Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[master] Fix npm audit #48815

Merged
merged 1 commit into from
Jan 26, 2025
Merged

[master] Fix npm audit #48815

merged 1 commit into from
Jan 26, 2025

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Oct 20, 2024
edited
Loading

Audit report

This audit fix resolves 22 of the total 35 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@chenfengyuan/vue-qrcode #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.0.2
  • Package usage:
    • node_modules/@chenfengyuan/vue-qrcode

@nextcloud/dialogs #

@nextcloud/files #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/password-confirmation #

@nextcloud/upload #

@nextcloud/webpack-vue-config #

@testing-library/vue #

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

cross-spawn #

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

express #

  • Caused by vulnerable dependency:
  • Affected versions: 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
  • Package usage:
    • node_modules/express

path-to-regexp #

  • path-to-regexp outputs backtracking regular expressions
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-9wv6-86v2-598j
  • Affected versions: <0.1.12 || >=0.2.0 <1.9.0
  • Package usage:
    • node_modules/express/node_modules/path-to-regexp
    • node_modules/path-to-regexp

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

rollup #

  • DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  • Severity: high (CVSS 6.4)
  • Reference: GHSA-gcx4-mw62-g8wm
  • Affected versions: 4.0.0 - 4.22.3
  • Package usage:
    • node_modules/vite/node_modules/rollup

select2 #

  • Improper Neutralization of Input During Web Page Generation in Select2
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rf66-hmqf-q3fc
  • Affected versions: <4.0.6
  • Package usage:
    • node_modules/select2

v-tooltip #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-beta.1 - 4.0.0-beta.0
  • Package usage:
    • node_modules/v-tooltip

vue-infinite-loading #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-rc.1 - 2.4.5
  • Package usage:
    • node_modules/vue-infinite-loading

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 92fce6d to 9e292b3 Compare October 27, 2024 02:51
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 48e1650 to e6be1b4 Compare November 10, 2024 02:48
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 1494e0f to beef11e Compare November 17, 2024 02:56
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 01acff8 to bc7bb49 Compare November 24, 2024 02:55
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 8c61794 to 3c713b0 Compare December 8, 2024 03:00
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 27d4953 to 63838d4 Compare December 22, 2024 02:49
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 1138bba to 86d9faf Compare January 5, 2025 02:49
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 78c3165 to cafad17 Compare January 19, 2025 02:47
@nextcloud-command nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from cafad17 to 93e6394 Compare January 26, 2025 02:47
@provokateurin provokateurin merged commit 6b6401f into master Jan 26, 2025
121 checks passed
@provokateurin provokateurin deleted the automated/noid/master-fix-npm-audit branch January 26, 2025 11:11
@AndyScherzinger AndyScherzinger added this to the Nextcloud 32 milestone Jan 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AndyScherzinger AndyScherzinger AndyScherzinger approved these changes

@provokateurin provokateurin provokateurin approved these changes

Assignees
No one assigned
Labels
3. to review Waiting for reviews dependencies
Projects
None yet
Milestone
Nextcloud 32
Development

Successfully merging this pull request may close these issues.
3 participants
@nextcloud-command @AndyScherzinger @provokateurin