* Update readme to reflect the state of this project
* Update README.md
Co-Authored-By: MiniDigger <admin@minidigger.me>
* Merge in suggestion and fix typos
Co-authored-by: Nick Krecklow <hello@github.nklow.com>
* Fix XSS by parsing player counts as raw data (instead of parsing it)
* Ensure the returned favicon is a data URI
* Force server favicon size to 64px
* Increase specificity of data URI validation
The previous commit would happily accept any domain (or subdomain) that started with "data"
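Added example (not Minetrack's own code) contrasting a loose prefix check of the kind described above with a strict one; it assumes the favicon arrives as the `data:image/png;base64,...` string a Minecraft status ping returns, and the sample values are constructed.

```javascript
// Added example, not Minetrack's code: validate a server favicon before it
// is rendered as an <img src>. Assumes the favicon is a string in the
// "data:image/png;base64,<payload>" form returned by a status ping.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const DATA_URI_RE = /^data:image\/png;base64,([A-Za-z0-9+/]+={0,2})$/;

// Loose check of the kind the commit message warns about: any string that
// merely begins with "data" passes, including a host name such as
// "data.example.net/icon.png" (constructed value, not a real server).
function looseFaviconCheck(favicon) {
  return typeof favicon === 'string' && favicon.startsWith('data');
}

// Strict check: the entire string must be a base64 PNG data URI, and the
// decoded bytes must start with the PNG file signature.
function isValidFaviconDataUri(favicon) {
  if (typeof favicon !== 'string') return false;
  const match = DATA_URI_RE.exec(favicon);
  if (!match) return false;
  const bytes = Buffer.from(match[1], 'base64');
  return bytes.length >= PNG_SIGNATURE.length &&
    bytes.subarray(0, PNG_SIGNATURE.length).equals(PNG_SIGNATURE);
}

// Constructed samples: a minimal "PNG" (signature plus padding), a bare
// host name that starts with "data", and a non-image data URI.
const SAMPLE_PNG_B64 = Buffer.concat([PNG_SIGNATURE, Buffer.alloc(4)]).toString('base64');
const GOOD_FAVICON = 'data:image/png;base64,' + SAMPLE_PNG_B64;
const HOSTNAME_FAVICON = 'data.example.net/icon.png';
const HTML_DATA_URI = 'data:text/html;base64,' + Buffer.from('<b>x</b>').toString('base64');

// Only the strict check separates the real favicon from the two rejects.
console.log(looseFaviconCheck(HOSTNAME_FAVICON), isValidFaviconDataUri(HOSTNAME_FAVICON));
console.log(isValidFaviconDataUri(GOOD_FAVICON), isValidFaviconDataUri(HTML_DATA_URI));
```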
I added caret version ranges to big packages because there are no breaking changes in a patch update. Taken from npm: Allows changes that do not modify the left-most non-zero digit in the [major, minor, patch] tuple. In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X. [More](https://docs.npmjs.com/misc/semver#caret-ranges-123-025-004)
Minetrack currently has 11 vulnerable dependency paths, introducing 6 different types of known vulnerabilities.
This PR fixes vulnerable dependencies: the [ReDoS vulnerability](https://snyk.io/vuln/npm:tough-cookie:20160722) in the `tough-cookie` dependency and the [remote memory exposure](https://snyk.io/vuln/npm:request:20160119) vulnerability in the `request` dependency.
You can see [Snyk test report](https://snyk.io/test/github/Cryptkeeper/Minetrack) of this project for details.
This PR changes `Package.json` to upgrade `request` to the newer 2.74.0 version, and will fix all the vulnerabilities listed above.
You can get alerts and fix PRs for future vulnerabilities for free by [watching this repo with Snyk](https://snyk.io/add).
Note this PR fixes all the vulnerabilities introduced through the `request` dependency; in order to be vulnerability-free you will need to upgrade other dependencies as well.
Full disclosure: I'm a part of the Snyk team, just looking to spread some security goodness and awareness ;)