[stable31] Fix npm audit#4784

Merged

elzody merged 1 commit into stable31 from automated/noid/stable31-fix-npm-audit on Aug 4, 2025
Conversation

@nextcloud-command (Contributor) commented May 18, 2025

Audit report

This audit fix resolves 15 of the total 22 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.3.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/webpack-vue-config

@vue/component-compiler-utils

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

brace-expansion

  • brace-expansion Regular Expression Denial of Service vulnerability
  • Severity: low (CVSS 3.1)
  • Reference: GHSA-v6h2-p8h4-qcjw
  • Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
  • Package usage:
    • node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
    • node_modules/brace-expansion
    • node_modules/detective-typescript/node_modules/brace-expansion
    • node_modules/webdav/node_modules/brace-expansion

compression

  • Caused by vulnerable dependency:
  • Affected versions: 1.0.3 - 1.8.0
  • Package usage:
    • node_modules/compression

form-data

  • form-data uses unsafe random function in form-data for choosing boundary
  • Severity: critical 🚨
  • Reference: GHSA-fjxv-7rqg-78g4
  • Affected versions: 4.0.0 - 4.0.3
  • Package usage:
    • node_modules/form-data

linkifyjs

  • Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
  • Severity: high
  • Reference: GHSA-95jq-xph2-cx9h
  • Affected versions: <4.3.2
  • Package usage:
    • node_modules/linkifyjs

on-headers

  • on-headers is vulnerable to http response header manipulation
  • Severity: low (CVSS 3.4)
  • Reference: GHSA-76c9-3jph-rj3q
  • Affected versions: <1.1.0
  • Package usage:
    • node_modules/on-headers

pbkdf2

  • pbkdf2 silently disregards Uint8Array input, returning static keys
  • Severity: critical 🚨
  • Reference: GHSA-v62p-rq8g-8h59
  • Affected versions: <=3.1.2
  • Package usage:
    • node_modules/pbkdf2

postcss

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

tar-fs

  • tar-fs can extract outside the specified dir with a specific tarball
  • Severity: high
  • Reference: GHSA-8cj5-5rvv-wf4v
  • Affected versions: 2.0.0 - 2.1.2
  • Package usage:
    • node_modules/tar-fs

vue-loader

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

webpack-dev-server

  • webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-9jgg-88mc-972h
  • Affected versions: <=5.2.0
  • Package usage:
    • node_modules/webpack-dev-server

Timeline

  • nextcloud-command added the labels "3. to review" (Ready to be reviewed) and "dependencies" (Pull requests that update a dependency file) on May 18, 2025
  • elzody force-pushed the automated/noid/stable31-fix-npm-audit branch from bc0569a to 6e33038 on May 23, 2025 20:29
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 6e33038 to 0cd9319 on May 25, 2025 03:52
  • elzody force-pushed the automated/noid/stable31-fix-npm-audit branch from 0cd9319 to 7fdf4da on May 29, 2025 22:19
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 55b9407 to 0b189ff on June 6, 2025 00:26
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 0b189ff to 0d2b282 on June 15, 2025 03:48
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 0d2b282 to b7f3229 on June 22, 2025 03:58
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from b7f3229 to cf72363 on June 29, 2025 04:00
  • elzody force-pushed the automated/noid/stable31-fix-npm-audit branch from cf72363 to f438b58 on July 11, 2025 19:19
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from f438b58 to d030207 on July 13, 2025 04:04
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from d030207 to 4b42a07 on July 20, 2025 04:07
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 4b42a07 to a27a281 on July 27, 2025 04:11
  • Commit message: Signed-off-by: GitHub <noreply@github.com>
  • nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from a27a281 to 0f99653 on August 3, 2025 04:15
  • elzody merged commit af4d35b into stable31 on Aug 4, 2025 (52 checks passed)
  • elzody deleted the automated/noid/stable31-fix-npm-audit branch on August 4, 2025 19:53