hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175

ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0

As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.

Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:

> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.

Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175

pkgs/servers/web-apps/hedgedoc/default.nix

@@ -15,34 +15,42 @@ let
   # we need a different version than the one already available in nixpkgs
   esbuild-hedgedoc = buildGoModule rec {
     pname = "esbuild";
-    version = "0.11.20";
+    version = "0.12.27";
 
     src = fetchFromGitHub {
       owner = "evanw";
       repo = "esbuild";
       rev = "v${version}";
-      sha256 = "009f2mfgzkzgxjh3034mzdkcvm5vz17sgy1cs604f0425i22z8qm";
+      sha256 = "sha256-UclUTfm6fxoYEEdEEmO/j+WLZLe8SFzt7+Tej4bR0RU=";
     };
 
-    vendorSha256 = "1n5538yik72x94vzfq31qaqrkpxds5xys1wlibw2gn2am0z5c06q";
+    vendorSha256 = "sha256-QPkBR+FscUc3jOvH7olcGUhM6OW4vxawmNJuRQxPuGs=";
   };
 in
 
 mkYarnPackage rec {
   pname = "hedgedoc";
-  version = "1.8.2";
+  version = "1.9.0";
 
   src = fetchFromGitHub {
     owner  = "hedgedoc";
     repo   = "hedgedoc";
     rev    = version;
-    sha256 = "1h2wyhap264iqm2jh0i05w0hb2j86jsq1plyl7k3an90w7wngyg1";
+    sha256 = "sha256-hSKQGkI1+68Zf05RhgRKZo47buyobzjhURSZ30/h0PA=";
   };
 
   nativeBuildInputs = [ which makeWrapper ];
   extraBuildInputs = [ python2 esbuild-hedgedoc ];
 
   yarnNix = ./yarn.nix;
+
+  # FIXME(@Ma27) on the bump to 1.9.0 I had to patch this file manually:
+  # I replaced `midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` with
+  # `midi "git+https://github.com/paulrosen/MIDI.js.git#abcjs"` on all occurrences.
+  #
+  # Without this change `yarn` attempted to download the code directly from GitHub, with
+  # the `git+`-prefix it actually uses the `midi.js` version from the offline cache
+  # created by `yarn2nix`. On future bumps this may be necessary as well!
   yarnLock = ./yarn.lock;
   packageJSON = ./package.json;
 

pkgs/servers/web-apps/hedgedoc/package.json

@@ -1,6 +1,6 @@
 {
   "name": "HedgeDoc",
-  "version": "1.8.2",
+  "version": "1.9.0",
   "description": "The best platform to write and share markdown.",
   "main": "app.js",
   "license": "AGPL-3.0",
@@ -21,7 +21,7 @@
     "Idle.Js": "git+https://github.com/shawnmclean/Idle.js",
     "archiver": "^5.0.2",
     "async": "^3.0.0",
-    "aws-sdk": "^2.888.0",
+    "aws-sdk": "^2.987.0",
     "azure-storage": "^2.7.0",
     "base64url": "^3.0.0",
     "body-parser": "^1.15.2",
@@ -29,7 +29,7 @@
     "cheerio": "^0.22.0",
     "compression": "^1.6.2",
     "connect-flash": "^0.1.1",
-    "connect-session-sequelize": "^7.0.0",
+    "connect-session-sequelize": "^7.1.2",
     "cookie": "^0.4.0",
     "cookie-parser": "^1.4.3",
     "deep-freeze": "^0.0.1",
@@ -40,7 +40,6 @@
     "file-type": "^16.1.0",
     "formidable": "^1.0.17",
     "graceful-fs": "^4.1.11",
-    "handlebars": "^4.5.2",
     "helmet": "^4.5.0",
     "i18n": "^0.13.0",
     "is-svg": "^4.3.1",
@@ -66,7 +65,7 @@
     "meta-marked": "git+https://github.com/hedgedoc/meta-marked",
     "method-override": "^3.0.0",
     "minimist": "^1.2.0",
-    "minio": "^7.0.0",
+    "minio": "^7.0.19",
     "moment": "^2.17.1",
     "morgan": "^1.7.0",
     "mysql2": "^2.0.0",
@@ -80,7 +79,7 @@
     "passport-ldapauth": "^3.0.0",
     "passport-local": "^1.0.0",
     "passport-oauth2": "^1.4.0",
-    "passport-saml": "^2.0.0",
+    "passport-saml": "^3.1.2",
     "passport-twitter": "^1.0.4",
     "passport.socketio": "^3.7.0",
     "pdfobject": "^2.0.201604172",
@@ -98,13 +97,11 @@
     "sqlite3": "^5.0.0",
     "store": "^2.0.12",
     "string": "^3.3.3",
-    "tedious": "^6.6.0",
     "toobusy-js": "^0.5.1",
     "umzug": "^2.3.0",
     "uuid": "^8.0.0",
     "validator": "^13.0.0",
     "winston": "^3.1.0",
-    "ws": "^7.4.4",
     "xss": "^1.0.3"
   },
   "resolutions": {
@@ -133,7 +130,7 @@
       "url": "https://shivering-isles.com"
     },
     {
-      "name":"David Mehren",
+      "name": "David Mehren",
       "email": "hedgedoc@herrmehren.de"
     }
   ],
@@ -142,6 +139,7 @@
     "url": "https://github.com/hedgedoc/hedgedoc.git"
   },
   "devDependencies": {
+    "abcjs": "5.12.0",
     "babel-cli": "6.26.0",
     "babel-core": "6.26.3",
     "babel-loader": "7.1.5",
@@ -153,30 +151,31 @@
     "bootstrap-validator": "0.11.9",
     "codemirror": "git+https://github.com/hedgedoc/CodeMirror.git",
     "copy-webpack-plugin": "6.4.1",
-    "css-loader": "5.2.4",
+    "css-loader": "5.2.7",
     "emojify.js": "1.1.0",
-    "esbuild-loader": "2.13.0",
+    "esbuild-loader": "2.15.1",
     "escape-html": "1.0.3",
-    "eslint": "7.26.0",
-    "eslint-config-standard": "16.0.2",
-    "eslint-plugin-import": "2.22.1",
+    "eslint": "7.32.0",
+    "eslint-config-standard": "16.0.3",
+    "eslint-plugin-import": "2.24.2",
     "eslint-plugin-node": "11.1.0",
     "eslint-plugin-promise": "5.1.0",
     "eslint-plugin-standard": "4.1.0",
+    "exports-loader": "1.1.1",
     "expose-loader": "1.0.3",
     "file-loader": "6.2.0",
     "file-saver": "2.0.5",
     "flowchart.js": "1.15.0",
-    "fork-awesome": "1.1.7",
+    "fork-awesome": "1.2.0",
     "gist-embed": "2.6.0",
-    "highlight.js": "10.7.2",
+    "highlight.js": "10.7.3",
     "html-webpack-plugin": "4.5.2",
     "imports-loader": "1.2.0",
     "ionicons": "2.0.1",
     "jquery": "3.6.0",
     "jquery-mousewheel": "3.1.13",
     "jquery-ui": "1.12.1",
-    "js-cookie": "2.2.1",
+    "js-cookie": "3.0.1",
     "js-sequence-diagrams": "git+https://github.com/hedgedoc/js-sequence-diagrams.git",
     "js-yaml": "3.14.1",
     "jsonlint": "1.6.3",
@@ -185,29 +184,28 @@
     "less-loader": "7.3.0",
     "list.js": "2.3.1",
     "mathjax": "2.7.9",
-    "mermaid": "8.10.1",
-    "mini-css-extract-plugin": "1.6.0",
-    "mocha": "8.4.0",
+    "mermaid": "8.12.1",
+    "mini-css-extract-plugin": "1.6.2",
+    "mocha": "9.1.1",
     "mock-require": "3.0.3",
-    "optimize-css-assets-webpack-plugin": "5.0.4",
-    "prismjs": "1.23.0",
+    "optimize-css-assets-webpack-plugin": "6.0.1",
+    "prismjs": "1.24.1",
     "raphael": "2.3.0",
-    "remark-cli": "9.0.0",
-    "remark-preset-lint-markdown-style-guide": "4.0.0",
+    "remark-cli": "10.0.0",
+    "remark-preset-lint-markdown-style-guide": "5.0.1",
     "reveal.js": "3.9.2",
-    "script-loader": "0.7.2",
     "select2": "3.5.2-browserify",
     "socket.io-client": "2.4.0",
-    "spin.js": "4.1.0",
+    "spin.js": "4.1.1",
     "string-loader": "0.0.1",
-    "turndown": "7.0.0",
+    "turndown": "7.1.1",
     "url-loader": "4.1.1",
     "velocity-animate": "1.5.2",
     "visibilityjs": "2.0.2",
     "viz.js": "1.8.2",
     "webpack": "4.46.0",
-    "webpack-cli": "4.7.0",
-    "webpack-merge": "5.7.3",
+    "webpack-cli": "4.8.0",
+    "webpack-merge": "5.8.0",
     "wurl": "2.5.4"
   },
   "optionalDependencies": {