Skip to content

Commit e8d9ba8

Browse files
Base STAC Types and utils Typescript migration (#1068)
* feat: convert errors.js to typescript fix: fix issue with ava test runner not identifying the error typescript file and finding temporary workaround during migration. * feat: creating base STAC types fix: updating linter overrides fro typescript * feat: convert geo-utils and logger to typescript feat: use BBox type from geojson lib * feat: typing stac-utils fix: tweaking types based on experience in stac-utils.ts * updating changelog * pr feedback
1 parent 66a8e5a commit e8d9ba8

11 files changed

Lines changed: 609 additions & 43 deletions

File tree

.eslintrc.json

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@
2020
".js",
2121
".ts"
2222
]
23+
},
24+
"typescript": {
25+
"alwaysUseFieldTypeScript": true
2326
}
2427
},
2528
"react": {
@@ -92,7 +95,8 @@
9295
{
9396
"ignore": [
9497
"^ava$",
95-
"\\.js$"
98+
"\\.js$",
99+
"geojson"
96100
]
97101
}
98102
],
@@ -169,6 +173,15 @@
169173
"rules": {
170174
"@typescript-eslint/no-var-requires": 0
171175
}
176+
},
177+
{
178+
"files": [
179+
"*.ts"
180+
],
181+
"rules": {
182+
"no-use-before-define": "off",
183+
"@typescript-eslint/no-use-before-define": "warn" // use the TS-aware version instead
184+
}
172185
}
173186
]
174187
}

.nsprc

Lines changed: 5 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -29,39 +29,14 @@
2929
"notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
3030
"expiry": "2026-04-25"
3131
},
32-
"1114592": {
33-
"active": true,
34-
"notes": "undici is a transitive dependency of @redocly/cli, used only as a build tool to generate static API documentation. The WebSocket 64-bit length overflow vulnerability is not exploitable as we do not use undici directly or expose it to untrusted WebSocket input.",
35-
"expiry": "2026-05-17"
36-
},
37-
"1114594": {
38-
"active": true,
39-
"notes": "undici is a transitive dependency of @redocly/cli, used only as a build tool to generate static API documentation. HTTP request/response smuggling via undici is not exploitable in our usage context as @redocly/cli is never used to proxy or forward untrusted HTTP traffic.",
40-
"expiry": "2026-05-17"
41-
},
42-
"1114638": {
43-
"active": true,
44-
"notes": "undici is a transitive dependency of @redocly/cli, used only as a build tool to generate static API documentation. The WebSocket permessage-deflate unbounded memory consumption vulnerability is not exploitable as we do not use undici directly or expose it to untrusted WebSocket input.",
45-
"expiry": "2026-05-17"
46-
},
47-
"1114640": {
48-
"active": true,
49-
"notes": "undici is a transitive dependency of @redocly/cli, used only as a build tool to generate static API documentation. The WebSocket invalid server_max_window_bits unhandled exception is not exploitable as we do not use undici directly or expose it to untrusted WebSocket input.",
50-
"expiry": "2026-05-17"
51-
},
52-
"1114642": {
53-
"active": true,
54-
"notes": "undici is a transitive dependency of @redocly/cli, used only as a build tool to generate static API documentation. CRLF injection via the upgrade option is not exploitable as @redocly/cli is never used to make HTTP requests with untrusted input.",
55-
"expiry": "2026-05-17"
56-
},
57-
"1114772": {
58-
"active": true,
59-
"notes": "fast-xml-parser (CVE-2026-33036) is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. The numeric entity expansion DoS vulnerability requires an attacker to supply untrusted XML input directly to fast-xml-parser at runtime. Since @redocly/cli is never run against untrusted input in our CI or production environment, this is not exploitable. Patched in fast-xml-parser v5.5.6 — upgrade openapi-sampler when available.",
60-
"expiry": "2026-06-19"
61-
},
6232
"1114952": {
6333
"active": true,
6434
"notes": "fast-xml-parser (CVE-2026-33349) is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. The entity expansion limit bypass via JavaScript falsy evaluation of zero values requires an attacker to supply untrusted XML to an application explicitly configured with maxEntityCount:0 or maxEntitySize:0. We do not configure fast-xml-parser directly and @redocly/cli is never run against untrusted input, making this not exploitable. Patched in fast-xml-parser v5.5.7 — upgrade openapi-sampler when available.",
6535
"expiry": "2026-06-19"
36+
},
37+
"1115134": {
38+
"active": true,
39+
"notes": "fast-xml-parser is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. This incomplete fix for CVE-2026-26278 affects only applications that explicitly configure entity expansion limits to zero values. We do not configure fast-xml-parser directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
40+
"expiry": "2026-06-30"
6641
}
6742
}

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
1414
### Changed
1515

1616
- Adjusting configs to handle both typescript and javascript files for the typescript migraton ([1067](https://github.com/stac-utils/stac-server/pull/1067))
17+
- Generating base STAC types and typing simple utility files as part of an 'outside-in' approach to typescript migration ([1068](https://github.com/stac-utils/stac-server/pull/1068))
1718

1819
## [5.0.0]
1920

0 commit comments

Comments
 (0)