@nextcloud-command nextcloud-command commented Mar 23, 2025

Audit report

This audit fix resolves 17 of the total 24 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.3.0
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.1 - 1.3.2
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/vite-config

  • Caused by vulnerable dependency:
  • Affected versions: <=1.5.6
  • Package usage:
    • node_modules/@nextcloud/vite-config

@testing-library/vue

@vitejs/plugin-vue2

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

@vue/test-utils

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

dockerode

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0 - 4.0.4
  • Package usage:
    • node_modules/dockerode

esbuild

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild
    • node_modules/vite/node_modules/esbuild

happy-dom

  • happy-dom allows for server side code to be executed by a <script> tag
  • Severity: critical 🚨
  • Reference: GHSA-96g7-g7g9-jxw8
  • Affected versions: <15.10.2
  • Package usage:
    • node_modules/happy-dom

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

rollup-plugin-esbuild-minify

  • Caused by vulnerable dependency:
  • Affected versions: <=1.2.0
  • Package usage:
    • node_modules/rollup-plugin-esbuild-minify

tar-fs

  • tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-pq67-2wwv-3xjx
  • Affected versions: 2.0.0 - 2.1.1
  • Package usage:
    • node_modules/tar-fs

vite

  • Vite bypasses server.fs.deny when using ?raw??
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-x574-m823-4x7w
  • Affected versions: 0.11.0 - 6.1.6
  • Package usage:
    • node_modules/vite

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vuex

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@nextcloud-command nextcloud-command added the "3. to review" and "dependencies" labels Mar 23, 2025

codecov bot commented Mar 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 30.80%. Comparing base (badbdf3) to head (bd7ea57).
Report is 4 commits behind head on stable30.

Additional details and impacted files
@@            Coverage Diff            @@
##           stable30    #1945   +/-   ##
=========================================
  Coverage     30.80%   30.80%           
=========================================
  Files            43       43           
  Lines          1620     1620           
  Branches        110      110           
=========================================
  Hits            499      499           
  Misses         1095     1095           
  Partials         26       26           

cypress bot commented Mar 23, 2025

Activity    Run #2628

Run Properties:  status check passed Passed #2628  •  git commit 931d276f9b: [stable30] Fix npm audit
Project Activity
Branch Review automated/noid/stable30-fix-npm-audit
Run status status check passed Passed #2628
Run duration 01m 57s
Commit git commit 931d276f9b: [stable30] Fix npm audit
Committer Nextcloud Command Bot

Test results
  • Failures (tests that failed): 0
  • Flaky (tests that were flaky): 0
  • Pending (tests that did not run because a developer annotated them with .skip): 0
  • Skipped (tests that did not run due to a failure in a mocha hook): 0
  • Passing (tests that passed): 10

@artonge artonge enabled auto-merge March 24, 2025 09:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 6e1c175 to 33cc8bf March 30, 2025 03:34
@solracsf solracsf force-pushed the automated/noid/stable30-fix-npm-audit branch from 33cc8bf to 98e519f April 3, 2025 11:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 98e519f to 49e8403 April 6, 2025 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 9f188fb to 57e6073 April 20, 2025 03:35
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 8bbee44 to 56fa1da May 4, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 5514138 to 1fc8c49 May 18, 2025 03:36
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 1fc8c49 to 8bbf92a May 25, 2025 03:55
@artonge artonge force-pushed the automated/noid/stable30-fix-npm-audit branch from 8bbf92a to c132e23 May 26, 2025 21:28
Signed-off-by: GitHub <[email protected]>
Signed-off-by: Louis Chemineau <[email protected]>
@artonge artonge force-pushed the automated/noid/stable30-fix-npm-audit branch from c132e23 to bd7ea57 May 26, 2025 21:29
@artonge artonge merged commit 2cb2cff into stable30 May 26, 2025
51 checks passed
@artonge artonge deleted the automated/noid/stable30-fix-npm-audit branch May 26, 2025 21:34
@nextcloud-bot nextcloud-bot mentioned this pull request Jun 4, 2025