bruteforcesettings icon indicating copy to clipboard operation
bruteforcesettings copied to clipboard
verified publisher icon nextcloud

[stable27] Fix npm audit

Open nextcloud-command opened this issue 1 year ago • 0 comments

Audit report

This audit fix resolves 16 of the total 18 vulnerabilities found in your project.

Updated dependencies

  • @babel/traverse
  • @nextcloud/axios
  • @vue/component-compiler-utils
  • axios
  • braces
  • browserify-sign
  • elliptic
  • express
  • fast-xml-parser
  • follow-redirects
  • postcss
  • semver
  • vue-loader
  • webpack-dev-middleware
  • word-wrap
  • ws

Fixed vulnerabilities

@babel/traverse #

  • Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
  • Severity: critical 🚨 (CVSS 9.4)
  • Reference: https://github.com/advisories/GHSA-67hx-6x53-jw92
  • Affected versions: <7.23.2
  • Package usage:
    • node_modules/@babel/traverse

@nextcloud/axios #

  • Caused by vulnerable dependency:
    • axios
  • Affected versions: <=2.3.0
  • Package usage:
    • node_modules/@nextcloud/axios

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
    • postcss
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

axios #

braces #

browserify-sign #

  • browserify-sign upper bound check issue in dsaVerify leads to a signature forgery attack
  • Severity: high (CVSS 7.5)
  • Reference: https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
  • Affected versions: 2.6.0 - 4.2.1
  • Package usage:
    • node_modules/browserify-sign

elliptic #

express #

fast-xml-parser #

follow-redirects #

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: https://github.com/advisories/GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss
    • node_modules/postcss

semver #

  • semver vulnerable to Regular Expression Denial of Service
  • Severity: high (CVSS 7.5)
  • Reference: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
  • Affected versions: 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
  • Package usage:
    • node_modules/builtins/node_modules/semver
    • node_modules/css-loader/node_modules/semver
    • node_modules/eslint-plugin-jsdoc/node_modules/semver
    • node_modules/eslint-plugin-n/node_modules/semver
    • node_modules/eslint-plugin-vue/node_modules/semver
    • node_modules/semver
    • node_modules/stylelint-config-recommended-vue/node_modules/semver
    • node_modules/vue-eslint-parser/node_modules/semver

vue-loader #

  • Caused by vulnerable dependency:
    • @vue/component-compiler-utils
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

webpack-dev-middleware #

word-wrap #

ws #

nextcloud-command avatar Aug 01 '24 09:08 nextcloud-command