Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable27] Fix npm audit #45732

Merged
merged 3 commits into from
Jun 14, 2024
Merged

[stable27] Fix npm audit #45732

merged 3 commits into from
Jun 14, 2024

Conversation

nextcloud-command
Copy link
Contributor

Audit report

This audit fix resolves 21 of the total 30 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@adobe/css-tools #

  • @adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
  • Severity: moderate (CVSS 5)
  • Reference: GHSA-prr3-c3m5-p7q2
  • Affected versions: <4.3.2
  • Package usage:
    • node_modules/@adobe/css-tools

@babel/traverse #

  • Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
  • Severity: critical 🚨 (CVSS 9.4)
  • Reference: GHSA-67hx-6x53-jw92
  • Affected versions: <7.23.2
  • Package usage:
    • node_modules/@babel/traverse

@cypress/request #

  • Server-Side Request Forgery in Request
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-p8p7-x288-28g6
  • Affected versions: <=2.88.12
  • Package usage:
    • node_modules/@cypress/request

@jimp/core #

  • Caused by vulnerable dependency:
  • Affected versions: <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
  • Package usage:
    • node_modules/@jimp/core

@jimp/custom #

  • Caused by vulnerable dependency:
  • Affected versions: <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
  • Package usage:
    • node_modules/@jimp/custom

@nextcloud/cypress #

  • Caused by vulnerable dependency:
  • Affected versions:
  • Package usage:
    • node_modules/@nextcloud/cypress

browserify-sign #

  • browserify-sign upper bound check issue in dsaVerify leads to a signature forgery attack
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-x9w5-v3q2-3rhw
  • Affected versions: 2.6.0 - 4.2.1
  • Package usage:
    • node_modules/browserify-sign

cypress #

  • Caused by vulnerable dependency:
  • Affected versions: 4.3.0 - 12.17.4
  • Package usage:
    • node_modules/cypress

ejs #

  • ejs lacks certain pollution protection
  • Severity: moderate
  • Reference: GHSA-ghr5-ch3p-vcr6
  • Affected versions: <3.1.10
  • Package usage:
    • node_modules/ejs

express #

  • Express.js Open Redirect in malformed URLs
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rv95-896h-c2vc
  • Affected versions: <4.19.2
  • Package usage:
    • node_modules/express

follow-redirects #

  • Follow Redirects improperly handles URLs in the url.parse() function
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-jchw-25xp-jwwc
  • Affected versions: <=1.15.5
  • Package usage:
    • node_modules/follow-redirects

load-bmfont #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.4.0
  • Package usage:
    • node_modules/load-bmfont

nextcloud-vue-collections #

  • Caused by vulnerable dependency:
  • Affected versions: 0.6.0 - 0.10.0
  • Package usage:
    • node_modules/nextcloud-vue-collections

node-vibrant #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.5 - 3.1.6
  • Package usage:
    • node_modules/node-vibrant

parse-bmfont-xml #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.1.4
  • Package usage:
    • node_modules/parse-bmfont-xml

phin #

  • phin may include sensitive headers in subsequent requests after redirect
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-x565-32qp-m3vf
  • Affected versions: <3.7.1
  • Package usage:
    • node_modules/phin

select2 #

  • Improper Neutralization of Input During Web Page Generation in Select2
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rf66-hmqf-q3fc
  • Affected versions: <4.0.6
  • Package usage:
    • node_modules/select2

tar #

  • Denial of service while parsing a tar file due to lack of folders count validation
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-f5x3-32g6-xq36
  • Affected versions: <6.2.1
  • Package usage:
    • node_modules/tar

wait-on #

  • Caused by vulnerable dependency:
  • Affected versions: 5.0.0-rc.0 - 7.1.0
  • Package usage:
    • node_modules/wait-on

webpack-dev-middleware #

  • Path traversal in webpack-dev-middleware
  • Severity: high (CVSS 7.4)
  • Reference: GHSA-wr3j-pwj9-hqq6
  • Affected versions: <=5.3.3
  • Package usage:
    • node_modules/webpack-dev-middleware

xml2js #

  • xml2js is vulnerable to prototype pollution
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-776f-qx25-q3cc
  • Affected versions: <0.5.0
  • Package usage:
    • node_modules/xml2js

@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable27-fix-npm-audit branch from 251a504 to fe67ade Compare June 11, 2024 12:11
@AndyScherzinger AndyScherzinger added this to the Nextcloud 27.1.11 milestone Jun 11, 2024
@blizzz blizzz mentioned this pull request Jun 11, 2024
Merged
1 task
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable27-fix-npm-audit branch from fe67ade to 5dddfef Compare June 11, 2024 16:05
@susnux susnux force-pushed the automated/noid/stable27-fix-npm-audit branch 2 times, most recently from 3854a20 to 5b84290 Compare June 11, 2024 20:01
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable27-fix-npm-audit branch from 5b84290 to 26dc8c6 Compare June 12, 2024 07:13
@blizzz
Copy link
Member

blizzz commented Jun 13, 2024

/compile /

@artonge artonge force-pushed the automated/noid/stable27-fix-npm-audit branch 2 times, most recently from 029f787 to 63faa65 Compare June 13, 2024 09:21
@blizzz
Copy link
Member

blizzz commented Jun 13, 2024
edited
Loading

Cypress error:

AssertionError: Timed out retrying after 4000ms: Expected to find element: [data-cy-files-navigation-settings-quota], but never found it.

Related or flaky?

@susnux
Copy link
Contributor

susnux commented Jun 13, 2024

Related or flaky?

sounds flaky

@blizzz
Copy link
Member

blizzz commented Jun 13, 2024

Related or flaky?

sounds flaky

There is a similar failing test with Selenium 🤔 https://drone.nextcloud.com/nextcloud/server/55895/57/4

@susnux susnux force-pushed the automated/noid/stable27-fix-npm-audit branch from 63faa65 to b563edd Compare June 13, 2024 14:03
@AndyScherzinger AndyScherzinger force-pushed the automated/noid/stable27-fix-npm-audit branch 2 times, most recently from e61077c to 0feafef Compare June 13, 2024 16:33
@blizzz
Copy link
Member

blizzz commented Jun 14, 2024

@susnux * │ ✖ Navigation.cy.ts 00:55 9 5 4 - - │* keeps failing

AssertionError: Timed out retrying after 4000ms: Expected to find element: [data-cy-files-navigation-settings-quota], but never found it.

susnux and others added 3 commits June 14, 2024 11:08
@susnux
fix(files): Make navigation reactive again
7d002db 
Signed-off-by: Ferdinand Thiessen <[email protected]>
@nextcloud-command @susnux
fix(deps): Fix npm audit
6899ca2 
Co-authored-by: Ferdinand Thiessen <[email protected]>
Signed-off-by: GitHub <[email protected]>
Signed-off-by: Louis Chemineau <[email protected]>
@susnux
tests: Fix cypress component test import of package for mocking
10b104f 
Signed-off-by: Ferdinand Thiessen <[email protected]>
@susnux susnux force-pushed the automated/noid/stable27-fix-npm-audit branch from 0feafef to 10b104f Compare June 14, 2024 09:16
@susnux
Copy link
Contributor

susnux commented Jun 14, 2024

Seems like the module export changed, so for mocking in the test we need to default import.
Long story short: Fixed.

@blizzz blizzz merged commit 25e1bd4 into stable27 Jun 14, 2024
38 of 40 checks passed
@blizzz blizzz deleted the automated/noid/stable27-fix-npm-audit branch June 14, 2024 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@artonge artonge Awaiting requested review from artonge

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

Assignees
No one assigned
Labels
3. to review Waiting for reviews dependencies
Projects
None yet
Milestone
Nextcloud 27.1.11
Development

Successfully merging this pull request may close these issues.
4 participants
@nextcloud-command @blizzz @susnux @AndyScherzinger