Matrix-Mirrors/mjolnir
1
0
Fork 0
mirror of https://github.com/matrix-org/mjolnir.git synced 2024-10-01 01:36:06 -04:00
Code Issues Packages Projects Releases Wiki Activity
451 Commits 150 Branches 38 Tags 5.8 MiB
9781b6e982
Commit Graph

55 Commits

Author SHA1 Message Date
gnuxie
9781b6e982 idk why we had nedb in there for matrix-appservice-bridge 2022-11-15 17:05:30 +00:00
gnuxie
b075beed1a bleh yarn lock broke after rebase 2022-11-15 17:05:30 +00:00
jesopo
da006d74c5 use body-parser, bind api handlers 2022-11-15 17:05:30 +00:00
gnuxie
b943a02cda update deps 2022-11-15 17:05:30 +00:00
gnuxie
94040b00d6 AppService start 2022-11-15 17:05:30 +00:00
gnuxie
58e36d4e23 Factor out protected rooms config management from Mjolnir. 
The combination of `resyncJoinedRooms`, `unprotectedWatchedListRooms`,
`explicitlyProtectedRoomIds`, `protectedJoinedRoomIds` was incomprehensible.
https://github.com/matrix-org/mjolnir/issues/370

Separating out the management of `explicitlyProtectedRoomIds`, then
making sure all policy lists have to be explicitly protected
(in either setting of `config.protectAllJoinedRooms`) will make
this code much much simpler.
We will later change the `status` command to explicitly show
which lists are watched and which are watched and protected.
 2022-10-19 15:21:51 +01:00
Gnuxie
f5a1a39861
audit yarn.lock (#356) 
### Auditing the lock file

```
npm install --package-lock-only
npm audit fix
rm yarn.lock
yarn import
```

```
npm audit

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/nanoid
node_modules/postcss/node_modules/nanoid
  mocha  8.2.0 - 9.1.4
  Depends on vulnerable versions of nanoid
  node_modules/mocha

5 vulnerabilities (2 moderate, 3 critical)

To address all issues, run:
  npm audit fix
```

### minimist

minimist@1.2.5
used by mocha, tslint and matrix-bot-sdk@0.5.19

via
```
MatrixClient::replyHtmlText
MatrixClient::replyHtmlNotice
MatrixClient::sendHtmlNotice
MatrixClient::sendHtmlTex
```

none of which we use.

### nanoid

As for nanoid this is used by mocha.
It's also used by postcss vis the bot sdk

```
├─┬ matrix-bot-sdk@0.5.19
│ └─┬ sanitize-html@2.7.1
│   └─┬ postcss@8.4.16
│     ├── nanoid@3.3.4

```
though unless i'm missing something nanoid@3.3.4 doesn't fit into the vulnerable versions  `3.0.0 - 3.1.30`


### json-schema

As for json-schema, it is used by jsprim@1.4.2 within 'validateJsonObjectJS'.
fortunately we depend on jsprim via the http-signatures@1.2.0 package which only use jsprim for rfc1123.
(which request depends upon in the matrix-bot-sdk).

```
├─┬ matrix-bot-sdk@0.5.19
│ ├─┬ request@2.88.2
│ │ ├─┬ http-signature@1.2.0
│ │ │ ├─┬ jsprim@1.4.2
│ │ │ │ ├── json-schema@0.4.0
 2022-08-16 18:49:33 +01:00
Jess Porter
4376679b99
load config yaml manually, remove more references to static config (#347) 2022-08-16 15:51:18 +01:00
David Teller
cb34af02c6
Revert "Fix: roomMemberTest off-by-one error (#319)" (#323) 
This reverts commit d8aac434f1.
 2022-07-05 15:29:01 +02:00
David Teller
d8aac434f1
Fix: roomMemberTest off-by-one error (#319) 2022-07-05 14:38:53 +02:00
Jonathan de Jong
cc9f393ed7
fix CI (#282) 
ts-mocha has also been updated to make running locally possible (else it gives a confusing error that tsconfig.json is not "json" or the likes)
 2022-05-03 11:20:40 +01:00
dependabot[bot]
31ef9065da
Bump minimist from 1.2.5 to 1.2.6 (#260) 
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2022-03-25 10:05:23 +00:00
David Teller
e05616b327
New command !mjolnir since <date or duration> <kick | ban | show> <limit> [reason] [...rooms] (#238) 
A new command `since` to affect all users who have joined a protected room since a given date.
 2022-03-21 10:39:15 +01:00
David Teller
26ae55cd24
A command to show when users in a given room have joined (#225) 2022-03-07 11:34:25 +01:00
David Teller
82a2e63d23
A room Protection designed to measure lag in a room (#217) 2022-02-24 13:43:31 +01:00
gnuxie
9e96d399c0 Remove axios from the test suite, it is unnecessary. 
It's probably also got problems.
 2022-01-25 18:22:34 +00:00
dependabot[bot]
4490f9ba82 Bump follow-redirects from 1.14.4 to 1.14.7 
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.4 to 1.14.7.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.14.4...v1.14.7)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-01-17 12:22:15 +01:00
David Teller
a21415a04c
Give the ability to moderators to react quickly to /report abuse reports. (#137) 2021-11-09 13:15:49 +01:00
David Teller
06e5f00b2d
Intercept /report and display human-readable abuse reports in the moderation room - Resolves #38 (#135) 
* Intercept /report and display human-readable abuse reports in the moderation room - Resolves #38
 2021-10-07 14:42:08 +02:00
gnuxie
ac075fd22e Remove dependencies from old test harness 2021-09-27 15:33:15 +01:00
gnuxie
b0ee846534 Update package.json and yarn.lock to include harness dependencies. 2021-09-24 18:25:27 +01:00
Travis Ralston
7ca0b2d39b Clean up lockfile 2021-08-17 09:26:47 -06:00
Travis Ralston
37031764ac
Merge pull request #117 from matrix-org/yoric/delete-rooms-api 
Replace shutdown_room API with DELETE /_synapse/admin/v1/rooms/<room_…
 2021-08-17 09:23:55 -06:00
David Teller
62b30b19d9 Replace shutdown_room API with DELETE /_synapse/admin/v1/rooms/<room_id> - Resolves #76, closes #96 
As per https://github.com/matrix-org/synapse/issues/9052, shutdown_room is going away, to be replaced with DELETE /_synapse/admin/v1/rooms/<room_id>.
 2021-08-17 12:54:24 +02:00
dependabot[bot]
4401cd9637
Bump path-parse from 1.0.6 to 1.0.7 
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-08-11 12:33:46 +00:00
Travis Ralston
ff4cbc018f Update matrix-bot-sdk and use request cleaning function 2021-07-01 15:11:27 -06:00
Travis Ralston
d7bacad85c Update packages 2021-07-01 13:45:28 -06:00
Neil Middleton
793c9304e0
Merge branch 'nm/jun21-dependency-update' into dependabot/npm_and_yarn/y18n-4.0.3 2021-06-24 16:40:50 +01:00
Neil Middleton
c85b922343
Merge pull request #2 from neilmiddleton/dependabot/npm_and_yarn/postcss-7.0.36 
Bump postcss from 7.0.18 to 7.0.36
 2021-06-24 16:40:12 +01:00
Neil Middleton
265045a835
Merge pull request #3 from neilmiddleton/dependabot/npm_and_yarn/lodash-4.17.21 
Bump lodash from 4.17.19 to 4.17.21
 2021-06-24 16:39:51 +01:00
dependabot[bot]
0dba1ea709
Bump glob-parent from 5.1.1 to 5.1.2 
Bumps [glob-parent](https://github.com/gulpjs/glob-parent) from 5.1.1 to 5.1.2.
- [Release notes](https://github.com/gulpjs/glob-parent/releases)
- [Changelog](https://github.com/gulpjs/glob-parent/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gulpjs/glob-parent/compare/v5.1.1...v5.1.2)

---
updated-dependencies:
- dependency-name: glob-parent
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-06-24 15:36:43 +00:00
dependabot[bot]
104ae039a5
Bump postcss from 7.0.18 to 7.0.36 
Bumps [postcss](https://github.com/postcss/postcss) from 7.0.18 to 7.0.36.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/7.0.18...7.0.36)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-06-24 15:36:40 +00:00
dependabot[bot]
8f4fd808a7
Bump lodash from 4.17.19 to 4.17.21 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.19...4.17.21)

---
updated-dependencies:
- dependency-name: lodash
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-06-24 15:36:40 +00:00
dependabot[bot]
d5f3003c71
Bump y18n from 4.0.0 to 4.0.3 
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.3.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/y18n-v4.0.3/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/compare/v4.0.0...y18n-v4.0.3)

---
updated-dependencies:
- dependency-name: y18n
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-06-24 15:36:38 +00:00
David Teller
5c4cee8780 Bumping dependency y18n 
There's a high severity CVE for y18n < 4.0.1.
 2021-04-14 11:06:52 +02:00
dependabot[bot]
339475fcc9
Bump yargs-parser from 13.1.1 to 13.1.2 
Bumps [yargs-parser](https://github.com/yargs/yargs-parser) from 13.1.1 to 13.1.2.
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/master/docs/CHANGELOG-full.md)
- [Commits](https://github.com/yargs/yargs-parser/commits)

Signed-off-by: dependabot[bot] <support@github.com>
 2020-09-11 22:55:29 +00:00
dependabot[bot]
7d1fc1fe4d
Bump lodash from 4.17.15 to 4.17.19 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>
 2020-07-18 09:14:24 +00:00
Travis Ralston
47dfdf5b33 Upgrade packages 2020-05-11 21:38:20 -06:00
Travis Ralston
46bc6a1a0f Bump bot-sdk version to handle published aliases better 2020-05-11 21:31:47 -06:00
Travis Ralston
f897f8eb47 Update packages 2020-04-14 16:17:05 -06:00
Travis Ralston
790d1f2ff0 Update matrix-bot-sdk 2020-02-13 14:23:10 -07:00
Travis Ralston
60083b49f4 Update matrix-bot-sdk package 2020-02-12 15:05:52 -07:00
Travis Ralston
c0365416fa Add an option to protect all joined rooms 2020-01-21 15:19:03 -07:00
Travis Ralston
4f8b55c45f Update matrix-bot-sdk 2019-12-04 18:46:00 -07:00
Travis Ralston
66a5775136 Make the [un]ban command smarter 
Fixes https://github.com/matrix-org/mjolnir/issues/11
 2019-11-13 21:38:19 -07:00
Travis Ralston
863f7025ee Update bot-sdk to beta 14 2019-11-07 11:00:29 -07:00
Travis Ralston
8d1111b056 Upgrade to bot-sdk beta 13 for dependency problem 2019-11-06 19:29:17 -07:00
Travis Ralston
05aedcafb7 Upgrade to beta.12 of the bot-sdk 2019-11-06 15:37:43 -07:00
Travis Ralston
2dcce018d0 Upgrade to bot-sdk beta 11 2019-10-31 10:55:55 -06:00
Travis Ralston
644c19694e Update matrix-bot-sdk to v0.4.0-beta.10 2019-10-31 10:15:52 -06:00