Conversation

@nextcloud-command (Contributor) commented Mar 30, 2025

Audit report

This audit fix resolves 12 of the total 19 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.3.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/vite-config

  • Caused by vulnerable dependency:
  • Affected versions: <=1.6.0
  • Package usage:
    • node_modules/@nextcloud/vite-config

@vitejs/plugin-vue2

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

brace-expansion

  • brace-expansion Regular Expression Denial of Service vulnerability
  • Severity: low (CVSS 3.1)
  • Reference: GHSA-v6h2-p8h4-qcjw
  • Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
  • Package usage:
    • node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
    • node_modules/@vue/language-core/node_modules/brace-expansion
    • node_modules/brace-expansion
    • node_modules/typedoc/node_modules/brace-expansion
    • node_modules/webdav/node_modules/brace-expansion

esbuild

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild

form-data

  • form-data uses unsafe random function in form-data for choosing boundary
  • Severity: critical 🚨
  • Reference: GHSA-fjxv-7rqg-78g4
  • Affected versions: 4.0.0 - 4.0.3
  • Package usage:
    • node_modules/form-data

linkifyjs

  • Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
  • Severity: high
  • Reference: GHSA-95jq-xph2-cx9h
  • Affected versions: <4.3.2
  • Package usage:
    • node_modules/linkifyjs

pbkdf2

  • pbkdf2 silently disregards Uint8Array input, returning static keys
  • Severity: critical 🚨
  • Reference: GHSA-v62p-rq8g-8h59
  • Affected versions: <=3.1.2
  • Package usage:
    • node_modules/pbkdf2

rollup-plugin-esbuild-minify

  • Caused by vulnerable dependency:
  • Affected versions: <=1.2.0
  • Package usage:
    • node_modules/rollup-plugin-esbuild-minify

sha.js

  • sha.js is missing type checks leading to hash rewind and passing on crafted data
  • Severity: critical 🚨
  • Reference: GHSA-95m3-7q98-8xr5
  • Affected versions: <=2.4.11
  • Package usage:
    • node_modules/sha.js

vite

  • Vite bypasses server.fs.deny when using ?raw??
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-x574-m823-4x7w
  • Affected versions: 6.2.0 - 6.2.6
  • Package usage:
    • node_modules/vite

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 6aa5ac4 to af92c11 on April 6, 2025 03:38
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from eb22dd7 to c01e03d on April 20, 2025 03:40
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from e40af41 to 14dddd6 on May 4, 2025 03:44
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 14dddd6 to fd6dc93 on May 11, 2025 03:43
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from fd6dc93 to d517af6 on May 18, 2025 03:47
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from d517af6 to 1236e35 on May 25, 2025 03:47
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 6c27944 to 9ea30f7 on June 8, 2025 03:44
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 9ea30f7 to 8eca601 on June 15, 2025 03:51
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 2178ff1 to 5f3d3b3 on July 6, 2025 03:52
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 5f3d3b3 to fb42274 on July 13, 2025 04:04
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from fb42274 to 43f9e71 on July 20, 2025 04:04
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 43f9e71 to dedf18f on July 27, 2025 04:08
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 06399d0 to fd33387 on August 10, 2025 04:02
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from fd33387 to af370d9 on August 17, 2025 03:45
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from af370d9 to 8db084d on August 24, 2025 03:12
@Altahrim merged commit 3422a70 into stable31 on Aug 28, 2025
42 checks passed
@Altahrim deleted the automated/noid/stable31-fix-npm-audit branch on August 28, 2025 06:45