@nextcloud-command nextcloud-command commented Mar 30, 2025

Audit report

This audit fix resolves 13 of the total 19 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.3.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/vite-config

  • Caused by vulnerable dependency:
  • Affected versions: <=1.6.0
  • Package usage:
    • node_modules/@nextcloud/vite-config

@vitejs/plugin-vue2

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

brace-expansion

  • brace-expansion Regular Expression Denial of Service vulnerability
  • Severity: low (CVSS 3.1)
  • Reference: GHSA-v6h2-p8h4-qcjw
  • Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
  • Package usage:
    • node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
    • node_modules/@vue/language-core/node_modules/brace-expansion
    • node_modules/brace-expansion
    • node_modules/typedoc/node_modules/brace-expansion
    • node_modules/webdav/node_modules/brace-expansion

esbuild

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild
    • node_modules/vite/node_modules/esbuild

form-data

  • form-data uses unsafe random function in form-data for choosing boundary
  • Severity: critical 🚨
  • Reference: GHSA-fjxv-7rqg-78g4
  • Affected versions: 4.0.0 - 4.0.3
  • Package usage:
    • node_modules/form-data

linkifyjs

  • Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
  • Severity: high
  • Reference: GHSA-95jq-xph2-cx9h
  • Affected versions: <4.3.2
  • Package usage:
    • node_modules/linkifyjs

pbkdf2

  • pbkdf2 silently disregards Uint8Array input, returning static keys
  • Severity: critical 🚨
  • Reference: GHSA-v62p-rq8g-8h59
  • Affected versions: <=3.1.2
  • Package usage:
    • node_modules/pbkdf2

rollup-plugin-esbuild-minify

  • Caused by vulnerable dependency:
  • Affected versions: <=1.2.0
  • Package usage:
    • node_modules/rollup-plugin-esbuild-minify

sha.js

  • sha.js is missing type checks leading to hash rewind and passing on crafted data
  • Severity: critical 🚨
  • Reference: GHSA-95m3-7q98-8xr5
  • Affected versions: <=2.4.11
  • Package usage:
    • node_modules/sha.js

vite

  • Vite bypasses server.fs.deny when using ?raw??
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-x574-m823-4x7w
  • Affected versions: 0.11.0 - 6.1.6
  • Package usage:
    • node_modules/vite

vue

  • ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
  • Severity: low (CVSS 3.7)
  • Reference: GHSA-5j4c-8p2g-v4jx
  • Affected versions: 2.0.0-alpha.1 - 2.7.16
  • Package usage:
    • node_modules/vue

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 5114be2 to 48ac9de on April 6, 2025 03:38
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 8a0a2fd to 3628ec6 on April 20, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from e8f7c6a to 83896c5 on May 4, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 79b25f4 to 4fc6a00 on May 18, 2025 03:35
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 4fc6a00 to 6a59e0d on May 25, 2025 03:37
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from cb37757 to 3470b9a on June 8, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 3470b9a to 26aca14 on June 15, 2025 03:47
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from e6b2188 to 0e9801f on July 6, 2025 03:53
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 0e9801f to d4c9090 on July 13, 2025 04:02
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from d4c9090 to 8e51c4f on July 20, 2025 04:05
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 8e51c4f to 7b19aa9 on July 27, 2025 04:07
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 1be38da to 14f8d64 on August 10, 2025 04:03
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 14f8d64 to 8044aba on August 17, 2025 03:46
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 8044aba to 1f7c2c4 on August 24, 2025 03:11
@Altahrim Altahrim merged commit facb3ab into stable30 Aug 28, 2025
43 checks passed
@Altahrim Altahrim deleted the automated/noid/stable30-fix-npm-audit branch August 28, 2025 06:45