From 7fd6aa9dca8ccceff2bcca842f46acbf4502b6d0 Mon Sep 17 00:00:00 2001
From: Yann Danthu <yann@danthu.com>
Date: Tue, 18 Jun 2024 13:46:56 -0400
Subject: [PATCH] Bump @koa/cors to v5

- avoid a npm vulnerability using oidc-provider
---
 lib/shared/cors.js |  8 +++++++-
 package-lock.json  | 18 +++++++++---------
 package.json       |  4 ++--
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/lib/shared/cors.js b/lib/shared/cors.js
index 6d7db3e98..1bd6c71bf 100644
--- a/lib/shared/cors.js
+++ b/lib/shared/cors.js
@@ -20,7 +20,13 @@ function checkClientCORS(ctx, client) {
 }
 
 module.exports = ({ clientBased = false, ...options }) => {
-  const builtin = cors({ keepHeadersOnError: false, ...options });
+  const builtin = cors({
+    keepHeadersOnError: false,
+    origin(ctx) {
+      return ctx.get('Origin') || '*';
+    },
+    ...options,
+  });
 
   return async (ctx, next) => {
     const headers = Object.keys(ctx.response.headers);
diff --git a/package-lock.json b/package-lock.json
index dbe75deb1..229edf19b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,10 +9,10 @@
       "version": "7.14.3",
       "license": "MIT",
       "dependencies": {
-        "@koa/cors": "^3.3.0",
+        "@koa/cors": "^5.0.0",
         "cacheable-lookup": "^6.0.4",
         "debug": "^4.3.4",
-        "ejs": "^3.1.8",
+        "ejs": "^3.1.10",
         "got": "^11.8.5",
         "jose": "^4.10.3",
         "jsesc": "^3.0.2",
@@ -725,14 +725,14 @@
       }
     },
     "node_modules/@koa/cors": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/@koa/cors/-/cors-3.4.3.tgz",
-      "integrity": "sha512-WPXQUaAeAMVaLTEFpoq3T2O1C+FstkjJnDQqy95Ck1UdILajsRhu6mhJ8H2f4NFPRBoCNN+qywTJfq/gGki5mw==",
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/@koa/cors/-/cors-5.0.0.tgz",
+      "integrity": "sha512-x/iUDjcS90W69PryLDIMgFyV21YLTnG9zOpPXS7Bkt2b8AsY3zZsIpOLBkYr9fBcF3HbkKaER5hOBZLfpLgYNw==",
       "dependencies": {
         "vary": "^1.1.2"
       },
       "engines": {
-        "node": ">= 8.0.0"
+        "node": ">= 14.0.0"
       }
     },
     "node_modules/@koa/ejs": {
@@ -1799,9 +1799,9 @@
       "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="
     },
     "node_modules/ejs": {
-      "version": "3.1.8",
-      "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.8.tgz",
-      "integrity": "sha512-/sXZeMlhS0ArkfX2Aw780gJzXSMPnKjtspYZv+f3NiKLlubezAHDU5+9xz6gd3/NhG3txQCo6xlglmTS+oTGEQ==",
+      "version": "3.1.10",
+      "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz",
+      "integrity": "sha512-UeJmFfOrAQS8OJWPZ4qtgHyWExa088/MtK5UEyoJGFH67cDEXkZSviOiKRCZ4Xij0zxI3JECgYs3oKx+AizQBA==",
       "dependencies": {
         "jake": "^10.8.5"
       },
diff --git a/package.json b/package.json
index ea4e4672a..1c6418f08 100644
--- a/package.json
+++ b/package.json
@@ -55,10 +55,10 @@
     "test": "node ./test/run"
   },
   "dependencies": {
-    "@koa/cors": "^3.3.0",
+    "@koa/cors": "^5.0.0",
     "cacheable-lookup": "^6.0.4",
     "debug": "^4.3.4",
-    "ejs": "^3.1.8",
+    "ejs": "^3.1.10",
     "got": "^11.8.5",
     "jose": "^4.10.3",
     "jsesc": "^3.0.2",