
Conversation


@nextcloud-command nextcloud-command commented Nov 3, 2024

Audit report

This audit fix resolves 54 of the total 64 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/eslint-parser

  • Caused by vulnerable dependency:
  • Affected versions: 7.16.0 - 7.24.1 || 8.0.0-alpha.0 - 8.0.0-alpha.8
  • Package usage:
    • node_modules/@babel/eslint-parser

@babel/helpers

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/helpers

@babel/runtime

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/runtime

@cypress/request

  • Caused by vulnerable dependency:
  • Affected versions: <=3.0.9
  • Package usage:
    • node_modules/@cypress/request

@nextcloud/cypress

  • Caused by vulnerable dependency:
  • Affected versions:
  • Package usage:
    • node_modules/@nextcloud/cypress

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.4.2
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/vue

@nextcloud/vue-select

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@nextcloud/vue-select

@nextcloud/webpack-vue-config

@typescript-eslint/type-utils

  • Caused by vulnerable dependency:
  • Affected versions: 5.9.2-alpha.0 - 8.0.0-alpha.62
  • Package usage:
    • node_modules/@typescript-eslint/type-utils

@vue/component-compiler-utils

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

axios

  • axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
  • Severity: high
  • Reference: GHSA-jr5f-v2jv-69x6
  • Affected versions: 1.0.0 - 1.11.0
  • Package usage:
    • node_modules/axios

body-parser

  • Caused by vulnerable dependency:
  • Affected versions: <=1.20.3 || 2.0.0-beta.1 - 2.0.2
  • Package usage:
    • node_modules/body-parser

brace-expansion

  • brace-expansion Regular Expression Denial of Service vulnerability
  • Severity: low (CVSS 3.1)
  • Reference: GHSA-v6h2-p8h4-qcjw
  • Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
  • Package usage:
    • node_modules/brace-expansion
    • node_modules/webdav/node_modules/brace-expansion

cipher-base

  • cipher-base is missing type checks, leading to hash rewind and passing on crafted data
  • Severity: critical 🚨 (CVSS 9.1)
  • Reference: GHSA-cpq7-6gpm-g9rc
  • Affected versions: <=1.0.4
  • Package usage:
    • node_modules/cipher-base

compression

  • Caused by vulnerable dependency:
  • Affected versions: 1.0.3 - 1.8.0
  • Package usage:
    • node_modules/compression

cross-spawn

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

diff

  • jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
  • Severity: low
  • Reference: GHSA-73rr-hh4g-fpgx
  • Affected versions: 5.0.0 - 5.2.1
  • Package usage:
    • node_modules/diff

dockerode

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0 - 4.0.4
  • Package usage:
    • node_modules/@nextcloud/cypress/node_modules/dockerode
    • node_modules/dockerode

dompurify

  • DOMPurify allows Cross-site Scripting (XSS)
  • Severity: moderate (CVSS 4.5)
  • Reference: GHSA-vhxf-7vqr-mrjg
  • Affected versions: <3.2.4
  • Package usage:
    • node_modules/dompurify

elliptic

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: *
  • Package usage:
    • node_modules/elliptic

eslint-plugin-import

  • Caused by vulnerable dependency:
  • Affected versions: 1.0.0-beta.0 - 2.30.0
  • Package usage:
    • node_modules/eslint-plugin-import

eslint-plugin-promise

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0 - 3.3.1 || 5.0.0 - 6.1.1
  • Package usage:
    • node_modules/eslint-plugin-promise

eslint-plugin-vue

  • Caused by vulnerable dependency:
  • Affected versions: 1.0.0 - 9.24.0
  • Package usage:
    • node_modules/eslint-plugin-vue

express

  • Caused by vulnerable dependency:
  • Affected versions: 2.5.8 - 2.5.11 || 3.2.1 - 3.2.3 || 4.0.0-rc1 - 4.21.2 || 5.0.0-alpha.1 - 5.0.1
  • Package usage:
    • node_modules/express

fast-xml-parser

  • fast-xml-parser has RangeError DoS Numeric Entities Bug
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-37qj-frw5-hhjh
  • Affected versions: 4.3.6 - 5.3.3
  • Package usage:
    • node_modules/fast-xml-parser

floating-vue

  • Caused by vulnerable dependency:
  • Affected versions: <=1.0.0-beta.19
  • Package usage:
    • node_modules/floating-vue

form-data

  • form-data uses unsafe random function in form-data for choosing boundary
  • Severity: critical 🚨
  • Reference: GHSA-fjxv-7rqg-78g4
  • Affected versions: 4.0.0 - 4.0.3
  • Package usage:
    • node_modules/form-data

http-proxy-middleware

  • Denial of service in http-proxy-middleware
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-c7qv-q95q-8v27
  • Affected versions: <=2.0.8
  • Package usage:
    • node_modules/http-proxy-middleware

is-svg

  • Caused by vulnerable dependency:
  • Affected versions: 5.1.0
  • Package usage:
    • node_modules/@nextcloud/files/node_modules/is-svg

js-yaml

  • js-yaml has prototype pollution in merge (<<)
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-mh29-5h37-fv8m
  • Affected versions: <3.14.2 || >=4.0.0 <4.1.1
  • Package usage:
    • node_modules/@eslint/eslintrc/node_modules/js-yaml
    • node_modules/eslint/node_modules/js-yaml
    • node_modules/js-yaml

linkifyjs

  • Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
  • Severity: high
  • Reference: GHSA-95jq-xph2-cx9h
  • Affected versions: <4.3.2
  • Package usage:
    • node_modules/linkifyjs

lodash

  • Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-xxjr-mmjv-4gpg
  • Affected versions: 4.0.0 - 4.17.21
  • Package usage:
    • node_modules/lodash

nanoid

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

node-forge

  • node-forge has ASN.1 Unbounded Recursion
  • Severity: high
  • Reference: GHSA-554w-wpv2-vw27
  • Affected versions: <=1.3.1
  • Package usage:
    • node_modules/node-forge

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: <=3.0.0
  • Package usage:
    • node_modules/node-gettext

on-headers

  • on-headers is vulnerable to http response header manipulation
  • Severity: low (CVSS 3.4)
  • Reference: GHSA-76c9-3jph-rj3q
  • Affected versions: <1.1.0
  • Package usage:
    • node_modules/on-headers

path-to-regexp

  • path-to-regexp contains a ReDoS
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-rhx6-c78j-4q9w
  • Affected versions: <0.1.12
  • Package usage:
    • node_modules/path-to-regexp

pbkdf2

  • pbkdf2 silently disregards Uint8Array input, returning static keys
  • Severity: critical 🚨
  • Reference: GHSA-v62p-rq8g-8h59
  • Affected versions: <=3.1.2
  • Package usage:
    • node_modules/pbkdf2

postcss

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

qs

  • qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-6rw7-vpxm-498p
  • Affected versions: <6.14.1
  • Package usage:
    • node_modules/qs

sha.js

  • sha.js is missing type checks leading to hash rewind and passing on crafted data
  • Severity: critical 🚨 (CVSS 9.1)
  • Reference: GHSA-95m3-7q98-8xr5
  • Affected versions: <=2.4.11
  • Package usage:
    • node_modules/sha.js

tar-fs

  • tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
  • Severity: high
  • Reference: GHSA-vj76-c3g6-qr5v
  • Affected versions: 2.0.0 - 2.1.3
  • Package usage:
    • node_modules/tar-fs

tmp

  • tmp allows arbitrary temporary file / directory write via symbolic link dir parameter
  • Severity: low (CVSS 2.5)
  • Reference: GHSA-52f5-9888-hmc6
  • Affected versions: <=0.2.3
  • Package usage:
    • node_modules/tmp

vue

  • ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
  • Severity: low (CVSS 3.7)
  • Reference: GHSA-5j4c-8p2g-v4jx
  • Affected versions: 2.0.0-alpha.1 - 2.7.16
  • Package usage:
    • node_modules/vue

vue-frag

  • Caused by vulnerable dependency:
  • Affected versions: >=1.3.1
  • Package usage:
    • node_modules/vue-frag

vue-infinite-loading

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-rc.1 - 2.4.5
  • Package usage:
    • node_modules/vue-infinite-loading

vue-loader

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vue2-datepicker

  • Caused by vulnerable dependency:
  • Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
  • Package usage:
    • node_modules/vue2-datepicker

vuex

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

webdav

  • Caused by vulnerable dependency:
  • Affected versions: >=5.7.0
  • Package usage:
    • node_modules/webdav

webpack-dev-server

  • webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-9jgg-88mc-972h
  • Affected versions: <=5.2.0
  • Package usage:
    • node_modules/webpack-dev-server
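The report above is the human-readable rendering of what `npm audit --json` produces. As an added example (not the Nextcloud bot's own script), the following JavaScript triages a raw audit report of that shape: it separates entries that carry their own advisory from those that are only "caused by vulnerable dependency", and classifies each by whether a plain `npm audit fix` can resolve it, whether it needs a semver-major bump (`--force`), or whether no fix is published. `SAMPLE_AUDIT` is a constructed report whose four entries mirror rows above; the `9.0.0` fix version for @nextcloud/vue is hypothetical.

```javascript
// Added example: triage of `npm audit --json` (auditReportVersion 2) output.
// Not the Nextcloud bot's code. SAMPLE_AUDIT is a constructed report whose four
// entries mirror rows of the report above; the @nextcloud/vue fix version is hypothetical.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    dompurify: {
      name: 'dompurify', severity: 'moderate', isDirect: false,
      via: [{ name: 'dompurify', title: 'DOMPurify allows Cross-site Scripting (XSS)',
              url: 'https://github.com/advisories/GHSA-vhxf-7vqr-mrjg', severity: 'moderate', range: '<3.2.4' }],
      effects: ['@nextcloud/vue'], range: '<3.2.4', nodes: ['node_modules/dompurify'], fixAvailable: true,
    },
    '@nextcloud/vue': {
      name: '@nextcloud/vue', severity: 'moderate', isDirect: true,
      via: ['dompurify'],                       // a string here means "Caused by vulnerable dependency"
      effects: [], range: '*', nodes: ['node_modules/@nextcloud/vue'],
      fixAvailable: { name: '@nextcloud/vue', version: '9.0.0', isSemVerMajor: true }, // hypothetical version
    },
    'cross-spawn': {
      name: 'cross-spawn', severity: 'high', isDirect: false,
      via: [{ name: 'cross-spawn', title: 'Regular Expression Denial of Service (ReDoS) in cross-spawn',
              url: 'https://github.com/advisories/GHSA-3xgq-45jj-v275', severity: 'high', range: '7.0.0 - 7.0.4' }],
      effects: [], range: '7.0.0 - 7.0.4', nodes: ['node_modules/cross-spawn'], fixAvailable: true,
    },
    elliptic: {
      name: 'elliptic', severity: 'critical', isDirect: false,
      via: [{ name: 'elliptic', title: "Elliptic's private key extraction in ECDSA upon signing a malformed input",
              url: 'https://github.com/advisories/GHSA-vjh7-7g9h-fjfh', severity: 'critical', range: '*' }],
      effects: [], range: '*', nodes: ['node_modules/elliptic'], fixAvailable: false,
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// fixAvailable is true (plain `npm audit fix` applies it), false (no fix published),
// or an object naming the top-level package to bump; isSemVerMajor means --force is needed.
function fixClass(fixAvailable) {
  if (fixAvailable === true) return 'patch';
  if (fixAvailable === false) return 'none';
  return fixAvailable.isSemVerMajor ? 'major' : 'patch';
}

function classify(report) {
  const rows = Object.entries(report.vulnerabilities).map(([name, v]) => {
    const advisories = v.via.filter((x) => typeof x === 'object'); // this package's own advisories
    const causes = v.via.filter((x) => typeof x === 'string');     // vulnerable packages it depends on
    return {
      name, severity: v.severity, isDirect: v.isDirect,
      kind: advisories.length ? 'advisory' : 'transitive',
      refs: advisories.map((a) => a.url), causedBy: causes,
      fix: fixClass(v.fixAvailable), nodes: v.nodes,
    };
  });
  return rows.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
}

function summarize(report) {
  const s = { total: 0, resolvedByAuditFix: 0, needsForce: 0, noFix: 0, bySeverity: {} };
  for (const r of classify(report)) {
    s.total++;
    if (r.fix === 'patch') s.resolvedByAuditFix++;
    else if (r.fix === 'major') s.needsForce++;
    else s.noFix++;
    s.bySeverity[r.severity] = (s.bySeverity[r.severity] || 0) + 1;
  }
  return s;
}

// Render in the same layout as the bot comment above, plus the fix class per row.
function renderReport(report) {
  const s = summarize(report);
  const lines = [`This audit fix resolves ${s.resolvedByAuditFix} of the total ${s.total} vulnerabilities found in your project.`, ''];
  for (const r of classify(report)) {
    lines.push(r.name);
    if (r.kind === 'advisory') {
      lines.push(`  • Severity: ${r.severity}`);
      r.refs.forEach((ref) => lines.push(`  • Reference: ${ref}`));
    } else {
      lines.push(`  • Caused by vulnerable dependency: ${r.causedBy.join(', ')}`);
    }
    lines.push(`  • Fix: ${r.fix}${r.isDirect ? ' (direct dependency)' : ''}`);
    r.nodes.forEach((n) => lines.push(`    • ${n}`));
    lines.push('');
  }
  return lines.join('\n');
}
```

Run `npm audit --json > audit.json` and pass the parsed file to `renderReport`. Rows classed `major` or `none` are the ones a plain `npm audit fix` leaves behind; `none` rows such as the elliptic entry can only be closed by removing or replacing the dependency.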

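The axios entry above is a case of a client library letting a request's absolute URL override the configured `baseURL`, so credentials configured for the API origin travel to whatever host the URL names. The following is an added illustration of that pattern and of its hardening, not axios's implementation; the client, the hosts and the bearer token are constructed, and `allowAbsoluteUrls` is the name used here for the opt-in.

```javascript
// Added example of the "absolute URL overrides baseURL" hazard. Not axios code:
// a stand-alone resolver that mirrors the legacy behaviour (absolute URL wins)
// and the hardened one (absolute URLs are refused unless the caller opts in).
const ABSOLUTE_URL = /^([a-z][a-z\d+\-.]*:)?\/\//i; // "scheme://..." or protocol-relative "//host/..."

function isAbsoluteUrl(url) {
  return ABSOLUTE_URL.test(url);
}

function buildFullPath(baseURL, requestedURL, { allowAbsoluteUrls = false } = {}) {
  if (!baseURL) return requestedURL;
  if (isAbsoluteUrl(requestedURL)) {
    if (allowAbsoluteUrls) return requestedURL;        // legacy: requested URL silently replaces baseURL
    throw new Error(`absolute URL ${JSON.stringify(requestedURL)} not allowed with baseURL ${baseURL}`);
  }
  return `${baseURL.replace(/\/+$/, '')}/${requestedURL.replace(/^\/+/, '')}`;
}

// Describe where a request would go and whether the client's credentials leave the API origin.
function planRequest(client, requestedURL, options) {
  const full = buildFullPath(client.baseURL, requestedURL, options);
  const base = new URL(client.baseURL);
  const url = new URL(full, base); // resolves protocol-relative "//host" against the base scheme
  const crossOrigin = url.origin !== base.origin;
  return {
    url: url.href,
    crossOrigin,
    // Authorization is attached to every request, so a cross-origin destination receives it.
    credentialLeak: crossOrigin && Boolean(client.headers && client.headers.Authorization),
  };
}

// Build a path from untrusted segments: each segment is percent-encoded, so a value
// like "https://attacker.example" can only ever be a literal path segment, never a URL.
function userPath(...segments) {
  return '/' + segments.map((s) => encodeURIComponent(String(s))).join('/');
}

// Constructed client: one API origin plus a bearer token (hypothetical values).
const client = {
  baseURL: 'https://api.example.com/v1',
  headers: { Authorization: 'Bearer CONSTRUCTED-TOKEN' },
};

function demoRequests() {
  const legacy = { allowAbsoluteUrls: true };
  const out = {};
  out.relative = planRequest(client, '/users/42', legacy);
  out.absolute = planRequest(client, 'https://attacker.example/collect', legacy);
  out.protocolRelative = planRequest(client, '//attacker.example/collect', legacy);
  try {
    planRequest(client, 'https://attacker.example/collect'); // hardened default
    out.hardened = 'allowed';
  } catch (e) {
    out.hardened = 'refused';
  }
  // Untrusted input that looks like a URL stays under the API origin once encoded.
  out.encoded = planRequest(client, userPath('users', 'https://attacker.example/collect'), legacy);
  return out;
}
```

The two defences are independent: refusing absolute URLs at the client protects every caller, and encoding untrusted segments protects the individual call site even on a client that still allows them.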
nextcloud-command added the labels "3. to review" and "dependencies" on Nov 3, 2024
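Four rows of the report above (js-yaml's `<<` merge key, lodash `_.unset`/`_.omit`, node-gettext, linkifyjs) are prototype-pollution findings. The following added example, which is not code from any of those packages, shows the shape of the bug in a recursive merge, a hardened merge, and a probe for `Object.prototype` tampering. The payload is constructed; it is the form such input takes after `JSON.parse` or a YAML merge, an own property literally named `__proto__`.

```javascript
// Added example, not from any package in the audit report above.

// Vulnerable: walks every key of untrusted input and recurses into whatever the
// target already has under that key. target["__proto__"] is Object.prototype,
// so the recursion writes the attacker's properties onto every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened: own keys only, the three dangerous names are refused loudly rather than
// silently dropped, and nested containers get a null prototype so there is nothing to reach.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(existing) ? existing : Object.create(null), value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: a fresh object must not see any of these names through its prototype chain.
function prototypeIsClean(names) {
  const fresh = {};
  return names.every((n) => !(n in fresh));
}

// Constructed attacker payload: an own property named "__proto__" (JSON.parse
// creates a data property, it does not set the prototype).
const PAYLOAD = JSON.parse('{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}');

function demonstrate() {
  const result = {};
  try {
    unsafeMerge({}, PAYLOAD);
    result.unsafePolluted = ({}).isAdmin === true;   // true: every object now answers isAdmin
  } finally {
    delete Object.prototype.isAdmin;                  // undo the damage for the rest of the process
  }
  try {
    safeMerge({}, PAYLOAD);
    result.safeOutcome = 'merged';
  } catch (e) {
    result.safeOutcome = e.message;                   // the forbidden key is reported, not merged
  }
  result.safePolluted = ({}).isAdmin === true;        // false
  // The same data without the attack key merges normally and keeps existing values.
  const clean = safeMerge({ settings: { lang: 'en' } }, { settings: PAYLOAD.settings });
  result.merged = clean.settings;
  result.cleanAfter = prototypeIsClean(['isAdmin']);
  return result;
}
```

Throwing on a forbidden key is deliberate: a merge that quietly skips `__proto__` hides the fact that someone sent it, and the probe is the kind of assertion worth keeping in a test suite that exercises any code path parsing YAML, JSON or query strings from outside.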
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2c72401 to 9a4237c Compare November 10, 2024 03:17
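The tar-fs and tmp rows above are both about a symbolic link redirecting a later write to a location the caller did not intend. The following added example is a general illustration of the checks an extractor needs (normalise before comparing against the destination, and resolve symlinks created earlier in the same archive before deciding where a later entry lands). It is not the tar-fs fix and does not reproduce that package's specific bypass; the destination path and the archive entries are constructed, POSIX-style.

```javascript
// Added example: extraction planning that refuses path and symlink escapes.
// Not tar-fs code; entries are constructed tar-like records { type, name, linkname? }.

function normalize(p) {
  const out = [];
  for (const part of p.split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') out.pop();           // cannot climb above "/"
    else out.push(part);
  }
  return '/' + out.join('/');
}

function join(base, rel) {
  return normalize(`${base}/${rel}`);
}

function dirname(p) {
  const i = p.lastIndexOf('/');
  return i <= 0 ? '/' : p.slice(0, i);
}

// Prefix test on a normalized path. On its own this is the naive check:
// within('/srv/out/../../etc', '/srv/out') is true, which is why normalize() comes first.
function within(p, root) {
  return p === root || p.startsWith(root + '/');
}

// Walk an absolute path one component at a time, substituting any prefix that an
// earlier archive entry turned into a symlink. Bounded so a link cycle cannot spin.
function resolveThroughLinks(p, links, maxHops = 40) {
  let current = p;
  for (let hops = 0; ; hops++) {
    const parts = current.split('/').filter(Boolean);
    let prefix = '';
    let replaced = false;
    for (let i = 0; i < parts.length; i++) {
      prefix += '/' + parts[i];
      if (links.has(prefix)) {
        current = join(links.get(prefix), parts.slice(i + 1).join('/'));
        replaced = true;
        break;
      }
    }
    if (!replaced) return current;
    if (hops >= maxHops) throw new Error('symlink chain too long');
  }
}

// Decide, entry by entry, what the extractor may do. Symlink targets are checked
// relative to where the link really lands, and only accepted links are recorded.
function planExtraction(dest, entries) {
  const root = normalize(dest);
  const links = new Map();                   // absolute symlink path -> absolute, resolved target
  return entries.map((entry) => {
    try {
      const resolved = resolveThroughLinks(join(root, entry.name), links);
      if (!within(resolved, root)) {
        return { name: entry.name, action: 'reject', reason: 'path escapes destination', resolved };
      }
      if (entry.type === 'symlink') {
        const raw = entry.linkname.startsWith('/') ? normalize(entry.linkname) : join(dirname(resolved), entry.linkname);
        const target = resolveThroughLinks(raw, links);
        if (!within(target, root)) {
          return { name: entry.name, action: 'reject', reason: 'symlink target outside destination', target };
        }
        links.set(resolved, target);
      }
      return { name: entry.name, action: 'extract', resolved };
    } catch (e) {
      return { name: entry.name, action: 'reject', reason: e.message };
    }
  });
}

// Constructed archive: a benign file, "../" traversal, an absolute-target link, an absolute
// target that only looks like it is under the destination, an in-tree link, a link to that
// link, a write through the chain, and a relative-target escape.
const SAMPLE_ENTRIES = [
  { type: 'file', name: 'docs/readme.txt' },
  { type: 'file', name: '../../etc/cron.d/evil' },
  { type: 'symlink', name: 'escape', linkname: '/etc' },
  { type: 'symlink', name: 'tricky', linkname: '/srv/out/../../etc' },
  { type: 'symlink', name: 'inside', linkname: 'docs' },
  { type: 'symlink', name: 'inside2', linkname: 'inside' },
  { type: 'file', name: 'inside2/notes.txt' },
  { type: 'symlink', name: 'up', linkname: '../../tmp' },
];

function demoExtraction() {
  return planExtraction('/srv/out', SAMPLE_ENTRIES);
}
```

The `tricky` entry is the reason to normalise before any string comparison: its target starts with the destination path, so a `startsWith` check alone accepts it, yet it resolves to `/etc`. The `inside2/notes.txt` entry shows why accepted links must be remembered: the file is written to `docs/notes.txt`, and the plan reports that real location rather than the claimed one.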
cypress bot commented Nov 10, 2024

Social    Run #1094

Run Properties:  Failed #1094  •  git commit 96eb55faeb: [stable29] Fix npm audit
Project Social
Branch Review automated/noid/stable29-fix-npm-audit
Run status Failed #1094
Run duration 01m 12s
Commit git commit 96eb55faeb: [stable29] Fix npm audit
Committer Nextcloud Command Bot

Test results
Failures 2
Flaky 0
Pending 0 (tests annotated with .skip)
Skipped 0 (tests not run because a mocha hook failed)
Passing 0

Tests for review

Failed  post.cy.ts • 1 failed test • Run E2E
An uncaught error was detected outside of a test

Failed  setup.cy.ts • 1 failed test • Run E2E
An uncaught error was detected outside of a test

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from a90b127 to 375c8db Compare November 24, 2024 03:28
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 43aa7db to 4ceaf17 Compare December 15, 2024 03:39
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 4ceaf17 to 4a7565c Compare December 22, 2024 03:20
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 4a7565c to f8cb049 Compare January 5, 2025 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from f8cb049 to 2c5ce74 Compare January 26, 2025 03:23
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2c5ce74 to 357b03e Compare February 9, 2025 03:22
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 357b03e to a958952 Compare February 16, 2025 03:32
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 77ad596 to 7f1be85 Compare March 2, 2025 03:29
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 7f1be85 to cb4ea2f Compare March 9, 2025 03:07
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from cb4ea2f to 7fd01a4 Compare March 16, 2025 03:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 82ad6e4 to 30eb073 Compare March 30, 2025 03:35
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 30eb073 to c18c0a5 Compare April 6, 2025 03:45
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 8c1736d to 53985dd Compare April 20, 2025 03:33
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 059db52 to c9c848a Compare May 4, 2025 03:49
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from c9c848a to f29bf98 Compare May 11, 2025 03:33
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from f29bf98 to c6da1dc Compare May 18, 2025 03:43
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from c6da1dc to c727036 Compare May 25, 2025 03:51
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 362f9c0 to 1622e45 Compare June 8, 2025 03:56
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 1622e45 to b700e87 Compare June 15, 2025 03:42
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from f77d383 to bac134f Compare July 6, 2025 03:59
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from bac134f to a416f03 Compare July 13, 2025 04:04
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from a416f03 to 0677d4d Compare July 20, 2025 04:06
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 0677d4d to de24058 Compare July 27, 2025 04:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from a65eea0 to 1041a3b Compare August 10, 2025 04:05
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from a0826dc to 9b64994 Compare August 24, 2025 03:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 9b64994 to db99d25 Compare September 7, 2025 03:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from db99d25 to 9a1b8a7 Compare September 14, 2025 03:15
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 59770c9 to 902c239 Compare September 28, 2025 03:21
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 902c239 to 14d50b1 Compare October 5, 2025 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 14d50b1 to 4b83019 Compare October 19, 2025 03:28
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from d9c3066 to a391ab2 Compare November 9, 2025 03:29
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 6de2de9 to 89d3e4b Compare November 23, 2025 03:35
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 89d3e4b to 0a98fda Compare November 30, 2025 03:35
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 48f0909 to 03084f9 Compare December 14, 2025 03:35
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 03084f9 to fc0edfc Compare January 4, 2026 03:36
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 4088a22 to b0b9687 Compare January 18, 2026 03:47
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from b0b9687 to d44b166 Compare January 25, 2026 03:48
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from d44b166 to 983d0c3 Compare February 1, 2026 04:11