[stable31] Fix npm audit

[nextcloud-command]

Audit report

This audit fix resolves 16 of the total 16 vulnerabilities found in your project.

Updated dependencies

• @linusborg/vue-simple-portal
• @nextcloud/dialogs
• @nextcloud/vue
• @nextcloud/vue-select
• @nextcloud/webpack-vue-config
• @vue/component-compiler-utils
• floating-vue
• http-proxy-middleware
• pdfjs-dist
• postcss
• vue
• vue-frag
• vue-loader
• vue-resize
• vue-template-compiler
• vue2-datepicker

Fixed vulnerabilities

@linusborg/vue-simple-portal #

• Caused by vulnerable dependency:
  • vue
• Affected versions: *
• Package usage:
  • node_modules/@linusborg/vue-simple-portal

@nextcloud/dialogs #

• Caused by vulnerable dependency:
  • @nextcloud/vue
  • vue
  • vue-frag
• Affected versions: >=4.2.0-beta.1
• Package usage:
  • node_modules/@nextcloud/dialogs

@nextcloud/vue #

• Caused by vulnerable dependency:
  • @linusborg/vue-simple-portal
  • @nextcloud/vue-select
  • floating-vue
  • vue
  • vue-frag
  • vue2-datepicker
• Affected versions: <=8.26.0
• Package usage:
  • node_modules/@nextcloud/vue

@nextcloud/vue-select #

• Caused by vulnerable dependency:
  • vue
• Affected versions: *
• Package usage:
  • node_modules/@nextcloud/vue-select

@nextcloud/webpack-vue-config #

• Caused by vulnerable dependency:
  • vue
  • vue-loader
  • vue-template-compiler
• Affected versions: <=6.2.0
• Package usage:
  • node_modules/@nextcloud/webpack-vue-config

@vue/component-compiler-utils #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: *
• Package usage:
  • node_modules/@vue/component-compiler-utils

floating-vue #

• Caused by vulnerable dependency:
  • vue
  • vue-resize
• Affected versions: <=1.0.0-beta.19
• Package usage:
  • node_modules/floating-vue

http-proxy-middleware #

• http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
• Severity: moderate (CVSS 4)
• Reference: GHSA-9gqv-wp59-fq42
• Affected versions: 1.3.0 - 2.0.8
• Package usage:
  • node_modules/http-proxy-middleware

pdfjs-dist #

• PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
• Severity: high (CVSS 8.8)
• Reference: GHSA-wgrm-67xf-hhpq
• Affected versions: <=4.1.392
• Package usage:
  • node_modules/pdfjs-dist

postcss #

• PostCSS line return parsing error
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-7fh5-64p2-3v2j
• Affected versions: <8.4.31
• Package usage:
  • node_modules/@vue/component-compiler-utils/node_modules/postcss

vue #

• ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
• Severity: low (CVSS 3.7)
• Reference: GHSA-5j4c-8p2g-v4jx
• Affected versions: 2.0.0-alpha.1 - 2.7.16
• Package usage:
  • node_modules/vue

vue-frag #

• Caused by vulnerable dependency:
  • vue
• Affected versions: >=1.3.1
• Package usage:
  • node_modules/vue-frag

vue-loader #

• Caused by vulnerable dependency:
  • @vue/component-compiler-utils
• Affected versions: 15.0.0-beta.1 - 15.11.1
• Package usage:
  • node_modules/vue-loader

vue-resize #

• Caused by vulnerable dependency:
  • vue
• Affected versions: 0.4.0 - 1.0.1
• Package usage:
  • node_modules/vue-resize

vue-template-compiler #

• vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
• Severity: moderate (CVSS 4.2)
• Reference: GHSA-g3ch-rx76-35fx
• Affected versions: >=2.0.0
• Package usage:
  • node_modules/vue-template-compiler

vue2-datepicker #

• Caused by vulnerable dependency:
  • vue
• Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
• Package usage:
  • node_modules/vue2-datepicker

[danxuliu]

Tested and works 👍

I have amended the commit to remove LICENSES/BSD-2-Clause.txt, as the REUSE Compliance check complained that it was unused (I assume that after the update the tree shaking removed the modules using that license from the built JavaScript files rather than the generation of .license files being wrong 🤷).