nextcloud-command (Contributor) commented Oct 27, 2024

Audit report

This audit fix resolves 16 of the total 23 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/webpack-vue-config

@vue/component-compiler-utils

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

cross-spawn

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

dompurify

  • DOMPurify allows Cross-site Scripting (XSS)
  • Severity: moderate (CVSS 4.5)
  • Reference: GHSA-vhxf-7vqr-mrjg
  • Affected versions: <3.2.4
  • Package usage:
    • node_modules/dompurify

elliptic

  • Valid ECDSA signatures erroneously rejected in Elliptic
  • Severity: low (CVSS 4.8)
  • Reference: GHSA-fc9h-whq2-v747
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

express

  • Caused by vulnerable dependency:
  • Affected versions: 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
  • Package usage:
    • node_modules/express

http-proxy-middleware

  • Denial of service in http-proxy-middleware
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-c7qv-q95q-8v27
  • Affected versions: <2.0.7
  • Package usage:
    • node_modules/http-proxy-middleware

nanoid

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

path-to-regexp

  • Unpatched path-to-regexp ReDoS in 0.1.x
  • Severity: high
  • Reference: GHSA-rhx6-c78j-4q9w
  • Affected versions: <0.1.12
  • Package usage:
    • node_modules/path-to-regexp

postcss

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

vue-loader

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from c2d97b8 to 51f1f5d on November 10, 2024 03:13
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 14a31d2 to 2217880 on November 24, 2024 03:24
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 7c19f04 to 981115a on December 8, 2024 03:37
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 3613f31 to 6ced0be on December 22, 2024 03:18
skjnldsv (Member) commented:

/compile

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 980bd1c to 272fb3c on January 5, 2025 03:09
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 933cb2d to 5e2fb65 on January 19, 2025 03:17
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 5e2fb65 to d87d8bd on January 26, 2025 03:18
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from d87d8bd to 4718c86 on February 2, 2025 03:18
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 4718c86 to ea98398 on February 9, 2025 03:19
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from ea98398 to 098d656 on February 16, 2025 03:29
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 99336d3 to 3b1e137 on March 2, 2025 03:26
nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 3b1e137 to 47e8740 on March 9, 2025 03:00
DorraJaouad force-pushed the automated/noid/stable29-fix-npm-audit branch from 9794dd2 to 6c3ffd6 on March 14, 2025 12:38
Signed-off-by: Dorra Jaouad <dorra.jaoued7@gmail.com>
DorraJaouad force-pushed the automated/noid/stable29-fix-npm-audit branch from 6c3ffd6 to 7e591c0 on March 14, 2025 12:52

DorraJaouad (Collaborator) commented:

/compile /

Signed-off-by: nextcloud-command <nextcloud-command@users.noreply.github.com>
DorraJaouad merged commit d86d33c into stable29 on Mar 14, 2025
29 checks passed
DorraJaouad deleted the automated/noid/stable29-fix-npm-audit branch on March 14, 2025 12:58
Altahrim mentioned this pull request on Mar 18, 2025