dependabot[bot] d75df039bd
build(deps): bump ws from 8.16.0 to 8.17.1 in the npm_and_yarn group across 1 directory (#3984)
Bumps the npm_and_yarn group with 1 update in the / directory:
[ws](https://github.com/websockets/ws).

Updates `ws` from 8.16.0 to 8.17.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/websockets/ws/releases">ws's
releases</a>.</em></p>
<blockquote>
<h2>8.17.1</h2>
<h1>Bug fixes</h1>
<ul>
<li>Fixed a DoS vulnerability (<a
href="https://redirect.github.com/websockets/ws/issues/2231">#2231</a>).</li>
</ul>
<p>A request with a number of headers exceeding the
<code>server.maxHeadersCount</code>
threshold could be used to crash a ws server.</p>
<pre lang="js"><code>const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars =
    &quot;!#$%&amp;'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~&quot;.split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i &lt; chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j &lt; chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
</code></pre>
<p>The vulnerability was reported by <a
href="https://github.com/rrlapointe">Ryan LaPointe</a> in <a
href="https://redirect.github.com/websockets/ws/issues/2230">websockets/ws#2230</a>.</p>
<p>In vulnerable versions of ws, the issue can be mitigated in the
following ways:</p>
<ol>
<li>Reduce the maximum allowed length of the request headers using the
<code>--max-http-header-size=size</code> and/or the
<code>maxHeaderSize</code> options so
that no more headers than the <code>server.maxHeadersCount</code> limit
can be sent.</li>
</ol>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3c56601092"><code>3c56601</code></a>
[dist] 8.17.1</li>
<li><a
href="e55e5106f1"><code>e55e510</code></a>
[security] Fix crash when the Upgrade header cannot be read (<a
href="https://redirect.github.com/websockets/ws/issues/2231">#2231</a>)</li>
<li><a
href="6a00029edd"><code>6a00029</code></a>
[test] Increase code coverage</li>
<li><a
href="ddfe4a804d"><code>ddfe4a8</code></a>
[perf] Reduce the amount of <code>crypto.randomFillSync()</code>
calls</li>
<li><a
href="b73b11828d"><code>b73b118</code></a>
[dist] 8.17.0</li>
<li><a
href="29694a5905"><code>29694a5</code></a>
[test] Use the <code>highWaterMark</code> variable</li>
<li><a
href="934c9d6b93"><code>934c9d6</code></a>
[ci] Test on node 22</li>
<li><a
href="1817bac06e"><code>1817bac</code></a>
[ci] Do not test on node 21</li>
<li><a
href="96c9b3dedd"><code>96c9b3d</code></a>
[major] Flip the default value of <code>allowSynchronousEvents</code>
(<a
href="https://redirect.github.com/websockets/ws/issues/2221">#2221</a>)</li>
<li><a
href="e5f32c7e1e"><code>e5f32c7</code></a>
[fix] Emit at most one event per event loop iteration (<a
href="https://redirect.github.com/websockets/ws/issues/2218">#2218</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/websockets/ws/compare/8.16.0...8.17.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ws&package-manager=npm_and_yarn&previous-version=8.16.0&new-version=8.17.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-20 13:05:55 +00:00
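
Added example, not code from ws, Node.js or tldraw: a check of whether a given `maxHeaderSize` satisfies the mitigation quoted in the release notes above, next to an unguarded and a guarded read of the `Upgrade` header. The 4-byte minimum header line, the model of headers past the limit not reaching the handler, and all function names are assumptions made for this illustration.

```javascript
'use strict';
// Added illustration: not code from ws, Node.js or tldraw.

// Assumption: the shortest header line a client can send is "a:\r\n".
const MIN_HEADER_LINE_BYTES = 4;

// Upper bound on the number of header lines that fit in maxHeaderSize bytes.
function maxHeadersThatFit(maxHeaderSize) {
  return Math.floor(maxHeaderSize / MIN_HEADER_LINE_BYTES);
}

// Mitigation check from the release notes: the size cap must make it
// impossible to send more headers than server.maxHeadersCount.
function sizeCapMitigates(maxHeaderSize, maxHeadersCount) {
  return maxHeadersThatFit(maxHeaderSize) <= maxHeadersCount;
}

// Model (assumption) of the failure condition: only the first
// maxHeadersCount header pairs reach the handler, names lower-cased.
function visibleHeaders(pairs, maxHeadersCount) {
  const headers = {};
  for (const [name, value] of pairs.slice(0, maxHeadersCount)) {
    headers[name.toLowerCase()] = value;
  }
  return headers;
}

// Unguarded read: throws TypeError when the Upgrade header is absent.
function isUpgradeUnguarded(headers) {
  return headers.upgrade.toLowerCase() === 'websocket';
}

// Guarded read: a missing or non-string value is an ordinary rejection.
function isUpgradeGuarded(headers) {
  const upgrade = headers.upgrade;
  return typeof upgrade === 'string' && upgrade.toLowerCase() === 'websocket';
}

// Constructed sample: three filler headers, then the handshake headers.
const samplePairs = [
  ['aa', 'x'], ['ab', 'x'], ['ac', 'x'],
  ['Connection', 'Upgrade'], ['Upgrade', 'websocket'],
];
```

With Node's documented defaults (a 16 KiB header size limit and `server.maxHeadersCount` of 2000), `sizeCapMitigates(16 * 1024, 2000)` is false, so the defaults alone do not meet the condition the mitigation describes.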
.github Add a new environment for publishing (#3981) 2024-06-18 18:01:41 +00:00
.husky Don't check api.json files into git (#3565) 2024-04-24 15:58:26 +00:00
.yarn/patches Fix markdown list rendering on docs site (#3813) 2024-05-23 13:00:22 +00:00
apps lod: dont transform SVGs (#3972) 2024-06-18 12:57:44 +00:00
assets theme: rename color scheme to theme (#3991) 2024-06-20 10:04:47 +00:00
config Generated docs cleanup (#3935) 2024-06-13 16:04:12 +00:00
packages theme: rename color scheme to theme (#3991) 2024-06-20 10:04:47 +00:00
scripts Fix vs code publishing (#3976) 2024-06-18 14:29:35 +00:00
templates Bump the npm_and_yarn group across 3 directories with 4 updates (#3920) 2024-06-11 13:33:44 +00:00
.dockerignore unbrivate, dot com in (#2475) 2024-01-16 14:38:05 +00:00
.eslintignore use native structuredClone on node, cloudflare workers, and in tests (#3166) 2024-03-18 17:16:09 +00:00
.eslintplugin.js transfer-out: transfer out 2023-04-25 12:01:25 +01:00
.eslintrc.js Better generated docs for react components (#3930) 2024-06-13 13:09:27 +00:00
.gitignore Don't check api.json files into git (#3565) 2024-04-24 15:58:26 +00:00
.ignore [dx] Allow vscode to search inside md files by default (#3105) 2024-03-11 14:08:04 +00:00
.prettierignore tooling: prettier ignore pr template (#3210) 2024-03-20 09:56:38 +00:00
.prettierrc Unbiome (#2776) 2024-02-07 16:02:22 +00:00
.yarnrc.yml [dx] Allow vscode to search inside md files by default (#3105) 2024-03-11 14:08:04 +00:00
CHANGELOG.md Update CHANGELOG.md [skip ci] 2024-06-11 12:53:15 +00:00
CLA.md Change licenses to tldraw (#2167) 2023-12-19 10:41:01 +00:00
CODE_OF_CONDUCT.md transfer-out: transfer out 2023-04-25 12:01:25 +01:00
CONTRIBUTING.md dev: swap yarn test and test-dev for better dx (#2773) 2024-02-14 16:05:59 +00:00
lazy.config.ts Don't check api.json files into git (#3565) 2024-04-24 15:58:26 +00:00
lerna.json Better generated docs for react components (#3930) 2024-06-13 13:09:27 +00:00
LICENSE.md Change licenses to tldraw (#2167) 2023-12-19 10:41:01 +00:00
package.json Move from unpkg to our own cdn. (#3923) 2024-06-17 13:13:46 +00:00
README.md Update README.md (#3818) 2024-05-23 09:27:40 +00:00
RELEASES.md css more shapes that need transparent behavior (#3497) 2024-04-16 15:19:30 +00:00
TRADEMARKS.md Change licenses to tldraw (#2167) 2023-12-19 10:41:01 +00:00
tsdoc.json Better generated docs for react components (#3930) 2024-06-13 13:09:27 +00:00
yarn.config.cjs Bump Yarn to 4.0.2 and add version constraints (#2481) 2024-01-18 11:09:17 +00:00
yarn.lock build(deps): bump ws from 8.16.0 to 8.17.1 in the npm_and_yarn group across 1 directory (#3984) 2024-06-20 13:05:55 +00:00

tldraw

Welcome to the public monorepo for tldraw. tldraw is a library for creating infinite canvas experiences in React. It's the software behind the digital whiteboard tldraw.com.

🤵 Interested in purchasing a commercial license for the tldraw SDK? Fill out this form.

Installation

npm i tldraw

Usage

import { Tldraw } from 'tldraw'
import 'tldraw/tldraw.css'

export default function App() {
	return (
		<div style={{ position: 'fixed', inset: 0 }}>
			<Tldraw />
		</div>
	)
}

Learn more at tldraw.dev.

Local development

The local development server will run our examples app. The basic example will show any changes you've made to the codebase.

To run the local development server, first clone this repo.

Enable corepack to make sure you have the right version of yarn:

corepack enable

Install dependencies:

yarn

Start the local development server:

yarn dev

Open the example project at localhost:5420.

License

The tldraw source code and its distributions are provided under the tldraw license. This license does not permit commercial use. To purchase a commercial license or learn more, please fill out this form.

Trademarks

Copyright (c) 2023-present tldraw Inc. The tldraw name and logo are trademarks of tldraw. Please see our trademark guidelines for info on acceptable usage.

Contact

Find us on Twitter/X at @tldraw.

Community

Have questions, comments or feedback? Join our discord or start a discussion. For the latest news and release notes, check out our Substack.

Contribution

Please see our contributing guide. Found a bug? Please submit an issue.
