[stable29] Fix npm audit #1946

nextcloud-command · 2024-11-03T03:28:29Z

Audit report

This audit fix resolves 43 of the total 45 vulnerabilities found in your project.

Updated dependencies

@babel/helpers
@babel/runtime
@nextcloud/dialogs
@nextcloud/files
@nextcloud/l10n
@nextcloud/moment
@nextcloud/vue
@nextcloud/vue-select
@nextcloud/webpack-vue-config
@vue/component-compiler-utils
axios
brace-expansion
cipher-base
compression
cross-spawn
dockerode
dompurify
elliptic
express
floating-vue
form-data
http-proxy-middleware
js-yaml
linkifyjs
nanoid
node-forge
node-gettext
on-headers
path-to-regexp
pbkdf2
postcss
sha.js
tar-fs
tmp
vue
vue-frag
vue-infinite-loading
vue-loader
vue-resize
vue-template-compiler
vue2-datepicker
vuex
webpack-dev-server

Fixed vulnerabilities

@babel/helpers #

Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
Severity: moderate (CVSS 6.2)
Reference: GHSA-968p-4wvh-cqc8
Affected versions: <7.26.10
Package usage:
- node_modules/@babel/helpers

@babel/runtime #

Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
Severity: moderate (CVSS 6.2)
Reference: GHSA-968p-4wvh-cqc8
Affected versions: <7.26.10
Package usage:
- node_modules/@babel/runtime

@nextcloud/dialogs #

Caused by vulnerable dependency:
Affected versions: 2.0.0 - 6.4.2
Package usage:
- node_modules/@nextcloud/dialogs

@nextcloud/files #

Caused by vulnerable dependency:
- @nextcloud/l10n
Affected versions: 1.1.0 - 3.2.1
Package usage:
- node_modules/@nextcloud/files

@nextcloud/l10n #

Caused by vulnerable dependency:
- node-gettext
Affected versions: 1.1.0 - 3.1.0
Package usage:
- node_modules/@nextcloud/l10n
- node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

Caused by vulnerable dependency:
- @nextcloud/l10n
- node-gettext
Affected versions: 1.1.1 - 1.3.2
Package usage:
- node_modules/@nextcloud/moment

@nextcloud/vue #

Caused by vulnerable dependency:
Affected versions: <=9.0.0-rc.9
Package usage:
- node_modules/@nextcloud/vue

@nextcloud/vue-select #

Caused by vulnerable dependency:
- vue
Affected versions: *
Package usage:
- node_modules/@nextcloud/vue-select

@nextcloud/webpack-vue-config #

Caused by vulnerable dependency:
Affected versions: <=6.2.0
Package usage:
- node_modules/@nextcloud/webpack-vue-config

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

axios #

Axios is vulnerable to DoS attack through lack of data size check
Severity: high (CVSS 7.5)
Reference: GHSA-4hjh-wcwx-xvwj
Affected versions: 1.0.0 - 1.11.0
Package usage:
- node_modules/axios

brace-expansion #

brace-expansion Regular Expression Denial of Service vulnerability
Severity: low (CVSS 3.1)
Reference: GHSA-v6h2-p8h4-qcjw
Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
Package usage:
- node_modules/brace-expansion
- node_modules/webdav/node_modules/brace-expansion

cipher-base #

cipher-base is missing type checks, leading to hash rewind and passing on crafted data
Severity: critical 🚨 (CVSS 9.1)
Reference: GHSA-cpq7-6gpm-g9rc
Affected versions: <=1.0.4
Package usage:
- node_modules/cipher-base

compression #

Caused by vulnerable dependency:
- on-headers
Affected versions: 1.0.3 - 1.8.0
Package usage:
- node_modules/compression

cross-spawn #

Regular Expression Denial of Service (ReDoS) in cross-spawn
Severity: high (CVSS 7.5)
Reference: GHSA-3xgq-45jj-v275
Affected versions: 7.0.0 - 7.0.4
Package usage:
- node_modules/cross-spawn

dockerode #

Caused by vulnerable dependency:
- tar-fs
Affected versions: 3.0.0 - 4.0.4
Package usage:
- node_modules/@nextcloud/cypress/node_modules/dockerode
- node_modules/dockerode

dompurify #

DOMPurify allows Cross-site Scripting (XSS)
Severity: moderate (CVSS 4.5)
Reference: GHSA-vhxf-7vqr-mrjg
Affected versions: <3.2.4
Package usage:
- node_modules/dompurify

elliptic #

Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Severity: critical 🚨
Reference: GHSA-vjh7-7g9h-fjfh
Affected versions: <=6.6.0
Package usage:
- node_modules/elliptic

express #

Caused by vulnerable dependency:
- path-to-regexp
Affected versions: 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
Package usage:
- node_modules/express

floating-vue #

Caused by vulnerable dependency:
- vue
- vue-resize
Affected versions: <=1.0.0-beta.19
Package usage:
- node_modules/floating-vue

form-data #

form-data uses unsafe random function in form-data for choosing boundary
Severity: critical 🚨
Reference: GHSA-fjxv-7rqg-78g4
Affected versions: 4.0.0 - 4.0.3
Package usage:
- node_modules/form-data

http-proxy-middleware #

Denial of service in http-proxy-middleware
Severity: high (CVSS 7.5)
Reference: GHSA-c7qv-q95q-8v27
Affected versions: <=2.0.8
Package usage:
- node_modules/http-proxy-middleware

js-yaml #

js-yaml has prototype pollution in merge (<<)
Severity: moderate (CVSS 5.3)
Reference: GHSA-mh29-5h37-fv8m
Affected versions: <3.14.2 || >=4.0.0 <4.1.1
Package usage:
- node_modules/@eslint/eslintrc/node_modules/js-yaml
- node_modules/eslint/node_modules/js-yaml
- node_modules/js-yaml

linkifyjs #

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
Severity: high
Reference: GHSA-95jq-xph2-cx9h
Affected versions: <4.3.2
Package usage:
- node_modules/linkifyjs

nanoid #

Predictable results in nanoid generation when given non-integer values
Severity: moderate (CVSS 4.3)
Reference: GHSA-mwcw-c2x4-8c55
Affected versions: <3.3.8
Package usage:
- node_modules/nanoid

node-forge #

node-forge has ASN.1 Unbounded Recursion
Severity: high
Reference: GHSA-554w-wpv2-vw27
Affected versions: <=1.3.1
Package usage:
- node_modules/node-forge

node-gettext #

node-gettext vulnerable to Prototype Pollution
Severity: high (CVSS 5.9)
Reference: GHSA-g974-hxvm-x689
Affected versions: *
Package usage:
- node_modules/node-gettext

on-headers #

on-headers is vulnerable to http response header manipulation
Severity: low (CVSS 3.4)
Reference: GHSA-76c9-3jph-rj3q
Affected versions: <1.1.0
Package usage:
- node_modules/on-headers

path-to-regexp #

path-to-regexp contains a ReDoS
Severity: high (CVSS 7.5)
Reference: GHSA-rhx6-c78j-4q9w
Affected versions: <0.1.12
Package usage:
- node_modules/path-to-regexp

pbkdf2 #

pbkdf2 silently disregards Uint8Array input, returning static keys
Severity: critical 🚨
Reference: GHSA-v62p-rq8g-8h59
Affected versions: <=3.1.2
Package usage:
- node_modules/pbkdf2

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

sha.js #

sha.js is missing type checks leading to hash rewind and passing on crafted data
Severity: critical 🚨 (CVSS 9.1)
Reference: GHSA-95m3-7q98-8xr5
Affected versions: <=2.4.11
Package usage:
- node_modules/sha.js

tar-fs #

tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
Severity: high
Reference: GHSA-vj76-c3g6-qr5v
Affected versions: 2.0.0 - 2.1.3
Package usage:
- node_modules/tar-fs

tmp #

tmp allows arbitrary temporary file / directory write via symbolic link dir parameter
Severity: low (CVSS 2.5)
Reference: GHSA-52f5-9888-hmc6
Affected versions: <=0.2.3
Package usage:
- node_modules/tmp

vue #

ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Severity: low (CVSS 3.7)
Reference: GHSA-5j4c-8p2g-v4jx
Affected versions: 2.0.0-alpha.1 - 2.7.16
Package usage:
- node_modules/vue

vue-frag #

Caused by vulnerable dependency:
- vue
Affected versions: >=1.3.1
Package usage:
- node_modules/vue-frag

vue-infinite-loading #

Caused by vulnerable dependency:
- vue
Affected versions: 2.0.0-rc.1 - 2.4.5
Package usage:
- node_modules/vue-infinite-loading

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

vue-resize #

Caused by vulnerable dependency:
- vue
Affected versions: 0.4.0 - 1.0.1
Package usage:
- node_modules/vue-resize

vue-template-compiler #

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
Severity: moderate (CVSS 4.2)
Reference: GHSA-g3ch-rx76-35fx
Affected versions: >=2.0.0
Package usage:
- node_modules/vue-template-compiler

vue2-datepicker #

Caused by vulnerable dependency:
- vue
Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
Package usage:
- node_modules/vue2-datepicker

vuex #

Caused by vulnerable dependency:
- vue
Affected versions: 3.1.3 - 3.6.2
Package usage:
- node_modules/vuex

webpack-dev-server #

webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
Severity: moderate (CVSS 6.5)
Reference: GHSA-9jgg-88mc-972h
Affected versions: <=5.2.0
Package usage:
- node_modules/webpack-dev-server

cypress · 2024-11-10T03:46:21Z

Social Run #1082

Run Properties: Errored #1082 • c224c726f5: [stable29] Fix npm audit

Project	`Social`
Branch Review	`automated/noid/stable29-fix-npm-audit`
Run status	`Errored #1082`
Run duration	`01m 07s`
Commit	`c224c726f5: [stable29] Fix npm audit`
Committer	`Nextcloud Command Bot`
View all properties for this run ↗︎

Test results
Failures	`2`
Flaky	`0`
Pending	`0`
Skipped	`0`
Passing	`0`
View all changes introduced in this branch ↗︎

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Nov 3, 2024

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2c72401 to 9a4237c Compare November 10, 2024 03:17

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from a90b127 to 375c8db Compare November 24, 2024 03:28

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 43aa7db to 4ceaf17 Compare December 15, 2024 03:39

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 4ceaf17 to 4a7565c Compare December 22, 2024 03:20

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 4a7565c to f8cb049 Compare January 5, 2025 03:13

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from f8cb049 to 2c5ce74 Compare January 26, 2025 03:23

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2c5ce74 to 357b03e Compare February 9, 2025 03:22

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 357b03e to a958952 Compare February 16, 2025 03:32

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 77ad596 to 7f1be85 Compare March 2, 2025 03:29

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 7f1be85 to cb4ea2f Compare March 9, 2025 03:07

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from cb4ea2f to 7fd01a4 Compare March 16, 2025 03:17

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 82ad6e4 to 30eb073 Compare March 30, 2025 03:35

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 30eb073 to c18c0a5 Compare April 6, 2025 03:45

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 8c1736d to 53985dd Compare April 20, 2025 03:33

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 059db52 to c9c848a Compare May 4, 2025 03:49

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from c9c848a to f29bf98 Compare May 11, 2025 03:33

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from f29bf98 to c6da1dc Compare May 18, 2025 03:43

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from c6da1dc to c727036 Compare May 25, 2025 03:51

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 362f9c0 to 1622e45 Compare June 8, 2025 03:56

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 1622e45 to b700e87 Compare June 15, 2025 03:42

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from f77d383 to bac134f Compare July 6, 2025 03:59

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from bac134f to a416f03 Compare July 13, 2025 04:04

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from a416f03 to 0677d4d Compare July 20, 2025 04:06

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 0677d4d to de24058 Compare July 27, 2025 04:11

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from a65eea0 to 1041a3b Compare August 10, 2025 04:05

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from a0826dc to 9b64994 Compare August 24, 2025 03:14

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 9b64994 to db99d25 Compare September 7, 2025 03:14

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from db99d25 to 9a1b8a7 Compare September 14, 2025 03:15

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 59770c9 to 902c239 Compare September 28, 2025 03:21

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 902c239 to 14d50b1 Compare October 5, 2025 03:25

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 14d50b1 to 4b83019 Compare October 19, 2025 03:28

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from d9c3066 to a391ab2 Compare November 9, 2025 03:29

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch 2 times, most recently from 6de2de9 to 89d3e4b Compare November 23, 2025 03:35

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 89d3e4b to 0a98fda Compare November 30, 2025 03:35

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 0a98fda to 48f0909 Compare December 7, 2025 03:38

fix(deps): Fix npm audit

03084f9

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 48f0909 to 03084f9 Compare December 14, 2025 03:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[stable29] Fix npm audit #1946

[stable29] Fix npm audit #1946

Uh oh!

nextcloud-command commented Nov 3, 2024 •

edited

Loading

Uh oh!

cypress bot commented Nov 10, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

[stable29] Fix npm audit #1946

Are you sure you want to change the base?

[stable29] Fix npm audit #1946

Uh oh!

Conversation

nextcloud-command commented Nov 3, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Audit report

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

@babel/runtime #

@nextcloud/dialogs #

@nextcloud/files #

@nextcloud/l10n #

@nextcloud/moment #

@nextcloud/vue #

@nextcloud/vue-select #

@nextcloud/webpack-vue-config #

@vue/component-compiler-utils #

axios #

brace-expansion #

cipher-base #

compression #

cross-spawn #

dockerode #

dompurify #

elliptic #

express #

floating-vue #

form-data #

http-proxy-middleware #

js-yaml #

linkifyjs #

nanoid #

node-forge #

node-gettext #

on-headers #

path-to-regexp #

pbkdf2 #

postcss #

sha.js #

tar-fs #

tmp #

vue #

vue-frag #

vue-infinite-loading #

vue-loader #

vue-resize #

vue-template-compiler #

vue2-datepicker #

vuex #

webpack-dev-server #

Uh oh!

cypress bot commented Nov 10, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Social Run #1082

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

nextcloud-command commented Nov 3, 2024 •

edited

Loading

cypress bot commented Nov 10, 2024 •

edited

Loading