[stable30] Fix npm audit #991

Merged
merged 1 commit into from
Jun 30, 2025
Merged

Conversation

@nextcloud-command nextcloud-command commented Apr 20, 2025

Audit report

This audit fix resolves 9 of the total 16 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.3.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/vite-config

  • Caused by vulnerable dependency:
  • Affected versions: <=1.5.6
  • Package usage:
    • node_modules/@nextcloud/vite-config

@vitejs/plugin-vue2

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

brace-expansion

  • brace-expansion Regular Expression Denial of Service vulnerability
  • Severity: low (CVSS 3.1)
  • Reference: GHSA-v6h2-p8h4-qcjw
  • Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
  • Package usage:
    • node_modules/@eslint/eslintrc/node_modules/brace-expansion
    • node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
    • node_modules/@microsoft/api-extractor/node_modules/brace-expansion
    • node_modules/brace-expansion
    • node_modules/eslint-plugin-import/node_modules/brace-expansion
    • node_modules/eslint-plugin-n/node_modules/brace-expansion
    • node_modules/eslint/node_modules/brace-expansion
    • node_modules/glob/node_modules/brace-expansion

esbuild

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild
    • node_modules/vite/node_modules/esbuild

pbkdf2

  • pbkdf2 silently disregards Uint8Array input, returning static keys
  • Severity: critical 🚨
  • Reference: GHSA-v62p-rq8g-8h59
  • Affected versions: <=3.1.2
  • Package usage:
    • node_modules/pbkdf2

rollup-plugin-esbuild-minify

  • Caused by vulnerable dependency:
  • Affected versions: <=1.2.0
  • Package usage:
    • node_modules/rollup-plugin-esbuild-minify

vite

  • Vite's server.fs.deny bypassed with /. for files under project root
  • Severity: moderate
  • Reference: GHSA-859w-5945-r5v3
  • Affected versions: 0.11.0 - 6.1.6
  • Package usage:
    • node_modules/vite

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Apr 20, 2025
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 644a7b0 to f3659bb May 4, 2025 03:46
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from f3659bb to 8fc8dcc May 11, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 8fc8dcc to 105b1ae May 18, 2025 03:48
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 105b1ae to e035688 May 25, 2025 03:51
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from e10f85b to 2b519ca June 8, 2025 03:46
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 2b519ca to 52c84fa June 15, 2025 03:44
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 52c84fa to bf1db5e June 29, 2025 04:00
@come-nc come-nc merged commit 4aea01e into stable30 Jun 30, 2025
23 checks passed
@come-nc come-nc deleted the automated/noid/stable30-fix-npm-audit branch June 30, 2025 10:26