Skip to content

[stable33] Fix npm audit#1063

Merged
ChristophWurst merged 1 commit into
stable33from
automated/noid/stable33-fix-npm-audit
Jul 8, 2026
Merged

[stable33] Fix npm audit#1063
ChristophWurst merged 1 commit into
stable33from
automated/noid/stable33-fix-npm-audit

Conversation

@nextcloud-command

Copy link
Copy Markdown
Contributor

Audit report

No fixable problems found (0 unfixable, 30 only fixable manually using --force)

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jun 21, 2026
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable33-fix-npm-audit branch from 92f6444 to 7113155 Compare June 28, 2026 04:27
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable33-fix-npm-audit branch from 7113155 to 8f3b85c Compare July 5, 2026 04:14
@ChristophWurst

Copy link
Copy Markdown
Member

@coderabbitai review for any suspicious bumps, like dependencies updated without a purpose, because it says "0 unfixable"

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh pr view 1063 --repo nextcloud/recommendations --json title,body,files,additions,deletions
echo "---DIFF package.json---"
gh pr diff 1063 --repo nextcloud/recommendations -- package.json 2>/dev/null || true
echo "---FILES---"
gh pr view 1063 --repo nextcloud/recommendations --json files --jq '.files[].path'

Length of output: 2044


🏁 Script executed:

#!/bin/bash
gh pr diff 1063 --repo nextcloud/recommendations -- package-lock.json

Length of output: 426


🏁 Script executed:

#!/bin/bash
gh pr diff 1063 --repo nextcloud/recommendations > /tmp/pr.diff
wc -l /tmp/pr.diff
sed -n '/diff --git a\/package-lock.json/,/diff --git a\/js/p' /tmp/pr.diff | head -500

Length of output: 22668


@ChristophWurst I reviewed the diff for #1063. Findings:

  • package.json is unchanged — only package-lock.json (and the regenerated js/recommendations-* dist bundles/maps/license files) were touched. That's consistent with running npm install/npm audit fix without --force, which only re-resolves versions within the semver ranges already declared in package.json.
  • Every bumped package is a patch or minor version bump, no majors, no new packages added, no name/scope changes, and all resolve from the official registry.npmjs.org with valid integrity hashes:
    • Dev/build-toolchain only ("dev": true / "peer": true): the entire @babel/* family (7.27–7.29 → 7.29.7), webpack-dev-server 5.2.5→5.2.6, launch-editor 2.9.1→2.14.1, http-proxy-middleware 2.0.9→2.0.10, js-yaml 4.1.1→4.3.0, shell-quote 1.8.4→1.9.0.
    • Runtime deps: dompurify 3.4.2→3.4.11, fast-xml-parser 4.5.6→4.5.7, form-data 4.0.5→4.0.6, hasown 2.0.2→2.0.4.
  • dompurify is the notable runtime bump since it's shipped in the built JS and is security-sensitive (XSS sanitization); the jump to 3.4.11 covers several patch-level security fixes, which fits the audit-fix narrative.

I don't see any suspicious or unrelated bumps (e.g., unexpected major version jumps, unpinned ranges, or packages unrelated to the audit). Everything appears to be transitive dependency resolution triggered by npm audit fix, matching the "0 unfixable" report in the PR description.

[resolve]

@ChristophWurst ChristophWurst merged commit 6bfdae5 into stable33 Jul 8, 2026
41 checks passed
@ChristophWurst ChristophWurst deleted the automated/noid/stable33-fix-npm-audit branch July 8, 2026 06:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3. to review dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants