[stable31] Fix npm audit #1874

Merged
artonge merged 1 commit into stable31 from automated/noid/stable31-fix-npm-audit
Mar 6, 2025

Conversation

nextcloud-command (Contributor) commented Feb 2, 2025

Audit report

This audit fix resolves 15 of the total 29 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@testing-library/vue

@vitest/coverage-v8

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-beta.1 - 2.1.8
  • Package usage:
    • node_modules/@vitest/coverage-v8

@vue/test-utils

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

dompurify

  • DOMPurify allows Cross-site Scripting (XSS)
  • Severity: moderate (CVSS 4.5)
  • Reference: GHSA-vhxf-7vqr-mrjg
  • Affected versions: <3.2.4
  • Package usage:
    • node_modules/dompurify

elliptic

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

nanoid

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

vite

  • Websites were able to send any requests to the development server and read the response in vite
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-vg6x-rcgg-rjx6
  • Affected versions: 0.11.0 - 6.1.1
  • Package usage:
    • node_modules/vite

vitest

  • Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
  • Severity: critical 🚨 (CVSS 9.7)
  • Reference: GHSA-9crc-q9x8-hgqq
  • Affected versions: 2.0.0 - 2.1.8
  • Package usage:
    • node_modules/vitest

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-tsc

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

vuex

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex
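A check a reviewer of an automated `npm audit fix` PR usually wants is confirmation that no installed copy of a listed package, including nested duplicates such as `node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n`, still falls inside an affected range. The script below is an added example, not code from the Nextcloud project or from the audit bot: it takes the affected ranges exactly as the report above states them, walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, and reports every path whose version satisfies a range. The lockfile excerpt is constructed for illustration. Two simplifications are assumptions of this example: only the range shapes that appear in the report (`*`, `<x`, `<=x`, `>=x`, `a - b`) are parsed, and prerelease versions are compared by plain semver ordering rather than npm's rule that a prerelease only matches a comparator on the same major.minor.patch, which for an audit check errs toward flagging rather than missing a version.

```javascript
// Added example (not the project's code): flag lockfile entries that fall in
// the affected ranges from the npm audit report. Ranges are copied from the
// report; the sample lockfile below is constructed, not the project's.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null, // prerelease identifiers, e.g. ["beta", "1"]
  };
}

// Semver rule: numeric identifiers compare numerically and sort before alphanumeric ones.
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. A release outranks any of its own prereleases.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.main[i] !== vb.main[i]) return va.main[i] < vb.main[i] ? -1 : 1;
  }
  if (!va.pre && !vb.pre) return 0;
  if (!va.pre) return 1;
  if (!vb.pre) return -1;
  const n = Math.max(va.pre.length, vb.pre.length);
  for (let i = 0; i < n; i++) {
    if (va.pre[i] === undefined) return -1; // shorter prerelease list sorts first
    if (vb.pre[i] === undefined) return 1;
    const c = cmpIdent(va.pre[i], vb.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Range shapes used by the report: "*", "<x", "<=x", ">x", ">=x", inclusive "a - b", bare version.
// Assumption: plain ordering for prereleases (see lead-in), which over-flags rather than under-flags.
function satisfies(version, range) {
  const r = range.trim();
  if (r === '*') return true;
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(r);
  if (hyphen) {
    return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  }
  const op = /^(<=|>=|<|>|=)?\s*(\S+)$/.exec(r);
  if (!op) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, op[2]);
  switch (op[1] || '=') {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// Affected ranges as stated in the audit report above.
const AFFECTED = {
  'dompurify': '<3.2.4',
  'elliptic': '<=6.6.0',
  'nanoid': '<3.3.8',
  'node-gettext': '*',
  'vite': '0.11.0 - 6.1.1',
  'vitest': '2.0.0 - 2.1.8',
  '@vitest/coverage-v8': '2.0.0-beta.1 - 2.1.8',
  '@vue/test-utils': '<=1.3.6',
  '@nextcloud/l10n': '1.1.0 - 3.1.0',
};

// Package name from a lockfile "packages" key is everything after the last "node_modules/",
// so nested duplicates like a/node_modules/b/node_modules/c resolve to "c".
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

// Walk every installed copy in the lockfile and collect those inside an affected range.
function findVulnerable(lock, affected = AFFECTED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // skip root entry and link entries
    const name = nameFromPath(path);
    const range = affected[name];
    if (range && satisfies(entry.version, range)) {
      hits.push({ path, name, version: entry.version, range });
    }
  }
  return hits;
}

// Constructed lockfile excerpt (hypothetical versions, not the project's real lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.1.7' },
    'node_modules/elliptic': { version: '6.6.1' },
    'node_modules/nanoid': { version: '3.3.8' },
    'node_modules/node-gettext': { version: '3.0.0' },
    'node_modules/vitest': { version: '2.1.9' },
    'node_modules/@vitest/coverage-v8': { version: '2.0.0-beta.1' },
    'node_modules/@nextcloud/l10n': { version: '3.2.0' },
    'node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n': { version: '3.1.0' },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version} is inside affected range ${f.range}`);
}
```

On the constructed lockfile this reports four paths: `dompurify` (3.1.7 is below 3.2.4), `node-gettext` (every version is affected, so only removal or a patched fork clears it), `@vitest/coverage-v8` (the prerelease lower bound is inclusive), and the nested `@nextcloud/l10n` under `@nextcloud/moment`, which a top-level-only check would miss even though the top-level copy is already at 3.2.0. Run it against the real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.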

nextcloud-command added the labels "3. to review" and "dependencies" (Pull requests that update a dependency file) on Feb 2, 2025

codecov bot commented Feb 2, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 30.89%. Comparing base (2601dd3) to head (958bd14).
Report is 2 commits behind head on stable31.

Additional details and impacted files
@@             Coverage Diff              @@
##           stable31    #1874      +/-   ##
============================================
- Coverage     31.36%   30.89%   -0.48%     
============================================
  Files            43       43              
  Lines          1629     1615      -14     
  Branches        110      110              
============================================
- Hits            511      499      -12     
+ Misses         1092     1090       -2     
  Partials         26       26              


cypress bot commented Feb 2, 2025

Run #2226: Passed (status check passed)
Commit: 7364199969 [stable31] Fix npm audit
Branch: automated/noid/stable31-fix-npm-audit
Run duration: 03m 55s
Committer: Nextcloud Command Bot

Test results: Failures 0, Flaky 3, Pending 0 (tests annotated with .skip), Skipped 0 (tests not run because a mocha hook failed), Passing 10

nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 96501eb to 4ca7fe0 on February 9, 2025 03:18
nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from d3aa2fc to dc343b0 on February 22, 2025 11:41
nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch 2 times, most recently from e129bf7 to fea8f94 on March 2, 2025 03:29
artonge force-pushed the automated/noid/stable31-fix-npm-audit branch from fea8f94 to 958bd14 on March 6, 2025 09:29
artonge merged commit 8d84641 into stable31 on Mar 6, 2025 (53 of 54 checks passed)
artonge deleted the automated/noid/stable31-fix-npm-audit branch on March 6, 2025 09:42