[stable29] Fix npm audit #1710

Open · wants to merge 1 commit into stable29 from automated/noid/stable29-fix-npm-audit
Conversation

@nextcloud-command (Contributor) commented Jun 16, 2024

Audit report

This audit fix resolves 17 of the total 21 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

@nextcloud/files

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/moment

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/vue

  • Caused by vulnerable dependency:
  • Affected versions: >=1.4.0
  • Package usage:
    • node_modules/@nextcloud/vue

@testing-library/vue

@vue/test-utils

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

braces

  • Uncontrolled resource consumption in braces
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-grv7-fg5c-xmjg
  • Affected versions: <3.0.3
  • Package usage:
    • node_modules/braces

dompurify

  • DOMPurify allows tampering by prototype pollution
  • Severity: high (CVSS 7)
  • Reference: GHSA-mmhx-hmjr-r674
  • Affected versions: 3.0.0 - 3.1.2
  • Package usage:
    • node_modules/dompurify

elliptic

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: 2.0.0 - 6.5.6
  • Package usage:
    • node_modules/elliptic

fast-xml-parser

  • fast-xml-parser vulnerable to ReDOS at currency parsing
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-mpg4-rc92-vx8v
  • Affected versions: <4.4.1
  • Package usage:
    • node_modules/fast-xml-parser

micromatch

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: moderate (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

rollup

  • DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  • Severity: high (CVSS 6.4)
  • Reference: GHSA-gcx4-mw62-g8wm
  • Affected versions: 4.0.0 - 4.22.3
  • Package usage:
    • node_modules/rollup

vite

  • Vite's server.fs.deny is bypassed when using ?import&raw
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-9cwx-2883-4wfx
  • Affected versions: 5.2.0 - 5.2.13
  • Package usage:
    • node_modules/vite

vue-tsc

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jun 16, 2024

cypress bot commented Jun 16, 2024

Project: Activity · Run #2008

Run Properties:
Status: Failed #2008
Branch: automated/noid/stable29-fix-npm-audit
Run duration: 02m 58s
Commit: 4ee61fb486: [stable29] Fix npm audit
Committer: Nextcloud Command Bot

Test results:
Failures: 2
Flaky: 1
Pending (tests skipped with .skip): 0
Skipped (tests not run due to a failure in a mocha hook): 0
Passing: 8

Tests for review

Failed  cypress/e2e/sidebar.cy.ts • 2 failed tests • Run E2E


Test Artifacts
Check activity listing in the sidebar > Has rename activity
Check activity listing in the sidebar > Has tag activity
Flakiness  cypress/e2e/sidebar.cy.ts • 1 flaky test • Run E2E


Test Artifacts
Check activity listing in the sidebar > Has comment activity

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from e759092 to 17bffc5 Compare July 7, 2024 03:12
@AndyScherzinger (Member) commented:

/compile /

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 42f8bbd to 46c0797 Compare July 21, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 46c0797 to af3281e Compare July 28, 2024 03:23
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from af3281e to 3af5d73 Compare August 1, 2024 10:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 3af5d73 to 45ed8aa Compare August 4, 2024 03:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 6f50e64 to a07ed32 Compare August 18, 2024 03:09
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from a07ed32 to 890bead Compare August 25, 2024 03:07
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 890bead to 7f2680d Compare September 1, 2024 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 2debb88 to df662e7 Compare September 8, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from df662e7 to b0a2e5c Compare September 15, 2024 03:23
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable29-fix-npm-audit branch from b0a2e5c to 77a59d7 Compare September 21, 2024 07:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 77a59d7 to f77ec31 Compare September 22, 2024 03:31
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable29-fix-npm-audit branch from f77ec31 to 56d4bd4 Compare September 24, 2024 10:11
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 56d4bd4 to 24a892f Compare September 29, 2024 03:34