groupfolders icon indicating copy to clipboard operation
groupfolders copied to clipboard
verified publisher icon nextcloud

[stable29] Fix npm audit

Open nextcloud-command opened this issue 10 months ago โ€ข 0 comments

Audit report

This audit fix resolves 18 of the total 26 vulnerabilities found in your project.

Updated dependencies

  • @babel/helpers
  • @babel/runtime
  • @nextcloud/dialogs
  • @nextcloud/l10n
  • @nextcloud/password-confirmation
  • @nextcloud/webpack-vue-config
  • @vue/component-compiler-utils
  • @vue/test-utils
  • axios
  • dompurify
  • elliptic
  • esbuild
  • node-gettext
  • postcss
  • tsx
  • vue-loader
  • vue-resize
  • vue-template-compiler

Fixed vulnerabilities

@babel/helpers #

  • Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: https://github.com/advisories/GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/helpers

@babel/runtime #

  • Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
  • Severity: moderate (CVSS 6.2)
  • Reference: https://github.com/advisories/GHSA-968p-4wvh-cqc8
  • Affected versions: <7.26.10
  • Package usage:
    • node_modules/@babel/runtime

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
    • @nextcloud/vue
    • vue
    • vue-frag
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
    • node-gettext
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/dialogs/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/files/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/password-confirmation/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/vue/node_modules/@nextcloud/l10n

@nextcloud/password-confirmation #

  • Caused by vulnerable dependency:
    • @nextcloud/dialogs
    • @nextcloud/vue
    • vue
  • Affected versions: >=3.0.0
  • Package usage:
    • node_modules/@nextcloud/password-confirmation

@nextcloud/webpack-vue-config #

  • Caused by vulnerable dependency:
    • vue
    • vue-loader
    • vue-template-compiler
  • Affected versions: *
  • Package usage:
    • node_modules/@nextcloud/webpack-vue-config

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
    • postcss
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

@vue/test-utils #

  • Caused by vulnerable dependency:
    • vue
    • vue-template-compiler
  • Affected versions: <=1.3.6
  • Package usage:
    • node_modules/@vue/test-utils

axios #

dompurify #

elliptic #

  • Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
  • Severity: critical ๐Ÿšจ
  • Reference: https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
  • Affected versions: <=6.6.0
  • Package usage:
    • node_modules/elliptic

esbuild #

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: https://github.com/advisories/GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild

node-gettext #

postcss #

tsx #

  • Caused by vulnerable dependency:
    • esbuild
  • Affected versions: 3.13.0 - 4.19.2
  • Package usage:
    • node_modules/tsx

vue-loader #

  • Caused by vulnerable dependency:
    • @vue/component-compiler-utils
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-resize #

  • Caused by vulnerable dependency:
    • vue
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

nextcloud-command avatar Feb 16 '25 03:02 nextcloud-command