[master] Fix npm audit #1947

nextcloud-command · 2024-11-03T03:28:41Z

Audit report

This audit fix resolves 42 of the total 44 vulnerabilities found in your project.

Updated dependencies

@babel/helpers
@babel/runtime
@nextcloud/dialogs
@nextcloud/files
@nextcloud/l10n
@nextcloud/moment
@nextcloud/vue
@nextcloud/vue-select
@nextcloud/webpack-vue-config
@vue/component-compiler-utils
axios
brace-expansion
cipher-base
compression
cross-spawn
dompurify
elliptic
express
floating-vue
form-data
http-proxy-middleware
js-yaml
linkifyjs
nanoid
node-forge
node-gettext
on-headers
path-to-regexp
pbkdf2
postcss
sha.js
tar-fs
tmp
vue
vue-frag
vue-infinite-loading
vue-loader
vue-resize
vue-template-compiler
vue2-datepicker
vuex
webpack-dev-server

Fixed vulnerabilities

@babel/helpers #

Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
Severity: moderate (CVSS 6.2)
Reference: GHSA-968p-4wvh-cqc8
Affected versions: <7.26.10
Package usage:
- node_modules/@babel/helpers

@babel/runtime #

Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
Severity: moderate (CVSS 6.2)
Reference: GHSA-968p-4wvh-cqc8
Affected versions: <7.26.10
Package usage:
- node_modules/@babel/runtime

@nextcloud/dialogs #

Caused by vulnerable dependency:
Affected versions: 2.0.0 - 6.4.2
Package usage:
- node_modules/@nextcloud/dialogs

@nextcloud/files #

Caused by vulnerable dependency:
- @nextcloud/l10n
Affected versions: 1.1.0 - 3.2.1
Package usage:
- node_modules/@nextcloud/files

@nextcloud/l10n #

Caused by vulnerable dependency:
- node-gettext
Affected versions: 1.1.0 - 3.1.0
Package usage:
- node_modules/@nextcloud/l10n
- node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

Caused by vulnerable dependency:
- @nextcloud/l10n
- node-gettext
Affected versions: 1.1.1 - 1.3.2
Package usage:
- node_modules/@nextcloud/moment

@nextcloud/vue #

Caused by vulnerable dependency:
Affected versions: <=9.0.0-rc.9
Package usage:
- node_modules/@nextcloud/vue

@nextcloud/vue-select #

Caused by vulnerable dependency:
- vue
Affected versions: *
Package usage:
- node_modules/@nextcloud/vue-select

@nextcloud/webpack-vue-config #

Caused by vulnerable dependency:
Affected versions: <=6.2.0
Package usage:
- node_modules/@nextcloud/webpack-vue-config

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

axios #

Axios is vulnerable to DoS attack through lack of data size check
Severity: high (CVSS 7.5)
Reference: GHSA-4hjh-wcwx-xvwj
Affected versions: 1.0.0 - 1.11.0
Package usage:
- node_modules/axios

brace-expansion #

brace-expansion Regular Expression Denial of Service vulnerability
Severity: low (CVSS 3.1)
Reference: GHSA-v6h2-p8h4-qcjw
Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
Package usage:
- node_modules/brace-expansion
- node_modules/webdav/node_modules/brace-expansion

cipher-base #

cipher-base is missing type checks, leading to hash rewind and passing on crafted data
Severity: critical 🚨 (CVSS 9.1)
Reference: GHSA-cpq7-6gpm-g9rc
Affected versions: <=1.0.4
Package usage:
- node_modules/cipher-base

compression #

Caused by vulnerable dependency:
- on-headers
Affected versions: 1.0.3 - 1.8.0
Package usage:
- node_modules/compression

cross-spawn #

Regular Expression Denial of Service (ReDoS) in cross-spawn
Severity: high (CVSS 7.5)
Reference: GHSA-3xgq-45jj-v275
Affected versions: 7.0.0 - 7.0.4
Package usage:
- node_modules/cross-spawn

dompurify #

DOMPurify allows Cross-site Scripting (XSS)
Severity: moderate (CVSS 4.5)
Reference: GHSA-vhxf-7vqr-mrjg
Affected versions: <3.2.4
Package usage:
- node_modules/dompurify

elliptic #

Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Severity: critical 🚨
Reference: GHSA-vjh7-7g9h-fjfh
Affected versions: <=6.6.0
Package usage:
- node_modules/elliptic

express #

Caused by vulnerable dependency:
- path-to-regexp
Affected versions: 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
Package usage:
- node_modules/express

floating-vue #

Caused by vulnerable dependency:
- vue
- vue-resize
Affected versions: <=1.0.0-beta.19
Package usage:
- node_modules/floating-vue

form-data #

form-data uses unsafe random function in form-data for choosing boundary
Severity: critical 🚨
Reference: GHSA-fjxv-7rqg-78g4
Affected versions: 4.0.0 - 4.0.3
Package usage:
- node_modules/form-data

http-proxy-middleware #

Denial of service in http-proxy-middleware
Severity: high (CVSS 7.5)
Reference: GHSA-c7qv-q95q-8v27
Affected versions: <=2.0.8
Package usage:
- node_modules/http-proxy-middleware

js-yaml #

js-yaml has prototype pollution in merge (<<)
Severity: moderate (CVSS 5.3)
Reference: GHSA-mh29-5h37-fv8m
Affected versions: <3.14.2 || >=4.0.0 <4.1.1
Package usage:
- node_modules/@eslint/eslintrc/node_modules/js-yaml
- node_modules/eslint/node_modules/js-yaml
- node_modules/js-yaml

linkifyjs #

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
Severity: high
Reference: GHSA-95jq-xph2-cx9h
Affected versions: <4.3.2
Package usage:
- node_modules/linkifyjs

nanoid #

Predictable results in nanoid generation when given non-integer values
Severity: moderate (CVSS 4.3)
Reference: GHSA-mwcw-c2x4-8c55
Affected versions: <3.3.8
Package usage:
- node_modules/nanoid

node-forge #

node-forge has ASN.1 Unbounded Recursion
Severity: high
Reference: GHSA-554w-wpv2-vw27
Affected versions: <=1.3.1
Package usage:
- node_modules/node-forge

node-gettext #

node-gettext vulnerable to Prototype Pollution
Severity: high (CVSS 5.9)
Reference: GHSA-g974-hxvm-x689
Affected versions: *
Package usage:
- node_modules/node-gettext

on-headers #

on-headers is vulnerable to http response header manipulation
Severity: low (CVSS 3.4)
Reference: GHSA-76c9-3jph-rj3q
Affected versions: <1.1.0
Package usage:
- node_modules/on-headers

path-to-regexp #

path-to-regexp contains a ReDoS
Severity: high (CVSS 7.5)
Reference: GHSA-rhx6-c78j-4q9w
Affected versions: <0.1.12
Package usage:
- node_modules/path-to-regexp

pbkdf2 #

pbkdf2 silently disregards Uint8Array input, returning static keys
Severity: critical 🚨
Reference: GHSA-v62p-rq8g-8h59
Affected versions: <=3.1.2
Package usage:
- node_modules/pbkdf2

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

sha.js #

sha.js is missing type checks leading to hash rewind and passing on crafted data
Severity: critical 🚨 (CVSS 9.1)
Reference: GHSA-95m3-7q98-8xr5
Affected versions: <=2.4.11
Package usage:
- node_modules/sha.js

tar-fs #

tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
Severity: high
Reference: GHSA-vj76-c3g6-qr5v
Affected versions: 2.0.0 - 2.1.3
Package usage:
- node_modules/tar-fs

tmp #

tmp allows arbitrary temporary file / directory write via symbolic link dir parameter
Severity: low (CVSS 2.5)
Reference: GHSA-52f5-9888-hmc6
Affected versions: <=0.2.3
Package usage:
- node_modules/tmp

vue #

ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Severity: low (CVSS 3.7)
Reference: GHSA-5j4c-8p2g-v4jx
Affected versions: 2.0.0-alpha.1 - 2.7.16
Package usage:
- node_modules/vue

vue-frag #

Caused by vulnerable dependency:
- vue
Affected versions: >=1.3.1
Package usage:
- node_modules/vue-frag

vue-infinite-loading #

Caused by vulnerable dependency:
- vue
Affected versions: 2.0.0-rc.1 - 2.4.5
Package usage:
- node_modules/vue-infinite-loading

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

vue-resize #

Caused by vulnerable dependency:
- vue
Affected versions: 0.4.0 - 1.0.1
Package usage:
- node_modules/vue-resize

vue-template-compiler #

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
Severity: moderate (CVSS 4.2)
Reference: GHSA-g3ch-rx76-35fx
Affected versions: >=2.0.0
Package usage:
- node_modules/vue-template-compiler

vue2-datepicker #

Caused by vulnerable dependency:
- vue
Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
Package usage:
- node_modules/vue2-datepicker

vuex #

Caused by vulnerable dependency:
- vue
Affected versions: 3.1.3 - 3.6.2
Package usage:
- node_modules/vuex

webpack-dev-server #

webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
Severity: moderate (CVSS 6.5)
Reference: GHSA-9jgg-88mc-972h
Affected versions: <=5.2.0
Package usage:
- node_modules/webpack-dev-server

cypress · 2024-11-03T04:00:00Z

Social Run #1083

Run Properties: Errored #1083 • b09afe22a6: [master] Fix npm audit

Project	`Social`
Branch Review	`automated/noid/master-fix-npm-audit`
Run status	`Errored #1083`
Run duration	`01m 05s`
Commit	`b09afe22a6: [master] Fix npm audit`
Committer	`Nextcloud Command Bot`
View all properties for this run ↗︎

Test results
Failures	`2`
Flaky	`0`
Pending	`0`
Skipped	`0`
Passing	`0`
View all changes introduced in this branch ↗︎

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 5a7e823 to 79db6b2 Compare November 3, 2024 03:28

nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Nov 3, 2024

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 79db6b2 to c0c1fa8 Compare November 10, 2024 03:17

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 16a1c9a to 769a46b Compare November 24, 2024 03:30

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from eaba549 to d64e6e8 Compare December 8, 2024 03:41

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 59a1ab0 to 5cd34db Compare December 22, 2024 03:20

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 5cd34db to 2b780c0 Compare January 5, 2025 03:13

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 2b780c0 to 050a1bc Compare January 26, 2025 03:24

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 050a1bc to 4174167 Compare February 9, 2025 03:25

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 4174167 to c343c99 Compare February 16, 2025 03:31

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 7ae80cf to c80367b Compare March 2, 2025 03:29

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from c80367b to 60bcff9 Compare March 16, 2025 03:32

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 41a5a94 to 68a60b4 Compare March 30, 2025 03:39

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 68a60b4 to 47bd3c1 Compare April 6, 2025 03:42

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 727f9fc to c3c3bad Compare April 20, 2025 03:39

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 813a8dd to 7056bdb Compare May 4, 2025 03:48

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 7056bdb to 93f941f Compare May 11, 2025 03:47

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from c419374 to 5b8b7a1 Compare May 25, 2025 03:41

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 154297e to 6b6ec7e Compare June 8, 2025 03:47

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 1265c84 to 472b019 Compare June 16, 2025 20:25

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 472b019 to 8b18248 Compare June 22, 2025 04:02

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 6fcffd7 to 926d2ee Compare July 6, 2025 03:58

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 42c346a to 99e658f Compare July 20, 2025 04:06

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 99e658f to 41280fc Compare July 27, 2025 04:11

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from cfacb61 to e0ec979 Compare August 10, 2025 04:01

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from c9dee3f to 263be1d Compare August 24, 2025 03:13

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 263be1d to 871efb5 Compare September 7, 2025 03:16

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 871efb5 to 09c4c84 Compare September 14, 2025 03:18

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 87bdd1a to 2da146f Compare September 28, 2025 03:18

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 2da146f to e58beaa Compare October 5, 2025 03:24

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from bb38e74 to 11a375d Compare October 26, 2025 03:21

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 25e3cc0 to 0b7b9b8 Compare November 9, 2025 03:26

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch 2 times, most recently from 2087d08 to 5468539 Compare November 23, 2025 03:32

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 5468539 to 908279a Compare November 30, 2025 03:35

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 908279a to 2214093 Compare December 7, 2025 03:41

fix(deps): Fix npm audit

0e38f42

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command force-pushed the automated/noid/master-fix-npm-audit branch from 2214093 to 0e38f42 Compare December 14, 2025 03:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[master] Fix npm audit #1947

[master] Fix npm audit #1947

Uh oh!

nextcloud-command commented Nov 3, 2024 •

edited

Loading

Uh oh!

cypress bot commented Nov 3, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

[master] Fix npm audit #1947

Are you sure you want to change the base?

[master] Fix npm audit #1947

Uh oh!

Conversation

nextcloud-command commented Nov 3, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Audit report

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

@babel/runtime #

@nextcloud/dialogs #

@nextcloud/files #

@nextcloud/l10n #

@nextcloud/moment #

@nextcloud/vue #

@nextcloud/vue-select #

@nextcloud/webpack-vue-config #

@vue/component-compiler-utils #

axios #

brace-expansion #

cipher-base #

compression #

cross-spawn #

dompurify #

elliptic #

express #

floating-vue #

form-data #

http-proxy-middleware #

js-yaml #

linkifyjs #

nanoid #

node-forge #

node-gettext #

on-headers #

path-to-regexp #

pbkdf2 #

postcss #

sha.js #

tar-fs #

tmp #

vue #

vue-frag #

vue-infinite-loading #

vue-loader #

vue-resize #

vue-template-compiler #

vue2-datepicker #

vuex #

webpack-dev-server #

Uh oh!

cypress bot commented Nov 3, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Social Run #1083

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

nextcloud-command commented Nov 3, 2024 •

edited

Loading

cypress bot commented Nov 3, 2024 •

edited

Loading