5.0.4

* chore: lock file maintenance (renovate[bot])
 * fix(cve-2023-29827): replace EJS with Handlebars to resolve security warning (KalleV)
 * ci: align CI configuration (Rifa Achrinza)
 * chore: update dependency @types/express to ^4.17.21 (renovate[bot])
 * chore: update dependency eslint to ^8.53.0 (renovate[bot])
 * chore: update dependency @commitlint/config-conventional to ^18.1.0 (renovate[bot])
 * chore: update dependency @commitlint/config-conventional to v18 (renovate[bot])
 * chore: update dependency eslint to ^8.52.0 (renovate[bot])
 * chore: update dependency @commitlint/config-conventional to ^17.8.1 (renovate[bot])
 * chore: update dependency @types/express to ^4.17.20 (renovate[bot])
 * chore: update dependency http-status to ^1.7.3 (renovate[bot])

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: CodeQL
+name: "CodeQL"
 
 on:
   push:
@@ -9,37 +9,20 @@ on:
   schedule:
     - cron: '0 13 * * 6'
 
-permissions: {}
-
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      actions: read
 
     steps:
-    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
-      with:
-        disable-sudo: true
-        egress-policy: block
-        allowed-endpoints: >
-          api.github.com:443
-          github.com:443
-          objects.githubusercontent.com:443
-
     - name: Checkout repository
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
-      with:
-        persist-credentials: false
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+      uses: github/codeql-action/init@v2
       with:
-        languages: javascript-typescript
+        languages: 'javascript'
-        config-file: .github/codeql/codeql-config.yml
+        config-file: ./.github/codeql/codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+      uses: github/codeql-action/analyze@v2
-

.github/workflows/continuous-integration.yml

@@ -31,7 +31,7 @@ jobs:
       fail-fast: false
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
           disable-sudo: true
@@ -41,11 +41,11 @@ jobs:
             github.com:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
@@ -59,7 +59,7 @@ jobs:
     name: Code Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -68,11 +68,11 @@ jobs:
             github.com:443
             nodejs.org:443
             registry.npmjs.org:443
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
       - name: Use Node.js 20
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
           node-version: 20
           cache: 'npm'
@@ -89,19 +89,19 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request }}
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             github.com:443
             registry.npmjs.org:443
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
           persist-credentials: false
       - name: Use Node.js 20
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
           node-version: 20
           cache: npm
@@ -125,18 +125,18 @@ jobs:
     name: Lockfile Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             github.com:443
             registry.npmjs.org:443
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
       - name: Use Node.js 20
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
           node-version: 20
           cache: npm

.github/workflows/scorecards.yml

@@ -16,6 +16,8 @@ on:
     - cron: '30 6 * * 5'
   push:
     branches: [master]
+  # Added for testing the workflow, as PR triggers are currently not supported by the OSSF Scorecard Action.
+  workflow_dispatch: {}
 
 # Declare default permissions as read only.
 # permissions: read-all
@@ -32,26 +34,16 @@ jobs:
       id-token: write
 
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: audit
-          allowed-endpoints: >
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-            api.github.com:443
-            api.osv.dev:443
-            api.securityscorecards.dev:443
-            fulcio.sigstore.dev:443
-            github.com:443
-            oss-fuzz-build-logs.storage.googleapis.com:443
-            rekor.sigstore.dev:443
-            tuf-repo-cdn.sigstore.dev:443
-            www.bestpractices.dev:443
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+      - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -66,13 +58,13 @@ jobs:
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: OSSF Scorecard SARIF file
           path: results.sarif
           retention-days: 90
 
       # Upload the results to GitHub's code scanning dashboard.
-      - uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+      - uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
         with:
           sarif_file: results.sarif

CHANGES.md

@@ -1,72 +1,10 @@
-2024-02-12, Version 5.0.7
+
+
+2023-11-13, Version 5.0.3
 =========================
 
  * chore: lock file maintenance (renovate[bot])
 
- * chore: update dependency lockfile-lint to ^4.13.1 (renovate[bot])
-
- * chore: update dependency lockfile-lint to ^4.13.0 (renovate[bot])
-
- * chore: update dependency mocha to ^10.3.0 (renovate[bot])
-
- * chore: update actions/setup-node action to v4.0.2 (renovate[bot])
-
- * chore: update step-security/harden-runner action to v2.7.0 (renovate[bot])
-
- * chore: update github/codeql-action action to v3.24.0 (renovate[bot])
-
- * chore: update github/codeql-action action to v3.23.2 (renovate[bot])
-
- * chore: update commitlint monorepo to ^18.6.0 (renovate[bot])
-
- * chore: update github/codeql-action action to v3.23.1 (renovate[bot])
-
- * chore: update dependency supertest to ^6.3.4 (renovate[bot])
-
- * chore: update dependency chai to ^4.4.1 (renovate[bot])
-
- * chore: update github/codeql-action action to v3 (renovate[bot])
-
- * chore: update github/codeql-action action to v2.23.0 (renovate[bot])
-
- * chore: update dependency chai to ^4.4.0 (renovate[bot])
-
- * chore: update commitlint monorepo to ^18.4.4 (renovate[bot])
-
- * chore: update dependency eslint to ^8.56.0 (renovate[bot])
-
- * chore: update actions/setup-node action to v4.0.1 (renovate[bot])
-
- * chore: update github/codeql-action action to v2.22.12 (renovate[bot])
-
- * chore: update github/codeql-action action to v2.22.10 (renovate[bot])
-
- * chore: update github/codeql-action action to v2.22.9 (renovate[bot])
-
- * chore: update step-security/harden-runner action to v2.6.1 (renovate[bot])
-
- * chore: add badges (Rifa Achrinza)
-
- * ci: further harden workflows (Rifa Achrinza)
-
- * ci: fix Scorecard issues (Rifa Achrinza)
-
- * chore: update dependency eslint to ^8.55.0 (renovate[bot])
-
- * chore: update github/codeql-action action to v2.22.8 (renovate[bot])
-
- * chore: update commitlint monorepo to ^18.4.3 (renovate[bot])
-
- * chore: update dependency eslint to ^8.54.0 (renovate[bot])
-
- * chore: update commitlint monorepo to ^18.4.2 (renovate[bot])
-
- * chore: update github/codeql-action action to v2.22.7 (renovate[bot])
-
- * chore: update github/codeql-action action to v2.22.6 (renovate[bot])
-
- * chore: update commitlint monorepo (renovate[bot])
-
  * fix(cve-2023-29827): replace EJS with Handlebars to resolve security warning (KalleV)
 
  * ci: align CI configuration (Rifa Achrinza)

README.md

@@ -1,10 +1,5 @@
 # strong-error-handler
 
-[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8058/badge)](https://www.bestpractices.dev/projects/8058)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/loopbackio/strong-error-handler/badge)](https://securityscorecards.dev/viewer/?uri=github.com/loopbackio/strong-error-handler)
-[![Continuous Integration](https://github.com/loopbackio/strong-error-handler/actions/workflows/continuous-integration.yml/badge.svg)](https://github.com/loopbackio/strong-error-handler/actions/workflows/continuous-integration.yml)
-[![CodeQL](https://github.com/loopbackio/strong-error-handler/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/loopbackio/strong-error-handler/actions/workflows/codeql-analysis.yml)
-
 This package is an error handler for use in both development (debug) and production environments.
 
 In production mode, `strong-error-handler` omits details from error responses to prevent leaking sensitive information:

package.json

@@ -2,7 +2,7 @@
   "name": "strong-error-handler",
   "description": "Error handler for use in development and production environments.",
   "license": "MIT",
-  "version": "5.0.7",
+  "version": "5.0.4",
   "engines": {
     "node": ">=16"
   },
@@ -21,21 +21,21 @@
     "debug": "^4.3.4",
     "fast-safe-stringify": "^2.1.1",
     "handlebars": "^4.7.8",
-    "http-status": "^1.7.4",
+    "http-status": "^1.7.3",
     "js2xmlparser": "^5.0.0",
     "strong-globalize": "^6.0.6"
   },
   "devDependencies": {
-    "@commitlint/cli": "^19.3.0",
+    "@commitlint/cli": "^18.2.0",
-    "@commitlint/config-conventional": "^19.2.2",
+    "@commitlint/config-conventional": "^18.1.0",
     "@types/express": "^4.17.21",
-    "chai": "^5.1.1",
+    "chai": "^4.3.10",
-    "eslint": "^8.57.0",
+    "eslint": "^8.53.0",
     "eslint-config-loopback": "^13.1.0",
-    "express": "^4.19.2",
+    "express": "^4.18.2",
-    "lockfile-lint": "^4.13.2",
+    "lockfile-lint": "^4.12.1",
-    "mocha": "^10.4.0",
+    "mocha": "^10.2.0",
-    "supertest": "^7.0.0"
+    "supertest": "^6.3.3"
   },
   "browser": {
     "strong-error-handler": false

test/handler.test.js

@@ -5,15 +5,13 @@
 
 'use strict';
 
-import cloneAllProperties from '../lib/clone.js';
+const cloneAllProperties = require('../lib/clone.js');
-import debugFactory from 'debug';
+const debug = require('debug')('test');
-import express from 'express';
+const expect = require('chai').expect;
-import strongErrorHandler from '../lib/handler.js';
+const express = require('express');
-import supertest from 'supertest';
+const strongErrorHandler = require('..');
-import util from 'node:util';
+const supertest = require('supertest');
-import {expect} from 'chai';
+const util = require('util');
-
-const debug = debugFactory('test');
 
 describe('strong-error-handler', function() {
   before(setupHttpServerAndClient);
@@ -139,7 +137,8 @@ describe('strong-error-handler', function() {
         // the error name & message
         expect(msg).to.contain('TypeError: ERROR-NAME');
         // the stack
-        expect(msg).to.contain(import.meta.url);
+        expect(msg).to.contain(__filename);
+
         done();
       });
     });
@@ -162,7 +161,7 @@ describe('strong-error-handler', function() {
         expect(msg).to.contain('TypeError: ERR1');
         expect(msg).to.contain('Error: ERR2');
         // verify that stacks are included too
-        expect(msg).to.contain(import.meta.url);
+        expect(msg).to.contain(__filename);
 
         done();
       });