Skip to content

[stable31] Fix npm audit #1164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: stable31
Choose a base branch
from
Open

[stable31] Fix npm audit #1164

wants to merge 1 commit into from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Jan 26, 2025
edited
Loading

Audit report

This audit fix resolves 20 of the total 27 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/helpers

@babel/runtime #

  • Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/runtime

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.3.0
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/webpack-vue-config #

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

axios #

  • axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
  • Severity: high
  • Reference: GHSA-jr5f-v2jv-69x6
  • Affected versions: 1.0.0 - 1.8.1
  • Package usage:
    • node_modules/axios

cookie #

  • cookie accepts cookie name, path, and domain with out of bounds characters
  • Severity: low
  • Reference: GHSA-pxg6-pf52-xh8x
  • Affected versions: <0.7.0
  • Package usage:
    • node_modules/cookie

dompurify #

  • DOMPurify allows Cross-site Scripting (XSS)
  • Severity: moderate (CVSS 4.5)
  • Reference: GHSA-vhxf-7vqr-mrjg
  • Affected versions: <3.2.4
  • Package usage:
    • node_modules/dompurify

elliptic #

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

express #

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0-alpha1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0
  • Package usage:
    • node_modules/express

http-proxy-middleware #

  • Denial of service in http-proxy-middleware
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-c7qv-q95q-8v27
  • Affected versions: <=2.0.8
  • Package usage:
    • node_modules/http-proxy-middleware

nanoid #

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

path-to-regexp #

  • path-to-regexp contains a ReDoS
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-rhx6-c78j-4q9w
  • Affected versions: <0.1.12
  • Package usage:
    • node_modules/path-to-regexp

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

webpack-dev-server #

  • webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-9jgg-88mc-972h
  • Affected versions: <=5.2.0
  • Package usage:
    • node_modules/webpack-dev-server

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jan 26, 2025
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 6249dc8 to a1779f9 Compare February 9, 2025 03:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from a1779f9 to 98fbb39 Compare February 16, 2025 03:26
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from e1b9743 to 8adebc2 Compare March 2, 2025 03:26
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 8adebc2 to 113d77b Compare March 9, 2025 02:57
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 113d77b to a13b01c Compare March 16, 2025 03:24
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from a13b01c to 2402808 Compare March 23, 2025 03:30
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 1436008 to f229587 Compare April 6, 2025 03:22
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from 3295db6 to 6de1c09 Compare April 20, 2025 03:31
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 6de1c09 to c5fe8dc Compare April 27, 2025 03:32
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from c5fe8dc to 27c7616 Compare May 4, 2025 03:39
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 27c7616 to c00498d Compare May 11, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from c00498d to 30f680c Compare May 18, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 30f680c to 7deebcf Compare May 25, 2025 03:42
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 7deebcf to c939263 Compare June 1, 2025 03:49
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from c939263 to 0305053 Compare June 8, 2025 03:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nextcloud-command