pump.io

Another day, another DOMPurify security release.

DOMPurify - which pump.io uses to protect against cross-site scripting vulnerabilities - today released version 2.0.16, which per the release notes fixes "an mXSS-based bypass caused by nested forms inside MathML" in Chrome. So as we usually do, the pump.io project is publishing a release that makes 2.0.16 the minimum required DOMPurify version, to make sure everyone running pump.io gets this patch.

Per our security support policy, we're making patches available for both the current and previous stable releases:

1. pump.io 5.1.3 has been updated to pump.io 5.1.4
2. pump.io 5.0.3 has been updated to pump.io 5.0.4

All administrators should upgrade as soon as possible since these are security releases. The risk that something will break from the upgrade is extremely low since both 5.1.4 and 5.0.3 are drop-in replacements for their predecessors. If you installed pump.io 5.1 using npm - our recommended configuration - you can upgrade with:

$ npm install -g pump.io@5

If you're still running pump.io 5.0, we recommend that you take this opportunity to upgrade to pump.io 5.1 by using the above command - it's a drop-in replacement, and will require no intervention on your part. However, if you want to stick with 5.0 for now, you can install a patched version with:

$ npm install -g pump.io@5.0

On the other hand, if you have a source-based install, the above commands won't work and you will need to upgrade however you usually do. This will depend on how exactly you installed pump.io in the first place.

If you need help, or if you have questions about these security releases, the community is always happy to help.

Recently the cross-site-scripting sanitization library that pump.io uses, DOMPurify, published several security advisories for mXSS vulnerabilities affecting browsers based on the Blink rendering engine - you can find the latest one, for example, here. As we've done in the past, the pump.io project is publishing security releases to ensure that everyone is using the latest version of DOMPurify. Per our security support policy, we are providing patches for the current stable release and the previous stable release:

1. pump.io 5.1.2 has been updated to pump.io 5.1.3
2. pump.io 5.0.2 has been updated to pump.io 5.0.3

As these are security releases we encourage administrators to upgrade as soon as possible. Both 5.1.3 and 5.0.3 are drop-in replacements for their predecessors. If you have pump.io 5.1 installed via npm - our recommended configuration - you can upgrade with:

$ npm install -g pump.io@5

If you're on pump.io 5.0, we recommend that you also run the above command to upgrade to 5.1 - it's a drop-in replacement for 5.0. However, if you want to stick with 5.0 for the time being, you can install a patched version with:

$ npm install -g pump.io@5.0

Note that if you have a source-based install, the above commands won't work and you will need to upgrade however you usually do - this will depend on how exactly you have pump.io set up.

If you need help, or if you have questions about these security releases, get in touch with the community.

Recently some denial-of-service vulnerabilities were discovered in various modules that we indirectly depend on. I've bumped Express and send to pull in patched versions, and I've updated our fork of connect-auth to require a patched version of Connect, too. The remaining vulnerabilities I've confirmed don't affect us.

Because of these version bumps, I've just put out security releases which all administrators are encouraged to upgrade to as soon as possible. A semver-major release (5.0.0) was released within the past 6 months so per our security support policy this means there are three new releases:

1. pump.io 5.0.2 replaces 5.0.0 and is available now on npm
2. pump.io 4.1.3 replaces 4.1.2 and is available now on npm
3. pump.io 4.0.2 will replace 4.0.1 and is currently undergoing automated testing (it'll be on npm shortly) Update: pump.io 4.0.2 is now on npm

As these are security releases we encourage admins to upgrade as soon as possible. If you're on 5.0.0 installed via npm - our recommended configuration - you can upgrade by issuing:

$ npm install -g pump.io@5

If you're on 4.1.3, you can upgrade by issuing:

$ npm install -g pump.io@4

And when 4.0.2 is out, if you're on 4.0.1 you can upgrade by issuing:

$ npm install -g pump.io@4.0

Note though that 4.1.3 is a drop-in replacement for 4.0.2, so you should consider just upgrading to that instead. Or even better, upgrade to 5.x!

If you don't have an npm-based install, you'll have to upgrade however you normally do. How to do this will depend on your particular setup.

As always, if you need help, you should get in touch with the community. I'd also like to specifically thank Jason Self, who generously deployed a 24-hour private beta of these fixes on Datamost. One of the version bumps was ever-so-slightly risky, and being able to test things in production before rolling out patches for the entire network was invaluable. I wouldn't be as confident as I am in these releases without his help. So thanks, Jason - I really appreciate it!

Well, apparently I forgot to make a blog post announcing that pump.io 4.0.0 stable is out. Surprise! Besides the version number it's the same as 4.0 beta 5 anyway.

What is not the same as 4.0 beta 5, however, is the security releases I've just published. A semver-major release went out within the past 6 months, so per our security support policy, we've released security patches for the past three stable releases:

1. pump.io 4.0.0 has been updated to pump.io 4.0.1
2. pump.io 3.0.2 has been updated to pump.io 3.0.3
3. pump.io 2.1.1 has been updated to pump.io 2.1.2

So what exactly required these releases? Well, the library we use to prevent cross-site scripting, DOMPurify, released some security patches recently. While we could conceivably just tell pump.io users to rerun npm install -g to get the updated library, it seemed safer to issue patch releases that bumped the minimum version for DOMPurify and have people upgrade to those. This gives a 100% guarantee that pump.io users will be protected with the absolute latest DOMPurify version.

As with any security release, we encourage admins to upgrade ASAP. If you've already installed the 4.0 release via npm, that's great! That's our recommended configuration, and you'll be able to upgrade by issuing:

$ npm install -g pump.io@4

If you're still on the 3.x release series, you really should upgrade to 4.x, which contains significant work impacting security which was too big to go into a patch release (specifically, the upgrade to Express 4.x). But in the meantime, you can fix your XSS problems by running:

$ npm install -g pump.io@3

And something similar if you're on 2.1.x:

$ npm install -g pump.io@2

Though in this case it's even more urgent that you upgrade to 4.x.

Note that the above comands also assume you have an npm-based install, which we strongly recommend. If you have a source-based install, you will need to upgrade however you usually do - this will depend on how exactly you have pump.io set up.

As always, if you need help, get in touch with the community.