support for renderSingle and reduced stat calls: #406

`v8.0.0`

Major Changes

Make cleanUrls stop stripping .htm extension: #403

`v7.2.0`

Minor Changes

Added default Content-Disposition header: #397

`v7.1.6`

Patches

Replace logo for repository: ad821be

`v7.1.5`

Patches

Added charset to Content-Type header: #394

`v7.1.4`

Patches

Ensured that everything in README.md is correct: #392

`v7.1.3`

Patches

Bumped middleware to the latest version: #391

`v7.1.2`

Patches

Bumped our dependencies to the latest version: #388

`v7.1.1`

Patches

Added example of using the middleware: #385

`v7.1.0`

Minor Changes

Re-added --single and made --listen support ports: #384

Patches

Fixed "URL is not defined" error: #381
Bumped serve-handler to the latest version: #383

Credits

Huge thanks to @jaeseok-park for helping!

`v7.0.1`

Patches

Removed useless dependencies: #377

`v7.0.0`

This release marks a completely fresh start for this project.

Over the years, the core of the package has gotten bigger and bigger, eventually containing features that should not be part of it at all. This led to serve becoming rather slow in certain situations. But not just in terms of serving requests, but also when installing (because of the dependency count).

As of today, the package is going into a completely new direction and we're re-evaluating any feature suggestions we're encoutering on the repository.

If you want to continue using the old serve, please lock it like this in your dependencies:

{
  "serve": "6.5.8"
}

Notice that the version number is not prefixed with ^.

However, for those of you who would like to upgrade, there are plenty amazing things awaiting you:

The core is now very lean, therefore fast to install and serving requests faster.
The package is now powered by serve-handler, which means you can finally customize the entire behavior of all the routes of your static project.
Later today, static deployments running on Now will work with the same configuration as serve – right out of the box: Use serve for development and Now in production.

If you have any suggestions, let us know in the issue list or create a pull request to fix something! 🙏

Thank you all for using serve and have a great day!

Leo – @notquiteleo

`v6.5.8`

Patches

Bumped dependencies to the latest version: #371

`v6.5.7`

Patches

Updated update-check package to the latest version: #362
Fixed chrome warning and removed unused variable: #364
Ensure serve starts even when update check fails: #360
Adjusted engines field to match readme: #366

Credits

Huge thanks to @MiniGod, @sreeramjayan and @n0v1 for helping!

`v6.5.6`

Patches

Added our linting setup and updated dependencies: #354
Added Circle CI and adjust readme to feature Yarn: #355

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency serve to v10 [security]

472e9b8

renovate bot force-pushed the renovate/npm-serve-vulnerability branch from 52370f2 to 472e9b8 Compare

August 10, 2025 13:51

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet