[next] Fix npm audit

[nextcloud-command]

Audit report

This audit fix resolves 40 of the total 46 vulnerabilities found in your project.

Updated dependencies

• @playwright/experimental-ct-core
• @playwright/experimental-ct-vue
• @vitejs/plugin-vue
• anymatch
• bonjour
• braces
• chokidar
• copy-webpack-plugin
• css-loader
• dns-packet
• elliptic
• esbuild
• http-proxy-middleware
• icss-utils
• ip
• markdown-to-jsx
• micromatch
• multicast-dns
• node-forge
• postcss
• postcss-modules-extract-imports
• postcss-modules-local-by-default
• postcss-modules-scope
• postcss-modules-values
• react-styleguidist
• readdirp
• selfsigned
• serialize-javascript
• terser-webpack-plugin
• vite
• vite-plugin-css-injected-by-js
• vite-plugin-node-polyfills
• vue-inbrowser-compiler
• vue-inbrowser-compiler-demi
• vue-inbrowser-compiler-utils
• vue-inbrowser-prismjs-highlighter
• vue-styleguidist
• vue-template-compiler
• webpack-dev-middleware
• webpack-dev-server

Fixed vulnerabilities

@playwright/experimental-ct-core #

• Caused by vulnerable dependency:
  • vite
• Affected versions: *
• Package usage:
  • node_modules/@playwright/experimental-ct-core

@playwright/experimental-ct-vue #

• Caused by vulnerable dependency:
  • @playwright/experimental-ct-core
  • @vitejs/plugin-vue
• Affected versions: >=0.0.6
• Package usage:
  • node_modules/@playwright/experimental-ct-vue

@vitejs/plugin-vue #

• Caused by vulnerable dependency:
  • vite
• Affected versions: >=1.8.0
• Package usage:
  • node_modules/@vitejs/plugin-vue

anymatch #

• Caused by vulnerable dependency:
  • micromatch
• Affected versions: 1.2.0 - 2.0.0
• Package usage:
  • node_modules/vue-styleguidist/node_modules/anymatch

bonjour #

• Caused by vulnerable dependency:
  • multicast-dns
• Affected versions: >=3.3.1
• Package usage:
  • node_modules/bonjour

braces #

• Uncontrolled resource consumption in braces
• Severity: high (CVSS 7.5)
• Reference: GHSA-grv7-fg5c-xmjg
• Affected versions: <3.0.3
• Package usage:
  • node_modules/vue-styleguidist/node_modules/braces

chokidar #

• Caused by vulnerable dependency:
  • anymatch
  • braces
  • readdirp
• Affected versions: 1.3.0 - 2.1.8
• Package usage:
  • node_modules/vue-styleguidist/node_modules/chokidar

copy-webpack-plugin #

• Caused by vulnerable dependency:
  • serialize-javascript
• Affected versions: 4.3.0 - 9.0.0
• Package usage:
  • node_modules/copy-webpack-plugin
  • node_modules/vue-styleguidist/node_modules/react-styleguidist/node_modules/copy-webpack-plugin

css-loader #

• Caused by vulnerable dependency:
  • icss-utils
  • postcss
  • postcss-modules-extract-imports
  • postcss-modules-local-by-default
  • postcss-modules-scope
  • postcss-modules-values
• Affected versions: 0.15.0 - 4.3.0
• Package usage:
  • node_modules/vue-styleguidist/node_modules/css-loader

dns-packet #

• Caused by vulnerable dependency:
  • ip
• Affected versions: <=5.2.4
• Package usage:
  • node_modules/bonjour/node_modules/dns-packet

elliptic #

• Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
• Severity: critical 🚨
• Reference: GHSA-vjh7-7g9h-fjfh
• Affected versions: <=6.6.0
• Package usage:
  • node_modules/elliptic

esbuild #

• esbuild enables any website to send any requests to the development server and read the response
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-67mh-4wv8-2f99
• Affected versions: <=0.24.2
• Package usage:
  • node_modules/@playwright/experimental-ct-core/node_modules/esbuild
  • node_modules/esbuild

http-proxy-middleware #

• Denial of service in http-proxy-middleware
• Severity: high (CVSS 7.5)
• Reference: GHSA-c7qv-q95q-8v27
• Affected versions: <=2.0.7-beta.1
• Package usage:
  • node_modules/vue-styleguidist/node_modules/http-proxy-middleware

icss-utils #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=4.1.1
• Package usage:
  • node_modules/vue-styleguidist/node_modules/icss-utils

ip #

• ip SSRF improper categorization in isPublic
• Severity: high (CVSS 8.1)
• Reference: GHSA-2p57-rm9w-gvfp
• Affected versions: *
• Package usage:
  • node_modules/ip

markdown-to-jsx #

• Cross site scripting in markdown-to-jsx
• Severity: moderate (CVSS 6.1)
• Reference: GHSA-4wx3-54gh-9fr9
• Affected versions: <7.4.0
• Package usage:
  • node_modules/markdown-to-jsx

micromatch #

• Regular Expression Denial of Service (ReDoS) in micromatch
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-952p-6rrq-rcjv
• Affected versions: <=4.0.7
• Package usage:
  • node_modules/vue-styleguidist/node_modules/micromatch

multicast-dns #

• Caused by vulnerable dependency:
  • dns-packet
• Affected versions: 6.0.0 - 7.2.2
• Package usage:
  • node_modules/bonjour/node_modules/multicast-dns

node-forge #

• Prototype Pollution in node-forge debug API.
• Severity: low
• Reference: GHSA-5rrq-pxf6-6jx5
• Affected versions: <=1.2.1
• Package usage:
  • node_modules/vue-styleguidist/node_modules/node-forge

postcss #

• PostCSS line return parsing error
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-7fh5-64p2-3v2j
• Affected versions: <8.4.31
• Package usage:
  • node_modules/vue-styleguidist/node_modules/postcss

postcss-modules-extract-imports #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=2.0.0
• Package usage:
  • node_modules/vue-styleguidist/node_modules/postcss-modules-extract-imports

postcss-modules-local-by-default #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=3.0.3
• Package usage:
  • node_modules/vue-styleguidist/node_modules/postcss-modules-local-by-default

postcss-modules-scope #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=2.2.0
• Package usage:
  • node_modules/vue-styleguidist/node_modules/postcss-modules-scope

postcss-modules-values #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=3.0.0
• Package usage:
  • node_modules/vue-styleguidist/node_modules/postcss-modules-values

react-styleguidist #

• Caused by vulnerable dependency:
  • copy-webpack-plugin
  • markdown-to-jsx
  • terser-webpack-plugin
  • webpack-dev-server
• Affected versions: >=5.0.0-beta.9
• Package usage:
  • node_modules/vue-styleguidist/node_modules/react-styleguidist

readdirp #

• Caused by vulnerable dependency:
  • micromatch
• Affected versions: 2.2.0 - 2.2.1
• Package usage:
  • node_modules/vue-styleguidist/node_modules/readdirp

selfsigned #

• Caused by vulnerable dependency:
  • node-forge
• Affected versions: 1.1.1 - 1.10.14
• Package usage:
  • node_modules/vue-styleguidist/node_modules/selfsigned

serialize-javascript #

• Cross-site Scripting (XSS) in serialize-javascript
• Severity: moderate (CVSS 5.4)
• Reference: GHSA-76p7-773f-r4q5
• Affected versions: <6.0.2
• Package usage:
  • node_modules/serialize-javascript
  • node_modules/terser-webpack-plugin/node_modules/serialize-javascript
  • node_modules/vue-styleguidist/node_modules/serialize-javascript

terser-webpack-plugin #

• Caused by vulnerable dependency:
  • serialize-javascript
• Affected versions: <=5.1.3
• Package usage:
  • node_modules/terser-webpack-plugin

vite #

• Caused by vulnerable dependency:
  • esbuild
• Affected versions: 0.11.0 - 6.1.1
• Package usage:
  • node_modules/@playwright/experimental-ct-core/node_modules/vite
  • node_modules/vite

vite-plugin-css-injected-by-js #

• Caused by vulnerable dependency:
  • vite
• Affected versions: *
• Package usage:
  • node_modules/vite-plugin-css-injected-by-js

vite-plugin-node-polyfills #

• Caused by vulnerable dependency:
  • vite
• Affected versions: >=0.3.2
• Package usage:
  • node_modules/vite-plugin-node-polyfills

vue-inbrowser-compiler #

• Caused by vulnerable dependency:
  • vue-inbrowser-compiler-utils
• Affected versions: >=4.50.0
• Package usage:
  • node_modules/vue-inbrowser-compiler

vue-inbrowser-compiler-demi #

• Caused by vulnerable dependency:
  • vue-template-compiler
• Affected versions: >=4.50.0
• Package usage:
  • node_modules/vue-inbrowser-compiler-demi

vue-inbrowser-compiler-utils #

• Caused by vulnerable dependency:
  • vue-inbrowser-compiler-demi
• Affected versions: >=4.50.0
• Package usage:
  • node_modules/vue-inbrowser-compiler-utils

vue-inbrowser-prismjs-highlighter #

• Caused by vulnerable dependency:
  • vue-inbrowser-compiler-utils
• Affected versions: *
• Package usage:
  • node_modules/vue-inbrowser-prismjs-highlighter

vue-styleguidist #

• Caused by vulnerable dependency:
  • copy-webpack-plugin
  • css-loader
  • react-styleguidist
  • terser-webpack-plugin
  • vue-inbrowser-compiler
  • vue-inbrowser-compiler-utils
  • vue-inbrowser-prismjs-highlighter
  • vue-template-compiler
  • webpack-dev-server
• Affected versions: *
• Package usage:
  • node_modules/vue-styleguidist

vue-template-compiler #

• vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
• Severity: moderate (CVSS 4.2)
• Reference: GHSA-g3ch-rx76-35fx
• Affected versions: >=2.0.0
• Package usage:
  • node_modules/vue-template-compiler

webpack-dev-middleware #

• Path traversal in webpack-dev-middleware
• Severity: high (CVSS 7.4)
• Reference: GHSA-wr3j-pwj9-hqq6
• Affected versions: <=5.3.3
• Package usage:
  • node_modules/vue-styleguidist/node_modules/webpack-dev-middleware

webpack-dev-server #

• Caused by vulnerable dependency:
  • bonjour
  • chokidar
  • http-proxy-middleware
  • ip
  • selfsigned
  • webpack-dev-middleware
• Affected versions: <=4.7.4
• Package usage:
  • node_modules/vue-styleguidist/node_modules/webpack-dev-server