Conversation

@nextcloud-command
Contributor

@nextcloud-command nextcloud-command commented Oct 13, 2024

Audit report

This audit fix resolves 17 of the total 24 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/webpack-vue-config

@vue/component-compiler-utils

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

cookie

  • cookie accepts cookie name, path, and domain with out of bounds characters
  • Severity: low
  • Reference: GHSA-pxg6-pf52-xh8x
  • Affected versions: <0.7.0
  • Package usage:
    • node_modules/cookie

cross-spawn

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

dompurify

  • DOMPurify allows Cross-site Scripting (XSS)
  • Severity: moderate (CVSS 4.5)
  • Reference: GHSA-vhxf-7vqr-mrjg
  • Affected versions: <3.2.4
  • Package usage:
    • node_modules/dompurify

elliptic

  • Valid ECDSA signatures erroneously rejected in Elliptic
  • Severity: low (CVSS 4.8)
  • Reference: GHSA-fc9h-whq2-v747
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

express

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0-alpha1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0
  • Package usage:
    • node_modules/express

http-proxy-middleware

  • Denial of service in http-proxy-middleware
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-c7qv-q95q-8v27
  • Affected versions: <2.0.7
  • Package usage:
    • node_modules/http-proxy-middleware

nanoid

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

path-to-regexp

  • Unpatched path-to-regexp ReDoS in 0.1.x
  • Severity: high
  • Reference: GHSA-rhx6-c78j-4q9w
  • Affected versions: <0.1.12
  • Package usage:
    • node_modules/path-to-regexp

postcss

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

vue-loader

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 4a4ce7e to dad72df October 20, 2024 03:23
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from ae2b81a to c07e3dd November 3, 2024 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from c07e3dd to e338c3e November 10, 2024 03:12
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from e338c3e to 615e47e November 17, 2024 03:23
@DorraJaouad
Collaborator

/compile /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 615e47e to de75ada November 24, 2024 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from c557477 to e0b8e31 December 8, 2024 03:37
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from c7693c7 to 860ced1 December 22, 2024 03:16
@skjnldsv
Member

/compile

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 1d9b417 to 5ee428f January 5, 2025 03:07
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 4b811a5 to 3062ec1 January 19, 2025 03:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 3062ec1 to 8a6c446 January 26, 2025 03:20
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from d676cc7 to e847bf3 February 9, 2025 03:19
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from e847bf3 to 590aca2 February 16, 2025 03:29
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from b16431a to 1a787a6 March 2, 2025 03:28
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 1a787a6 to 8dcf419 March 9, 2025 03:00
@DorraJaouad
Collaborator

/compile /

Signed-off-by: nextcloud-command <[email protected]>
@DorraJaouad DorraJaouad merged commit 2ecf3a9 into stable30 Mar 14, 2025
17 checks passed
@DorraJaouad DorraJaouad deleted the automated/noid/stable30-fix-npm-audit branch March 14, 2025 11:03
@Altahrim Altahrim mentioned this pull request Mar 18, 2025