[stable31] Fix npm audit #2318

nextcloud-command · 2025-04-27T03:37:34Z

Audit report

This audit fix resolves 11 of the total 17 vulnerabilities found in your project.

Updated dependencies

@nextcloud/dialogs
@nextcloud/l10n
@nextcloud/moment
@nextcloud/vite-config
@vitejs/plugin-vue2
esbuild
node-gettext
rollup-plugin-esbuild-minify
vue
vue-resize
vue-template-compiler

Fixed vulnerabilities

@nextcloud/dialogs #

Caused by vulnerable dependency:
Affected versions: >=4.2.0-beta.1
Package usage:
- node_modules/@nextcloud/dialogs

@nextcloud/l10n #

Caused by vulnerable dependency:
- node-gettext
Affected versions: 1.1.0 - 3.1.0
Package usage:
- node_modules/@nextcloud/l10n

@nextcloud/moment #

Caused by vulnerable dependency:
- @nextcloud/l10n
- node-gettext
Affected versions: >=1.1.1
Package usage:
- node_modules/@nextcloud/moment

@nextcloud/vite-config #

Caused by vulnerable dependency:
- @vitejs/plugin-vue2
Affected versions: <=1.5.3
Package usage:
- node_modules/@nextcloud/vite-config

@vitejs/plugin-vue2 #

Caused by vulnerable dependency:
- vue
Affected versions: *
Package usage:
- node_modules/@vitejs/plugin-vue2

esbuild #

esbuild enables any website to send any requests to the development server and read the response
Severity: moderate (CVSS 5.3)
Reference: GHSA-67mh-4wv8-2f99
Affected versions: <=0.24.2
Package usage:
- node_modules/esbuild

node-gettext #

node-gettext vulnerable to Prototype Pollution
Severity: high (CVSS 5.9)
Reference: GHSA-g974-hxvm-x689
Affected versions: *
Package usage:
- node_modules/node-gettext

rollup-plugin-esbuild-minify #

Caused by vulnerable dependency:
- esbuild
Affected versions: <=1.2.0
Package usage:
- node_modules/rollup-plugin-esbuild-minify

vue #

ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Severity: low (CVSS 3.7)
Reference: GHSA-5j4c-8p2g-v4jx
Affected versions: 2.0.0-alpha.1 - 2.7.16
Package usage:
- node_modules/vue

vue-resize #

Caused by vulnerable dependency:
- vue
Affected versions: 0.4.0 - 1.0.1
Package usage:
- node_modules/vue-resize

vue-template-compiler #

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
Severity: moderate (CVSS 4.2)
Reference: GHSA-g3ch-rx76-35fx
Affected versions: >=2.0.0
Package usage:
- node_modules/vue-template-compiler

Signed-off-by: GitHub <noreply@github.com>

fix(deps): Fix npm audit

7a7f613

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command requested a review from nickvergessen as a code owner April 27, 2025 03:37

nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Apr 27, 2025

Antreesy approved these changes Apr 28, 2025

View reviewed changes

Antreesy merged commit dec7524 into stable31 Apr 28, 2025
41 checks passed

Antreesy deleted the automated/noid/stable31-fix-npm-audit branch April 28, 2025 07:44

blizzz mentioned this pull request May 5, 2025

31.0.5 RC1 nextcloud/server#52638

Merged

10 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[stable31] Fix npm audit #2318

[stable31] Fix npm audit #2318

Uh oh!

nextcloud-command commented Apr 27, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

[stable31] Fix npm audit #2318

[stable31] Fix npm audit #2318

Uh oh!

Conversation

nextcloud-command commented Apr 27, 2025

Audit report

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

@nextcloud/l10n #

@nextcloud/moment #

@nextcloud/vite-config #

@vitejs/plugin-vue2 #

esbuild #

node-gettext #

rollup-plugin-esbuild-minify #

vue #

vue-resize #

vue-template-compiler #

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants