Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable28] Fix npm audit #1705

Open
wants to merge 1 commit into
base: stable28
Choose a base branch
from
Open

[stable28] Fix npm audit #1705

wants to merge 1 commit into from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Jun 9, 2024
edited
Loading

Audit report

This audit fix resolves 14 of the total 18 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

@nextcloud/files #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/dialogs/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/files/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/vue #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.4.0
  • Package usage:
    • node_modules/@nextcloud/vue

@testing-library/vue #

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios #

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

braces #

  • Uncontrolled resource consumption in braces
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-grv7-fg5c-xmjg
  • Affected versions: <3.0.3
  • Package usage:
    • node_modules/braces

fast-xml-parser #

  • fast-xml-parser vulnerable to ReDOS at currency parsing
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-mpg4-rc92-vx8v
  • Affected versions: <4.4.1
  • Package usage:
    • node_modules/fast-xml-parser

micromatch #

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: moderate (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

vite #

  • Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
  • Severity: moderate (CVSS 6.4)
  • Reference: GHSA-64vr-g452-qvp3
  • Affected versions: 5.4.0 - 5.4.5
  • Package usage:
    • node_modules/vite

vue-tsc #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jun 9, 2024
@cypress Cypress
Copy link

cypress bot commented Jun 9, 2024
edited
Loading

Activity    Run #1997

Run Properties:  status check failed Failed #1997  •  git commit cda53dec58: [stable28] Fix npm audit
Project Activity
Branch Review automated/noid/stable28-fix-npm-audit
Run status status check failed Failed #1997
Run duration 02m 05s
Commit git commit cda53dec58: [stable28] Fix npm audit
Committer Nextcloud Command Bot
View all properties for this run ↗︎
Test results
Tests that failed  Failures 1
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 3
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 6
View all changes introduced in this branch ↗︎

Tests for review

Failed  cypress/e2e/sidebar.cy.ts • 1 failed test • Run E2E

View Output

Test Artifacts
Check activity listing in the sidebar > Has share activity Test Replay Screenshots

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 12964f0 to 0f39303 Compare June 16, 2024 03:16
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 4610c02 to 05a724a Compare July 7, 2024 03:12
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 10eb38b to 0696650 Compare July 21, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 6a4996b to bc1008c Compare August 1, 2024 10:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 8956d8d to 04bad77 Compare August 18, 2024 03:06
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 04bad77 to b1a1ef7 Compare August 25, 2024 03:04
@susnux susnux force-pushed the automated/noid/stable28-fix-npm-audit branch from b1a1ef7 to b0e7536 Compare August 25, 2024 23:01
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 46685e3 to 54602e7 Compare September 3, 2024 15:15
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 9c3b2c9 to 739a80b Compare September 15, 2024 03:25
@nextcloud-command
fix(deps): Fix npm audit
295a56a 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 739a80b to 295a56a Compare September 22, 2024 03:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nextcloud-command