Update to 1.23.16

[1.23.X] Update dependencies (#5455 )
Merge commit from fork
2025-09-11 22:06:59 +08:00 · 2024-12-20 15:15:52 +08:00 · 2024-12-20 15:11:24 +08:00 · 2024-12-20 15:02:22 +08:00 · 2024-09-30 05:44:32 +08:00 · 2024-09-30 05:41:31 +08:00
3 changed files with 4934 additions and 4861 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
    "name": "uptime-kuma",
-    "version": "1.23.13",
+    "version": "1.23.16",
    "license": "MIT",
    "repository": {
        "type": "git",
@@ -24,7 +24,7 @@
        "start-frontend-devcontainer": "cross-env NODE_ENV=development DEVCONTAINER=1 vite --host --config ./config/vite.config.js",
        "start": "npm run start-server",
        "start-server": "node server/server.js",
-        "start-server-dev": "cross-env NODE_ENV=development node server/server.js",
+        "start-server-dev": "cross-env NODE_ENV=development node server/server.js --data-dir=./data/v1/",
        "build": "vite build --config ./config/vite.config.js",
        "test": "node test/prepare-test-server.js && npm run jest-backend",
        "test-with-build": "npm run build && npm test",
@@ -42,7 +42,7 @@
        "build-docker-nightly-amd64": "docker buildx build -f docker/dockerfile --platform linux/amd64 -t louislam/uptime-kuma:nightly-amd64 --target nightly . --push --progress plain",
        "build-docker-pr-test": "docker buildx build -f docker/dockerfile --platform linux/amd64,linux/arm64 -t louislam/uptime-kuma:pr-test --target pr-test . --push",
        "upload-artifacts": "docker buildx build -f docker/dockerfile --platform linux/amd64 -t louislam/uptime-kuma:upload-artifact --build-arg VERSION --build-arg GITHUB_TOKEN --target upload-artifact . --progress plain",
-        "setup": "git checkout 1.23.13 && npm ci --production && npm run download-dist",
+        "setup": "git checkout 1.23.16 && npm ci --production && npm run download-dist",
        "download-dist": "node extra/download-dist.js",
        "mark-as-nightly": "node extra/mark-as-nightly.js",
        "reset-password": "node extra/reset-password.js",
@@ -78,7 +78,7 @@
        "start-server-node14-win": "private\\node14\\node.exe server/server.js"
    },
    "dependencies": {
-        "@grpc/grpc-js": "~1.7.3",
+        "@grpc/grpc-js": "~1.8.22",
        "@louislam/ping": "~0.4.4-mod.1",
        "@louislam/sqlite3": "15.1.6",
        "args-parser": "~1.3.0",
@@ -89,7 +89,7 @@
        "cacheable-lookup": "~6.0.4",
        "chardet": "~1.4.0",
        "check-password-strength": "^2.0.5",
-        "cheerio": "~1.0.0-rc.12",
+        "cheerio": "1.0.0-rc.12",
        "chroma-js": "~2.4.2",
        "command-exists": "~1.2.9",
        "compare-versions": "~3.6.0",
@@ -97,7 +97,7 @@
        "croner": "~6.0.5",
        "dayjs": "~1.11.5",
        "dotenv": "~16.0.3",
-        "express": "~4.19.2",
+        "express": "~4.21.0",
        "express-basic-auth": "~1.2.1",
        "express-static-gzip": "~2.1.7",
        "form-data": "~4.0.0",
@@ -138,8 +138,8 @@
        "redbean-node": "~0.3.0",
        "redis": "~4.5.1",
        "semver": "~7.5.4",
-        "socket.io": "~4.6.1",
-        "socket.io-client": "~4.6.1",
+        "socket.io": "~4.8.0",
+        "socket.io-client": "~4.8.0",
        "socks-proxy-agent": "6.1.1",
        "tar": "~6.2.1",
        "tcp-ping": "~0.1.1",
@@ -171,7 +171,7 @@
        "cypress": "^13.2.0",
        "delay": "^5.0.0",
        "dns2": "~2.0.1",
-        "dompurify": "~3.0.11",
+        "dompurify": "~3.1.7",
        "eslint": "~8.14.0",
        "eslint-plugin-vue": "~8.7.1",
        "favico.js": "~0.3.10",
--- a/server/monitor-types/real-browser-monitor-type.js
+++ b/server/monitor-types/real-browser-monitor-type.js
@@ -193,6 +193,14 @@ class RealBrowserMonitorType extends MonitorType {
        const context = await browser.newContext();
        const page = await context.newPage();

+        // Prevent Local File Inclusion
+        // Accept only http:// and https://
+        // https://github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h
+        let url = new URL(monitor.url);
+        if (url.protocol !== "http:" && url.protocol !== "https:") {
+            throw new Error("Invalid url protocol, only http and https are allowed.");
+        }
+
        const res = await page.goto(monitor.url, {
            waitUntil: "networkidle",
            timeout: monitor.interval * 1000 * 0.8,
Author	SHA1	Message	Date
Louis Lam	5bb329fa0e	Update to 1.23.16	2024-12-20 15:15:52 +08:00
Louis Lam	09dedc07fb	[1.23.X] Update dependencies (#5455 )	2024-12-20 15:11:24 +08:00
Louis Lam	6cfae01a0d	Merge commit from fork * [V1 Only] Change dev server's data path to ./data/v1 * Fix GHSA-2qgm-m29m-cj2h	2024-12-20 15:02:22 +08:00
Louis Lam	32dc76a085	Update to 1.23.15	2024-09-30 05:44:32 +08:00
Louis Lam	c6d6061a9f	Pin cheerio to avoid the breaking change of undici (#5142 )	2024-09-30 05:41:31 +08:00
Louis Lam	243726b03c	Update to 1.23.14	2024-09-29 21:46:19 +08:00
Louis Lam	936665aac3	[1.23.X] Update dependencies (#5132 )	2024-09-28 03:43:54 +08:00