Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable30] Fix npm audit #6837

Open
wants to merge 1 commit into
base: stable30
Choose a base branch
from
Open

[stable30] Fix npm audit #6837

wants to merge 1 commit into from
+4,649 −3,713

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Jan 5, 2025
edited
Loading

Audit report

This audit fix resolves 17 of the total 33 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

dompurify #

  • DOMPurify allows Cross-site Scripting (XSS)
  • Severity: moderate (CVSS 4.5)
  • Reference: GHSA-vhxf-7vqr-mrjg
  • Affected versions: <3.2.4
  • Package usage:
    • node_modules/dompurify
    • node_modules/mermaid/node_modules/dompurify

elliptic #

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

katex #

  • KaTeX \htmlData does not validate attribute names
  • Severity: moderate (CVSS 6.3)
  • Reference: GHSA-cg87-wmx4-v546
  • Affected versions: 0.12.0 - 0.16.20
  • Package usage:
    • node_modules/katex

mermaid #

  • Caused by vulnerable dependency:
  • Affected versions: 8.11.1 - 10.3.0 || 10.9.2 - 10.9.3 || 11.3.0 - 11.4.0
  • Package usage:
    • node_modules/mermaid

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

tsx #

  • Caused by vulnerable dependency:
  • Affected versions: 3.13.0 - 4.19.2
  • Package usage:
    • node_modules/tsx

undici #

  • Use of Insufficiently Random Values in undici
  • Severity: moderate (CVSS 6.8)
  • Reference: GHSA-c76h-2ccp-4975
  • Affected versions: 4.5.0 - 5.28.4
  • Package usage:
    • node_modules/undici

vite #

  • Websites were able to send any requests to the development server and read the response in vite
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-vg6x-rcgg-rjx6
  • Affected versions: 0.11.0 - 6.1.1
  • Package usage:
    • node_modules/vite

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-tsc #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jan 5, 2025
@codecov Codecov
Copy link

codecov bot commented Jan 5, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 53.66%. Comparing base (dbd9b91) to head (b32dcac).

Additional details and impacted files 
@@             Coverage Diff              @@
##           stable30    #6837      +/-   ##
============================================
+ Coverage     53.60%   53.66%   +0.06%     
============================================
  Files           116      116              
  Lines          2582     2579       -3     
  Branches        524      527       +3     
============================================
  Hits           1384     1384              
+ Misses         1070     1067       -3     
  Partials        128      128

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 670d9ab to 9690697 Compare January 19, 2025 03:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from a9606db to f057ee3 Compare February 2, 2025 03:19
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from f057ee3 to 106b745 Compare February 9, 2025 03:19
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 106b745 to 2ec9e88 Compare February 16, 2025 03:28
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 2ec9e88 to 1249f00 Compare February 23, 2025 03:30
@max-nextcloud max-nextcloud force-pushed the automated/noid/stable30-fix-npm-audit branch from 1249f00 to d769c2b Compare February 27, 2025 14:25
@nextcloud-command @max-nextcloud
fix(deps): Fix npm audit
b32dcac 
Signed-off-by: GitHub <[email protected]>
Signed-off-by: Max <[email protected]>
@max-nextcloud max-nextcloud force-pushed the automated/noid/stable30-fix-npm-audit branch from d769c2b to b32dcac Compare February 27, 2025 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nextcloud-command