Juice Shop Versions

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

v14.3.1

1 year ago

๐Ÿ› Bugfixes

  • #1918: Updated file upload library to fix vulnerability against CVE-2022-24434 (kudos to @JanStorm)
  • #1909: Fixed occasional application server crash when working on Kill Chatbot challenge

๐ŸŒ I18N

  • Extended ๐Ÿ‡ธ๐Ÿ‡ช translation

v14.3.0

1 year ago

🎯 Challenges

  • Added Mass Dispel challenge to teach the use of closing multiple "Challenge solved"-notifications in one go
  • #1891: Correctly distinguish XXE Data Access challenge success conditions for Windows, Linux and MacOS systems (kudos to @StephanPillhofer)

๐Ÿ› Bugfixes

  • #1892: Fixed race condition between initializations of SQLite DB and Prometheus metrics (kudos to @matt-moses)
  • #1868: Extended hint with recommendation to use older browser version for CSRF challenge
  • #1885: Add safeguard against null pointer while checking Database Schema solution

๐ŸŒ I18N

  • Extended ๐Ÿ‡ฉ๐Ÿ‡ช and ๐Ÿ‡จ๐Ÿ‡ณ translations

v14.2.1

1 year ago

🔥 Hotfixes

  • #1876: Bypass isGitpod() check to prevent unintended disabling of dangerous challenges in any environment (workaround until https://github.com/dword-design/is-gitpod/issues/94 is resolved)

v14.2.0

1 year ago

๐Ÿƒโ€โ™‚๏ธRuntime

  • #1849: Added Gitpod installation instructions (kudos to @knut-erik)

🎯 Challenges

  • Timespan for CAPTCHA Bypass challenge has been increased from 10sec to 20sec
  • Reduced requirements for XXE Data Access challenge success check on Windows and Linux

๐Ÿณ Docker

  • #1850: latest-arm, snapshot-arm and vX.Y.Z-arm images are no longer built for linux/arm64 (โš ๏ธ)

๐ŸŒ I18N

  • Extended ๐Ÿ‡ฏ๐Ÿ‡ต, ๐Ÿ‡จ๐Ÿ‡ณ, ๐Ÿ‡ฉ๐Ÿ‡ช and ๐Ÿ‡ฎ๐Ÿ‡ฑ translations

v14.1.1

1 year ago

๐Ÿณ Docker

  • Docker images for linux/arm are now also built under Node 16.x as vX.Y.Z tags

v14.1.0

1 year ago

🎨 Frontend

  • Migrated frontend to Angular 14 and Angular Material 14

🎭 Theming

  • Added application.securityTxt.hiring property as hiring field in security.txt and as X-Recruiting HTTP header

๐Ÿณ Docker

  • #1810: Switched from alpine to distroless runtime image
  • #1810: Reduced size of compressed image from 276.02 MiB โ†’ 175.59 MiB (uncompressed: 762MB โ†’ 509MiB)

๐Ÿ› Bugfixes

  • #1755: Now waiting for all entity models to be defined before attempting to create database tables
  • #1755: Now safeguarding against race condition leading to missing tables inside Prometheus metrics update loop

🧪 Testing

  • Introduced Cypress end-to-end test framework as future full replacement for (end-of-life) Protractor
  • Partially replaced Protractor-based e2e tests with Cypress tests

v14.0.1

1 year ago

🔥 Hotfix

  • #1815: Fixed path to a core-js subcomponent in polyfills.ts

v14.0.0

2 years ago

This release brings technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

  • Added support for Node.js 18.x
  • Removed support for Node.js 12.x and 17.x and no longer provide packaged distributions for these versions (⚠️)
  • Removed unofficial support for Node.js 13.x

🎭 Customization

  • 89fd86b: Playback speed of tutorial hints can be adjusted by setting hackingInstructor.hintPlaybackSpeed property to faster/slower (±50%), fast/slow (±25%) or leaving it normal

๐Ÿ‘จโ€๐Ÿซ Hacking Instructor

  • #1785: Skippable hints will now by skipped on double-click instead of single-click to avoid accidental skipping
  • Skippable hints will now show a tooltip "Double-click to skip" when hovered over

โš™๏ธ DevOps Automation

  • Split CI/CD job test into test (for unit tests), api-test (for Frisby.js) and coverage-report (for Codeclimate merge and upload)

🧹 Technical Debt Reduction

  • #1757: All sequelize ORM models have been migrated to TypeScript (kudos to @ShubhamPalriwala)
  • b7a2edb: Cache of Refactoring Safety Net (RSN) is now stored in pretty-printed format
  • #1798: Converted insecurity.js into TypeScript (kudos to @ShubhamPalriwala)

๐Ÿ› Bugfixes

  • #1793: Fixed base path to video from frontend/src/ to frontend/dist/frontend/ as the source folder should never be referenced
  • #1786: Errors from tampering with Deluxe Membership payment are now more gracefully handled
  • #1797: Preventing likes of non-existing product reviews which previously caused a server crash
  • #1801: Vagrant box now exposes application under http://192.168.56.110 to avoid issues on MacOS and Linux with IPs not in 192.168.56.0/21 network (⚠️)

๐ŸŒ I18N

  • Extended ๐Ÿ‡ซ๐Ÿ‡ท and ๐Ÿ‡ท๐Ÿ‡บ translations

v13.3.0

2 years ago

๐Ÿ› Bugfixes

  • #1764: Introduced proper exception handling when setting username through chat bot
  • Fixed Google OAuth login for localhost:3000, localhost:4200, 127.0.0.1:3000, 127.0.0.1:4200, 192.168.99.100:3000, juice-shop.wtf and penguin.termina.linux.test:3000 by proxying via a subdomain of https://owasp-juice.shop with HTTPS
  • juice-shop/pwning-juice-shop#93: Changed password of support team in KeePass file to the actually used one
  • Configurations 7ms, addo, mozilla and oss now explicitly set expected EXIF meta data for "Retrieve Blueprint" challenge to null

๐ŸŒ Internationalization

  • Added support for ๐Ÿ‡บ๐Ÿ‡ฆ translation
  • Extended ๐Ÿ‡ฉ๐Ÿ‡ฐ, ๐Ÿ‡จ๐Ÿ‡ญ, ๐Ÿ‡ง๐Ÿ‡ท and ๐Ÿ‡ท๐Ÿ‡บ translations

v13.2.2

2 years ago

🔥 Hotfix

  • Pinned fontawesome-svg-core to version 1.2.x to avoid build errors from incompatible changes in 1.3.x