Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable28] Fix npm audit #47019

Merged
merged 1 commit into from
Aug 21, 2024
Merged

[stable28] Fix npm audit #47019

merged 1 commit into from
Aug 21, 2024

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Aug 4, 2024
edited
Loading

Audit report

This audit fix resolves 17 of the total 19 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@jimp/core #

  • Caused by vulnerable dependency:
  • Affected versions: <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
  • Package usage:
    • node_modules/@jimp/core

@jimp/custom #

  • Caused by vulnerable dependency:
  • Affected versions: <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
  • Package usage:
    • node_modules/@jimp/custom

@testing-library/vue #

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios #

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

elliptic #

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: 2.0.0 - 6.5.6
  • Package usage:
    • node_modules/elliptic

fast-xml-parser #

  • fast-xml-parser vulnerable to ReDOS at currency parsing
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-mpg4-rc92-vx8v
  • Affected versions: <4.4.1
  • Package usage:
    • node_modules/fast-xml-parser

node-vibrant #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.5 - 3.1.6
  • Package usage:
    • node_modules/node-vibrant

phin #

  • phin may include sensitive headers in subsequent requests after redirect
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-x565-32qp-m3vf
  • Affected versions: <3.7.1
  • Package usage:
    • node_modules/phin

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

puppeteer #

  • Caused by vulnerable dependency:
  • Affected versions: 18.2.0 - 22.11.1
  • Package usage:
    • node_modules/puppeteer

puppeteer-core #

  • Caused by vulnerable dependency:
  • Affected versions: 11.0.0 - 22.11.1
  • Package usage:
    • node_modules/puppeteer-core

select2 #

  • Improper Neutralization of Input During Web Page Generation in Select2
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rf66-hmqf-q3fc
  • Affected versions: <4.0.6
  • Package usage:
    • node_modules/select2

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

ws #

  • ws affected by a DoS when handling a request with many HTTP headers
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3h5v-q93c-6h6q
  • Affected versions: 8.0.0 - 8.17.0
  • Package usage:
    • node_modules/ws

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 9c34917 to f440823 Compare August 7, 2024 13:51
@AndyScherzinger AndyScherzinger added this to the Nextcloud 28.0.9 milestone Aug 8, 2024
@Altahrim Altahrim mentioned this pull request Aug 8, 2024
Merged
3 tasks
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from f440823 to f41966f Compare August 11, 2024 02:58
@sorbaugh sorbaugh requested a review from skjnldsv August 13, 2024 09:55
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from f41966f to e42597a Compare August 18, 2024 02:59
@skjnldsv skjnldsv added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Aug 18, 2024
@skjnldsv skjnldsv mentioned this pull request Aug 20, 2024
Merged
12 tasks
@nextcloud-command
fix(deps): Fix npm audit
4727e25 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command added the 3. to review Waiting for reviews label Aug 21, 2024
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from e42597a to 4727e25 Compare August 21, 2024 12:23
@skjnldsv skjnldsv merged commit 93916b8 into stable28 Aug 21, 2024
47 checks passed
@skjnldsv skjnldsv deleted the automated/noid/stable28-fix-npm-audit branch August 21, 2024 17:08
@blizzz blizzz mentioned this pull request Sep 4, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skjnldsv skjnldsv skjnldsv approved these changes

Assignees
No one assigned
Labels
3. to review Waiting for reviews 4. to release Ready to be released and/or waiting for tests to finish dependencies
Projects
None yet
Milestone
Nextcloud 28.0.10
Development

Successfully merging this pull request may close these issues.
3 participants
@nextcloud-command @skjnldsv @AndyScherzinger