Age | Commit message (Collapse) | Author | |
---|---|---|---|
2019-09-11 | 0.107.16v0.107.16 | Feross Aboukhadijeh | |
2019-09-11 | fix git commit reference | Feross Aboukhadijeh | |
2019-09-11 | 0.107.15v0.107.15 | Feross Aboukhadijeh | |
2019-09-11 | 0.107.14v0.107.14 | Feross Aboukhadijeh | |
2019-09-10 | 0.107.13v0.107.13 | Feross Aboukhadijeh | |
2019-09-10 | simple-sha1@^3.0.1 | Feross Aboukhadijeh | |
2019-09-07 | 0.107.12v0.107.12 | Feross Aboukhadijeh | |
2019-09-07 | 0.107.11v0.107.11 | Feross Aboukhadijeh | |
2019-09-07 | 0.107.10v0.107.10 | Feross Aboukhadijeh | |
2019-09-07 | 0.107.9v0.107.9 | Feross Aboukhadijeh | |
2019-09-06 | 0.107.8v0.107.8 | Feross Aboukhadijeh | |
2019-09-06 | 0.107.7v0.107.7 | Feross Aboukhadijeh | |
2019-09-06 | fix(package): update simple-sha1 to version 3.0.0 | greenkeeper[bot] | |
2019-08-28 | 0.107.6v0.107.6 | Feross Aboukhadijeh | |
2019-08-27 | Fix http server XSS | Feross Aboukhadijeh | |
Low risk xss. If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context. The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain. This commit mitigates the issue in two ways (either of which could have prevented this XSS on its own): 1. HTML-escape untrusted torrent metadata (name, path, file names, etc.) 2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied. | |||
2019-08-21 | 0.107.5v0.107.5 | Feross Aboukhadijeh | |
2019-08-18 | 0.107.4v0.107.4 | Feross Aboukhadijeh | |
2019-08-09 | 0.107.3v0.107.3 | Feross Aboukhadijeh | |
2019-08-09 | Merge pull request #1692 from webtorrent/greenkeeper/stream-to-blob-url-3.0.0 | Feross Aboukhadijeh | |
Update stream-to-blob-url to the latest version 🚀 | |||
2019-08-09 | 0.107.2v0.107.2 | Feross Aboukhadijeh | |
2019-08-09 | fixpack | Feross Aboukhadijeh | |
2019-08-09 | scripts: use verbose command flags | Feross Aboukhadijeh | |
2019-08-09 | chromeapp: prevent load-ip-set from inclusion | Feross Aboukhadijeh | |
2019-08-09 | 0.107.1v0.107.1 | Feross Aboukhadijeh | |
2019-08-08 | Force update deps | Feross Aboukhadijeh | |
2019-08-08 | Remove accidental double minification (saves 2kb!) | Feross Aboukhadijeh | |
2019-08-08 | fix(package): update stream-to-blob-url to version 3.0.0 | greenkeeper[bot] | |
2019-08-08 | App "chromeapp" field to `package.json` | Feross Aboukhadijeh | |
I'm attempting to make a defacto standard for specifying Chrome App dependency substitutions using the `"chromeapp"` field in `package.json`. The `"chromeapp"` field is just like the [`"browser"` field in `package.json`](https://github.com/defunctzombie/package-browser-field-spec) except it's intended for Chrome Apps instead of a generic browser environment. Bundler tools like `browserify` or `webpack` can be configured to look for the `"chromeapp"` field instead of the `"browser"` field when doing a build for a Chrome App. In this specific package, since Chrome Apps can use raw sockets we want to replace e.g. `require('net')` with `require('chrome-net')`. | |||
2019-08-07 | 0.107.0v0.107.0 | Feross Aboukhadijeh | |
2019-08-07 | add size-disc script to visualize bundle | Feross Aboukhadijeh | |
2019-08-07 | Use tinyify to compress build | Feross Aboukhadijeh | |
2019-08-07 | remove safe-buffer | Feross Aboukhadijeh | |
2019-08-07 | fs-chunk-store@2 | Feross Aboukhadijeh | |
For: https://github.com/brave/brave-browser/issues/5490 | |||
2019-08-07 | ut_pex@2 | Feross Aboukhadijeh | |
For: https://github.com/brave/brave-browser/issues/5490 | |||
2019-08-07 | multistream@4 | Feross Aboukhadijeh | |
For: https://github.com/brave/brave-browser/issues/5490 | |||
2019-08-06 | Remove unusued devDependencies | Feross Aboukhadijeh | |
Fixes: https://github.com/webtorrent/webtorrent/issues/1585 | |||
2019-08-04 | 0.106.0v0.106.0 | Feross Aboukhadijeh | |
2019-08-04 | BREAKING: drop Node 8 support | Feross Aboukhadijeh | |
For: https://github.com/webtorrent/webtorrent/issues/1681 | |||
2019-08-02 | bitfield@3 | Feross Aboukhadijeh | |
For https://github.com/brave/brave-browser/issues/5490 | |||
2019-08-02 | stream-to-blob@2 | Feross Aboukhadijeh | |
For https://github.com/brave/brave-browser/issues/5490 | |||
2019-08-02 | Merge pull request #1677 from webtorrent/greenkeeper/electron-6.0.0 | Feross Aboukhadijeh | |
Update electron to the latest version 🚀 | |||
2019-08-02 | 0.105.3v0.105.3 | Feross Aboukhadijeh | |
2019-07-30 | 0.105.2v0.105.2 | Feross Aboukhadijeh | |
2019-07-30 | chore(package): update electron to version 6.0.0 | greenkeeper[bot] | |
2019-07-24 | 0.105.1v0.105.1 | Feross Aboukhadijeh | |
2019-07-12 | Update package.json | Feross Aboukhadijeh | |
2019-07-12 | chore(package): update airtap to version 2.0.3 | greenkeeper[bot] | |
2019-07-09 | 0.105.0v0.105.0 | Feross Aboukhadijeh | |
2019-07-06 | fix(package): update parse-torrent to version 7.0.0 | greenkeeper[bot] | |
2019-06-29 | 0.104.0v0.104.0 | Feross Aboukhadijeh | |