[stable30] Fix npm audit #2623

nextcloud-command · 2024-08-25T03:16:14Z

Audit report

This audit fix resolves 10 of the total 12 vulnerabilities found in your project.

Updated dependencies

@vue/component-compiler-utils
@vue/test-utils
axios
elliptic
micromatch
postcss
vue-loader
vue-template-compiler
webdav
webpack

Fixed vulnerabilities

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

@vue/test-utils #

Caused by vulnerable dependency:
- vue-template-compiler
Affected versions: <=1.3.6
Package usage:
- node_modules/@vue/test-utils

axios #

Axios Cross-Site Request Forgery Vulnerability
Severity: moderate (CVSS 6.5)
Reference: GHSA-wf5p-g6vw-rhxx
Affected versions: 0.8.1 - 0.27.2 || 1.3.2 - 1.7.3
Package usage:
- node_modules/@nextcloud/axios/node_modules/axios
- node_modules/axios
- node_modules/wait-on/node_modules/axios

elliptic #

Elliptic's EDDSA missing signature length check
Severity: low (CVSS 5.3)
Reference: GHSA-f7q4-pwc6-w24p
Affected versions: 2.0.0 - 6.5.6
Package usage:
- node_modules/elliptic

micromatch #

Regular Expression Denial of Service (ReDoS) in micromatch
Severity: moderate (CVSS 5.3)
Reference: GHSA-952p-6rrq-rcjv
Affected versions: <4.0.8
Package usage:
- node_modules/micromatch

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

vue-template-compiler #

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
Severity: moderate (CVSS 4.2)
Reference: GHSA-g3ch-rx76-35fx
Affected versions: >=2.0.0
Package usage:
- node_modules/vue-template-compiler

webdav #

Caused by vulnerable dependency:
- axios
Affected versions: 2.0.0-rc1 - 4.11.3
Package usage:
- node_modules/webdav

webpack #

Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
Severity: moderate (CVSS 6.4)
Reference: GHSA-4vvj-4cpr-p986
Affected versions: <5.94.0
Package usage:
- node_modules/webpack

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command added 3. to review Waiting for reviews dependencies Pull requests that update a dependency file labels Aug 25, 2024

artonge approved these changes Aug 26, 2024

View reviewed changes

fix(deps): Fix npm audit

b34eef2

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 41d520b to b34eef2 Compare September 1, 2024 03:37

artonge approved these changes Sep 2, 2024

View reviewed changes

AndyScherzinger merged commit 8cc7c60 into stable30 Sep 2, 2024
46 of 47 checks passed

AndyScherzinger deleted the automated/noid/stable30-fix-npm-audit branch September 2, 2024 16:28

AndyScherzinger added this to the Nextcloud 30 milestone Sep 2, 2024

blizzz mentioned this pull request Sep 4, 2024

30.0.0 RC4 nextcloud/server#47757

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[stable30] Fix npm audit #2623

[stable30] Fix npm audit #2623

nextcloud-command commented Aug 25, 2024 •

edited

Loading

[stable30] Fix npm audit #2623

[stable30] Fix npm audit #2623

Conversation

nextcloud-command commented Aug 25, 2024 • edited Loading

Audit report

Updated dependencies

Fixed vulnerabilities

@vue/component-compiler-utils #

@vue/test-utils #

axios #

elliptic #

micromatch #

postcss #

vue-loader #

vue-template-compiler #

webdav #

webpack #

nextcloud-command commented Aug 25, 2024 •

edited

Loading