Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[stable28] Fix npm audit #1705

Open
wants to merge 1 commit into
base: stable28
Choose a base branch
from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Jun 9, 2024

Audit report

This audit fix resolves 20 of the total 29 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

@nextcloud/files #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/vite-config #

@testing-library/vue #

@vitejs/plugin-vue2 #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

@vue/language-core #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.0.28
  • Package usage:
    • node_modules/@vue/language-core

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios #

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

braces #

  • Uncontrolled resource consumption in braces
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-grv7-fg5c-xmjg
  • Affected versions: <3.0.3
  • Package usage:
    • node_modules/braces

elliptic #

  • Valid ECDSA signatures erroneously rejected in Elliptic
  • Severity: low (CVSS 4.8)
  • Reference: GHSA-fc9h-whq2-v747
  • Affected versions: <6.6.0
  • Package usage:
    • node_modules/elliptic

happy-dom #

  • happy-dom allows for server side code to be executed by a <script> tag
  • Severity: critical 🚨
  • Reference: GHSA-96g7-g7g9-jxw8
  • Affected versions: <15.10.2
  • Package usage:
    • node_modules/happy-dom

micromatch #

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

rollup #

  • DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  • Severity: high (CVSS 6.4)
  • Reference: GHSA-gcx4-mw62-g8wm
  • Affected versions: 4.0.0 - 4.22.3
  • Package usage:
    • node_modules/rollup

vite #

  • Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
  • Severity: moderate (CVSS 6.4)
  • Reference: GHSA-64vr-g452-qvp3
  • Affected versions: 5.4.0 - 5.4.5
  • Package usage:
    • node_modules/vite

vite-plugin-dts #

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0-beta.1 - 4.0.0-beta.2
  • Package usage:
    • node_modules/vite-plugin-dts

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vue-tsc #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jun 9, 2024
Copy link

cypress bot commented Jun 9, 2024

Activity    Run #2106

Run Properties:  status check passed Passed #2106  •  git commit e30b200d13: [stable28] Fix npm audit
Project Activity
Branch Review automated/noid/stable28-fix-npm-audit
Run status status check passed Passed #2106
Run duration 01m 39s
Commit git commit e30b200d13: [stable28] Fix npm audit
Committer Nextcloud Command Bot
View all properties for this run ↗︎

Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 3
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 7
View all changes introduced in this branch ↗︎

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 12964f0 to 0f39303 Compare June 16, 2024 03:16
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 4610c02 to 05a724a Compare July 7, 2024 03:12
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 10eb38b to 0696650 Compare July 21, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 6a4996b to bc1008c Compare August 1, 2024 10:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 8956d8d to 04bad77 Compare August 18, 2024 03:06
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 04bad77 to b1a1ef7 Compare August 25, 2024 03:04
@susnux susnux force-pushed the automated/noid/stable28-fix-npm-audit branch from b1a1ef7 to b0e7536 Compare August 25, 2024 23:01
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 46685e3 to 54602e7 Compare September 3, 2024 15:15
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 9c3b2c9 to 739a80b Compare September 15, 2024 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 739a80b to 295a56a Compare September 22, 2024 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 295a56a to 78e99a7 Compare September 29, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 78e99a7 to d7fc974 Compare October 6, 2024 03:40
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from d7fc974 to e1e27a7 Compare October 13, 2024 03:29
@miaulalala miaulalala force-pushed the automated/noid/stable28-fix-npm-audit branch from e1e27a7 to f596b42 Compare October 14, 2024 08:33
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from f596b42 to ddea987 Compare October 20, 2024 03:25
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 9c51644 to 904e426 Compare November 3, 2024 03:27
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 904e426 to 50a467e Compare November 10, 2024 03:11
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 50a467e to 21b511a Compare November 17, 2024 03:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants