[stable28] Fix npm audit #1104

nextcloud-command · 2024-08-04T03:07:28Z

Audit report

This audit fix resolves 21 of the total 29 vulnerabilities found in your project.

Updated dependencies

@nextcloud/dialogs
@nextcloud/files
@nextcloud/typings
@nextcloud/webpack-vue-config
@vue/component-compiler-utils
axios
body-parser
cookie
dompurify
elliptic
express
http-proxy-middleware
micromatch
path-to-regexp
postcss
send
serve-static
vue-loader
vue-resize
vue-template-compiler
webpack

Fixed vulnerabilities

@nextcloud/dialogs #

Caused by vulnerable dependency:
Affected versions: >=2.0.0
Package usage:
- node_modules/@nextcloud/dialogs

@nextcloud/files #

Caused by vulnerable dependency:
- @nextcloud/l10n
Affected versions: >=1.1.0
Package usage:
- node_modules/@nextcloud/files

@nextcloud/typings #

Caused by vulnerable dependency:
- vue
Affected versions: 1.7.0 - 1.8.0
Package usage:
- node_modules/@nextcloud/typings

@nextcloud/webpack-vue-config #

Caused by vulnerable dependency:
Affected versions: *
Package usage:
- node_modules/@nextcloud/webpack-vue-config

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

axios #

Server-Side Request Forgery in axios
Severity: high
Reference: GHSA-8hc4-vh64-cxmj
Affected versions: 1.3.2 - 1.7.3
Package usage:
- node_modules/axios

body-parser #

body-parser vulnerable to denial of service when url encoding is enabled
Severity: high (CVSS 7.5)
Reference: GHSA-qwcr-r2fm-qrc7
Affected versions: <1.20.3
Package usage:
- node_modules/body-parser

cookie #

cookie accepts cookie name, path, and domain with out of bounds characters
Severity: low
Reference: GHSA-pxg6-pf52-xh8x
Affected versions: <0.7.0
Package usage:
- node_modules/cookie

dompurify #

DOMPurify allows tampering by prototype pollution
Severity: high (CVSS 7)
Reference: GHSA-mmhx-hmjr-r674
Affected versions: 3.0.0 - 3.1.2
Package usage:
- node_modules/dompurify

elliptic #

Elliptic's EDDSA missing signature length check
Severity: low (CVSS 5.3)
Reference: GHSA-f7q4-pwc6-w24p
Affected versions: <=6.5.7
Package usage:
- node_modules/elliptic

express #

express vulnerable to XSS via response.redirect()
Severity: moderate (CVSS 5)
Reference: GHSA-qw6h-vgh9-j6wx
Affected versions: <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
Package usage:
- node_modules/express

http-proxy-middleware #

Denial of service in http-proxy-middleware
Severity: high (CVSS 7.5)
Reference: GHSA-c7qv-q95q-8v27
Affected versions: <2.0.7
Package usage:
- node_modules/http-proxy-middleware

micromatch #

Regular Expression Denial of Service (ReDoS) in micromatch
Severity: moderate (CVSS 5.3)
Reference: GHSA-952p-6rrq-rcjv
Affected versions: <4.0.8
Package usage:
- node_modules/micromatch

path-to-regexp #

path-to-regexp outputs backtracking regular expressions
Severity: high (CVSS 7.5)
Reference: GHSA-9wv6-86v2-598j
Affected versions: <0.1.10
Package usage:
- node_modules/path-to-regexp

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

send #

send vulnerable to template injection that can lead to XSS
Severity: moderate (CVSS 5)
Reference: GHSA-m6fv-jmcg-4jfg
Affected versions: <0.19.0
Package usage:
- node_modules/send

serve-static #

serve-static vulnerable to template injection that can lead to XSS
Severity: moderate (CVSS 5)
Reference: GHSA-cm22-4g7w-348p
Affected versions: <=1.16.0
Package usage:
- node_modules/serve-static

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

vue-resize #

Caused by vulnerable dependency:
- vue
Affected versions: 0.4.0 - 1.0.1
Package usage:
- node_modules/vue-resize

vue-template-compiler #

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
Severity: moderate (CVSS 4.2)
Reference: GHSA-g3ch-rx76-35fx
Affected versions: >=2.0.0
Package usage:
- node_modules/vue-template-compiler

webpack #

Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
Severity: moderate (CVSS 6.4)
Reference: GHSA-4vvj-4cpr-p986
Affected versions: 5.0.0-alpha.0 - 5.93.0
Package usage:
- node_modules/webpack

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Aug 4, 2024

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 1c00ae6 to 5b1432a Compare August 18, 2024 03:03

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 5b1432a to e0fa618 Compare August 25, 2024 03:03

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from e0fa618 to b90659d Compare September 1, 2024 03:29

Pytal approved these changes Sep 3, 2024

View reviewed changes

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 3bed8f0 to 4968735 Compare September 15, 2024 03:21

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 4968735 to bddc11d Compare September 22, 2024 03:28

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from bddc11d to ea5db80 Compare September 29, 2024 03:30

Pytal force-pushed the automated/noid/stable28-fix-npm-audit branch from ea5db80 to 48c2fb5 Compare October 4, 2024 23:51

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from fae4c4e to 174e7e2 Compare October 13, 2024 03:26

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 174e7e2 to 72e69b0 Compare October 20, 2024 03:22

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 471e085 to 8a4c94f Compare November 3, 2024 03:22

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 8a4c94f to 971848a Compare November 10, 2024 03:09

fix(deps): Fix npm audit

f4cbb83

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 971848a to f4cbb83 Compare November 17, 2024 03:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[stable28] Fix npm audit #1104

[stable28] Fix npm audit #1104

nextcloud-command commented Aug 4, 2024 •

edited

Loading

[stable28] Fix npm audit #1104

Are you sure you want to change the base?

[stable28] Fix npm audit #1104

Conversation

nextcloud-command commented Aug 4, 2024 • edited Loading

Audit report

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

@nextcloud/files #

@nextcloud/typings #

@nextcloud/webpack-vue-config #

@vue/component-compiler-utils #

axios #

body-parser #

cookie #

dompurify #

elliptic #

express #

http-proxy-middleware #

micromatch #

path-to-regexp #

postcss #

send #

serve-static #

vue-loader #

vue-resize #

vue-template-compiler #

webpack #

nextcloud-command commented Aug 4, 2024 •

edited

Loading