Skip to content

[stable29] Fix npm audit #1598

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 15, 2025
Merged

[stable29] Fix npm audit #1598

merged 1 commit into from
Apr 15, 2025

Conversation

@nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Apr 6, 2025
edited
Loading

Audit report

This audit fix resolves 11 of the total 18 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/vite-config #

@vitejs/plugin-vue2 #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

esbuild #

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild
    • node_modules/vite/node_modules/esbuild

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

rollup-plugin-esbuild-minify #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/rollup-plugin-esbuild-minify

vite #

  • Vite has a server.fs.deny bypassed for inline and raw with ?import query
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-4r4m-qw57-chr8
  • Affected versions: 0.11.0 - 6.1.5
  • Package usage:
    • node_modules/vite

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Apr 6, 2025
@nextcloud-command
fix(deps): Fix npm audit
f1801e7 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2680483 to f1801e7 Compare April 13, 2025 04:25
Antreesy
Antreesy approved these changes Apr 15, 2025
View reviewed changes
Copy link
Collaborator

@Antreesy Antreesy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested

@Antreesy Antreesy merged commit 7b8e49c into stable29 Apr 15, 2025
31 checks passed
@Antreesy Antreesy deleted the automated/noid/stable29-fix-npm-audit branch April 15, 2025 07:21
This was referenced Apr 15, 2025
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Antreesy Antreesy Antreesy approved these changes

Assignees

No one assigned

Labels

3. to review dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nextcloud-command @Antreesy