
[stable29] Fix npm audit #1710

Status: Open. Wants to merge 1 commit into base: stable29
Conversation

nextcloud-command (Contributor) commented Jun 16, 2024

Audit report

This audit fix resolves 23 of the total 32 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

@nextcloud/files

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/moment

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/typings

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0 - 1.8.0
  • Package usage:
    • node_modules/@nextcloud/typings

@nextcloud/vite-config

@testing-library/vue

@vitejs/plugin-vue2

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

@vue/language-core

  • Caused by vulnerable dependency:
  • Affected versions: <=2.0.28
  • Package usage:
    • node_modules/@vue/language-core

@vue/test-utils

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

braces

  • Uncontrolled resource consumption in braces
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-grv7-fg5c-xmjg
  • Affected versions: <3.0.3
  • Package usage:
    • node_modules/braces

cross-spawn

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

dompurify

  • DOMPurify allows tampering by prototype pollution
  • Severity: high (CVSS 7)
  • Reference: GHSA-mmhx-hmjr-r674
  • Affected versions: 3.0.0 - 3.1.2
  • Package usage:
    • node_modules/dompurify

elliptic

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: <=6.5.7
  • Package usage:
    • node_modules/elliptic

happy-dom

  • happy-dom allows for server side code to be executed by a <script> tag
  • Severity: critical 🚨
  • Reference: GHSA-96g7-g7g9-jxw8
  • Affected versions: <15.10.2
  • Package usage:
    • node_modules/happy-dom

micromatch

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

rollup

  • DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  • Severity: high (CVSS 6.4)
  • Reference: GHSA-gcx4-mw62-g8wm
  • Affected versions: 4.0.0 - 4.22.3
  • Package usage:
    • node_modules/rollup

vite

  • Vite's server.fs.deny is bypassed when using ?import&raw
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-9cwx-2883-4wfx
  • Affected versions: 5.2.0 - 5.2.13
  • Package usage:
    • node_modules/vite

vite-plugin-dts

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0-beta.1 - 4.0.0-beta.2
  • Package usage:
    • node_modules/vite-plugin-dts

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vue-tsc

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

vuex

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

nextcloud-command added the labels "3. to review" and "dependencies" (Pull requests that update a dependency file) Jun 16, 2024

cypress bot commented Jun 16, 2024

Run #2120

  • Status: Failed #2120
  • Commit: 2a6c0e5bd2: [stable29] Fix npm audit
  • Project: Activity
  • Branch: automated/noid/stable29-fix-npm-audit
  • Run duration: 03m 17s
  • Committer: Nextcloud Command Bot

Test results

  • Failed: 3
  • Flaky: 0
  • Pending (tests annotated with .skip): 0
  • Skipped (did not run due to a failure in a mocha hook): 0
  • Passing: 7

Tests for review

Failed: cypress/e2e/sidebar.cy.ts (3 failed tests, Run E2E)

  • Check activity listing in the sidebar > Has share activity
  • Check activity listing in the sidebar > Has rename activity
  • Check activity listing in the sidebar > Has tag activity

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from e759092 to 17bffc5 Compare July 7, 2024 03:12
AndyScherzinger (Member) commented:

/compile /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 42f8bbd to 46c0797 Compare July 21, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 46c0797 to af3281e Compare July 28, 2024 03:23
@AndyScherzinger AndyScherzinger requested a review from artonge July 28, 2024 10:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from af3281e to 3af5d73 Compare August 1, 2024 10:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 3af5d73 to 45ed8aa Compare August 4, 2024 03:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 6f50e64 to a07ed32 Compare August 18, 2024 03:09
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from a07ed32 to 890bead Compare August 25, 2024 03:07
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 890bead to 7f2680d Compare September 1, 2024 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 2debb88 to df662e7 Compare September 8, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from df662e7 to b0a2e5c Compare September 15, 2024 03:23
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable29-fix-npm-audit branch from b0a2e5c to 77a59d7 Compare September 21, 2024 07:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 77a59d7 to f77ec31 Compare September 22, 2024 03:31
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable29-fix-npm-audit branch from f77ec31 to 56d4bd4 Compare September 24, 2024 10:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 56d4bd4 to 24a892f Compare September 29, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 24a892f to 932623c Compare October 6, 2024 03:41
AndyScherzinger (Member) commented:

/compile /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from d87439c to 5d7ab99 Compare October 13, 2024 03:29
@miaulalala miaulalala force-pushed the automated/noid/stable29-fix-npm-audit branch from 5d7ab99 to c9db49d Compare October 14, 2024 08:33
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from c9db49d to d24778a Compare October 20, 2024 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 90370c5 to df46a69 Compare November 3, 2024 03:24
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from df46a69 to 0a0808d Compare November 10, 2024 03:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 0a0808d to e85ee0c Compare November 17, 2024 03:24
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from e85ee0c to 519ca7d Compare November 24, 2024 03:24
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 519ca7d to 2c47751 Compare December 1, 2024 03:48
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2c47751 to 208415f Compare December 8, 2024 03:40
4 participants