Giter Club home page Giter Club logo

create-pwa's Introduction

Create PWA Logo

Travis CI Github Build Codacy Badge Codebeat Badge CodeFactor Badge DeepScan grade Analytics

Create PWA (Create a Progressive Web Application)

Easily create a Progressive Web Application

About

create-pwa is a module for quick scaffolding and producing of progressive web applications.

create-pwa adds the minimum required boilerplate which your app requires in order to become a PWA.

create-pwa can be used with existing applications or can be the first thing one does when starting a new app.

Visitor stats

GitHub stars GitHub forks GitHub watchers GitHub followers

Code stats

GitHub code size in bytes GitHub repo size GitHub language count GitHub top language GitHub last commit

Dependencies

In order to use this module, you must have NodeJS installed and NPM or Yarn available.

You also need a bash shell installed and configured - default on OSX and linux or Git bash on Windows.

Install

# Using NPM:
npm i create-pwa --save-dev

# Using Yarn
yarn add create-pwa --dev

Arguments

  1. icon: Specifies a relative path to the application icon. Should be a .png file.

This path is relative to the folder you are located in. It is recommended that the icon file is at least a 512x512 pixels square.

The icon argument is not required.

If the icon argument is not provided, the default icon is used.

  1. launch: Specifies a relative path to the application launch (splash) screen. Should be a .png file.

This path is relative to the folder you are located in. It is recommended that the launch is at least 3200x3200 pixels square and the actual content (for example brand image) is located in the middle of the image in a square with dimensions up to 500x500 pixels.

The launch argument is not required.

If the launch argument is not provided, the default launch screen is used.

  1. output: Specifies a relative path to the output directory.

This path is relative to the folder you are located in.

The output argument is not required.

If the output argument is not provided, the default value for it is empty string (the root of your project or the location of your package.json file).

Usage

If you want to use if from the command line, you should first install Create PWA globally:

npm i -g create-pwa

# or

yarn global add create-pwa

Then, navigate to your application's folder: Then run the install command (see above)

cd your/app/folder

create-pwa --icon="./icon.png" --launch="./launch.png"

You can also use create-pwa as a package.json script (in this case you don't need to install the package globally):

{
	"scripts": {
		"pwa": "create-pwa --icon=\"path/to/your/icon.png\" --launch=\"path/to/your/launch.png\""
	}
}

The above commands will generate:

  • a manifest.json and a service-worker.js files
  • several (8) png icons in the /icons/ folder in your app's root folder
  • several (19) favicons in the /favicons folder in your app's root folder
  • several (20) launch screen images in the launch-screen folder in your app's root folder
  • a config.xml file in your app's root folder - this file is required in Microsoft's browsers

You can edit the contents of the manifest.json and service-worker.js files.

Their default content is based on industry's best practices and is highly opinionated.

In order to create a customized experience for your users, feel advised to revise and edit the contents of the above files.

When the files(manifest.json and service-worker.js) are ready for production, you need to let the world know about them:

Feel adviced to edit the content of the <TileColor> tag in the config.xml file as it matches the color of your application's status bar on Chrome (found in the <meta name="color" /> tag);

  1. Add the following to the head of your HTML file(s):
<link rel="manifest" href="manifest.json" />

You can read more about the Web App Manifest here.

  1. Add the following snippet to your application's JavaScript bundle or place it in a script tag just before the closing </body> tag in your HTML file(s):
if ('serviceWorker' in navigator) {
	window.addEventListener('load', () => {
		navigator.serviceWorker.register('./service-worker.js').then(
			registration => {
				console.log(`ServiceWorker registration successful with scope: ${registration.scope}`);
			},
			error => {
				console.log(`ServiceWorker registration failed: ${error}`);
			}
		);
	});
}

The code above checks for service worker support and then registers a service worker located in the service-worker.js file in the root of the project.

You can read more about Service Workers here.

After that, add references to all icons which were generated by create-pwa:

  1. Add the following favicons and meta tags in the head of your HTML file(s):

For more info about the favicons and meta tags below see here.

View favicons and meta tags 
<!-- All Apple touch icons for iPad, iPhone, iPod -->
<link rel="apple-touch-icon" sizes="57x57" href="favicons/apple-touch-icon-57x57.png" />
<link rel="apple-touch-icon" sizes="60x60" href="favicons/apple-touch-icon-60x60.png" />
<link rel="apple-touch-icon" sizes="72x72" href="favicons/apple-touch-icon-72x72.png" />
<link rel="apple-touch-icon" sizes="76x76" href="favicons/apple-touch-icon-76x76.png" />
<link rel="apple-touch-icon" sizes="114x114" href="favicons/apple-touch-icon-114x114.png" />
<link rel="apple-touch-icon" sizes="120x120" href="favicons/apple-touch-icon-120x120.png" />
<link rel="apple-touch-icon" sizes="144x144" href="favicons/apple-touch-icon-144x144.png" />
<link rel="apple-touch-icon" sizes="152x152" href="favicons/apple-touch-icon-152x152.png" />

<!-- All favicon sizes - for all devices and browsers -->
<link rel="icon" type="image/png" href="favicons/favicon-196x196.png" sizes="196x196" />
<link rel="icon" type="image/png" href="favicons/favicon-96x96.png" sizes="96x96" />
<link rel="icon" type="image/png" href="favicons/favicon-32x32.png" sizes="32x32" />
<link rel="icon" type="image/png" href="favicons/favicon-16x16.png" sizes="16x16" />
<link rel="icon" type="image/png" href="favicons/favicon-128x128.png" sizes="128x128" />

<!-- A favicon with four different sizes -->
<link rel="shortcut icon" type="image/x-icon" href="favicons/favicon.ico" />

<!-- Application color for Microsoft Windows app tile and Android status bar -->
<meta name="theme-color" content="#edc22e" />
<meta name="msapplication-TileColor" content="#edc22e" />

<!-- Application name for Microsoft Windows app tile -->
<meta name="application-name" content="Create PWA" />

<!-- Application icons for Microsoft Windows app tile -->
<meta name="msapplication-TileImage" content="favicons/ms-tile-144x144.png" />
<meta name="msapplication-square70x70logo" content="favicons/ms-tile-70x70.png" />
<meta name="msapplication-square150x150logo" content="favicons/ms-tile-150x150.png" />
<meta name="msapplication-wide310x150logo" content="favicons/ms-tile-310x150.png" />
<meta name="msapplication-square310x310logo" content="favicons/ms-tile-310x310.png" />

<!-- Application config file for Microsoft browsers -->
<meta name="msapplication-config" content="config.xml" />
  1. (Optional) Add the following launch screens in the head of your HTML file(s):
View launch screens 
<!-- 12.9" iPad Pro Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2048x2732.png"
	media="(device-width: 2048px) and (device-height: 2732px) and (orientation: portrait)"
/>

<!-- 12.9" iPad Pro Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2732x2048.png"
	media="(device-width: 2732px) and (device-height: 2048px) and (orientation: landscape)"
/>

<!--  11" iPad Pro Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1668x2388.png"
	media="(device-width: 1668px) and (device-height: 2388px) and (orientation: portrait)"
/>

<!--  11" iPad Pro Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2388x1668.png"
	media="(device-width: 2388px) and (device-height: 1668px) and (orientation: landscape)"
/>

<!-- 10.5" iPad Pro Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1668x2224.png"
	media="(device-width: 1668px) and (device-height: 2224px) and (orientation: portrait)"
/>

<!-- 10.5" iPad Pro Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2224x1668.png"
	media="(device-width: 2224px) and (device-height: 1668px) and (orientation: landscape)"
/>

<!--  9.7" iPad Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1536x2048.png"
	media="(device-width: 1536px) and (device-height: 2048px) and (orientation: portrait)"
/>

<!--  9.7" iPad Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2048x1536.png"
	media="(device-width: 2048px) and (device-height: 1536px) and (orientation: landscape)"
/>

<!--7.9" iPad mini 4 Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1536x2048.png"
	media="(device-width: 1536px) and (device-height: 2048px) and (orientation: portrait)"
/>

<!--7.9" iPad mini 4 Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2048x1536.png"
	media="(device-width: 2048px and (device-height: 1536px) and (orientation: landscape)"
/>

<!--  iPhone XS Max Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1242x2688.png"
	media="(device-width: 1242px and (device-height: 2688px) and (orientation: portrait)"
/>

<!--  iPhone XS Max Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2688x1242.png"
	media="(device-width: 2688px) and (device-height: 142px) and (orientation: landscape)"
/>

<!--  iPhone XS Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1125x2436.png"
	media="(device-width: 1125px) and (device-height: 236px) and (orientation: portrait)"
/>

<!--  iPhone XS Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2436x1125.png"
	media="(device-width: 2436px) and (device-height: 1125px) and (orientation: landscape)"
/>

<!--  iPhone XR Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-828x1792.png"
	media="(device-width: 828px) and (device-height: 192px) and (orientation: portrait)"
/>

<!--  iPhone XR Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1792x828.png"
	media="(device-width: 1792px) and (device-height: 28px) and (orientation: landscape)"
/>

<!--  iPhone X Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1125x2436.png"
	media="(device-width: 1125px) and (device-height: 236px) and (orientation: portrait)"
/>

<!--  iPhone X Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2436x1125.png"
	media="(device-width: 2436px and (device-height: 1125px) and (orientation: landscape)"
/>

<!--  iPhone 8 Plus Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1242x2208.png"
	media="(device-width: 1242px and (device-height: 2208px) and (orientation: portrait)"
/>

<!--  iPhone 8 Plus Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2208x1242.png"
	media="(device-width: 2208px) and (device-height: 1242px) and (orientation: landscape)"
/>

<!--  iPhone 8 Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-750x1334.png"
	media="(device-width: 750px) and (device-height: 134px) and (orientation: portrait)"
/>

<!--  iPhone 8 Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1334x750.png"
	media="(device-width: 1334px and (device-height: 750px) and (orientation: landscape)"
/>

<!--  iPhone 7 Plus Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1242x2208.png"
	media="(device-width: 1242px and (device-height: 2208px) and (orientation: portrait)"
/>

<!--  iPhone 7 Plus Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2208x1242.png"
	media="(device-width: 2208px) and (device-height: 1242px) and (orientation: landscape)"
/>

<!--  iPhone 7 Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-750x1334.png"
	media="(device-width: 750px) and (device-height: 134px) and (orientation: portrait)"
/>

<!--  iPhone 7 Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1334x750.png"
	media="(device-width: 1334px and (device-height: 750px) and (orientation: landscape)"
/>

<!--  iPhone 6s Plus Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1242x2208.png"
	media="(device-width: 1242px and (device-height: 2208px) and (orientation: portrait)"
/>

<!--  iPhone 6s Plus Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-2208x1242.png"
	media="(device-width: 2208px) and (device-height: 1242px) and (orientation: landscape)"
/>

<!--  iPhone 6s Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-750x1334.png"
	media="(device-width: 750px) and (device-height: 134px) and (orientation: portrait)"
/>

<!--  iPhone 6s Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1334x750.png"
	media="(device-width: 1334px) and (device-height: 50px) and (orientation: landscape)"
/>

<!--  iPhone SE Portrait -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-640x1136.png"
	media="(device-width: 640px) and (device-height: 136px) and (orientation: portrait)"
/>

<!--  iPhone SE Landscape -->
<link
	rel="apple-touch-startup-image"
	href="./launch-screens/launch-screen-1136x640.png"
	media="(device-width: 1136px) and (device-height: 640px) and (orientation: landscape)"
/>

In order to have the launch screens shown on an iOS device you also need to tell the device it is dealing with a web app:

<meta name="apple-mobile-web-app-capable" content="yes" /> <meta name="mobile-web-app-capable" content="yes" />

The formet works on Safari on all iOS devices. The latter works on Google Chrome on all iOS devices.

Android devices show splash screen based on the data provided in the manifest.json file: icons, name, etc.

  1. (Optional) Add the following attribute to your html tag: manifest="<YOUR_APP_NAME>.appcache". It should look something like this:
<html lang="en" manifest="create-pwa.appcache">
	<!-- More awesome HTML code here -->
</html>

This will enable application cache and will cache all files listed in the .appcache file. Application cache is currently deprecated in most evergreen browsers and will probably be removed soon. This, however, does not mean that you can not use it in older browsers (for example IE 11).

You can read more about Application Cache here

More info

There is a lot information about Progressive Web Applications on the Internet. In order to comply with browser's requirements and pass the audits you need to check out and fulfill the PWA Checklist.

The entries listed in Baseline Progressive Web App Checklist are mandatory and without them your web app will not qualify as a PWA.

If you wish to test your web app's compliance, you can use the Chrome's built-in Lighthouse tool (found under the Audits tab in the Developer tools).

NodeJS API

You can generate each of the components above separately using the Create PWA API in NodeJS:

  1. To create only an appcache file:
const { setAppCache } = require('create-pwa');
const appName = 'Your application name';
const distFolder = 'dist';

setAppCache(appName, distFolder);

The generated appcache file contains references to the application icons and application launch screens. You must have these already generated otherwise you must edit your appcache file and remove them.

  1. To create only the application icons:
const { setIcons } = require('create-pwa');
const appIcon = require('fs').resolve(__dirname, './your_icon.png');
const distFolder = 'dist';

setIcons(appIcon, distFolder);

The generated icons are located in the /icons folder.

  1. To create only the launch screens:
const { setLaunchScreens } = require('create-pwa');
const launchScreen = require('fs').resolve(__dirname, './your_launch_screen.png');
const distFolder = 'dist';

setLaunchScreens(launchScreen, distFolder);

The generated files are located in the /launch-screens folder.

  1. To create only manifest file:
const { setManifest } = require('create-pwa');
const appName = 'Your application name';
const distFolder = 'dist';

setManifest(appName, distFolder);

The generated manifest.json file contains references to the application icons. You must have these already generated otherwise you must edit your manifest.json file and remove them.

  1. To create only favicon files:
const { setFavicons } = require('create-pwa');
const appIcon = require('fs').resolve(__dirname, './your_icon.png');
const distFolder = 'dist';

setFavicons(appIcon, distFolder);

The generated files are located in the /favicons folder.

  1. To create only service worker file:
const { setServiceWorker } = require('create-pwa');
const appName = 'Your application name';
const distFolder = 'dist';

setServiceWorker(appName, distFolder);

The generated service-worker.js file contains references to the application icons and application launch screens. You must have these already generated otherwise you must edit your service-worker.js file and remove them.

LICENSE

MIT

Connect with me:

                     
Support and sponsor my work:

create-pwa's People

Contributors

dependabot[bot] avatar greenkeeper[bot] avatar imgbotapp avatar pkexec avatar renovate-bot avatar renovate[bot] avatar scriptex avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

pkexec lcharleslaing arte-e-software

create-pwa's Issues

WS-2016-0090 (Medium) detected in jquery-1.9.1.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/create-pwa/node_modules/tinycolor2/test/index.html

Path to vulnerable library: /create-pwa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/create-pwa/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 4399c30697426b3c53c30963110c43a3a9122ba3

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9521 (Medium) detected in jquery-1.9.1.js

CVE-2015-9521 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/create-pwa/node_modules/tinycolor2/index.html

Path to vulnerable library: /create-pwa/node_modules/tinycolor2/demo/jquery-1.9.1.js,/create-pwa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 53ee91df1258d6ad44b8729260339e5d241d6550

Vulnerability Details

The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.

Publish Date: 2019-10-23

URL: CVE-2015-9521

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-10-23

Fix Resolution: 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44906 (Medium) detected in minimist-1.2.5.tgz

CVE-2021-44906 - Medium Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • png-to-ico-2.1.3.tgz (Root Library)
    • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 16721525f143570fc08a90f6ea0fac3e32523098

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Release Date: 2022-03-17

Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-1.9.1.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/create-pwa/node_modules/tinycolor2/test/index.html

Path to vulnerable library: /create-pwa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/create-pwa/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 4399c30697426b3c53c30963110c43a3a9122ba3

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: jquery/jquery@753d591

Release Date: 2019-03-25

Fix Resolution: Replace or update the following files: core.js, core.js

Step up your Open Source Security Game with WhiteSource here

Dependency Dashboard

This issue provides visibility into Renovate updates and their statuses. Learn more

This repository currently has no open or pending branches.

  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2020-8175 (Medium) detected in jpeg-js-0.3.7.tgz

CVE-2020-8175 - Medium Severity Vulnerability

Vulnerable Library - jpeg-js-0.3.7.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.7.tgz

Path to dependency file: /tmp/ws-scm/create-pwa/package.json

Path to vulnerable library: /tmp/ws-scm/create-pwa/node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • png-to-ico-2.1.0.tgz (Root Library)
    • jimp-0.9.8.tgz
      • types-0.9.8.tgz
        • jpeg-0.9.8.tgz
          • jpeg-js-0.3.7.tgz (Vulnerable Library)

Found in HEAD commit: a8f4cac5dad8d0f2fe1db8ddee31976674b97a34

Vulnerability Details

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-21

Fix Resolution: 0.4.0

Step up your Open Source Security Game with WhiteSource here

ERR_INVALID_ARG_TYPE

When i run

create-pwa --icon="./icon.png" --launch="./launch.png"

I get this error:

internal/validators.js:120
    throw new ERR_INVALID_ARG_TYPE(name, 'string', value);
    ^

TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received undefined
    at validateString (internal/validators.js:120:11)
    at resolve (path.js:139:9)
    at getAppName (C:\Users\szsob\AppData\Roaming\npm\node_modules\create-pwa\src\index.js:75:14)
    at create (C:\Users\szsob\AppData\Roaming\npm\node_modules\create-pwa\src\index.js:159:15)
    at Object.<anonymous> (C:\Users\szsob\AppData\Roaming\npm\node_modules\create-pwa\src\index.js:191:1)
    at Module._compile (internal/modules/cjs/loader.js:1147:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1167:10)
    at Module.load (internal/modules/cjs/loader.js:996:32)
    at Function.Module._load (internal/modules/cjs/loader.js:896:14)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:71:12) {
  code: 'ERR_INVALID_ARG_TYPE'
}

What am i doing wrong? Im executing the command from the readme

CVE-2021-23343 (Medium) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - Medium Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: create-pwa/package.json

Path to vulnerable library: create-pwa/node_modules/path-parse

Dependency Hierarchy:

  • tape-5.2.2.tgz (Root Library)
    • resolve-2.0.0-next.3.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 8e7757a349d7daec628b7b50362096cf5f734c2a

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-11022 (Medium) detected in jquery-1.9.1.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/create-pwa/node_modules/tinycolor2/index.html

Path to vulnerable library: /create-pwa/node_modules/tinycolor2/demo/jquery-1.9.1.js,/create-pwa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 3e50b007a17f17a6cf482c7156c2bac0c972306e

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

Apple mobile web app 

<meta name="apple-mobile-web-app-capable" content="yes" />
<meta name="mobile-web-app-capable" content="yes" />

Also, the documentation needs more love:

  1. Wrong or missing file names
  2. Wrong usage description
  3. Wrong service worker list
  4. Possibly more?

CVE-2020-11023 (Medium) detected in jquery-1.9.1.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/create-pwa/node_modules/tinycolor2/test/index.html

Path to vulnerable library: /create-pwa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/create-pwa/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: a8f4cac5dad8d0f2fe1db8ddee31976674b97a34

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

CVE-2020-0470 (Medium) detected in libaomandroid-11.0.0_r18

CVE-2020-0470 - Medium Severity Vulnerability

Vulnerable Library - libaomandroid-11.0.0_r18

Bug: 139309277

Library home page: https://android.googlesource.com/platform/external/libaom

Found in HEAD commit: 6ff7de1996dee59644e709e1ceda10940d8f3a84

Vulnerable Source Files (1)

create-pwa/node_modules/sharp/vendor/8.10.5/include/aom/aom_integer.h

Vulnerability Details

In extend_frame_highbd of restoration.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-166268541

Publish Date: 2020-12-14

URL: CVE-2020-0470

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Dist folder option

Thanks for this piece of code - very helfpul.

Enhancement:

Would be helpful to specify in the CLI call the dist folder where all files and folders are generated.
Today, they are all created in the main folder.

CVE-2022-0355 (High) detected in simple-get-4.0.0.tgz

CVE-2022-0355 - High Severity Vulnerability

Vulnerable Library - simple-get-4.0.0.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-get/package.json

Dependency Hierarchy:

  • sharp-0.29.3.tgz (Root Library)
    • simple-get-4.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.

Publish Date: 2022-01-26

URL: CVE-2022-0355

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355

Release Date: 2022-01-26

Fix Resolution: simple-get - 4.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2022-25851 (High) detected in jpeg-js-0.4.2.tgz

CVE-2022-25851 - High Severity Vulnerability

Vulnerable Library - jpeg-js-0.4.2.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • png-to-ico-2.1.4.tgz (Root Library)
    • jimp-0.16.1.tgz
      • types-0.16.1.tgz
        • jpeg-0.16.1.tgz
          • jpeg-js-0.4.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.

Publish Date: 2022-06-10

URL: CVE-2022-25851

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-10

Fix Resolution: jpeg-js - 0.4.4

Step up your Open Source Security Game with Mend here

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: create-pwa/package.json

Path to vulnerable library: create-pwa/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • sharp-0.29.1.tgz (Root Library)
    • prebuild-install-6.1.4.tgz
      • npmlog-4.1.2.tgz
        • gauge-2.7.4.tgz
          • wide-align-1.1.3.tgz
            • string-width-2.1.1.tgz
              • strip-ansi-4.0.0.tgz
                • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: create-pwa/package.json

Path to vulnerable library: create-pwa/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • yargs-17.0.1.tgz (Root Library)
    • cliui-7.0.4.tgz
      • strip-ansi-6.0.0.tgz
        • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 2fb8aaf3cf7cc30f93c0d45e33fcc4b1b708d3b1

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.9.1.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.9.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.js

Path to dependency file: /tmp/ws-scm/create-pwa/node_modules/tinycolor2/test/index.html

Path to vulnerable library: /create-pwa/node_modules/tinycolor2/test/../demo/jquery-1.9.1.js,/create-pwa/node_modules/tinycolor2/demo/jquery-1.9.1.js

Dependency Hierarchy:

  • jquery-1.9.1.js (Vulnerable Library)

Found in HEAD commit: 4399c30697426b3c53c30963110c43a3a9122ba3

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.