[CVE-2019-10744]
Vulnerable versions: < 4.17.12
Patched version: 4.17.12
Ref: https://nvd.nist.gov/vuln/detail/CVE-2019-10744
Severity: critical
Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

=======================

[GHSA-p6mc-m468-83gw]
Vulnerable versions: < 4.17.19
Patched version: 4.17.19
Ref: GHSA-p6mc-m468-83gw
Severity: low
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

The GitHub notification service noticed me that there is a vuln in one of our dependencies.

Refer to CVE-2019-8331
https://nvd.nist.gov/vuln/detail/CVE-2019-8331

Vulnerable versions: >= 4.0.0, < 4.3.1
Patched version: 4.3.1

In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute.

For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

I leave the selection of dependencies to you. If you think it shouldn't be a security vuln, then just close this issue.

The users need to edit their profile info such as first_name, last_name, email, and many more including their profile picture.

We have to make the API for this one first before making its view.

I'm not good at frontend designing, so the view looks bad. Therefore I would welcome the pull request from frontend team.
Thanks.

Related files :
https://github.com/TeaInside/Tea-Messenger-Web/blob/master/public/assets/css/chat.css
https://github.com/TeaInside/Tea-Messenger-Web/blob/master/app/Views/user/chat_end.tea.php

If you aren't an expert in backend modification you can use dummy file to prevent inhibit backend development process.
https://github.com/TeaInside/Tea-Messenger-Web/blob/master/public/dummy.html

As we could see here, the form doesn't validate that the inputs are not filled.

Why does it happen?
There are some possibilities as far as I know:

1. The sign in button type is not "submit". (The current button type is "button").
2. A related event listener does not listen to the form. It should be onsubmit event which listened to <form> tag, not an onclick event which listened to <button> tag.

Take a look here
https://github.com/TeaInside/Tea-Messenger-Web/blob/master/src/components/login/login.component.html#L45

CC: @dwzzzl

I want to update our site with the current views (https://messenger.teainside.org)

How can I deploy in production mode?
What command should I use to do it?
Do we need an npm running instance in production server?

I would prefer to static files which served with nginx instead of npm. But, if a running npm instance is needed, I don't have any objection to it, we can use the nginx proxy.

Thanks.

Maybe it's a good idea if we use CSS Preprocessors like Sass (or Less) for styling the user interface

The current views are not responsive on mobile devices. They are only good for the desktop.

Homepage view in /home path.
When the user does log in, the page should be shown first is the homepage.
What are the contents of the homepage? Not discussed yet.

Does frontend side need continuous integration like backend side?

If it does, what is the continuous integration service should we use?