[stable31] Fix npm audit#2846

Merged: artonge merged 1 commit into stable31 from automated/noid/stable31-fix-npm-audit on Mar 3, 2025

Conversation

@nextcloud-command (Contributor)

Audit report

This audit fix resolves 20 of the total 30 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/moment

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/upload

@nextcloud/webpack-vue-config

@vue/component-compiler-utils

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

@vue/test-utils

  • Caused by vulnerable dependency:
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios

  • Axios Cross-Site Request Forgery Vulnerability
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-wf5p-g6vw-rhxx
  • Affected versions: 0.8.1 - 0.27.2
  • Package usage:
    • node_modules/axios

elliptic

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical 🚨
  • Reference: GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

node-gettext

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

postcss

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

rollup-plugin-terser

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0 || >=4.0.4
  • Package usage:
    • node_modules/rollup-plugin-terser

serialize-javascript

  • Cross-site Scripting (XSS) in serialize-javascript
  • Severity: moderate (CVSS 5.4)
  • Reference: GHSA-76p7-773f-r4q5
  • Affected versions: <6.0.2
  • Package usage:
    • node_modules/serialize-javascript

vue-loader

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vuex

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

webdav

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-rc1 - 4.11.4
  • Package usage:
    • node_modules/webdav

workbox-build

  • Caused by vulnerable dependency:
  • Affected versions: 5.0.0-alpha.0 - 7.0.0
  • Package usage:
    • node_modules/workbox-build

workbox-webpack-plugin

  • Caused by vulnerable dependency:
  • Affected versions: 5.0.0-alpha.0 - 7.0.0
  • Package usage:
    • node_modules/workbox-webpack-plugin

nextcloud-command added the labels "3. to review" (Waiting for reviews) and "dependencies" (Pull requests that update a dependency file) on Mar 2, 2025
artonge enabled auto-merge on March 3, 2025 at 12:09
artonge merged commit fbae917 into stable31 on Mar 3, 2025
43 checks passed
artonge deleted the automated/noid/stable31-fix-npm-audit branch on March 3, 2025 at 12:23
blizzz mentioned this pull request on Mar 4, 2025
