[stable27] Fix npm audit

[nextcloud-command]

Audit report

This audit fix resolves 27 of the total 31 vulnerabilities found in your project.

Updated dependencies

• @jimp/core
• @jimp/custom
• @nextcloud/axios
• @nextcloud/dialogs
• @nextcloud/vue
• @testing-library/vue
• @vue/component-compiler-utils
• @vue/test-utils
• axios
• browserify-sign
• create-ecdh
• crypto-browserify
• elliptic
• engine.io
• fast-xml-parser
• load-bmfont
• node-polyfill-webpack-plugin
• node-vibrant
• phin
• postcss
• puppeteer
• puppeteer-core
• select2
• socket.io
• socket.io-adapter
• vue-loader
• ws

Fixed vulnerabilities

@jimp/core #

• Caused by vulnerable dependency:
  • phin
• Affected versions: <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
• Package usage:
  • node_modules/@jimp/core

@jimp/custom #

• Caused by vulnerable dependency:
  • @jimp/core
• Affected versions: <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
• Package usage:
  • node_modules/@jimp/custom

@nextcloud/axios #

• Caused by vulnerable dependency:
  • axios
• Affected versions: <=2.3.0
• Package usage:
  • node_modules/@nextcloud/axios

@nextcloud/dialogs #

• Caused by vulnerable dependency:
  • @nextcloud/vue
• Affected versions: 4.2.0-beta.1 - 4.2.7
• Package usage:
  • node_modules/@nextcloud/dialogs

@nextcloud/vue #

• Caused by vulnerable dependency:
  • @nextcloud/axios
  • node-polyfill-webpack-plugin
• Affected versions: <=6.0.0-beta.8 || 7.6.1 - 8.3.0
• Package usage:
  • node_modules/@nextcloud/vue
  • node_modules/@nextcloud/vue-dashboard/node_modules/@nextcloud/vue

@testing-library/vue #

• Caused by vulnerable dependency:
  • @vue/test-utils
  • vue-template-compiler
• Affected versions: <=5.9.0
• Package usage:
  • node_modules/@testing-library/vue

@vue/component-compiler-utils #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: *
• Package usage:
  • node_modules/@vue/component-compiler-utils

@vue/test-utils #

• Caused by vulnerable dependency:
  • vue-template-compiler
• Affected versions: <=1.3.6
• Package usage:
  • node_modules/@vue/test-utils

axios #

• Axios Cross-Site Request Forgery Vulnerability
• Severity: moderate (CVSS 6.5)
• Reference: GHSA-wf5p-g6vw-rhxx
• Affected versions: 0.8.1 - 0.27.2
• Package usage:
  • node_modules/axios

browserify-sign #

• Caused by vulnerable dependency:
  • elliptic
• Affected versions: >=3.0.2
• Package usage:
  • node_modules/browserify-sign

create-ecdh #

• Caused by vulnerable dependency:
  • elliptic
• Affected versions: >=2.0.1
• Package usage:
  • node_modules/create-ecdh

crypto-browserify #

• Caused by vulnerable dependency:
  • browserify-sign
  • create-ecdh
• Affected versions: >=3.11.0
• Package usage:
  • node_modules/crypto-browserify

elliptic #

• Elliptic's ECDSA missing check for whether leading bit of r and s is zero
• Severity: low (CVSS 5.3)
• Reference: GHSA-977x-g7h5-7qgw
• Affected versions: >=2.0.0
• Package usage:
  • node_modules/elliptic

engine.io #

• Caused by vulnerable dependency:
  • ws
• Affected versions: 0.7.8 - 0.7.9 || 6.0.0 - 6.5.4
• Package usage:
  • node_modules/engine.io

fast-xml-parser #

• fast-xml-parser vulnerable to ReDOS at currency parsing
• Severity: high (CVSS 7.5)
• Reference: GHSA-mpg4-rc92-vx8v
• Affected versions: <4.4.1
• Package usage:
  • node_modules/fast-xml-parser

load-bmfont #

• Caused by vulnerable dependency:
  • phin
• Affected versions: 1.4.0 - 1.4.1
• Package usage:
  • node_modules/load-bmfont

node-polyfill-webpack-plugin #

• Caused by vulnerable dependency:
  • crypto-browserify
• Affected versions: *
• Package usage:
  • node_modules/node-polyfill-webpack-plugin

node-vibrant #

• Caused by vulnerable dependency:
  • @jimp/custom
• Affected versions: 3.1.5 - 3.1.6
• Package usage:
  • node_modules/node-vibrant

phin #

• phin may include sensitive headers in subsequent requests after redirect
• Severity: moderate (CVSS 4.3)
• Reference: GHSA-x565-32qp-m3vf
• Affected versions: <3.7.1
• Package usage:
  • node_modules/phin

postcss #

• PostCSS line return parsing error
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-7fh5-64p2-3v2j
• Affected versions: <8.4.31
• Package usage:
  • node_modules/postcss

puppeteer #

• Caused by vulnerable dependency:
  • puppeteer-core
• Affected versions: 18.2.0 - 22.11.1
• Package usage:
  • node_modules/puppeteer

puppeteer-core #

• Caused by vulnerable dependency:
  • ws
• Affected versions: 11.0.0 - 22.11.1
• Package usage:
  • node_modules/puppeteer-core

select2 #

• Improper Neutralization of Input During Web Page Generation in Select2
• Severity: moderate (CVSS 6.1)
• Reference: GHSA-rf66-hmqf-q3fc
• Affected versions: <4.0.6
• Package usage:
  • node_modules/select2

socket.io #

• socket.io has an unhandled 'error' event
• Severity: high (CVSS 7.3)
• Reference: GHSA-25hc-qcg6-38wj
• Affected versions: 3.0.0 - 4.6.2
• Package usage:
  • node_modules/socket.io

socket.io-adapter #

• Caused by vulnerable dependency:
  • ws
• Affected versions: 2.5.2 - 2.5.4
• Package usage:
  • node_modules/socket.io-adapter

vue-loader #

• Caused by vulnerable dependency:
  • @vue/component-compiler-utils
• Affected versions: 15.0.0-beta.1 - 15.11.1
• Package usage:
  • node_modules/vue-loader

ws #

• ws affected by a DoS when handling a request with many HTTP headers
• Severity: high (CVSS 7.5)
• Reference: GHSA-3h5v-q93c-6h6q
• Affected versions: 8.0.0 - 8.17.0
• Package usage:
  • node_modules/engine.io/node_modules/ws
  • node_modules/socket.io-adapter/node_modules/ws
  • node_modules/ws