Critical: - C-4: Add express-rate-limit to login (20 attempts/15min) - C-5: Remove default credentials from LoginForm.js - C-6: Add sandbox attribute to KB document iframe High: - H-2: Hard-fail on startup if SESSION_SECRET env var is missing - H-6: Sanitize filenames in Content-Disposition headers - H-7: Fix KB upload race condition — move file after DB insert succeeds - H-8: Generate random admin password in setup.js instead of hardcoded - H-9: Add rehype-sanitize to ReactMarkdown (requires npm install) Medium: - M-4: Fix loose equality (==) to strict (===) in users.js self-checks - M-5: Add hostname format regex validation in compliance notes - M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js - M-7: Sanitize original filename in compliance temp JSON - M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var New dependencies needed: - backend: express-rate-limit (npm install in root) - frontend: rehype-sanitize (npm install in frontend/)
{
|
|
"name": "cve-dashboard",
|
|
"version": "1.0.0",
|
|
"description": "",
|
|
"main": "index.js",
|
|
"scripts": {
|
|
"test": "echo \"Error: no test specified\" && exit 1"
|
|
},
|
|
"keywords": [],
|
|
"author": "",
|
|
"license": "ISC",
|
|
"dependencies": {
|
|
"bcryptjs": "^3.0.3",
|
|
"cookie-parser": "^1.4.7",
|
|
"cors": "^2.8.6",
|
|
"dotenv": "^16.6.1",
|
|
"express": "^5.2.1",
|
|
"express-rate-limit": "^7.5.0",
|
|
"multer": "^2.0.2",
|
|
"sqlite3": "^5.1.7"
|
|
}
|
|
}
|
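Review bot: The new dependency entry `"express-rate-limit": "^7.5.0"` is a caret range, so the version that actually lands in an install depends on a committed lockfile, and nothing in this section shows `package-lock.json` being updated alongside the manifest. If the lockfile is not part of this change, either commit it and install with `npm ci`, or pin the exact version, so the rate limiter the login route relies on (C-4 in the description) is the same one in every environment. The `"test"` script is still the placeholder that exits 1, so none of the fixes listed in the description are covered by an automated check; a minimal script that at least loads the app would catch a missing or mismatched package at install time.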