6.5.1

* Update LTS status in README (Miroslav Bajtoš)
 * Cursor is made pointer of the add token button (Siraj Alam)

.github/ISSUE_TEMPLATE.md

@@ -1,37 +0,0 @@
-<!--
-Questions:
-  https://groups.google.com/forum/#!forum/loopbackjs
-  https://gitter.im/strongloop/loopback
-Immediate support:
-  https://strongloop.com/api-connect-faqs/
-  https://strongloop.com/node-js/subscription-plans/
--->
-
-# Description/Steps to reproduce
-
-<!--
-If feature: A description of the feature
-If bug: Steps to reproduce
--->
-
-# Link to reproduction sandbox
-
-<!--
-Link to an app sandbox for reproduction
-
-Note: Failure to provide a sandbox application for reproduction purposes will result in the issue being closed.
--->
-
-# Expected result
-
-<!--
-Also include actual results if bug
--->
-
-# Additional information
-
-<!--
-Copy+paste the output of these two commands:
-  node -e 'console.log(process.platform, process.arch, process.versions.node)'
-  npm ls --prod --depth 0 | grep loopback
--->

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -0,0 +1,50 @@
+---
+name: Bug report
+about: Create a report to help us improve
+labels: bug
+
+---
+
+<!-- 🚨 STOP 🚨 STOP 🚨 STOP 🚨
+
+HELP US HELP YOU, PLEASE
+- Do a quick search to avoid duplicate issues
+- Provide as much information as possible (reproduction sandbox, use case for features, etc.)
+- Consider using a more suitable venue for questions such as Stack Overflow, Gitter, etc.
+
+Please fill in the *entire* template below.
+
+-->
+
+## Steps to reproduce
+
+<!-- Describe how to reproduce the issue -->
+
+## Current Behavior
+
+<!-- Describe the observed result -->
+
+## Expected Behavior
+
+<!-- Describe what did you expect instead, what is the desired outcome? -->
+
+## Link to reproduction sandbox
+
+<!--
+See https://loopback.io/doc/en/contrib/Reporting-issues.html#loopback-3x-bugs
+Note: Failure to provide a sandbox application for reproduction purposes will result in the issue being closed.
+-->
+
+## Additional information
+
+<!--
+Copy+paste the output of these two commands:
+  node -e 'console.log(process.platform, process.arch, process.versions.node)'
+  npm ls --prod --depth 0 | grep loopback
+-->
+
+## Related Issues
+
+<!-- Did you find other bugs that looked similar? -->
+
+_See [Reporting Issues](http://loopback.io/doc/en/contrib/Reporting-issues.html) for more tips on writing good issues_

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+labels: feature
+
+---
+
+## Suggestion
+
+<!-- A summary of what you'd like to see added or changed -->
+
+## Use Cases
+
+<!--
+What do you want to use this for?
+What shortcomings exist with current approaches?
+-->
+
+## Examples
+
+<!-- Show how this would be used and what the behavior would be -->
+
+## Acceptance criteria
+
+TBD - will be filled by the team.

.github/ISSUE_TEMPLATE/Question.md

@@ -0,0 +1,27 @@
+---
+name: Question
+about: The issue tracker is not for questions. Please use Stack Overflow or other resources for help.
+labels: question
+
+---
+
+<!-- 🚨 STOP 🚨 STOP 🚨 STOP 🚨
+
+THE ISSUE TRACKER IS NOT FOR QUESTIONS.
+
+DO NOT CREATE A NEW ISSUE TO ASK A QUESTION.
+
+Please use one of the following resources for help:
+
+**Questions**
+
+- https://stackoverflow.com/tags/loopbackjs
+- https://groups.google.com/forum/#!forum/loopbackjs
+- https://gitter.im/strongloop/loopback
+
+**Immediate support**
+
+- https://strongloop.com/api-connect-faqs/
+- https://strongloop.com/node-js/subscription-plans/
+
+-->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Report a security vulnerability
+    url: https://loopback.io/doc/en/contrib/Reporting-issues.html#security-issues
+    about: Do not report security vulnerabilities using GitHub issues. Please send an email to `reachsl@us.ibm.com` instead.
+  - name: Get help on StackOverflow
+    url: https://stackoverflow.com/tags/loopbackjs
+    about: Please ask and answer questions on StackOverflow.
+  - name: Join our mailing list
+    url: https://groups.google.com/forum/#!forum/loopbackjs
+    about: You can also post your question to our mailing list.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,25 +1,18 @@
-### Description
-
-
-#### Related issues
-
 <!--
-Please use the following link syntaxes:
+Please provide a high-level description of the changes made by your pull request.
 
-- connect to #49 (to reference issues in the current repository)
-- connect to strongloop/loopback#49 (to reference issues in another repository)
+Include references to all related GitHub issues and other pull requests, for example:
+
+Fixes #123
+Implements #254
+See also #23
 -->
 
-- connect to <link_to_referenced_issue>
+## Checklist
 
-### Checklist
-
-<!--
-- Please mark your choice with an "x" (i.e. [x], see
-https://github.com/blog/1375-task-lists-in-gfm-issues-pulls-comments)
-- PR's without test coverage will be closed.
--->
+👉 [Read and sign the CLA (Contributor License Agreement)](https://cla.strongloop.com/agreements/strongloop/loopback-component-explorer) 👈
 
+- [ ] `npm test` passes on your machine
 - [ ] New tests added or existing tests modified to cover all changes
-- [ ] Code conforms with the [style
-  guide](http://loopback.io/doc/en/contrib/style-guide.html)
+- [ ] Code conforms with the [style guide](https://loopback.io/doc/en/contrib/style-guide-es6.html)
+- [ ] Commit messages are following our [guidelines](https://loopback.io/doc/en/contrib/git-commit-messages.html)

.travis.yml

@@ -1,6 +1,6 @@
 sudo: false
 language: node_js
 node_js:
-  - "6"
   - "8"
   - "10"
+  - "12"

CHANGES.md

@@ -1,4 +1,30 @@
-2019-05-10, Version 6.4.0
+2020-03-06, Version 6.5.1
+=========================
+
+ * Update LTS status in README (Miroslav Bajtoš)
+
+ * Cursor is made pointer of the add token button (Siraj Alam)
+
+
+2019-11-28, Version 6.5.0
+=========================
+
+ * docs: describe GitHub advisory CVE-2019-17495 (Miroslav Bajtoš)
+
+ * chore: improve README formatting (Miroslav Bajtoš)
+
+ * Update README on swagger-ui (Diana Lau)
+
+ * chore: improve issue and PR templates (Nora)
+
+ * chore: add Node.js 12 to travis ci (Nora)
+
+ * chore: drop support for Node.js 6 (Nora)
+
+ * update LTS (Diana Lau)
+
+
+2019-05-09, Version 6.4.0
 =========================
 
  * chore: update copyrights years (Agnes Lin)

README.md

@@ -1,14 +1,15 @@
 # loopback-component-explorer
 
-**This module is in Active LTS mode, new features are no longer accepted.**
-<br/>(See [Module Long Term Support Policy](#module-long-term-support-policy)
-below.)
+**⚠️ LoopBack 3 is in Maintenance LTS mode, only critical bugs and critical
+security fixes will be provided. (See
+[Module Long Term Support Policy](#module-long-term-support-policy) below.)**
 
-LoopBack 3 users looking for new features are encouraged to upgrade
-to LoopBack 4. Refer to
-[loopback-next#1849](https://github.com/strongloop/loopback-next/issues/1849)
+We urge all LoopBack 3 users to migrate their applications to LoopBack 4 as
+soon as possible. Refer to our
+[Migration Guide](https://loopback.io/doc/en/lb4/migration-overview.html)
 for more information on how to upgrade.
 
+
 ## Overview
 
 Browse and test your LoopBack app's APIs.
@@ -39,6 +40,77 @@ console.log("Explorer mounted at localhost:" + port + "/explorer");
 app.listen(port);
 ```
 
+## A note on swagger-ui vulnerabilities
+
+API Explorer for LoopBack 3 is built on top of `swagger-ui` version 2.x which
+is no longer maintained. While there are known security vulnerabilities in
+`swagger-ui`, we believe they don't affect LoopBack users.
+
+We would love to upgrade our (LB3) API Explorer to v3 of swagger-ui, but
+unfortunately such upgrade requires too much effort and more importantly
+addition of new features to LB3 runtime, which would break our LTS guarantees.
+For more details, see discussion in
+[loopback-component-explorer#263](https://github.com/strongloop/loopback-component-explorer/issues/263).
+
+### npm advisory 985
+
+Link: https://www.npmjs.com/advisories/985
+
+> Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting
+> (XSS). The package fails to sanitize YAML files imported from URLs or
+> copied-pasted. This may allow attackers to execute arbitrary JavaScript.
+
+LoopBack's API Explorer does not allow clients to import swagger spec from YAML
+URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED**
+by this vulnerability.
+
+### npm advisory 975
+
+Link: https://www.npmjs.com/advisories/975
+
+> Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping.
+> The package uses `target='_blank'` in anchor tags, allowing attackers to
+> access `window.opener` for the original page. This is commonly used for
+> phishing attacks.
+
+This vulnerability affects anchor tags created from metadata provided by the
+Swagger spec, for example `info.termsOfServiceUrl`. LoopBack's API Explorer
+does not allow clients to provide custom swagger spec, URLs like
+`info.termsOfServiceUrl` are fully in control of the LoopBack application
+developer. That means loopback-component-explorer **IS NOT AFFECTED** by this
+vulnerability.
+
+### npm advisory 976
+
+Link: https://www.npmjs.com/advisories/976
+
+> Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting
+> (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which
+> may allow attackers to execute arbitrary JavaScript.
+
+LoopBack 3 API Explorer does not support OAuth auth flow, that means
+loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
+
+### GitHub advisory CVE-2019-17495
+
+Link: https://github.com/advisories/GHSA-c427-hjc3-wrfw
+> A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before
+> 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique
+> to perform CSS-based input field value exfiltration, such as exfiltration of
+> a CSRF token value.
+
+Quoting from the
+[disclosure](https://github.com/tarantula-team/CSS-injection-in-Swagger-UI/tree/15edeaaa5806aa8e83ee55d883f956a3c3573ac9):
+
+> We’ve observed that the `?url=` parameter in SwaggerUI allows an attacker to
+> override an otherwise hard-coded schema file.  We realize that Swagger UI
+> allows users to embed untrusted Json format from remote servers This means we
+> can inject json content via the GET parameter to victim Swagger UI.  etc.
+
+LoopBack 3 API Explorer does not suport `?url=` parameter, it always loads the
+Swagger spec file from the LoopBack server serving the Explorer UI. That means
+loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
+
 ## Upgrading from v1.x
 
 To upgrade your application using loopback-explorer version 1.x, just replace
@@ -195,8 +267,7 @@ Module Long Term Support (LTS)](http://github.com/CloudNativeJS/ModuleLTS) polic
 
 | Version | Status          | Published | EOL      |
 | ------- | --------------- | --------- | -------- |
-| 6.x     | Active LTS      | Apr 2018  | Dec 2019 |
-| 5.x     | Maintenance LTS | Sep 2017  | Dec 2019 |
-| 4.x     | End-of-Life     | Dec 2016  | Apr 2019 |
+| 6.x     | Maintenance LTS | Apr 2018  | Dec 2020 |
+| 5.x     | End-of-Life     | Sep 2017  | Dec 2019 |
 
 Learn more about our LTS plan in [docs](https://loopback.io/doc/en/contrib/Long-term-support.html).

package.json

@@ -1,9 +1,9 @@
 {
   "name": "loopback-component-explorer",
-  "version": "6.4.0",
+  "version": "6.5.1",
   "description": "Browse and test your LoopBack app's APIs",
   "engines": {
-    "node": ">=6"
+    "node": ">=8.9"
   },
   "main": "index.js",
   "scripts": {

public/css/loopbackStyles.css

@@ -34,6 +34,7 @@ body #header a#logo {
 
 body #header form#api_selector .input a#explore {
   background-color: #7dbd33 !important;
+  cursor: pointer;
 }