Publish a new release with send >= 0.19.0; CVE-2024-43799

[sdavids]

$ mkdir /tmp/test && cd "$_"
$ npm i --save-dev browser-sync@3.0.2
$ npm audit
# npm audit report

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install browser-sync@2.26.2, which is a breaking change
node_modules/send
  browser-sync  >=2.12.1
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/browser-sync
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[max-holland]

+1

[yokoishioka]

I just submitted a PR for this and to resolve the one for sever-static as well: #2087

[rmch91]

+1

[shakyShane]

I'll sort this later today, thanks :)

[rmch91]

Hello, any updates on this?

[shakyShane]

#2088

[shakyShane]

browser-sync@3.0.3

[sdavids]

Not mentioned here:

https://github.com/BrowserSync/browser-sync/releases

nor here:

https://github.com/BrowserSync/browser-sync/blob/master/CHANGELOG.md

[sdavids]

If the CHANGELOG is obsolete then it should be mentioned in the file's header.

[sdavids]

On a side note:

Not publishing proper changes opens the door to supply-chain attacks, cf. xz fiasco.

[shakyShane]

https://github.com/BrowserSync/browser-sync/releases/tag/v3.0.3

• changelog deleted

Not publishing proper changes opens the door to supply-chain attacks, cf. xz fiasco.

Can you explain your concern a little further? In terms of publishing this package to npm - I still do it manually to this day exactly so I can be sure what goes into each - but perhaps you're talking about some other angle?

[sdavids]

I guess

browser-sync/packages/browser-sync/package.json

Line 71 in 1359821

"generate-changelog": "^1.7.0",

could be deleted as well then.

[sdavids]

What I mentioned was:

There is a new version published to NPM and one cannot find any release notes/change log.

Reading the release notes should be the minimum one does before upgrading.

But some people do not care or use non-pinned versions 🤷

---

Maybe you might want to use provenance in the future:

https://docs.npmjs.com/searching-for-and-choosing-packages-to-download#package-provenance

https://docs.npmjs.com/generating-provenance-statements

https://jsr.io/docs/trust

[sdavids]

$ npm audit signatures

is useless in a way though.

Unless you use ignore-scripts with npm i, ideally in your global .npmrc:

ignore-scripts=true