chore: update step-security/harden-runner action to v2.8.0

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
@@ -9,20 +9,37 @@ on:
   schedule:
     - cron: '0 13 * * 6'
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
 
     steps:
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
+          objects.githubusercontent.com:443
+
     - name: Checkout repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      with:
+        persist-credentials: false
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
       with:
-        languages: 'javascript'
+        languages: javascript-typescript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: .github/codeql/codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+

.github/workflows/continuous-integration.yml

@@ -9,34 +9,49 @@ on:
   schedule:
     - cron: '0 2 * * 1' # At 02:00 on Monday
 
-env:
+permissions: {}
-  NODE_OPTIONS: --max-old-space-size=4096
 
 jobs:
   test:
     name: Test
-    timeout-minutes: 15
+    timeout-minutes: 5
     strategy:
       matrix:
         os: [ubuntu-latest]
-        node-version: [16, 18]
+        node-version:
+          - 16
+          - 18
+          - 20
+          - 21
         include:
           - os: macos-latest
-            node-version: 16 # LTS
+            node-version: 20 # LTS
+          - os: windows-latest
+            node-version: 20 # LTS
       fail-fast: false
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
-          fetch-depth: 0
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: ${{ matrix.node-version }}
+          cache: npm
       - name: Bootstrap project
-        run: |
+        run: npm ci --ignore-scripts --prefer-offline
-          npm ci --ignore-scripts
+      - uses: Yuri6037/Action-FakeTTY@1abc69c7d530815855caedcd73842bae5687c1a6 # v1.1
-      - uses: Yuri6037/Action-FakeTTY@v1.1
       - name: Run tests
         run: faketty npm test --ignore-scripts
 
@@ -44,31 +59,102 @@ jobs:
     name: Code Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
         with:
-          node-version: 16
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          persist-credentials: false
+      - name: Use Node.js 20
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: 20
+          cache: 'npm'
       - name: Bootstrap project
         run: |
-          npm ci --ignore-scripts
+          npm ci \
+            --ignore-scripts \
+            --prefer-offline
       - name: Verify code linting
-        run: npm run lint
+        run: npm run lint --ignore-scripts
 
   commit-lint:
     name: Commit Lint
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request }}
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
-      - name: Use Node.js 16
+          persist-credentials: false
-        uses: actions/setup-node@v3
+      - name: Use Node.js 20
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: 16
+          node-version: 20
+          cache: npm
       - name: Bootstrap project
         run: |
-          npm ci --ignore-scripts
+          npm ci \
+            --ignore-scripts \
+            --prefer-offline
       - name: Verify commit linting
-        run: npx commitlint --from origin/master --to HEAD --verbose
+        run: |
+          npm exec \
+            --no-install \
+            --package=@commitlint/cli \
+            -- \
+            commitlint \
+              --from=origin/master \
+              --to=HEAD \
+              --verbose
+
+  lockfile-lint:
+    name: Lockfile Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          persist-credentials: false
+      - name: Use Node.js 20
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: 20
+          cache: npm
+      - name: Bootstrap project
+        run: |
+          npm ci \
+            --ignore-scripts \
+            --prefer-offline
+      - name: Verify commit linting
+        run: |
+          npm exec \
+            --no-install \
+            --package=lockfile-lint \
+            -- \
+            lockfile-lint \
+              --path=package-lock.json \
+              --allowed-hosts=npm \
+              --validate-https \
+              --validate-integrity \
+              --validate-package-names
+

.github/workflows/scorecards.yml

@@ -0,0 +1,78 @@
+# Based on `scorecard.yml` Github Actions starter workflow:
+# https://github.com/actions/starter-workflows/blob/b1df8a546ed4d0f27d46aaf2f8ac1118bc522638/code-scanning/scorecard.yml
+
+# This is separate from the CI workflow due to certain restrictions imposed by the GitHub Action action:
+# https://github.com/ossf/scorecard-action/tree/99cc02c8ee27bab5f5f41e79066e0de91d313dec#workflow-restrictions
+# For consistency, we should keep it a separate workflow across all our Github repositories, regardless if it's actually needed.
+
+name: OSSF Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule: {}
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '30 6 * * 5'
+  push:
+    branches: [master]
+
+# Declare default permissions as read only.
+# permissions: read-all
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          persist-credentials: false
+
+      - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: OSSF Scorecard SARIF file
+          path: results.sarif
+          retention-days: 90
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+        with:
+          sarif_file: results.sarif

CHANGES.md

@@ -1,3 +1,93 @@
+2024-02-12, Version 5.0.7
+=========================
+
+ * chore: lock file maintenance (renovate[bot])
+
+ * chore: update dependency lockfile-lint to ^4.13.1 (renovate[bot])
+
+ * chore: update dependency lockfile-lint to ^4.13.0 (renovate[bot])
+
+ * chore: update dependency mocha to ^10.3.0 (renovate[bot])
+
+ * chore: update actions/setup-node action to v4.0.2 (renovate[bot])
+
+ * chore: update step-security/harden-runner action to v2.7.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3.24.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3.23.2 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.6.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3.23.1 (renovate[bot])
+
+ * chore: update dependency supertest to ^6.3.4 (renovate[bot])
+
+ * chore: update dependency chai to ^4.4.1 (renovate[bot])
+
+ * chore: update github/codeql-action action to v3 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.23.0 (renovate[bot])
+
+ * chore: update dependency chai to ^4.4.0 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.4.4 (renovate[bot])
+
+ * chore: update dependency eslint to ^8.56.0 (renovate[bot])
+
+ * chore: update actions/setup-node action to v4.0.1 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.12 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.10 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.9 (renovate[bot])
+
+ * chore: update step-security/harden-runner action to v2.6.1 (renovate[bot])
+
+ * chore: add badges (Rifa Achrinza)
+
+ * ci: further harden workflows (Rifa Achrinza)
+
+ * ci: fix Scorecard issues (Rifa Achrinza)
+
+ * chore: update dependency eslint to ^8.55.0 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.8 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.4.3 (renovate[bot])
+
+ * chore: update dependency eslint to ^8.54.0 (renovate[bot])
+
+ * chore: update commitlint monorepo to ^18.4.2 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.7 (renovate[bot])
+
+ * chore: update github/codeql-action action to v2.22.6 (renovate[bot])
+
+ * chore: update commitlint monorepo (renovate[bot])
+
+ * fix(cve-2023-29827): replace EJS with Handlebars to resolve security warning (KalleV)
+
+ * ci: align CI configuration (Rifa Achrinza)
+
+ * chore: update dependency @types/express to ^4.17.21 (renovate[bot])
+
+ * chore: update dependency eslint to ^8.53.0 (renovate[bot])
+
+ * chore: update dependency @commitlint/config-conventional to ^18.1.0 (renovate[bot])
+
+ * chore: update dependency @commitlint/config-conventional to v18 (renovate[bot])
+
+ * chore: update dependency eslint to ^8.52.0 (renovate[bot])
+
+ * chore: update dependency @commitlint/config-conventional to ^17.8.1 (renovate[bot])
+
+ * chore: update dependency @types/express to ^4.17.20 (renovate[bot])
+
+ * chore: update dependency http-status to ^1.7.3 (renovate[bot])
+
+
 2023-10-16, Version 5.0.2
 =========================
 

README.md

@@ -1,5 +1,10 @@
 # strong-error-handler
 
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8058/badge)](https://www.bestpractices.dev/projects/8058)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/loopbackio/strong-error-handler/badge)](https://securityscorecards.dev/viewer/?uri=github.com/loopbackio/strong-error-handler)
+[![Continuous Integration](https://github.com/loopbackio/strong-error-handler/actions/workflows/continuous-integration.yml/badge.svg)](https://github.com/loopbackio/strong-error-handler/actions/workflows/continuous-integration.yml)
+[![CodeQL](https://github.com/loopbackio/strong-error-handler/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/loopbackio/strong-error-handler/actions/workflows/codeql-analysis.yml)
+
 This package is an error handler for use in both development (debug) and production environments.
 
 In production mode, `strong-error-handler` omits details from error responses to prevent leaking sensitive information:

lib/send-html.js

@@ -4,7 +4,7 @@
 // License text available at https://opensource.org/licenses/MIT
 
 'use strict';
-const ejs = require('ejs');
+const handlebars = require('handlebars');
 const fs = require('fs');
 const path = require('path');
 
@@ -16,6 +16,13 @@ const compiledTemplates = {
 
 module.exports = sendHtml;
 
+/**
+ * Sends HTML response to the client.
+ *
+ * @param {Object} res - The response object.
+ * @param {Object} data - The data object to be rendered in the HTML.
+ * @param {Object} options - The options object.
+ */
 function sendHtml(res, data, options) {
   const toRender = {options, data};
   // TODO: ability to call non-default template functions from options
@@ -23,6 +30,35 @@ function sendHtml(res, data, options) {
   sendResponse(res, body);
 }
 
+/**
+ * Returns the content of a Handlebars partial file as a string.
+ * @param {string} name - The name of the Handlebars partial file.
+ * @returns {string} The content of the Handlebars partial file as a string.
+ */
+function partial(name) {
+  const partialPath = path.resolve(assetDir, `${name}.hbs`);
+  const partialContent = fs.readFileSync(partialPath, 'utf8');
+  return partialContent;
+}
+
+handlebars.registerHelper('partial', partial);
+
+/**
+ * Checks if the given property is a standard property.
+ * @param {string} prop - The property to check.
+ * @param {Object} options - The Handlebars options object.
+ * @returns {string} - The result of the Handlebars template.
+ */
+function standardProps(prop, options) {
+  const standardProps = ['name', 'statusCode', 'message', 'stack'];
+  if (standardProps.indexOf(prop) === -1) {
+    return options.fn(this);
+  }
+  return options.inverse(this);
+}
+
+handlebars.registerHelper('standardProps', standardProps);
+
 /**
  * Compile and cache the file with the `filename` key in options
  *
@@ -32,15 +68,23 @@ function sendHtml(res, data, options) {
 function compileTemplate(filepath) {
   const options = {cache: true, filename: filepath};
   const fileContent = fs.readFileSync(filepath, 'utf8');
-  return ejs.compile(fileContent, options);
+  return handlebars.compile(fileContent, options);
 }
 
-// loads and cache default error templates
+/**
+ * Loads the default error handlebars template from the asset directory and compiles it.
+ * @returns {Function} The compiled handlebars template function.
+ */
 function loadDefaultTemplates() {
-  const defaultTemplate = path.resolve(assetDir, 'default-error.ejs');
+  const defaultTemplate = path.resolve(assetDir, 'default-error.hbs');
   return compileTemplate(defaultTemplate);
 }
 
+/**
+ * Sends an HTML response with the given body to the provided response object.
+ * @param {Object} res - The response object to send the HTML response to.
+ * @param {string} body - The HTML body to send in the response.
+ */
 function sendResponse(res, body) {
   res.setHeader('Content-Type', 'text/html; charset=utf-8');
   res.end(body);

package.json

@@ -2,7 +2,7 @@
   "name": "strong-error-handler",
   "description": "Error handler for use in development and production environments.",
   "license": "MIT",
-  "version": "5.0.2",
+  "version": "5.0.7",
   "engines": {
     "node": ">=16"
   },
@@ -19,21 +19,23 @@
   "dependencies": {
     "accepts": "^1.3.8",
     "debug": "^4.3.4",
-    "ejs": "^3.1.9",
     "fast-safe-stringify": "^2.1.1",
-    "http-status": "^1.7.0",
+    "handlebars": "^4.7.8",
+    "http-status": "^1.7.4",
     "js2xmlparser": "^5.0.0",
     "strong-globalize": "^6.0.6"
   },
   "devDependencies": {
-    "@commitlint/config-conventional": "^17.8.0",
+    "@commitlint/cli": "^19.3.0",
-    "@types/express": "^4.17.19",
+    "@commitlint/config-conventional": "^19.2.2",
-    "chai": "^4.3.10",
+    "@types/express": "^4.17.21",
-    "eslint": "^8.51.0",
+    "chai": "^5.1.1",
+    "eslint": "^8.57.0",
     "eslint-config-loopback": "^13.1.0",
-    "express": "^4.18.2",
+    "express": "^4.19.2",
-    "mocha": "^10.2.0",
+    "lockfile-lint": "^4.13.2",
-    "supertest": "^6.3.3"
+    "mocha": "^10.4.0",
+    "supertest": "^7.0.0"
   },
   "browser": {
     "strong-error-handler": false

test/handler.test.mjs

@@ -5,13 +5,15 @@
 
 'use strict';
 
-const cloneAllProperties = require('../lib/clone.js');
+import cloneAllProperties from '../lib/clone.js';
-const debug = require('debug')('test');
+import debugFactory from 'debug';
-const expect = require('chai').expect;
+import express from 'express';
-const express = require('express');
+import strongErrorHandler from '../lib/handler.js';
-const strongErrorHandler = require('..');
+import supertest from 'supertest';
-const supertest = require('supertest');
+import util from 'node:util';
-const util = require('util');
+import {expect} from 'chai';
+
+const debug = debugFactory('test');
 
 describe('strong-error-handler', function() {
   before(setupHttpServerAndClient);
@@ -137,8 +139,7 @@ describe('strong-error-handler', function() {
         // the error name & message
         expect(msg).to.contain('TypeError: ERROR-NAME');
         // the stack
-        expect(msg).to.contain(__filename);
+        expect(msg).to.contain(import.meta.url);
-
         done();
       });
     });
@@ -161,7 +162,7 @@ describe('strong-error-handler', function() {
         expect(msg).to.contain('TypeError: ERR1');
         expect(msg).to.contain('Error: ERR2');
         // verify that stacks are included too
-        expect(msg).to.contain(__filename);
+        expect(msg).to.contain(import.meta.url);
 
         done();
       });
@@ -607,10 +608,12 @@ describe('strong-error-handler', function() {
             expect(res.statusCode).to.eql(404);
             const body = res.error.text;
             expect(body).to.match(
-              /<title>Error&lt;img onerror=alert\(1\) src=a&gt;<\/title>/,
+              // eslint-disable-next-line max-len
+              /<title>Error&lt;img onerror&#x3D;alert\(1\) src&#x3D;a&gt;<\/title>/,
             );
             expect(body).to.match(
-              /with id &lt;img onerror=alert\(1\) src=a&gt; found for Model/,
+              // eslint-disable-next-line max-len
+              /with id &lt;img onerror&#x3D;alert\(1\) src&#x3D;a&gt; found for Model/,
             );
             done();
           });
@@ -627,7 +630,8 @@ describe('strong-error-handler', function() {
           .expect(500)
           .expect(/<title>ErrorWithProps<\/title>/)
           .expect(
-            /500(.*?)a test error message&lt;img onerror=alert\(1\) src=a&gt;/,
+            // eslint-disable-next-line max-len
+            /500(.*?)a test error message&lt;img onerror&#x3D;alert\(1\) src&#x3D;a&gt;/,
             done,
           );
       });

views/default-error.ejs

@@ -1,25 +0,0 @@
-<html>
-  <head>
-    <meta charset='utf-8'>
-    <title><%= data.name || data.message %></title>
-    <style><%- include('style.css') %></style>
-  </head>
-  <body>
-    <div id="wrapper">
-      <h1><%= data.name %></h1>
-      <h2><em><%= data.statusCode %></em> <%= data.message %></h2>
-      <%
-        // display all the non-standard properties
-        var standardProps = ['name', 'statusCode', 'message', 'stack'];
-        for (var prop in data) {
-          if (standardProps.indexOf(prop) == -1 && data[prop]) { %>
-            <div><b><%= prop %></b>: <%= data[prop] %></div>
-          <% }
-        }
-        if (data.stack) { %>
-          <pre id="stacktrace"><%- data.stack %></pre>
-        <% }
-      %>
-    </div>
-  </body>
-</html>

views/default-error.hbs

@@ -0,0 +1,25 @@
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>{{ data.name }}{{#unless data.name}}{{ data.message }}{{/unless}}</title>
+    <style>
+      {{partial 'style'}}
+    </style>
+  </head>
+  <body>
+    <div id="wrapper">
+      <h1>{{ data.name }}</h1>
+      <h2>
+        <em>{{ data.statusCode }}</em> {{ data.message }}
+      </h2>
+      {{#each data}}
+        {{#standardProps @key}}
+          <div><b>{{@key}}</b>: {{this}}</div>
+        {{/standardProps}}
+      {{/each}}
+      {{#if data.stack}}
+        <pre id="stacktrace">{{{data.stack}}}</pre>
+      {{/if}}
+    </div>
+  </body>
+</html>