Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[stable30] Fix npm audit #1750

Open
wants to merge 1 commit into
base: stable30
Choose a base branch
from
Open

[stable30] Fix npm audit #1750

wants to merge 1 commit into from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Aug 18, 2024
edited
Loading

Audit report

This audit fix resolves 26 of the total 33 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

@nextcloud/files #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.2.1
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/dialogs/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/files/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/typings #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0 - 1.8.0
  • Package usage:
    • node_modules/@nextcloud/typings

@nextcloud/vite-config #

@testing-library/vue #

@vitejs/plugin-vue2 #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

@vue/language-core #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.0.28
  • Package usage:
    • node_modules/@vue/language-core

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios #

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

cross-spawn #

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

dompurify #

  • DOMPurify allows tampering by prototype pollution
  • Severity: high (CVSS 7)
  • Reference: GHSA-mmhx-hmjr-r674
  • Affected versions: 3.0.0 - 3.1.2
  • Package usage:
    • node_modules/dompurify

elliptic #

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: <=6.5.7
  • Package usage:
    • node_modules/elliptic

fast-xml-parser #

  • fast-xml-parser vulnerable to ReDOS at currency parsing
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-mpg4-rc92-vx8v
  • Affected versions: 4.3.5 - 4.4.0
  • Package usage:
    • node_modules/fast-xml-parser

happy-dom #

  • happy-dom allows for server side code to be executed by a <script> tag
  • Severity: critical 🚨
  • Reference: GHSA-96g7-g7g9-jxw8
  • Affected versions: <15.10.2
  • Package usage:
    • node_modules/happy-dom

micromatch #

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

nanoid #

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

rollup #

  • DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  • Severity: high (CVSS 6.4)
  • Reference: GHSA-gcx4-mw62-g8wm
  • Affected versions: 4.0.0 - 4.22.3
  • Package usage:
    • node_modules/rollup

vite #

  • Vite's server.fs.deny is bypassed when using ?import&raw
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-9cwx-2883-4wfx
  • Affected versions: 5.0.0 - 5.4.11
  • Package usage:
    • node_modules/vite

vite-plugin-dts #

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0-beta.1 - 4.0.0-beta.2
  • Package usage:
    • node_modules/vite-plugin-dts

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vue-tsc #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Aug 18, 2024
@cypress Cypress
Copy link

cypress bot commented Aug 18, 2024
edited
Loading

Activity    Run #2181

Run Properties:  status check failed Failed #2181  •  git commit 94dc6cf553: [stable30] Fix npm audit
Project Activity
Branch Review automated/noid/stable30-fix-npm-audit
Run status status check failed Failed #2181
Run duration 03m 06s
Commit git commit 94dc6cf553: [stable30] Fix npm audit
Committer Nextcloud Command Bot
View all properties for this run ↗︎
Test results
Tests that failed  Failures 1
Tests that were flaky  Flaky 1
Tests that did not run due to a developer annotating a test with .skip  Pending 0
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 9
View all changes introduced in this branch ↗︎

Tests for review

Failed  cypress/e2e/sidebar.cy.ts • 1 failed test • Run E2E

View Output

Test Artifacts
Check activity listing in the sidebar > Has tag activity Test Replay Screenshots
Flakiness  cypress/e2e/sidebar.cy.ts • 1 flaky test • Run E2E

View Output

Test Artifacts
Check activity listing in the sidebar > Has move activity Test Replay Screenshots

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from d387418 to bc8899a Compare August 25, 2024 03:07
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 3 times, most recently from c66b5b3 to 216443a Compare September 3, 2024 15:15
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 45e6936 to 30c79b6 Compare September 15, 2024 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 30c79b6 to 4f16b27 Compare September 22, 2024 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 4f16b27 to 9e71fac Compare September 29, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 9e71fac to 673dc83 Compare October 6, 2024 03:40
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 673dc83 to 41cc521 Compare October 13, 2024 03:28
@miaulalala miaulalala force-pushed the automated/noid/stable30-fix-npm-audit branch from 41cc521 to c3e6aeb Compare October 14, 2024 08:33
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from c3e6aeb to 2f24cd3 Compare October 20, 2024 03:21
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 12c7a0d to c1ff91b Compare November 3, 2024 03:24
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from c1ff91b to ef2600c Compare November 10, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from d0cf327 to 32f2dbf Compare November 24, 2024 03:24
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 33fceec to efc2992 Compare December 8, 2024 03:39
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from efc2992 to 94e4863 Compare December 15, 2024 03:35
@codecov Codecov
Copy link

codecov bot commented Dec 15, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 30.89%. Comparing base (3e2f5e2) to head (677f0d1).

Additional details and impacted files 
@@             Coverage Diff              @@
##           stable30    #1750      +/-   ##
============================================
- Coverage     31.36%   30.89%   -0.48%     
============================================
  Files            43       43              
  Lines          1629     1615      -14     
  Branches        110      110              
============================================
- Hits            511      499      -12     
+ Misses         1092     1090       -2     
  Partials         26       26

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 50be670 to 8da0a27 Compare December 29, 2024 03:15
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 8da0a27 to 41ebaf1 Compare January 5, 2025 03:09
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 0e97d5d to c9a1800 Compare January 19, 2025 03:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 7997642 to df53c1b Compare February 2, 2025 03:20
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from df53c1b to a9784ea Compare February 9, 2025 03:20
@nextcloud-command
fix(deps): Fix npm audit
677f0d1 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from a9784ea to 677f0d1 Compare February 16, 2025 03:27
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@skjnldsv skjnldsv skjnldsv approved these changes

Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nextcloud-command @skjnldsv