Conversation

@nextcloud-command nextcloud-command commented Dec 15, 2024

Audit report

This audit fix resolves 29 of the total 44 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/helpers

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/helpers

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-beta.0 - 2.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/webpack-vue-config

@vue/component-compiler-utils

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

body-parser

  • Caused by vulnerable dependency:
  • Affected versions: <=1.20.3 || 2.0.0-beta.1 - 2.0.2
  • Package usage:
    • node_modules/body-parser

brace-expansion

  • brace-expansion Regular Expression Denial of Service vulnerability
  • Severity: low (CVSS 3.1)
  • Reference: GHSA-v6h2-p8h4-qcjw
  • Affected versions: 1.0.0 - 1.1.11
  • Package usage:
    • node_modules/brace-expansion

browserify-sign

  • Caused by vulnerable dependency:
  • Affected versions: >=2.4.0
  • Package usage:
    • node_modules/browserify-sign

cipher-base

  • cipher-base is missing type checks, leading to hash rewind and passing on crafted data
  • Severity: critical 🚨 (CVSS 9.1)
  • Reference: GHSA-cpq7-6gpm-g9rc
  • Affected versions: <=1.0.4
  • Package usage:
    • node_modules/cipher-base

compression

  • Caused by vulnerable dependency:
  • Affected versions: 1.0.3 - 1.8.0
  • Package usage:
    • node_modules/compression

create-ecdh

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/create-ecdh

crypto-browserify

  • Caused by vulnerable dependency:
  • Affected versions: >=3.4.0
  • Package usage:
    • node_modules/crypto-browserify

dompurify

  • DOMPurify allows Cross-site Scripting (XSS)
  • Severity: moderate (CVSS 4.5)
  • Reference: GHSA-vhxf-7vqr-mrjg
  • Affected versions: <3.2.4
  • Package usage:
    • node_modules/dompurify

elliptic

  • Elliptic Uses a Cryptographic Primitive with a Risky Implementation
  • Severity: low (CVSS 5.6)
  • Reference: GHSA-848j-6mx2-7j84
  • Affected versions: *
  • Package usage:
    • node_modules/elliptic

express

  • Caused by vulnerable dependency:
  • Affected versions: 2.5.8 - 2.5.11 || 3.2.1 - 3.2.3 || 4.0.0-rc1 - 4.21.2 || 5.0.0-alpha.1 - 5.0.1
  • Package usage:
    • node_modules/express

form-data

  • form-data uses unsafe random function in form-data for choosing boundary
  • Severity: critical 🚨
  • Reference: GHSA-fjxv-7rqg-78g4
  • Affected versions: 4.0.0 - 4.0.3
  • Package usage:
    • node_modules/form-data

http-proxy-middleware

  • http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
  • Severity: moderate (CVSS 4)
  • Reference: GHSA-9gqv-wp59-fq42
  • Affected versions: 1.3.0 - 2.0.8
  • Package usage:
    • node_modules/http-proxy-middleware

js-yaml

  • js-yaml has prototype pollution in merge (<<)
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-mh29-5h37-fv8m
  • Affected versions: 4.0.0 - 4.1.0
  • Package usage:
    • node_modules/js-yaml

node-forge

  • node-forge has ASN.1 Unbounded Recursion
  • Severity: high
  • Reference: GHSA-554w-wpv2-vw27
  • Affected versions: <=1.3.1
  • Package usage:
    • node_modules/node-forge

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: <=3.0.0
  • Package usage:
    • node_modules/node-gettext

node-polyfill-webpack-plugin

  • Caused by vulnerable dependency:
  • Affected versions: <=4.0.0
  • Package usage:
    • node_modules/node-polyfill-webpack-plugin

on-headers

  • on-headers is vulnerable to http response header manipulation
  • Severity: low (CVSS 3.4)
  • Reference: GHSA-76c9-3jph-rj3q
  • Affected versions: <1.1.0
  • Package usage:
    • node_modules/on-headers

path-to-regexp

  • path-to-regexp contains a ReDoS
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-rhx6-c78j-4q9w
  • Affected versions: <0.1.12
  • Package usage:
    • node_modules/path-to-regexp

pbkdf2

  • pbkdf2 silently disregards Uint8Array input, returning static keys
  • Severity: critical 🚨
  • Reference: GHSA-v62p-rq8g-8h59
  • Affected versions: <=3.1.2
  • Package usage:
    • node_modules/pbkdf2

postcss

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

qs

  • qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-6rw7-vpxm-498p
  • Affected versions: <6.14.1
  • Package usage:
    • node_modules/qs

sha.js

  • sha.js is missing type checks leading to hash rewind and passing on crafted data
  • Severity: critical 🚨 (CVSS 9.1)
  • Reference: GHSA-95m3-7q98-8xr5
  • Affected versions: <=2.4.11
  • Package usage:
    • node_modules/sha.js

vue-loader

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

webpack-dev-server

  • webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-9jgg-88mc-972h
  • Affected versions: <=5.2.0
  • Package usage:
    • node_modules/webpack-dev-server

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 8be76cd to ae9755b on February 23, 2025 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from dd630ba to 01eac40 on March 23, 2025 03:23
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 01eac40 to 4d47f4e on March 30, 2025 03:36
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 4d47f4e to 0dfddd3 on April 27, 2025 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 0dfddd3 to 0d46de0 on May 4, 2025 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 0d46de0 to da005db on May 11, 2025 03:47
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from da005db to 47bfb68 on May 25, 2025 03:45
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from ed4b63c to fd0c625 on June 8, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from fd0c625 to e4c2ca5 on June 15, 2025 03:53
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from c89ae27 to 67266f8 on July 6, 2025 03:55
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 67266f8 to edd4f13 on July 13, 2025 04:02
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from edd4f13 to 63128e5 on July 20, 2025 04:04
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 63128e5 to 31528ba on July 27, 2025 04:10
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from 215770b to bbd4f6c on August 10, 2025 04:04
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from ca6b03e to 54208d4 on August 24, 2025 03:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 54208d4 to eec868c on September 7, 2025 03:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from eec868c to 93d2557 on September 14, 2025 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from 6e0860f to 1caa3b1 on September 28, 2025 03:21
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from 231ceec to 3e5b277 on October 26, 2025 03:19
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 3e5b277 to f024a2e on November 2, 2025 03:37
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from f024a2e to 765a122 on November 9, 2025 03:28
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from f433612 to 7bdcaf2 on November 23, 2025 03:32
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 7bdcaf2 to f44eebe on November 30, 2025 03:32
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch 2 times, most recently from 197bf83 to 326036a on December 14, 2025 03:32
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 326036a to 613a9a5 on January 4, 2026 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable25-fix-npm-audit branch from 613a9a5 to 14f25db on January 11, 2026 03:48