Maximilian Bosch 0a10c17c8d
hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175
ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0

As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.

Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:

> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.

Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
2021-09-19 00:18:18 +02:00
Files in pkgs/servers/web-apps/hedgedoc last touched by this commit: default.nix, package.json, yarn.lock, yarn.nix