Skip to content

Comments

[main] Fix npm audit#6825

Merged
st3iny merged 1 commit intomainfrom
automated/noid/main-fix-npm-audit
Mar 24, 2025
Merged

[main] Fix npm audit#6825
st3iny merged 1 commit intomainfrom
automated/noid/main-fix-npm-audit

Conversation

@nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Mar 16, 2025

Audit report

This audit fix resolves 14 of the total 24 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

  • Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/helpers

@babel/runtime #

  • Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/runtime

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/webpack-vue-config #

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

axios #

  • axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
  • Severity: high
  • Reference: GHSA-jr5f-v2jv-69x6
  • Affected versions: <1.8.2
  • Package usage:
    • node_modules/axios

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

v-tooltip #

  • Caused by vulnerable dependency:
  • Affected versions: 2.0.0-beta.1 - 4.0.0-beta.0
  • Package usage:
    • node_modules/v-tooltip

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

@nextcloud-command nextcloud-command added the 3. to review Waiting for reviews label Mar 16, 2025
@nextcloud-command nextcloud-command added the dependencies Pull requests that update a dependency file label Mar 16, 2025
@codecov
Copy link

codecov bot commented Mar 16, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 28.67%. Comparing base (53ea163) to head (050f25d).
Report is 19 commits behind head on main.

Additional details and impacted files 
@@             Coverage Diff              @@
##               main    #6825      +/-   ##
============================================
+ Coverage     22.95%   28.67%   +5.72%     
- Complexity      476      952     +476     
============================================
  Files           252      294      +42     
  Lines         12270    14562    +2292     
  Branches       2364     2351      -13     
============================================
+ Hits           2816     4176    +1360     
- Misses         9111    10043     +932     
  Partials        343      343
Flag Coverage Δ
javascript 14.59% <ø> (ø)
php 59.33% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nextcloud-command
fix(deps): Fix npm audit
050f25d 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/main-fix-npm-audit branch from 298d576 to 050f25d Compare March 23, 2025 03:32
@st3iny st3iny merged commit 6b1f03a into main Mar 24, 2025
47 checks passed
@st3iny st3iny deleted the automated/noid/main-fix-npm-audit branch March 24, 2025 11:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@st3iny st3iny st3iny approved these changes

@SebastianKrupinski SebastianKrupinski Awaiting requested review from SebastianKrupinski SebastianKrupinski is a code owner

@tcitworld tcitworld Awaiting requested review from tcitworld tcitworld is a code owner

Assignees

No one assigned

Labels

3. to review Waiting for reviews dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nextcloud-command @st3iny