Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable31] Fix npm audit #50840

Open
wants to merge 1 commit into
base: stable31
Choose a base branch
from
Open

[stable31] Fix npm audit #50840

wants to merge 1 commit into from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Feb 16, 2025
edited
Loading

Audit report

This audit fix resolves 27 of the total 38 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@chenfengyuan/vue-qrcode #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.0.2
  • Package usage:
    • node_modules/@chenfengyuan/vue-qrcode

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/password-confirmation #

@nextcloud/upload #

@nextcloud/webpack-vue-config #

@testing-library/vue #

@vitest/coverage-v8 #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.2.0-beta.2
  • Package usage:
    • node_modules/@vitest/coverage-v8

@vitest/mocker #

  • Caused by vulnerable dependency:
  • Affected versions: <=3.0.0-beta.4
  • Package usage:
    • node_modules/@vitest/mocker

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

@vue/test-utils #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

elliptic #

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

esbuild #

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild
    • node_modules/tsx/node_modules/esbuild

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

select2 #

  • Improper Neutralization of Input During Web Page Generation in Select2
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rf66-hmqf-q3fc
  • Affected versions: <4.0.6
  • Package usage:
    • node_modules/select2

tsx #

  • Caused by vulnerable dependency:
  • Affected versions: 3.13.0 - 4.19.2
  • Package usage:
    • node_modules/tsx

v-tooltip #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-beta.1 - 4.0.0-beta.0
  • Package usage:
    • node_modules/v-tooltip

vite #

  • Caused by vulnerable dependency:
  • Affected versions: 0.11.0 - 6.1.1
  • Package usage:
    • node_modules/vite

vite-node #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.2.0-beta.2
  • Package usage:
    • node_modules/vite-node

vitest #

  • Caused by vulnerable dependency:
  • Affected versions: 0.0.1 - 0.0.12 || 0.0.29 - 0.0.122 || 0.3.3 - 3.0.0-beta.4
  • Package usage:
    • node_modules/vitest

vue-infinite-loading #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-rc.1 - 2.4.5
  • Package usage:
    • node_modules/vue-infinite-loading

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@solracsf solracsf added this to the Nextcloud 31 milestone Feb 16, 2025
@Altahrim Altahrim mentioned this pull request Feb 20, 2025
Merged
5 tasks
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 004b03c to f3e4fd0 Compare February 23, 2025 02:48
@blizzz blizzz mentioned this pull request Feb 24, 2025
Merged
@blizzz blizzz modified the milestones: Nextcloud 31, Nextcloud 31.0.1 Feb 24, 2025
@blizzz blizzz mentioned this pull request Feb 24, 2025
Merged
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from f3e4fd0 to 3f32768 Compare March 2, 2025 02:51
@blizzz blizzz mentioned this pull request Mar 4, 2025
Open
3 tasks
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 3f32768 to 24c44af Compare March 4, 2025 20:55
@AndyScherzinger AndyScherzinger requested a review from susnux March 4, 2025 21:05
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 24c44af to 4bc5dfe Compare March 4, 2025 23:03
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 4bc5dfe to 25516e5 Compare March 5, 2025 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@susnux susnux Awaiting requested review from susnux

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
3. to review Waiting for reviews dependencies
Projects
None yet
Milestone
Nextcloud 31.0.1
Development

Successfully merging this pull request may close these issues.
3 participants
@nextcloud-command @blizzz @solracsf