Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable28] Fix npm audit #3221

Merged
merged 1 commit into from
Sep 16, 2024
Merged

[stable28] Fix npm audit #3221

merged 1 commit into from
Sep 16, 2024

Conversation

nextcloud-command
Copy link
Contributor

Audit report

This audit fix resolves 12 of the total 14 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/files #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/vue #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.4.0
  • Package usage:
    • node_modules/@nextcloud/vue

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

body-parser #

  • body-parser vulnerable to denial of service when url encoding is enabled
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-qwcr-r2fm-qrc7
  • Affected versions: <1.20.3
  • Package usage:
    • node_modules/body-parser

express #

  • express vulnerable to XSS via response.redirect()
  • Severity: moderate (CVSS 5)
  • Reference: GHSA-qw6h-vgh9-j6wx
  • Affected versions: <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  • Package usage:
    • node_modules/express

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: moderate (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

path-to-regexp #

  • path-to-regexp outputs backtracking regular expressions
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-9wv6-86v2-598j
  • Affected versions: <0.1.10
  • Package usage:
    • node_modules/path-to-regexp

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

send #

  • send vulnerable to template injection that can lead to XSS
  • Severity: moderate (CVSS 5)
  • Reference: GHSA-m6fv-jmcg-4jfg
  • Affected versions: <0.19.0
  • Package usage:
    • node_modules/send

serve-static #

  • serve-static vulnerable to template injection that can lead to XSS
  • Severity: moderate (CVSS 5)
  • Reference: GHSA-cm22-4g7w-348p
  • Affected versions: <=1.16.0
  • Package usage:
    • node_modules/serve-static

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

@nextcloud-command nextcloud-command added 3. to review Items that need to be reviewed dependencies labels Sep 15, 2024
@susnux
Copy link
Contributor

susnux commented Sep 15, 2024

/compile

@provokateurin
Copy link
Member

Compile workflow is not available in this repo, but we also don't commit the js files, so it isn't necessary anyway.

@provokateurin provokateurin force-pushed the automated/noid/stable28-fix-npm-audit branch from ed7f72c to 3e213c8 Compare September 16, 2024 07:51
@nextcloud-command @provokateurin
fix(deps): Fix npm audit
d59ce00 
Signed-off-by: GitHub <[email protected]>
Signed-off-by: provokateurin <[email protected]>
@provokateurin provokateurin force-pushed the automated/noid/stable28-fix-npm-audit branch from 3e213c8 to d59ce00 Compare September 16, 2024 07:51
@provokateurin provokateurin merged commit 73395e4 into stable28 Sep 16, 2024
39 checks passed
@provokateurin provokateurin deleted the automated/noid/stable28-fix-npm-audit branch September 16, 2024 07:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@provokateurin provokateurin provokateurin approved these changes

@susnux susnux susnux approved these changes

Assignees
No one assigned
Labels
3. to review Items that need to be reviewed dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nextcloud-command @susnux @provokateurin