chore: update dependencies (#1393)

* chore: update sqlite3

* chore: update nextjs

* chore: update semver

* chore: update email-templates

* chore: update express and express-openapi-validator

* chore: override cross-spawn as the packages using it didnt update it

* chore: update undici

* feat: use csrf-csrf instead of deprecated csurf

* chore: override cookie

* chore: remove the overrides

* chore: update lockfile

* chore: revert cypress update

* chore: revert revert cypress update

* chore: update cypress

* ci(cypress): upload video artifacts for debugging

* chore(cypress): generate videos

* ci(cypress): remove unnecessary matrix.browser in the artifact name

* chore: update to es2021

---------

Co-authored-by: Gauthier <mail@gauthierth.fr>

.github/workflows/cypress.yml

@@ -36,3 +36,10 @@ jobs:
           # Fix test titles in cypress dashboard
           COMMIT_INFO_MESSAGE: ${{github.event.pull_request.title}}
           COMMIT_INFO_SHA: ${{github.event.pull_request.head.sha}}
+      - name: Upload video files
+        uses: actions/upload-artifact@v4
+        with:
+          name: cypress-videos
+          path: |
+            cypress/videos
+            cypress/screenshots

cypress.config.ts

@@ -4,6 +4,7 @@ export default defineConfig({
   projectId: 'xkm1b4',
   e2e: {
     baseUrl: 'http://localhost:5055',
+    video: true,
     experimentalSessionAndOrigin: true,
   },
   env: {

next-env.d.ts

@@ -2,4 +2,4 @@
 /// <reference types="next/image-types/global" />
 
 // NOTE: This file should not be edited
-// see https://nextjs.org/docs/basic-features/typescript for more information.
+// see https://nextjs.org/docs/pages/building-your-application/configuring/typescript for more information.

package.json

@@ -47,16 +47,16 @@
     "bcrypt": "5.1.0",
     "bowser": "2.11.0",
     "connect-typeorm": "1.1.4",
-    "cookie-parser": "1.4.6",
+    "cookie-parser": "1.4.7",
     "copy-to-clipboard": "3.3.3",
     "country-flag-icons": "1.5.5",
     "cronstrue": "2.23.0",
-    "csurf": "1.11.0",
+    "csrf-csrf": "^3.1.0",
     "date-fns": "2.29.3",
     "dayjs": "1.11.7",
-    "email-templates": "9.0.0",
+    "email-templates": "12.0.1",
     "email-validator": "2.0.4",
-    "express": "4.18.2",
+    "express": "4.21.2",
     "express-openapi-validator": "4.13.8",
     "express-rate-limit": "6.7.0",
     "express-session": "1.17.3",
@@ -64,15 +64,15 @@
     "gravatar-url": "3.1.0",
     "lodash": "4.17.21",
     "mime": "3",
-    "next": "^14.2.4",
+    "next": "^14.2.24",
     "node-cache": "5.1.2",
     "node-gyp": "9.3.1",
     "node-schedule": "2.1.1",
-    "nodemailer": "6.9.1",
-    "openpgp": "5.7.0",
+    "nodemailer": "6.10.0",
+    "openpgp": "5.11.2",
     "pg": "8.11.0",
     "plex-api": "5.3.2",
-    "pug": "3.0.2",
+    "pug": "3.0.3",
     "react": "^18.3.1",
     "react-ace": "10.1.0",
     "react-animate-height": "2.1.2",
@@ -91,14 +91,14 @@
     "react-use-clipboard": "1.0.9",
     "reflect-metadata": "0.1.13",
     "secure-random-password": "0.2.3",
-    "semver": "7.3.8",
+    "semver": "7.7.1",
     "sharp": "^0.33.4",
-    "sqlite3": "5.1.4",
+    "sqlite3": "5.1.7",
     "swagger-ui-express": "4.6.2",
     "swr": "2.2.5",
     "tailwind-merge": "^2.6.0",
     "typeorm": "0.3.11",
-    "undici": "^6.20.1",
+    "undici": "^7.3.0",
     "web-push": "3.5.0",
     "wink-jaro-distance": "^2.0.0",
     "winston": "3.8.2",
@@ -106,7 +106,7 @@
     "xml2js": "0.4.23",
     "yamljs": "0.3.0",
     "yup": "0.32.11",
-    "zod": "3.20.6"
+    "zod": "3.24.2"
   },
   "devDependencies": {
     "@commitlint/cli": "17.4.4",
@@ -116,8 +116,8 @@
     "@semantic-release/exec": "6.0.3",
     "@semantic-release/git": "10.0.1",
     "@tailwindcss/aspect-ratio": "0.4.2",
-    "@tailwindcss/forms": "0.5.3",
-    "@tailwindcss/typography": "0.5.9",
+    "@tailwindcss/forms": "0.5.10",
+    "@tailwindcss/typography": "0.5.16",
     "@types/bcrypt": "5.0.0",
     "@types/cookie-parser": "1.4.3",
     "@types/country-flag-icons": "1.2.0",
@@ -146,7 +146,7 @@
     "commitizen": "4.3.0",
     "copyfiles": "2.4.1",
     "cy-mobile-commands": "0.3.0",
-    "cypress": "12.7.0",
+    "cypress": "14.1.0",
     "cz-conventional-changelog": "3.3.0",
     "eslint": "8.35.0",
     "eslint-config-next": "^14.2.4",
@@ -159,8 +159,8 @@
     "eslint-plugin-react-hooks": "4.6.0",
     "husky": "8.0.3",
     "lint-staged": "13.1.2",
-    "nodemon": "2.0.20",
-    "postcss": "8.4.21",
+    "nodemon": "3.1.9",
+    "postcss": "8.4.31",
     "prettier": "2.8.4",
     "prettier-plugin-organize-imports": "3.2.2",
     "prettier-plugin-tailwindcss": "0.2.3",

server/index.ts

@@ -28,7 +28,7 @@ import restartFlag from '@server/utils/restartFlag';
 import { getClientIp } from '@supercharge/request-ip';
 import { TypeormStore } from 'connect-typeorm/out';
 import cookieParser from 'cookie-parser';
-import csurf from 'csurf';
+import { doubleCsrf } from 'csrf-csrf';
 import type { NextFunction, Request, Response } from 'express';
 import express from 'express';
 import * as OpenApiValidator from 'express-openapi-validator';
@@ -162,18 +162,23 @@ app
       }
     });
     if (settings.network.csrfProtection) {
-      server.use(
-        csurf({
-          cookie: {
-            httpOnly: true,
-            sameSite: true,
-            secure: !dev,
-          },
-        })
-      );
+      const { doubleCsrfProtection, generateToken } = doubleCsrf({
+        getSecret: () => settings.clientId,
+        cookieName: 'XSRF-TOKEN',
+        cookieOptions: {
+          httpOnly: true,
+          sameSite: 'strict',
+          secure: !dev,
+        },
+        size: 64,
+        ignoredMethods: ['GET', 'HEAD', 'OPTIONS'],
+      });
+
+      server.use(doubleCsrfProtection);
+
       server.use((req, res, next) => {
-        res.cookie('XSRF-TOKEN', req.csrfToken(), {
-          sameSite: true,
+        res.cookie('XSRF-TOKEN', generateToken(req, res), {
+          sameSite: 'strict',
           secure: !dev,
         });
         next();

server/lib/email/index.ts

@@ -50,6 +50,7 @@ class PreparedEmail extends Email {
       },
       send: true,
       transport: transport,
+      preview: false,
     });
   }
 }

src/utils/fetchOverride.ts

@@ -31,7 +31,7 @@ if (typeof window !== 'undefined') {
 
     const headers = {
       ...(init?.headers || {}),
-      ...(csrfToken ? { 'XSRF-TOKEN': csrfToken } : {}),
+      ...(csrfToken ? { 'X-CSRF-TOKEN': csrfToken } : {}),
     };
 
     const newInit: RequestInit = {

tsconfig.json

@@ -1,6 +1,6 @@
 {
   "compilerOptions": {
-    "target": "es5",
+    "target": "ES2021",
     "lib": ["dom", "dom.iterable", "esnext"],
     "allowJs": true,
     "skipLibCheck": true,