diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index dd3e5e00d6c..953f2719d3f 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -89,4 +89,7 @@ jobs:
run: npm run coverage
- name: Test coverage
- uses: coverallsapp/github-action@v2
\ No newline at end of file
+ uses: coverallsapp/github-action@v2
+
+ - name: Security Scan
+ run: npm run security-scan
\ No newline at end of file
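Review bot: The new Security Scan step at `run: npm run security-scan` leaves retire's JSON report on stdout only, so the sole record of findings is a block of JSON in the job log (the committed retirejs-output.txt shows that is several hundred lines) and nothing is kept as an artifact; retire also exits non-zero when it finds a vulnerable component, so the step becomes a hard gate with no stated severity floor. I would write the report to a file, upload it, and pass an explicit threshold through the script, as below. The job's install step is outside this hunk: `retire` is added as a devDependency in this commit, so confirm that step installs devDependencies (e.g. `npm ci` without `--omit=dev`), otherwise the step fails on a missing binary rather than on findings. The `coverallsapp/github-action@v2` line is only re-added here, but it and any upload action are better pinned to a commit SHA than to a mutable tag.
```yaml
      - name: Security Scan
        run: npm run security-scan -- --outputpath retire-report.json --severity medium

      - name: Upload retire report
        if: always()
        uses: actions/upload-artifact@v4   # pin to a commit SHA
        with:
          name: retire-report
          path: retire-report.json
```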
diff --git a/.retireignore b/.retireignore
new file mode 100644
index 00000000000..40b878db5b1
--- /dev/null
+++ b/.retireignore
@@ -0,0 +1 @@
+node_modules/
\ No newline at end of file
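Review bot: Ignoring `node_modules/` drops from the scan exactly the components this commit's own retirejs-output.txt reports — the lodash copy embedded in `node_modules/gaze/lib/helper.js` and the jquery 1.7.2 under `node_modules/mousetrap/tests/` — so after this change the CI step no longer sees third-party JavaScript shipped inside dependencies, and the committed report no longer reflects what CI runs. If the intent is to scan first-party JavaScript only and leave dependency advisories to `npm audit`, state that where a reader will find it (the workflow step or the README), e.g. `# retire scans first-party JS only; dependency advisories are covered by npm audit` next to the step. Also confirm that retire 5.x honours the plain-text `.retireignore` and not only `.retireignore.json`; if it does not, this file is a silent no-op and the scan keeps failing on the node_modules findings. The file also lacks a trailing newline.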
diff --git a/UserGuide.md b/UserGuide.md
index 9b6b21594cf..859556a5a03 100644
--- a/UserGuide.md
+++ b/UserGuide.md
@@ -363,8 +363,6 @@ Filter with no inputs to see if that causes issues.
**Why you believe the tests are sufficient**
I believe that the tests are sufficient, as knowing that bad inputs won’t cause issues through testing with NodeBB, we can focus on making sure that the functionality of the date filtering is good. These tests check to see if the backend function is getting the topics correctly by date and not getting ones unrelated, which is the primary function of the date filter button. These tests also account for new categories to make sure that each category comes with a functioning date filtering button.
----
-
## Deployed Application
-Access the live deployment at: [`http://17313-team21.s3d.cmu.edu:4567/`](http://17313-team21.s3d.cmu.edu:4567/)
\ No newline at end of file
+Access the live deployment at: [`http://17313-team21.s3d.cmu.edu:4567/`](http://17313-team21.s3d.cmu.edu:4567/)
diff --git a/install/package.json b/install/package.json
index aa946a45995..4725393dce5 100644
--- a/install/package.json
+++ b/install/package.json
@@ -14,7 +14,8 @@
"lint": "eslint --cache ./nodebb .",
"test": "nyc --reporter=html --reporter=text-summary mocha",
"coverage": "nyc report --reporter=text-lcov > ./coverage/lcov.info",
- "coveralls": "nyc report --reporter=text-lcov | coveralls && rm -r coverage"
+ "coveralls": "nyc report --reporter=text-lcov | coveralls && rm -r coverage",
+ "security-scan": "retire --path . --outputformat json"
},
"nyc": {
"exclude": [
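Review bot: The `security-scan` script emits JSON to stdout with no `--outputpath` and sets no severity floor, so in CI the report is only readable as raw JSON in the log and any finding, including retire's `low` end-of-life notices like the jquery entry in the committed output, fails the build. I would have the script write a file and set a threshold: `"security-scan": "retire --path . --outputformat json --outputpath retire-report.json --severity medium"`. The header of the committed retirejs-output.txt records the command as `retire --path . --outputformat json | jq`, which is not this script; the report should be regenerated from the committed command or not committed at all. The same script is added to the root package.json and should stay identical there.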
@@ -173,6 +174,7 @@
"mocha-lcov-reporter": "1.3.0",
"mockdate": "3.0.5",
"nyc": "17.1.0",
+ "retire": "^5.3.0",
"smtp-server": "3.13.6"
},
"optionalDependencies": {
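Review bot: `"retire": "^5.3.0"` is the only caret range in this devDependencies block; the neighbouring entries (`mocha-lcov-reporter`, `mockdate`, `nyc`, `smtp-server`) are all pinned to exact versions. A scanner's own version decides which advisories it reports and how it exits, so a floating range lets CI results change with no commit to explain them; pin it like the others, `"retire": "5.3.0"`, and move it deliberately through the lockfile. The root package.json carries the same entry and should match.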
diff --git a/package.json b/package.json
index 9b7d4959d51..fe63fba3d87 100644
--- a/package.json
+++ b/package.json
@@ -14,7 +14,8 @@
"lint": "eslint --cache ./nodebb .",
"test": "nyc --reporter=html --reporter=text-summary mocha",
"coverage": "nyc report --reporter=text-lcov > ./coverage/lcov.info",
- "coveralls": "nyc report --reporter=text-lcov | coveralls && rm -r coverage"
+ "coveralls": "nyc report --reporter=text-lcov | coveralls && rm -r coverage",
+ "security-scan": "retire --path . --outputformat json"
},
"nyc": {
"exclude": [
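Review bot: The `security-scan` script here sends retire's JSON report to stdout and gives no `--severity`, so the CI step that calls it gets a failing exit on any finding regardless of severity and keeps no file a reviewer can download. Give it an output path and an explicit floor, `"security-scan": "retire --path . --outputformat json --outputpath retire-report.json --severity medium"`, and keep install/package.json's copy identical. The committed retirejs-output.txt was produced by `retire --path . --outputformat json | jq`, not by this script, so it does not document what this command will report.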
@@ -174,6 +175,7 @@
"mocha-lcov-reporter": "1.3.0",
"mockdate": "3.0.5",
"nyc": "17.1.0",
+ "retire": "^5.3.0",
"smtp-server": "3.13.6"
},
"optionalDependencies": {
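Review bot: `"retire": "^5.3.0"` breaks the exact-version convention of this devDependencies block, where `mocha-lcov-reporter`, `mockdate`, `nyc` and `smtp-server` are all pinned. Because retire's advisory database handling and exit behaviour can change between minors, a caret range means the security gate can start failing or passing without any change in this repository; pin it, `"retire": "5.3.0"`, and upgrade it on purpose. install/package.json adds the same entry and should use the same pin.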
diff --git a/retirejs-output.txt b/retirejs-output.txt
new file mode 100644
index 00000000000..66a47adf4f3
--- /dev/null
+++ b/retirejs-output.txt
@@ -0,0 +1,293 @@
+
+> nodebb@4.4.6 security-scan
+> retire --path . --outputformat json | jq
+
+{
+ "version": "5.3.0",
+ "start": "2025-10-24T02:37:56.857Z",
+ "data": [
+ {
+ "file": "/workspaces/nodebb-fall-2025-null-terminators/node_modules/gaze/lib/helper.js",
+ "results": [
+ {
+ "version": "1.0.1",
+ "component": "lodash",
+ "detection": "filecontent",
+ "vulnerabilities": [
+ {
+ "info": [
+ "https://github.com/advisories/GHSA-fvqr-27wr-82fm",
+ "https://nvd.nist.gov/vuln/detail/CVE-2018-3721",
+ "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a",
+ "https://hackerone.com/reports/310443",
+ "https://github.com/advisories/GHSA-fvqr-27wr-82fm",
+ "https://security.netapp.com/advisory/ntap-20190919-0004/",
+ "https://www.npmjs.com/advisories/577"
+ ],
+ "below": "4.17.5",
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Prototype Pollution in lodash",
+ "CVE": [
+ "CVE-2018-3721"
+ ],
+ "githubID": "GHSA-fvqr-27wr-82fm"
+ },
+ "cwe": [
+ "CWE-471",
+ "CWE-1321"
+ ]
+ },
+ {
+ "info": [
+ "https://github.com/advisories/GHSA-4xc9-xhrj-v574",
+ "https://nvd.nist.gov/vuln/detail/CVE-2018-16487",
+ "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad",
+ "https://hackerone.com/reports/380873",
+ "https://github.com/advisories/GHSA-4xc9-xhrj-v574",
+ "https://security.netapp.com/advisory/ntap-20190919-0004/",
+ "https://www.npmjs.com/advisories/782"
+ ],
+ "below": "4.17.11",
+ "severity": "high",
+ "identifiers": {
+ "summary": "Prototype Pollution in lodash",
+ "CVE": [
+ "CVE-2018-16487"
+ ],
+ "githubID": "GHSA-4xc9-xhrj-v574"
+ },
+ "cwe": [
+ "CWE-400"
+ ]
+ },
+ {
+ "info": [
+ "https://github.com/advisories/GHSA-jf85-cpcp-j695",
+ "https://nvd.nist.gov/vuln/detail/CVE-2019-10744",
+ "https://github.com/lodash/lodash/pull/4336",
+ "https://access.redhat.com/errata/RHSA-2019:3024",
+ "https://security.netapp.com/advisory/ntap-20191004-0005/",
+ "https://snyk.io/vuln/SNYK-JS-LODASH-450202",
+ "https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS",
+ "https://www.npmjs.com/advisories/1065",
+ "https://www.oracle.com/security-alerts/cpujan2021.html",
+ "https://www.oracle.com/security-alerts/cpuoct2020.html"
+ ],
+ "below": "4.17.12",
+ "severity": "high",
+ "identifiers": {
+ "summary": "Prototype Pollution in lodash",
+ "CVE": [
+ "CVE-2019-10744"
+ ],
+ "githubID": "GHSA-jf85-cpcp-j695"
+ },
+ "cwe": [
+ "CWE-1321",
+ "CWE-20"
+ ]
+ },
+ {
+ "info": [
+ "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-23337",
+ "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
+ "https://github.com/lodash/lodash",
+ "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851",
+ "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851",
+ "https://security.netapp.com/advisory/ntap-20210312-0006/",
+ "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932",
+ "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930",
+ "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928",
+ "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931",
+ "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929",
+ "https://snyk.io/vuln/SNYK-JS-LODASH-1040724",
+ "https://www.oracle.com//security-alerts/cpujul2021.html",
+ "https://www.oracle.com/security-alerts/cpujan2022.html",
+ "https://www.oracle.com/security-alerts/cpujul2022.html",
+ "https://www.oracle.com/security-alerts/cpuoct2021.html"
+ ],
+ "below": "4.17.21",
+ "severity": "high",
+ "identifiers": {
+ "summary": "Command Injection in lodash",
+ "CVE": [
+ "CVE-2021-23337"
+ ],
+ "githubID": "GHSA-35jh-r3h4-6jhm"
+ },
+ "cwe": [
+ "CWE-77",
+ "CWE-94"
+ ]
+ }
+ ],
+ "licenses": [
+ "MIT"
+ ]
+ }
+ ]
+ },
+ {
+ "file": "/workspaces/nodebb-fall-2025-null-terminators/node_modules/mousetrap/tests/libs/jquery-1.7.2.min.js",
+ "results": [
+ {
+ "version": "1.7.2",
+ "component": "jquery",
+ "npmname": "jquery",
+ "detection": "filename",
+ "vulnerabilities": [
+ {
+ "info": [
+ "http://bugs.jquery.com/ticket/11290",
+ "http://research.insecurelabs.org/jquery/test/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2012-6708"
+ ],
+ "below": "1.9.0b1",
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Selector interpreted as HTML",
+ "CVE": [
+ "CVE-2012-6708"
+ ],
+ "bug": "11290",
+ "githubID": "GHSA-2pqj-h3vj-pqgw"
+ },
+ "cwe": [
+ "CWE-64",
+ "CWE-79"
+ ]
+ },
+ {
+ "info": [
+ "https://github.com/advisories/GHSA-q4m3-2j7h-f7xw",
+ "https://nvd.nist.gov/vuln/detail/CVE-2020-7656",
+ "https://research.insecurelabs.org/jquery/test/"
+ ],
+ "below": "1.9.0",
+ "atOrAbove": "1.2.1",
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove \"\", which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.\n\n\n## Recommendation\n\nUpgrade to version 1.9.0 or later.",
+ "CVE": [
+ "CVE-2020-7656"
+ ],
+ "githubID": "GHSA-q4m3-2j7h-f7xw"
+ },
+ "cwe": [
+ "CWE-79"
+ ]
+ },
+ {
+ "info": [
+ "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
+ "http://research.insecurelabs.org/jquery/test/",
+ "https://bugs.jquery.com/ticket/11974",
+ "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
+ "https://github.com/jquery/jquery/issues/2432",
+ "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
+ ],
+ "below": "1.12.0",
+ "atOrAbove": "1.4.0",
+ "severity": "medium",
+ "identifiers": {
+ "summary": "3rd party CORS request may execute",
+ "issue": "2432",
+ "CVE": [
+ "CVE-2015-9251"
+ ],
+ "githubID": "GHSA-rmxg-73gg-4p98"
+ },
+ "cwe": [
+ "CWE-79"
+ ]
+ },
+ {
+ "info": [
+ "https://github.com/jquery/jquery.com/issues/162"
+ ],
+ "below": "2.999.999",
+ "severity": "low",
+ "identifiers": {
+ "summary": "jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates",
+ "retid": "73",
+ "issue": "162"
+ },
+ "cwe": [
+ "CWE-1104"
+ ]
+ },
+ {
+ "info": [
+ "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
+ "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
+ "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
+ ],
+ "below": "3.4.0",
+ "atOrAbove": "1.1.4",
+ "severity": "medium",
+ "identifiers": {
+ "summary": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution",
+ "CVE": [
+ "CVE-2019-11358"
+ ],
+ "PR": "4333",
+ "githubID": "GHSA-6c3j-c64m-qhgq"
+ },
+ "cwe": [
+ "CWE-1321",
+ "CWE-79"
+ ]
+ },
+ {
+ "info": [
+ "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
+ ],
+ "below": "3.5.0",
+ "atOrAbove": "1.0.3",
+ "severity": "medium",
+ "identifiers": {
+ "summary": "passing HTML containing