Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable28] Fix npm audit #809

Merged
merged 2 commits into from
Jan 25, 2025
Merged

[stable28] Fix npm audit #809

merged 2 commits into from
Jan 25, 2025

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Oct 27, 2024
edited
Loading

Audit report

This audit fix resolves 12 of the total 26 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/files #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/files

@nextcloud/typings #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0 - 1.8.0
  • Package usage:
    • node_modules/@nextcloud/router/node_modules/@nextcloud/typings

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

cross-spawn #

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

elliptic #

  • Valid ECDSA signatures erroneously rejected in Elliptic
  • Severity: low (CVSS 4.8)
  • Reference: GHSA-fc9h-whq2-v747
  • Affected versions: <6.6.0
  • Package usage:
    • node_modules/elliptic

express #

  • Caused by vulnerable dependency:
  • Affected versions: 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
  • Package usage:
    • node_modules/express

http-proxy-middleware #

  • Denial of service in http-proxy-middleware
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-c7qv-q95q-8v27
  • Affected versions: <2.0.7
  • Package usage:
    • node_modules/http-proxy-middleware

nanoid #

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

path-to-regexp #

  • Unpatched path-to-regexp ReDoS in 0.1.x
  • Severity: moderate
  • Reference: GHSA-rhx6-c78j-4q9w
  • Affected versions: <0.1.12
  • Package usage:
    • node_modules/path-to-regexp

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vuex #

  • Caused by vulnerable dependency:
  • Affected versions: 3.1.3 - 3.6.2
  • Package usage:
    • node_modules/vuex

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Oct 27, 2024
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from f0922bf to 7326585 Compare November 10, 2024 03:14
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from aa79b7a to 4453adf Compare November 24, 2024 03:29
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from c103b24 to fa08c79 Compare December 15, 2024 03:37
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from 47d5380 to fdaa785 Compare December 29, 2024 03:15
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from fdaa785 to c68d881 Compare January 5, 2025 03:10
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from c68d881 to ce3c7d5 Compare January 12, 2025 03:34
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from ce3c7d5 to f785208 Compare January 19, 2025 03:21
@susnux
ci: Fix wrong server version
8b0fa5a 
Signed-off-by: Ferdinand Thiessen <[email protected]>
@susnux susnux merged commit 319f91f into stable28 Jan 25, 2025
17 of 18 checks passed
@susnux susnux deleted the automated/noid/stable28-fix-npm-audit branch January 25, 2025 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@susnux susnux susnux approved these changes

Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nextcloud-command @susnux