npmpackage.info

Gathering detailed insights and metrics for @isomorphic-git/cors-proxy

Other packages similar to @isomorphic-git/cors-proxy

@rhildred/cors-proxy2

1.0.9

cors proxy to expose in a cloudflare pages function

Gathering detailed insights and metrics for @isomorphic-git/cors-proxy

@isomorphic-git/cors-proxy

Proxy clone and push requests for the browser

2.7.1

MIT

JavaScript

157.52 kB

321,172 1.7

Installations

npm install @isomorphic-git/cors-proxy

Developer Guide

BETA

Typescript

No

Module System

CommonJS

Node Version

10.24.1

NPM Version

6.14.5 Score

Supply Chain

96.7

Quality

78.4

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

1

Total

15

Closed

2

Merged

12

Issues

Open

5

Total

6

Closed

1

Releases

v2.7.1

Updated on Jan 07, 2022

v2.7.0

Updated on Jun 28, 2020

v2.6.1

Updated on Nov 22, 2019

v2.6.0

Updated on Nov 17, 2019

v2.5.0

Updated on May 29, 2019

v2.4.0

Updated on May 28, 2019

View All 12 releases

Contributors

Unable to fetch Contributors

View All 6 Contributors

Languages

JavaScript

Dockerfile

JavaScript (98.45%)

Dockerfile (1.55%)

Love this project? Help keep it running — sponsor us today! 🚀

Developer

isomorphic-git

Download Statistics

Total Downloads

321,172

Last Day

Last Week

418

Last Month

1,664

Last Year

55,311

GitHub Statistics

MIT License

92 Stars

55 Commits

38 Forks

5 Watchers

2 Branches

6 Contributors

Updated on Dec 24, 2024

Bundle Size

278.91 kB

Minified

157.52 kB

Minified + Gzipped

Bundlephobia

Maintainers

Package Meta Information

Latest Version

2.7.1

Package Id

@isomorphic-git/cors-proxy@2.7.1

Unpacked Size

15.20 kB

Size

6.06 kB

File Count

NPM Version

6.14.5

Node Version

10.24.1

Total Downloads

Cumulative downloads

Total Downloads

321,172

Last Day

-21.4%

Compared to previous day

Last Week

21.9%

418

Compared to previous week

Last Month

13.9%

1,664

Compared to previous month

Last Year

-32.1%

55,311

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

cross-env daemonize-process micro micro-cors minimisted node-fetch tree-kill

Dev Dependencies

micro-dev semantic-release

@isomorphic-git/cors-proxy

This is the software running on https://cors.isomorphic-git.org/ - a free service (generously sponsored by Clever Cloud) for users of isomorphic-git that enables cloning and pushing repos in the browser.

It is derived from https://github.com/wmhilton/cors-buster with added restrictions to reduce the opportunity to abuse the proxy. Namely, it blocks requests that don't look like valid git requests.

Installation

1npm install @isomorphic-git/cors-proxy

CLI usage

Start proxy on default port 9999:

1cors-proxy start

Start proxy on a custom port:

1cors-proxy start -p 9889

Start proxy in daemon mode. It will write the PID of the daemon process to $PWD/cors-proxy.pid:

1cors-proxy start -d

Kill the process with the PID specified in $PWD/cors-proxy.pid:

1cors-proxy stop

CLI configuration

Environment variables:

PORT the port to listen to (if run with npm start)
ALLOW_ORIGIN the value for the 'Access-Control-Allow-Origin' CORS header
INSECURE_HTTP_ORIGINS comma separated list of origins for which HTTP should be used instead of HTTPS (added to make developing against locally running git servers easier)

Middleware usage

You can also use the cors-proxy as a middleware in your own server.

1const express = require('express')
2const corsProxy = require('@isomorphic-git/cors-proxy/middleware.js')
3
4const app = express()
5const options = {}
6
7app.use(corsProxy(options))
8

Middleware configuration

The middleware doesn't use the environment variables. The options object supports the following properties:

origin: string. The value for the 'Access-Control-Allow-Origin' CORS header
insecure_origins: string[]. Array of origins for which HTTP should be used instead of HTTPS (added to make developing against locally running git servers easier)
authorization: (req, res, next) => void. A middleware function you can use to handle custom authorization. Is run after filtering for git-like requests and handling CORS but before the request is proxied.

Example:

1app.use(
2  corsProxy({
3    authorization: (req: Request, res: Response, next: NextFunction) => {
4      // proxied git HTTP requests already use the Authorization header for git credentials,
5      // so their [Company] credentials are inserted in the X-Authorization header instead.
6      if (getAuthorizedUser(req, 'X-Authorization')) {
7        return next();
8      } else {
9        return res.status(401).send("Unable to authenticate you with [Company]'s git proxy");
10      }
11    },
12  })
13);
14
15// Only requests with a valid JSON Web Token will be proxied
16function getAuthorizedUser(req: Request, header: string = 'Authorization') {
17  const Authorization = req.get(header);
18
19  if (Authorization) {
20    const token = Authorization.replace('Bearer ', '');
21    try {
22      const verifiedToken = verify(token, env.APP_SECRET) as IToken;
23      if (verifiedToken) {
24        return {
25          id: verifiedToken.userId,
26        };
27      }
28    } catch (e) {
29      // noop
30    }
31  }
32}

License

This work is released under The MIT License

Stable Version

2.7.1

High

8.6/10

Summary

Server side request forgery in @isomorphic-git/cors-proxy

Affected Versions

< 2.7.1

Patched Versions

2.7.1

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

1

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

0

Security-Policy

Determines if the project has published a security policy.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

0

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

66 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-c6rq-rjc2-86v2
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-p28h-cc7q-c4fg
Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
Warn: Project is vulnerable to: GHSA-hr2v-3952-633q
Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm
Warn: Project is vulnerable to: GHSA-8r6j-v8pm-fqw3
Warn: Project is vulnerable to: MAL-2023-462
Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6
Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
Warn: Project is vulnerable to: GHSA-6c8f-qphg-qjgp
Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-5v2h-r2cx-5xgj
Warn: Project is vulnerable to: GHSA-rrrm-qjm4-v8hf
Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-fhjf-83wg-r2j9
Warn: Project is vulnerable to: GHSA-w7rc-rwvf-8q5r
Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
Warn: Project is vulnerable to: GHSA-px4h-xg32-q955
Warn: Project is vulnerable to: GHSA-93f3-23rq-pjfp
Warn: Project is vulnerable to: GHSA-jmqm-f2gx-4fjv
Warn: Project is vulnerable to: GHSA-pw54-mh39-w3hc
Warn: Project is vulnerable to: GHSA-xgh6-85xh-479p
Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-r2j6-p67h-q639
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-44c6-4v22-4mhx
Warn: Project is vulnerable to: GHSA-4x5v-gmq8-25ch
Warn: Project is vulnerable to: GHSA-4g88-fppr-53pp
Warn: Project is vulnerable to: GHSA-4jqc-8m5r-9rpr
Warn: Project is vulnerable to: GHSA-vx3p-948g-6vhq
Warn: Project is vulnerable to: GHSA-j44m-qm6p-hp7m
Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-884p-74jh-xrg2
Warn: Project is vulnerable to: GHSA-j7fq-p9q7-5wfv
Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7
Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp

Score

1.7

/10

Last Scanned on 2025-02-10

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More