[stable31] Fix npm audit #1174

nextcloud-command · 2025-03-16T03:24:12Z

Audit report

This audit fix resolves 18 of the total 18 vulnerabilities found in your project.

Updated dependencies

@babel/helpers
@babel/runtime
@linusborg/vue-simple-portal
@nextcloud/dialogs
@nextcloud/vue
@nextcloud/vue-select
@nextcloud/webpack-vue-config
@vue/component-compiler-utils
axios
floating-vue
pdfjs-dist
postcss
vue
vue-frag
vue-loader
vue-resize
vue-template-compiler
vue2-datepicker

Fixed vulnerabilities

@babel/helpers #

Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
Severity: moderate (CVSS 6.2)
Reference: GHSA-968p-4wvh-cqc8
Affected versions: <7.26.10
Package usage:
- node_modules/@babel/helpers

@babel/runtime #

Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
Severity: moderate (CVSS 6.2)
Reference: GHSA-968p-4wvh-cqc8
Affected versions: <7.26.10
Package usage:
- node_modules/@babel/runtime

@linusborg/vue-simple-portal #

Caused by vulnerable dependency:
- vue
Affected versions: *
Package usage:
- node_modules/@linusborg/vue-simple-portal

@nextcloud/dialogs #

Caused by vulnerable dependency:
Affected versions: >=4.2.0-beta.1
Package usage:
- node_modules/@nextcloud/dialogs

@nextcloud/vue #

Caused by vulnerable dependency:
Affected versions: <=8.23.1
Package usage:
- node_modules/@nextcloud/vue

@nextcloud/vue-select #

Caused by vulnerable dependency:
- vue
Affected versions: *
Package usage:
- node_modules/@nextcloud/vue-select

@nextcloud/webpack-vue-config #

Caused by vulnerable dependency:
Affected versions: *
Package usage:
- node_modules/@nextcloud/webpack-vue-config

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

axios #

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
Severity: high
Reference: GHSA-jr5f-v2jv-69x6
Affected versions: <1.8.2
Package usage:
- node_modules/axios

floating-vue #

Caused by vulnerable dependency:
- vue
- vue-resize
Affected versions: <=1.0.0-beta.19
Package usage:
- node_modules/floating-vue

pdfjs-dist #

PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Severity: high (CVSS 8.8)
Reference: GHSA-wgrm-67xf-hhpq
Affected versions: <=4.1.392
Package usage:
- node_modules/pdfjs-dist

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

vue #

ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Severity: low (CVSS 3.7)
Reference: GHSA-5j4c-8p2g-v4jx
Affected versions: 2.0.0-alpha.1 - 2.7.16
Package usage:
- node_modules/vue

vue-frag #

Caused by vulnerable dependency:
- vue
Affected versions: >=1.3.1
Package usage:
- node_modules/vue-frag

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

vue-resize #

Caused by vulnerable dependency:
- vue
Affected versions: 0.4.0 - 1.0.1
Package usage:
- node_modules/vue-resize

vue-template-compiler #

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
Severity: moderate (CVSS 4.2)
Reference: GHSA-g3ch-rx76-35fx
Affected versions: >=2.0.0
Package usage:
- node_modules/vue-template-compiler

vue2-datepicker #

Caused by vulnerable dependency:
- vue
Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
Package usage:
- node_modules/vue2-datepicker

Signed-off-by: GitHub <noreply@github.com>

danxuliu

Tested and works 👍

nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Mar 16, 2025

nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from d317468 to a7261bd Compare March 23, 2025 03:31

fix(deps): Fix npm audit

5ddec17

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from a7261bd to 5ddec17 Compare March 30, 2025 03:38

danxuliu approved these changes Apr 2, 2025

View reviewed changes

danxuliu merged commit cce0d79 into stable31 Apr 2, 2025
36 checks passed

danxuliu deleted the automated/noid/stable31-fix-npm-audit branch April 2, 2025 18:09

Altahrim mentioned this pull request Apr 3, 2025

31.0.3 RC1 nextcloud/server#51904

Merged

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[stable31] Fix npm audit #1174

[stable31] Fix npm audit #1174

Uh oh!

nextcloud-command commented Mar 16, 2025

Uh oh!

danxuliu left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

[stable31] Fix npm audit #1174

[stable31] Fix npm audit #1174

Uh oh!

Conversation

nextcloud-command commented Mar 16, 2025

Audit report

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

@babel/runtime #

@linusborg/vue-simple-portal #

@nextcloud/dialogs #

@nextcloud/vue #

@nextcloud/vue-select #

@nextcloud/webpack-vue-config #

@vue/component-compiler-utils #

axios #

floating-vue #

pdfjs-dist #

postcss #

vue #

vue-frag #

vue-loader #

vue-resize #

vue-template-compiler #

vue2-datepicker #

Uh oh!

danxuliu left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants