[stable30] Fix npm audit #886

nextcloud-command · 2024-09-15T03:21:50Z

Audit report

This audit fix resolves 11 of the total 13 vulnerabilities found in your project.

Updated dependencies

@nextcloud/l10n
@nextcloud/vue
@vue/component-compiler-utils
body-parser
express
node-gettext
path-to-regexp
postcss
send
serve-static
vue-loader

Fixed vulnerabilities

@nextcloud/l10n #

Caused by vulnerable dependency:
- node-gettext
Affected versions: >=1.1.0
Package usage:
- node_modules/@nextcloud/l10n

@nextcloud/vue #

Caused by vulnerable dependency:
- @nextcloud/l10n
Affected versions: >=1.4.0
Package usage:
- node_modules/@nextcloud/vue

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

body-parser #

body-parser vulnerable to denial of service when url encoding is enabled
Severity: high (CVSS 7.5)
Reference: GHSA-qwcr-r2fm-qrc7
Affected versions: <1.20.3
Package usage:
- node_modules/body-parser

express #

express vulnerable to XSS via response.redirect()
Severity: moderate (CVSS 5)
Reference: GHSA-qw6h-vgh9-j6wx
Affected versions: <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
Package usage:
- node_modules/express

node-gettext #

node-gettext vulnerable to Prototype Pollution
Severity: moderate (CVSS 5.9)
Reference: GHSA-g974-hxvm-x689
Affected versions: *
Package usage:
- node_modules/node-gettext

path-to-regexp #

path-to-regexp outputs backtracking regular expressions
Severity: high (CVSS 7.5)
Reference: GHSA-9wv6-86v2-598j
Affected versions: <0.1.10
Package usage:
- node_modules/path-to-regexp

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

send #

send vulnerable to template injection that can lead to XSS
Severity: moderate (CVSS 5)
Reference: GHSA-m6fv-jmcg-4jfg
Affected versions: <0.19.0
Package usage:
- node_modules/send

serve-static #

serve-static vulnerable to template injection that can lead to XSS
Severity: moderate (CVSS 5)
Reference: GHSA-cm22-4g7w-348p
Affected versions: <=1.16.0
Package usage:
- node_modules/serve-static

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

Signed-off-by: GitHub <[email protected]>

fix(deps): Fix npm audit

15b9b19

Signed-off-by: GitHub <[email protected]>

nextcloud-command added 3. to review dependencies labels Sep 15, 2024

nickvergessen approved these changes Sep 15, 2024

View reviewed changes

nickvergessen merged commit cc4715e into stable30 Sep 15, 2024

nickvergessen deleted the automated/noid/stable30-fix-npm-audit branch September 15, 2024 07:55

Altahrim mentioned this pull request Oct 1, 2024

30.0.1 RC1 nextcloud/server#48500

Merged

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[stable30] Fix npm audit #886

[stable30] Fix npm audit #886

Uh oh!

nextcloud-command commented Sep 15, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

[stable30] Fix npm audit #886

[stable30] Fix npm audit #886

Uh oh!

Conversation

nextcloud-command commented Sep 15, 2024

Audit report

Updated dependencies

Fixed vulnerabilities

@nextcloud/l10n #

@nextcloud/vue #

@vue/component-compiler-utils #

body-parser #

express #

node-gettext #

path-to-regexp #

postcss #

send #

serve-static #

vue-loader #

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants