deps: csurf package is deprecated and should be replaced #858

Open
pano9000 opened this issue Dec 28, 2024 · 0 comments · May be fixed by #864

@pano9000
Contributor

Description

Hi,

currently the csurf package is used to implement some CSRF protection – unfortunately the package seems to have a couple of issues and got marked as "deprecated":
https://www.npmjs.com/package/csurf

Some additional reading about it:
https://dev-academy.com/csurf-vulnerability/

A viable solution could be to use the following package as a replacement:
https://github.com/Psifi-Solutions/csrf-csrf

It is not a 1:1 drop-in replacement (e.g. it seems to need some slightly different configurations), but it should work similarly enough afterwards, from what I saw.

TriliumNext Version

git

What operating system are you using?

Other Linux

What is your setup?

Local + server sync

Operating System Version

git

Error logs

No response

@pano9000 pano9000 self-assigned this Dec 28, 2024
@pano9000 pano9000 linked a pull request Dec 30, 2024 that will close this issue