[stable29] Fix npm audit#833

Merged
come-nc merged 1 commit into stable29 from automated/noid/stable29-fix-npm-audit
Nov 25, 2024
Conversation

@nextcloud-command (Contributor) commented Sep 15, 2024

Audit report

This audit fix resolves 15 of the total 24 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

@nextcloud/files

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/typings

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0 - 1.8.0
  • Package usage:
    • node_modules/@nextcloud/typings

@nextcloud/vite-config

@vitejs/plugin-vue2

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

@vue/language-core

  • Caused by vulnerable dependency:
  • Affected versions: <=2.0.28
  • Package usage:
    • node_modules/@vue/language-core

cross-spawn

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

dompurify

  • DOMPurify allows tampering by prototype pollution
  • Severity: high (CVSS 7)
  • Reference: GHSA-mmhx-hmjr-r674
  • Affected versions: 3.0.0 - 3.1.2
  • Package usage:
    • node_modules/dompurify

elliptic

  • Valid ECDSA signatures erroneously rejected in Elliptic
  • Severity: low (CVSS 4.8)
  • Reference: GHSA-fc9h-whq2-v747
  • Affected versions: <6.6.0
  • Package usage:
    • node_modules/elliptic

rollup

  • DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  • Severity: high (CVSS 6.4)
  • Reference: GHSA-gcx4-mw62-g8wm
  • Affected versions: 4.0.0 - 4.22.3
  • Package usage:
    • node_modules/rollup

vite

  • Vite's server.fs.deny is bypassed when using ?import&raw
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-9cwx-2883-4wfx
  • Affected versions: 5.2.0 - 5.2.13
  • Package usage:
    • node_modules/vite

vite-plugin-dts

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0-beta.1 - 4.0.0-beta.2
  • Package usage:
    • node_modules/vite-plugin-dts

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vue-tsc

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

@nextcloud-command nextcloud-command added labels "3. to review" and "dependencies" (Pull requests that update a dependency file) Sep 15, 2024
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 7cc1687 to 3e464ef September 22, 2024 03:30
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 3e464ef to a566e04 September 29, 2024 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 79c6109 to f17af6c October 13, 2024 03:28
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from f17af6c to 3055c2d October 20, 2024 03:22
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from d6e7fec to ae0ca1b November 3, 2024 03:26
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from ae0ca1b to 9d5697e November 10, 2024 03:12
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 9d5697e to 338b3f4 November 17, 2024 03:23
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 338b3f4 to 350bf64 November 24, 2024 03:27
@come-nc come-nc merged commit 2cdb5bd into stable29 Nov 25, 2024
@come-nc come-nc deleted the automated/noid/stable29-fix-npm-audit branch November 25, 2024 13:45