Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[stable5.0] Fix npm audit #6375

Closed
wants to merge 1 commit into from
Closed

[stable5.0] Fix npm audit #6375

wants to merge 1 commit into from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Sep 29, 2024
edited
Loading

Audit report

This audit fix resolves 24 of the total 34 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/webpack-vue-config #

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

body-parser #

  • body-parser vulnerable to denial of service when url encoding is enabled
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-qwcr-r2fm-qrc7
  • Affected versions: <1.20.3
  • Package usage:
    • node_modules/body-parser

cookie #

  • cookie accepts cookie name, path, and domain with out of bounds characters
  • Severity: low
  • Reference: GHSA-pxg6-pf52-xh8x
  • Affected versions: <0.7.0
  • Package usage:
    • node_modules/cookie

cross-spawn #

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

dompurify #

  • DOMPurify allows tampering by prototype pollution
  • Severity: high (CVSS 7)
  • Reference: GHSA-mmhx-hmjr-r674
  • Affected versions: 3.0.0 - 3.1.2
  • Package usage:
    • node_modules/dompurify

elliptic #

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: <=6.5.7
  • Package usage:
    • node_modules/elliptic

express #

  • express vulnerable to XSS via response.redirect()
  • Severity: low (CVSS 5)
  • Reference: GHSA-qw6h-vgh9-j6wx
  • Affected versions: <=4.21.1 || 5.0.0-alpha.1 - 5.0.0
  • Package usage:
    • node_modules/express

http-proxy-middleware #

  • Denial of service in http-proxy-middleware
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-c7qv-q95q-8v27
  • Affected versions: <2.0.7
  • Package usage:
    • node_modules/http-proxy-middleware

micromatch #

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

nanoid #

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

path-to-regexp #

  • Unpatched path-to-regexp ReDoS in 0.1.x
  • Severity: high
  • Reference: GHSA-rhx6-c78j-4q9w
  • Affected versions: <=0.1.11
  • Package usage:
    • node_modules/path-to-regexp

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

send #

  • send vulnerable to template injection that can lead to XSS
  • Severity: low (CVSS 5)
  • Reference: GHSA-m6fv-jmcg-4jfg
  • Affected versions: <0.19.0
  • Package usage:
    • node_modules/send

serve-static #

  • serve-static vulnerable to template injection that can lead to XSS
  • Severity: low (CVSS 5)
  • Reference: GHSA-cm22-4g7w-348p
  • Affected versions: <=1.16.0
  • Package usage:
    • node_modules/serve-static

v-tooltip #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-beta.1 - 4.0.0-beta.0
  • Package usage:
    • node_modules/v-tooltip

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

webpack #

  • Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
  • Severity: moderate (CVSS 6.4)
  • Reference: GHSA-4vvj-4cpr-p986
  • Affected versions: 5.0.0-alpha.0 - 5.93.0
  • Package usage:
    • node_modules/webpack

@nextcloud-command nextcloud-command added 3. to review Waiting for reviews dependencies Pull requests that update a dependency file labels Sep 29, 2024
@codecov Codecov
Copy link

codecov bot commented Sep 29, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 15.43%. Comparing base (5ef9b1e) to head (0eb3122).
Report is 10 commits behind head on stable5.0.

Additional details and impacted files 
@@              Coverage Diff              @@
##           stable5.0    #6375      +/-   ##
=============================================
+ Coverage      15.41%   15.43%   +0.01%     
=============================================
  Files            206      206              
  Lines           9451     9439      -12     
  Branches        2192     2183       -9     
=============================================
  Hits            1457     1457              
+ Misses          7676     7664      -12     
  Partials         318      318
Flag Coverage Δ
javascript 15.43% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 2 times, most recently from 7a4ceb0 to 4143922 Compare October 13, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch from 4143922 to 7a29217 Compare October 20, 2024 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 3 times, most recently from b356703 to ed6b89c Compare November 3, 2024 03:27
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch from ed6b89c to b55c6ca Compare November 10, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 2 times, most recently from c644d84 to 4f97f85 Compare November 24, 2024 03:28
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 2 times, most recently from be656c2 to bc6ddc7 Compare December 8, 2024 03:43
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 2 times, most recently from 6bdd7d8 to 14a26bd Compare December 22, 2024 03:23
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 2 times, most recently from 5ddcf3f to 694e13b Compare January 5, 2025 03:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 2 times, most recently from 37d6a52 to b569639 Compare January 19, 2025 03:23
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch 2 times, most recently from bf619f7 to ee44d47 Compare February 2, 2025 03:26
@st3iny st3iny force-pushed the automated/noid/stable5.0-fix-npm-audit branch from ee44d47 to 0692f92 Compare February 4, 2025 13:10
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch from 0692f92 to a50e03b Compare February 9, 2025 03:24
@nextcloud-command
fix(deps): Fix npm audit
0eb3122 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.0-fix-npm-audit branch from a50e03b to 0eb3122 Compare February 16, 2025 03:35
@st3iny
Copy link
Member

st3iny commented Feb 20, 2025

The branch stable5.0 was superseded.

@st3iny st3iny closed this Feb 20, 2025
@st3iny st3iny deleted the automated/noid/stable5.0-fix-npm-audit branch February 20, 2025 22:12
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@SebastianKrupinski SebastianKrupinski Awaiting requested review from SebastianKrupinski SebastianKrupinski is a code owner

@st3iny st3iny Awaiting requested review from st3iny st3iny is a code owner

@tcitworld tcitworld Awaiting requested review from tcitworld tcitworld is a code owner

Assignees
No one assigned
Labels
3. to review Waiting for reviews dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nextcloud-command @st3iny