Conversation

@nextcloud-command nextcloud-command commented Feb 2, 2025

Audit report

This audit fix resolves 17 of the total 29 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/runtime

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/runtime

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@vitest/coverage-v8

  • Caused by vulnerable dependency:
  • Affected versions: <=2.2.0-beta.2
  • Package usage:
    • node_modules/@vitest/coverage-v8

@vitest/mocker

  • Caused by vulnerable dependency:
  • Affected versions: <=3.0.0-beta.4
  • Package usage:
    • node_modules/@vitest/mocker

@vue/test-utils

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios

  • axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
  • Severity: high
  • Reference: GHSA-jr5f-v2jv-69x6
  • Affected versions: <1.8.2
  • Package usage:
    • node_modules/axios

elliptic

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

undici

  • Use of Insufficiently Random Values in undici
  • Severity: moderate (CVSS 6.8)
  • Reference: GHSA-c76h-2ccp-4975
  • Affected versions: 4.5.0 - 5.28.4
  • Package usage:
    • node_modules/undici

vite

  • Caused by vulnerable dependency:
  • Affected versions: 0.11.0 - 6.1.2
  • Package usage:
    • node_modules/vite

vite-node

  • Caused by vulnerable dependency:
  • Affected versions: <=2.2.0-beta.2
  • Package usage:
    • node_modules/vite-node

vitest

  • Caused by vulnerable dependency:
  • Affected versions: 0.0.1 - 0.0.12 || 0.0.29 - 0.0.122 || 0.3.3 - 3.0.0-beta.4
  • Package usage:
    • node_modules/vitest

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vuex

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex
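The report above is only as trustworthy as the version comparison behind it, and the interesting cases are the boundaries it lists: inclusive upper bounds (`4.5.0 - 5.28.4`), prerelease limits (`0.3.3 - 3.0.0-beta.4`), `||` unions, the catch-all `*`, and nested copies such as `@nextcloud/moment/node_modules/@nextcloud/l10n`. The following is an added example written for this page, not code from the PR, the audit bot, or the Nextcloud project: a small range matcher that re-checks a lockfile against the affected ranges quoted in the report. The GHSA ids and ranges are copied from the report; the `package-lock.json` excerpt and its versions are constructed for the example and are not the PR's actual lockfile, and every function name is this example's own.

```javascript
// Added example (not from the PR or the nextcloud project): re-check a lockfile
// against the affected-version ranges quoted in the audit report above.
// Only the range syntax the report uses is implemented:
//   "*", "<v", "<=v", ">v", ">=v", "=v", inclusive hyphen ranges "a - b",
//   space-separated conjunctions, and "||" unions.
// Prerelease versions (2.2.0-beta.2) sort before the matching release (2.2.0).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

function compareIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na !== nb) return na ? -1 : 1;          // numeric identifiers sort before alphanumeric ones
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator (<0, 0, >0) following semver 2.0.0 precedence rules.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;                        // 3.0.0 > 3.0.0-beta.4
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1;          // shorter prerelease list is lower
    if (i >= y.pre.length) return 1;
    const c = compareIds(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

function satisfiesComparator(version, comparator) {
  const m = /^(<=|>=|<|>|=)?(\S+)$/.exec(comparator);
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '<':  return c < 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '>=': return c >= 0;
    default:   return c === 0;
  }
}

function satisfiesAlternative(version, alt) {
  alt = alt.trim();
  if (alt === '' || alt === '*') return true;
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(alt);   // "a - b" is inclusive on both ends
  if (hyphen) return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  return alt.split(/\s+/).every((comp) => satisfiesComparator(version, comp));
}

function satisfies(version, range) {
  return range.split('||').some((alt) => satisfiesAlternative(version, alt));
}

// Ranges and GHSA ids copied from the report; entries the report marks
// "Caused by vulnerable dependency" carry no advisory id of their own.
const ADVISORIES = [
  { name: '@babel/runtime',        id: 'GHSA-968p-4wvh-cqc8', range: '<7.26.10' },
  { name: 'axios',                 id: 'GHSA-jr5f-v2jv-69x6', range: '<1.8.2' },
  { name: 'elliptic',              id: 'GHSA-vjh7-7g9h-fjfh', range: '<=6.6.0' },
  { name: 'node-gettext',          id: 'GHSA-g974-hxvm-x689', range: '*' },
  { name: 'undici',                id: 'GHSA-c76h-2ccp-4975', range: '4.5.0 - 5.28.4' },
  { name: 'vue-template-compiler', id: 'GHSA-g3ch-rx76-35fx', range: '>=2.0.0' },
  { name: 'vitest',                id: null, range: '0.0.1 - 0.0.12 || 0.0.29 - 0.0.122 || 0.3.3 - 3.0.0-beta.4' },
  { name: '@nextcloud/l10n',       id: null, range: '1.1.0 - 3.1.0' },
];

// Constructed package-lock.json (lockfileVersion 3) excerpt; these versions are
// made up for the example and are not the PR's actual lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@babel/runtime': { version: '7.26.10' },
    'node_modules/axios': { version: '1.7.9' },
    'node_modules/elliptic': { version: '6.6.1' },
    'node_modules/node-gettext': { version: '3.0.0' },
    'node_modules/undici': { version: '5.28.4' },
    'node_modules/vue-template-compiler': { version: '2.7.16' },
    'node_modules/vitest': { version: '3.0.0' },
    'node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n': { version: '3.1.0' },
  },
};

// Walk every installed copy (nested copies included) and report the ones whose
// version still falls inside an advisory's affected range.
function auditLock(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const [installPath, entry] of Object.entries(lock.packages)) {
      if (installPath === '') continue;                        // the root project itself
      const name = installPath.split('node_modules/').pop();  // last segment: the package name
      if (name === adv.name && satisfies(entry.version, adv.range)) {
        findings.push({ name, installPath, version: entry.version, id: adv.id, range: adv.range });
      }
    }
  }
  return findings;
}

for (const f of auditLock(SAMPLE_LOCK, ADVISORIES)) {
  console.log(`${f.name}@${f.version} at ${f.installPath} is inside ${f.range} (${f.id || 'transitive, no id'})`);
}
```

Two of the boundaries are worth a second look when reading such a report: `undici@5.28.4` is still inside `4.5.0 - 5.28.4` because hyphen ranges are inclusive, and `vitest@3.0.0` is outside `0.3.3 - 3.0.0-beta.4` because a release sorts above its own prereleases. A range of `*` (node-gettext) or an open `>=2.0.0` (vue-template-compiler) means no fixed version exists in the range data, so bumping cannot clear it; only removing or replacing the package can.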

@nextcloud-command nextcloud-command added the labels "3. to review" and "dependencies" (Pull requests that update a dependency file) on Feb 2, 2025
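The one high-severity entry in the report with a mechanism worth seeing in code is the axios advisory (GHSA-jr5f-v2jv-69x6): a client configured with `baseURL` and a bearer token will, when the request path is itself an absolute URL, send the token to whatever host that path names, which is both the SSRF and the credential leakage the title describes. The following is an added illustration written for this page, not axios source and not code from the PR or the Nextcloud project. It models the vulnerable combine step beside a hardened one that always keeps `baseURL` as the origin; the `allowAbsoluteUrls` flag is named after the configuration option the axios maintainers introduced with the fix, and the client, host names and token are constructed placeholders.

```javascript
// Added illustration (not axios source) of the request-target confusion behind
// GHSA-jr5f-v2jv-69x6: an absolute URL in the request path overrides baseURL,
// so credentials configured for baseURL travel to an attacker-chosen host.

function isAbsoluteUrl(target) {
  // "scheme://..." or a protocol-relative "//host/..." both replace the base origin
  return /^(?:[a-z][a-z\d+\-.]*:)?\/\//i.test(target);
}

// Glue a path onto baseURL the way an HTTP client's URL combiner does.
function combineUrls(baseURL, relative) {
  return baseURL.replace(/\/+$/, '') + '/' + relative.replace(/^\/+/, '');
}

// The string the client hands to its transport layer.
function buildFullPath(baseURL, target, allowAbsoluteUrls) {
  if (baseURL && (!isAbsoluteUrl(target) || !allowAbsoluteUrls)) {
    return combineUrls(baseURL, target);   // hardened branch: the target is always a path under baseURL
  }
  return target;                           // vulnerable branch: an absolute target silently wins
}

// One outgoing request as the transport would resolve it, plus whether it
// leaves the base origin while still carrying the Authorization header.
function planRequest(client, target) {
  const raw = buildFullPath(client.baseURL, target, client.allowAbsoluteUrls);
  const url = new URL(raw, client.baseURL);
  return {
    url: url.href,
    headers: { Authorization: client.authorization },   // sent wherever url points
    offOrigin: url.origin !== new URL(client.baseURL).origin,
  };
}

// Constructed client; the token is a placeholder, not a real credential.
const VULNERABLE_CLIENT = {
  baseURL: 'https://api.internal.example/v1',
  authorization: 'Bearer constructed-example-token',
  allowAbsoluteUrls: true,
};
const HARDENED_CLIENT = { ...VULNERABLE_CLIENT, allowAbsoluteUrls: false };

// An attacker-controlled value an application interpolates into the path.
const ATTACKER_PATH = 'https://attacker.example/collect';

for (const [label, client] of [['vulnerable', VULNERABLE_CLIENT], ['hardened', HARDENED_CLIENT]]) {
  const plan = planRequest(client, ATTACKER_PATH);
  console.log(`${label}: ${plan.url} (leaves base origin: ${plan.offOrigin})`);
}
```

Note that a protocol-relative `//attacker.example/collect` is just as effective as a full `https://` URL against the vulnerable branch, which is why the absolute-URL test covers both forms. Pinning to `>=1.8.2` is the fix the report applies; an application that interpolates untrusted input into request paths should additionally validate that input as a path, because a hardened combiner still produces a request, only one that stays on the intended origin.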

codecov bot commented Feb 2, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.03%. Comparing base (7c61483) to head (38cd4a8).
Report is 2 commits behind head on stable31.

Additional details and impacted files
@@             Coverage Diff              @@
##           stable31    #6888      +/-   ##
============================================
+ Coverage     52.07%   59.03%   +6.95%     
============================================
  Files           286      285       -1     
  Lines         40622    35836    -4786     
  Branches        790      789       -1     
============================================
  Hits          21155    21155              
+ Misses        19346    14561    -4785     
+ Partials        121      120       -1     

☔ View full report in Codecov by Sentry.

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from ec489f1 to a4881df on February 9, 2025 03:16
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from a4881df to d3c3657 on February 16, 2025 03:27
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from d3c3657 to c626ef7 on February 23, 2025 03:29
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 20f58f5 to 370b6eb on March 9, 2025 02:59
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 370b6eb to ae742a6 on March 16, 2025 03:23
@juliusknorr juliusknorr force-pushed the automated/noid/stable31-fix-npm-audit branch from ae742a6 to 749a394 on March 19, 2025 21:58
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 749a394 to 68797fd on March 23, 2025 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 68797fd to 33600fd on March 30, 2025 03:34
@mejo- mejo- force-pushed the automated/noid/stable31-fix-npm-audit branch from 33600fd to 38cd4a8 on April 2, 2025 12:25
@mejo- mejo- merged commit 76a337e into stable31 Apr 2, 2025
64 checks passed
@mejo- mejo- deleted the automated/noid/stable31-fix-npm-audit branch April 2, 2025 12:38
@Altahrim Altahrim mentioned this pull request Apr 3, 2025