
Merge branch 'master' into support/use-jotai

Yuki Takei 5 месяцев назад
Родитель
Сommit
cd95e9b662

+ 1 - 1
apps/app/package.json

@@ -248,7 +248,7 @@
     "url-join": "^4.0.0",
     "usehooks-ts": "^2.6.0",
     "uuid": "^11.0.3",
-    "validator": "^13.7.0",
+    "validator": "^13.15.20",
     "ws": "^8.17.1",
     "xss": "^1.0.15",
     "y-mongodb-provider": "^0.2.0",

+ 4 - 4
apps/app/src/server/models/user.js

@@ -125,8 +125,8 @@ const factory = (crowi) => {
     const len = 12;
 
     for (let i = 0; i < len; i++) {
-      const randomPoz = Math.floor(Math.random() * chars.length);
-      password += chars.substring(randomPoz, randomPoz + 1);
+      const randomIndex = crypto.randomInt(0, chars.length);
+      password += chars[randomIndex];
     }
 
     return password;
@@ -567,8 +567,8 @@ const factory = (crowi) => {
     const newUser = new User();
 
     /* eslint-disable newline-per-chained-call */
-    const tmpUsername = `temp_${Math.random().toString(36).slice(-16)}`;
-    const password = Math.random().toString(36).slice(-16);
+    const tmpUsername = `temp_${crypto.randomBytes(8).toString('hex')}`;
+    const password = crypto.randomBytes(12).toString('hex');
     /* eslint-enable newline-per-chained-call */
 
     newUser.username = tmpUsername;
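Review bot: Both hunks call `crypto.randomInt` / `crypto.randomBytes`, but this section adds no import (all four added lines are the calls themselves), so the change relies on `crypto` already being bound to Node's `crypto` module elsewhere in the file. If it is not, the name would resolve to the global Web Crypto object in current Node versions, which has neither method, and both password paths would throw at runtime. Confirm the top of the file has `const crypto = require('crypto');` or the equivalent import. A short comment above each call, such as `// CSPRNG on purpose: this value is a credential, do not use Math.random()`, would keep a later refactor from reverting it. Both enclosing functions start and end outside the hunks.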

+ 1 - 1
apps/app/src/server/routes/login-passport.js

@@ -78,7 +78,7 @@ module.exports = function(crowi, app) {
     const redirectTo = redirectToForUnauthenticated ?? res.locals.redirectTo ?? '/';
 
     if (isExternalAccount) {
-      return res.redirect(redirectTo);
+      return res.safeRedirect(redirectTo);
     }
 
     return res.apiv3({ redirectTo });
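Review bot: Only the `isExternalAccount` branch goes through `res.safeRedirect`; the `res.apiv3({ redirectTo })` branch just below still returns the same `redirectTo` value to the client unchecked. If the front end navigates to that value, the open-redirect exposure this change closes presumably remains on the non-external login path. Consider validating `redirectTo` once before the branch so both paths share the result, or state the contract in a comment, e.g. `// redirectTo is returned as data here; the client must restrict it to same-origin paths`. What `safeRedirect` permits is not visible in this hunk, and the handler starts and ends outside it.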

+ 1 - 1
package.json

@@ -100,7 +100,7 @@
     "turbo": "^2.1.3",
     "typescript": "~5.0.0",
     "typescript-transform-paths": "^3.4.7",
-    "vite": "^5.4.20",
+    "vite": "^5.4.21",
     "vite-plugin-dts": "^3.9.1",
     "vite-tsconfig-paths": "^5.0.1",
     "vitest": "^2.1.1",

+ 29 - 28
pnpm-lock.yaml

@@ -72,7 +72,7 @@ importers:
         version: 5.59.7(eslint@8.41.0)(typescript@5.0.4)
       '@vitejs/plugin-react':
         specifier: ^4.3.1
-        version: 4.3.1(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
+        version: 4.3.1(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
       '@vitest/coverage-v8':
         specifier: ^2.1.1
         version: 2.1.1(vitest@2.1.1)
@@ -188,14 +188,14 @@ importers:
         specifier: ^3.4.7
         version: 3.4.7(typescript@5.0.4)
       vite:
-        specifier: ^5.4.20
-        version: 5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
+        specifier: ^5.4.21
+        version: 5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
       vite-plugin-dts:
         specifier: ^3.9.1
-        version: 3.9.1(@types/node@20.19.17)(rollup@4.39.0)(typescript@5.0.4)(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
+        version: 3.9.1(@types/node@20.19.17)(rollup@4.39.0)(typescript@5.0.4)(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
       vite-tsconfig-paths:
         specifier: ^5.0.1
-        version: 5.0.1(typescript@5.0.4)(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
+        version: 5.0.1(typescript@5.0.4)(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
       vitest:
         specifier: ^2.1.1
         version: 2.1.1(@types/node@20.19.17)(@vitest/ui@2.1.1)(happy-dom@15.7.4)(jsdom@26.1.0)(sass@1.77.6)(terser@5.43.1)
@@ -767,8 +767,8 @@ importers:
         specifier: ^11.0.3
         version: 11.1.0
       validator:
-        specifier: ^13.7.0
-        version: 13.12.0
+        specifier: ^13.15.20
+        version: 13.15.20
       ws:
         specifier: ^8.17.1
         version: 8.18.0
@@ -10553,6 +10553,7 @@ packages:
     resolution: {integrity: sha512-Quz3MvAwHxVYNXsOByL7xI5EB2WYOeFswqaHIA3qOK3isRWTxiplBEocmmru6XmxDB2L7jDNYtYA4FyimoAFEw==}
     engines: {node: '>=8.17.0'}
     hasBin: true
+    bundledDependencies: []
 
   jsonfile@3.0.1:
     resolution: {integrity: sha512-oBko6ZHlubVB5mRFkur5vgYR1UyqX+S6Y/oCfLhqNdcc2fYFlDpIoNc7AfKS1KOGcnNAkvsr0grLck9ANM815w==}
@@ -14926,8 +14927,8 @@ packages:
     resolution: {integrity: sha512-OljLrQ9SQdOUqTaQxqL5dEfZWrXExyyWsozYlAWFawPVNuD83igl7uJD2RTkNMbniIYgt8l81eCJGIdQF7avLQ==}
     engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
 
-  validator@13.12.0:
-    resolution: {integrity: sha512-c1Q0mCiPlgdTVVVIJIrBuxNicYE+t/7oKeI9MWLj3fh/uq2Pxh/3eeWbVZ4OcGW1TUf53At0njHw5SMdA3tmMg==}
+  validator@13.15.20:
+    resolution: {integrity: sha512-KxPOq3V2LmfQPP4eqf3Mq/zrT0Dqp2Vmx2Bn285LwVahLc+CsxOM0crBHczm8ijlcjZ0Q5Xd6LW3z3odTPnlrw==}
     engines: {node: '>= 0.10'}
 
   vary@1.1.2:
@@ -14984,8 +14985,8 @@ packages:
       vite:
         optional: true
 
-  vite@5.4.20:
-    resolution: {integrity: sha512-j3lYzGC3P+B5Yfy/pfKNgVEg4+UtcIJcVRt2cDjIOmhLourAqPqf8P7acgxeiSgUB7E3p2P8/3gNIgDLpwzs4g==}
+  vite@5.4.21:
+    resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==}
     engines: {node: ^18.0.0 || >=20.0.0}
     hasBin: true
     peerDependencies:
@@ -17754,7 +17755,7 @@ snapshots:
       loglevel: 1.9.2
       loglevel-plugin-prefix: 0.8.4
       minimatch: 6.2.0
-      validator: 13.12.0
+      validator: 13.15.20
     transitivePeerDependencies:
       - encoding
 
@@ -21831,14 +21832,14 @@ snapshots:
 
   '@unts/get-tsconfig@4.1.1': {}
 
-  '@vitejs/plugin-react@4.3.1(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))':
+  '@vitejs/plugin-react@4.3.1(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))':
     dependencies:
       '@babel/core': 7.24.6
       '@babel/plugin-transform-react-jsx-self': 7.24.6(@babel/core@7.24.6)
       '@babel/plugin-transform-react-jsx-source': 7.24.6(@babel/core@7.24.6)
       '@types/babel__core': 7.20.5
       react-refresh: 0.14.2
-      vite: 5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
+      vite: 5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
     transitivePeerDependencies:
       - supports-color
 
@@ -21867,13 +21868,13 @@ snapshots:
       chai: 5.1.1
       tinyrainbow: 1.2.0
 
-  '@vitest/mocker@2.1.1(@vitest/spy@2.1.1)(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))':
+  '@vitest/mocker@2.1.1(@vitest/spy@2.1.1)(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))':
     dependencies:
       '@vitest/spy': 2.1.1
       estree-walker: 3.0.3
       magic-string: 0.30.11
     optionalDependencies:
-      vite: 5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
+      vite: 5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
 
   '@vitest/pretty-format@2.1.1':
     dependencies:
@@ -24920,7 +24921,7 @@ snapshots:
   express-validator@6.15.0:
     dependencies:
       lodash: 4.17.21
-      validator: 13.12.0
+      validator: 13.15.20
 
   express@4.21.0:
     dependencies:
@@ -28251,7 +28252,7 @@ snapshots:
       '@lykmapipo/phone': 0.7.16
       lodash: 4.17.21
       mongoose: 6.13.8(@aws-sdk/client-sso-oidc@3.600.0)
-      validator: 13.12.0
+      validator: 13.15.20
 
   mongoose@6.13.8(@aws-sdk/client-sso-oidc@3.600.0):
     dependencies:
@@ -32200,7 +32201,7 @@ snapshots:
 
   validate-npm-package-name@5.0.1: {}
 
-  validator@13.12.0: {}
+  validator@13.15.20: {}
 
   vary@1.1.2: {}
 
@@ -32252,7 +32253,7 @@ snapshots:
       cac: 6.7.14
       debug: 4.4.1(supports-color@5.5.0)
       pathe: 1.1.2
-      vite: 5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
+      vite: 5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
     transitivePeerDependencies:
       - '@types/node'
       - less
@@ -32264,7 +32265,7 @@ snapshots:
       - supports-color
       - terser
 
-  vite-plugin-dts@3.9.1(@types/node@20.19.17)(rollup@4.39.0)(typescript@5.0.4)(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)):
+  vite-plugin-dts@3.9.1(@types/node@20.19.17)(rollup@4.39.0)(typescript@5.0.4)(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)):
     dependencies:
       '@microsoft/api-extractor': 7.43.0(@types/node@20.19.17)
       '@rollup/pluginutils': 5.2.0(rollup@4.39.0)
@@ -32275,24 +32276,24 @@ snapshots:
       typescript: 5.0.4
       vue-tsc: 1.8.27(typescript@5.0.4)
     optionalDependencies:
-      vite: 5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
+      vite: 5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
     transitivePeerDependencies:
       - '@types/node'
       - rollup
       - supports-color
 
-  vite-tsconfig-paths@5.0.1(typescript@5.0.4)(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)):
+  vite-tsconfig-paths@5.0.1(typescript@5.0.4)(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)):
     dependencies:
       debug: 4.4.1(supports-color@5.5.0)
       globrex: 0.1.2
       tsconfck: 3.0.3(typescript@5.0.4)
     optionalDependencies:
-      vite: 5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
+      vite: 5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
     transitivePeerDependencies:
       - supports-color
       - typescript
 
-  vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1):
+  vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1):
     dependencies:
       esbuild: 0.21.5
       postcss: 8.5.3
@@ -32312,7 +32313,7 @@ snapshots:
   vitest@2.1.1(@types/node@20.19.17)(@vitest/ui@2.1.1)(happy-dom@15.7.4)(jsdom@26.1.0)(sass@1.77.6)(terser@5.43.1):
     dependencies:
       '@vitest/expect': 2.1.1
-      '@vitest/mocker': 2.1.1(@vitest/spy@2.1.1)(vite@5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
+      '@vitest/mocker': 2.1.1(@vitest/spy@2.1.1)(vite@5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1))
       '@vitest/pretty-format': 2.1.1
       '@vitest/runner': 2.1.1
       '@vitest/snapshot': 2.1.1
@@ -32327,7 +32328,7 @@ snapshots:
       tinyexec: 0.3.0
       tinypool: 1.0.1
       tinyrainbow: 1.2.0
-      vite: 5.4.20(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
+      vite: 5.4.21(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
       vite-node: 2.1.1(@types/node@20.19.17)(sass@1.77.6)(terser@5.43.1)
       why-is-node-running: 2.3.0
     optionalDependencies:
@@ -32823,7 +32824,7 @@ snapshots:
     dependencies:
       lodash.get: 4.4.2
       lodash.isequal: 4.5.0
-      validator: 13.12.0
+      validator: 13.15.20
     optionalDependencies:
       commander: 10.0.1