Skip to content

[stable31] Fix npm audit #50840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 21, 2025
Merged

[stable31] Fix npm audit #50840

merged 1 commit into from
Mar 21, 2025

Conversation

@nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Feb 16, 2025
edited
Loading

Audit report

This audit fix resolves 30 of the total 41 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

  • Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/helpers

@babel/runtime #

  • Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/runtime

@chenfengyuan/vue-qrcode #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.0.2
  • Package usage:
    • node_modules/@chenfengyuan/vue-qrcode

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/password-confirmation #

@nextcloud/upload #

@nextcloud/webpack-vue-config #

@testing-library/vue #

@vitest/coverage-v8 #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.2.0-beta.2
  • Package usage:
    • node_modules/@vitest/coverage-v8

@vitest/mocker #

  • Caused by vulnerable dependency:
  • Affected versions: <=3.0.0-beta.4
  • Package usage:
    • node_modules/@vitest/mocker

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios #

  • axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
  • Severity: high
  • Reference: GHSA-jr5f-v2jv-69x6
  • Affected versions: <1.8.2
  • Package usage:
    • node_modules/axios

elliptic #

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

esbuild #

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild
    • node_modules/tsx/node_modules/esbuild

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

select2 #

  • Improper Neutralization of Input During Web Page Generation in Select2
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rf66-hmqf-q3fc
  • Affected versions: <4.0.6
  • Package usage:
    • node_modules/select2

tsx #

  • Caused by vulnerable dependency:
  • Affected versions: 3.13.0 - 4.19.2
  • Package usage:
    • node_modules/tsx

v-tooltip #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-beta.1 - 4.0.0-beta.0
  • Package usage:
    • node_modules/v-tooltip

vite #

  • Caused by vulnerable dependency:
  • Affected versions: 0.11.0 - 6.1.1
  • Package usage:
    • node_modules/vite

vite-node #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.2.0-beta.2
  • Package usage:
    • node_modules/vite-node

vitest #

  • Caused by vulnerable dependency:
  • Affected versions: 0.0.1 - 0.0.12 || 0.0.29 - 0.0.122 || 0.3.3 - 3.0.0-beta.4
  • Package usage:
    • node_modules/vitest

vue-infinite-loading #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-rc.1 - 2.4.5
  • Package usage:
    • node_modules/vue-infinite-loading

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@solracsf solracsf added this to the Nextcloud 31 milestone Feb 16, 2025
@Altahrim Altahrim mentioned this pull request Feb 20, 2025
Merged
5 tasks
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 004b03c to f3e4fd0 Compare February 23, 2025 02:48
@blizzz blizzz mentioned this pull request Feb 24, 2025
Merged
@blizzz blizzz modified the milestones: Nextcloud 31, Nextcloud 31.0.1 Feb 24, 2025
@blizzz blizzz mentioned this pull request Feb 24, 2025
Merged
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from f3e4fd0 to 3f32768 Compare March 2, 2025 02:51
@blizzz blizzz mentioned this pull request Mar 4, 2025
Merged
3 tasks
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 3f32768 to 24c44af Compare March 4, 2025 20:55
@AndyScherzinger AndyScherzinger requested a review from susnux March 4, 2025 21:05
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 4bc5dfe to 25516e5 Compare March 5, 2025 20:49
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 25516e5 to 4774b57 Compare March 9, 2025 02:49
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 4774b57 to fb686ef Compare March 16, 2025 02:53
@Altahrim Altahrim mentioned this pull request Mar 18, 2025
Merged
20 tasks
@blizzz blizzz mentioned this pull request Mar 19, 2025
Merged
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from fb686ef to c6004ac Compare March 19, 2025 22:01
@nextcloud-command
fix(deps): Fix npm audit
0fdf24c 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from c6004ac to 0fdf24c Compare March 21, 2025 17:48
@AndyScherzinger AndyScherzinger merged commit 6a86a38 into stable31 Mar 21, 2025
128 of 130 checks passed
@AndyScherzinger AndyScherzinger deleted the automated/noid/stable31-fix-npm-audit branch March 21, 2025 20:15
@Altahrim Altahrim mentioned this pull request Apr 3, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AndyScherzinger AndyScherzinger AndyScherzinger approved these changes

@susnux susnux Awaiting requested review from susnux

Assignees

No one assigned

Labels

3. to review Waiting for reviews dependencies

Projects

None yet

Milestone

Nextcloud 31.0.3

Development

Successfully merging this pull request may close these issues.

5 participants

@nextcloud-command @AndyScherzinger @blizzz @solracsf