
Conversation

@nextcloud-command nextcloud-command (Contributor) commented Jun 16, 2024

Audit report

This audit fix resolves 25 of the total 41 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/helpers

@babel/runtime #

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/runtime

@nextcloud/dialogs #

@nextcloud/files #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.2.1
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/typings #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0 - 1.8.0
  • Package usage:
    • node_modules/@nextcloud/typings

@testing-library/vue #

@vitest/coverage-v8 #

  • Caused by vulnerable dependency:
  • Affected versions: 1.3.0 - 1.6.0
  • Package usage:
    • node_modules/@vitest/coverage-v8

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios #

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.0.0 - 1.8.1
  • Package usage:
    • node_modules/axios

braces #

  • Uncontrolled resource consumption in braces
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-grv7-fg5c-xmjg
  • Affected versions: <3.0.3
  • Package usage:
    • node_modules/braces

cross-spawn #

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

dockerode #

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0 - 4.0.4
  • Package usage:
    • node_modules/dockerode

dompurify #

  • DOMPurify allows tampering by prototype pollution
  • Severity: high (CVSS 7)
  • Reference: GHSA-mmhx-hmjr-r674
  • Affected versions: <=3.2.3
  • Package usage:
    • node_modules/dompurify

elliptic #

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

happy-dom #

  • happy-dom allows for server side code to be executed by a <script> tag
  • Severity: critical 🚨
  • Reference: GHSA-96g7-g7g9-jxw8
  • Affected versions: <15.10.2
  • Package usage:
    • node_modules/happy-dom

micromatch #

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

nanoid #

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

rollup #

  • DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  • Severity: high (CVSS 6.4)
  • Reference: GHSA-gcx4-mw62-g8wm
  • Affected versions: 4.0.0 - 4.22.3
  • Package usage:
    • node_modules/rollup

tar-fs #

  • tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-pq67-2wwv-3xjx
  • Affected versions: 2.0.0 - 2.1.1
  • Package usage:
    • node_modules/tar-fs

vite #

  • Vite's server.fs.deny is bypassed when using ?import&raw
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-9cwx-2883-4wfx
  • Affected versions: 0.11.0 - 6.1.5
  • Package usage:
    • node_modules/vite

vitest #

  • Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
  • Severity: critical 🚨 (CVSS 9.7)
  • Reference: GHSA-9crc-q9x8-hgqq
  • Affected versions: 1.0.0 - 1.6.0
  • Package usage:
    • node_modules/vitest

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-tsc #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@nextcloud-command nextcloud-command added the "3. to review" and "dependencies" (Pull requests that update a dependency file) labels Jun 16, 2024

cypress bot commented Jun 16, 2024

Cypress run #2495 (project: Activity)

Run properties:
  • Status: failed
  • Branch: automated/noid/stable29-fix-npm-audit
  • Run duration: 03m 56s
  • Commit: cf75d9c379: [stable29] Fix npm audit
  • Committer: Nextcloud Command Bot

Test results:
  • Failures: 3
  • Flaky: 0
  • Pending (tests annotated with .skip): 0
  • Skipped (tests not run due to a failure in a mocha hook): 0
  • Passing: 7

Tests for review:

Failed: cypress/e2e/sidebar.cy.ts (3 failed tests, Run E2E)
  • Check activity listing in the sidebar > Has share activity
  • Check activity listing in the sidebar > Has rename activity
  • Check activity listing in the sidebar > Has tag activity

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from e759092 to 17bffc5 Compare July 7, 2024 03:12
@AndyScherzinger (Member) commented:

/compile /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 42f8bbd to 46c0797 Compare July 21, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 46c0797 to af3281e Compare July 28, 2024 03:23
@AndyScherzinger AndyScherzinger requested a review from artonge July 28, 2024 10:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from af3281e to 3af5d73 Compare August 1, 2024 10:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 3af5d73 to 45ed8aa Compare August 4, 2024 03:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 6f50e64 to a07ed32 Compare August 18, 2024 03:09
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from a07ed32 to 890bead Compare August 25, 2024 03:07
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 890bead to 7f2680d Compare September 1, 2024 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 2debb88 to df662e7 Compare September 8, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from df662e7 to b0a2e5c Compare September 15, 2024 03:23
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable29-fix-npm-audit branch from b0a2e5c to 77a59d7 Compare September 21, 2024 07:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 77a59d7 to f77ec31 Compare September 22, 2024 03:31
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable29-fix-npm-audit branch from f77ec31 to 56d4bd4 Compare September 24, 2024 10:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 56d4bd4 to 24a892f Compare September 29, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 24a892f to 932623c Compare October 6, 2024 03:41
@AndyScherzinger (Member) commented:

/compile /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from d87439c to 5d7ab99 Compare October 13, 2024 03:29
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 38a2059 to 736ccde Compare March 2, 2025 03:26
@artonge (Collaborator) commented Mar 6, 2025

/compile amend /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 385b915 to 0648cfb Compare March 9, 2025 03:02
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 0648cfb to bd90669 Compare March 16, 2025 03:17
@miaulalala (Collaborator) commented:

/compile /

@miaulalala (Collaborator) commented:

/compile amend /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 9c5a5a6 to 01c1718 Compare March 23, 2025 03:43
codecov bot commented Mar 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 41.87%. Comparing base (0a07d0a) to head (3a002dc).
Report is 4 commits behind head on stable29.

Additional details and impacted files
@@            Coverage Diff            @@
##           stable29    #1710   +/-   ##
=========================================
  Coverage     41.87%   41.87%           
=========================================
  Files            43       43           
  Lines          3847     3847           
  Branches        110      110           
=========================================
  Hits           1611     1611           
  Misses         2210     2210           
  Partials         26       26           


@miaulalala miaulalala force-pushed the automated/noid/stable29-fix-npm-audit branch from 01c1718 to 228cbac Compare March 24, 2025 11:03
@miaulalala (Collaborator) commented:

/compile amend /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 228cbac to c2cfdf4 Compare March 24, 2025 11:07
@miaulalala (Collaborator) commented:

/compile amend /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 1e8d0e1 to a232e88 Compare March 30, 2025 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from a232e88 to afc8682 Compare April 6, 2025 03:32
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from afc8682 to 42bb3ca Compare April 13, 2025 04:28
@miaulalala miaulalala force-pushed the automated/noid/stable29-fix-npm-audit branch from 42bb3ca to 8bf0ef8 Compare April 14, 2025 10:53
@miaulalala (Collaborator) commented:

/compile amend /

Signed-off-by: GitHub <[email protected]>
Signed-off-by: nextcloud-command <[email protected]>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 8bf0ef8 to cf0eded Compare April 14, 2025 10:55
dependabot bot and others added 2 commits April 14, 2025 17:47
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Louis Chemineau <[email protected]>
@artonge (Collaborator) commented Apr 14, 2025

Local cypress run is green, merging.

@artonge artonge merged commit 008840a into stable29 Apr 14, 2025
51 of 55 checks passed
@artonge artonge deleted the automated/noid/stable29-fix-npm-audit branch April 14, 2025 16:33