privacy
privacy copied to clipboard
nextcloud
[stable28] Fix npm audit
Audit report
This audit fix resolves 21 of the total 29 vulnerabilities found in your project.
Updated dependencies
- @nextcloud/dialogs
- @nextcloud/files
- @nextcloud/typings
- @nextcloud/webpack-vue-config
- @vue/component-compiler-utils
- axios
- body-parser
- cookie
- dompurify
- elliptic
- express
- http-proxy-middleware
- micromatch
- path-to-regexp
- postcss
- send
- serve-static
- vue-loader
- vue-resize
- vue-template-compiler
- webpack
Fixed vulnerabilities
@nextcloud/dialogs #
- Caused by vulnerable dependency:
- @nextcloud/files
- @nextcloud/l10n
- @nextcloud/vue
- vue
- vue-frag
- Affected versions: >=2.0.0
- Package usage:
node_modules/@nextcloud/dialogs
@nextcloud/files #
- Caused by vulnerable dependency:
- @nextcloud/l10n
- Affected versions: >=1.1.0
- Package usage:
node_modules/@nextcloud/files
@nextcloud/typings #
- Caused by vulnerable dependency:
- vue
- Affected versions: 1.7.0 - 1.8.0
- Package usage:
node_modules/@nextcloud/typings
@nextcloud/webpack-vue-config #
- Caused by vulnerable dependency:
- vue
- vue-loader
- vue-template-compiler
- Affected versions: *
- Package usage:
node_modules/@nextcloud/webpack-vue-config
@vue/component-compiler-utils #
- Caused by vulnerable dependency:
- postcss
- Affected versions: *
- Package usage:
node_modules/@vue/component-compiler-utils
axios #
- Server-Side Request Forgery in axios
- Severity: high
- Reference: https://github.com/advisories/GHSA-8hc4-vh64-cxmj
- Affected versions: 1.3.2 - 1.7.3
- Package usage:
node_modules/axios
body-parser #
- body-parser vulnerable to denial of service when url encoding is enabled
- Severity: high (CVSS 7.5)
- Reference: https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
- Affected versions: <1.20.3
- Package usage:
node_modules/body-parser
cookie #
- cookie accepts cookie name, path, and domain with out of bounds characters
- Severity: low
- Reference: https://github.com/advisories/GHSA-pxg6-pf52-xh8x
- Affected versions: <0.7.0
- Package usage:
node_modules/cookie
dompurify #
- DOMPurify allows tampering by prototype pollution
- Severity: high (CVSS 7)
- Reference: https://github.com/advisories/GHSA-mmhx-hmjr-r674
- Affected versions: 3.0.0 - 3.1.2
- Package usage:
node_modules/dompurify
elliptic #
- Elliptic's EDDSA missing signature length check
- Severity: low (CVSS 5.3)
- Reference: https://github.com/advisories/GHSA-f7q4-pwc6-w24p
- Affected versions: <=6.5.7
- Package usage:
node_modules/elliptic
express #
- express vulnerable to XSS via response.redirect()
- Severity: moderate (CVSS 5)
- Reference: https://github.com/advisories/GHSA-qw6h-vgh9-j6wx
- Affected versions: <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
- Package usage:
node_modules/express
http-proxy-middleware #
- Denial of service in http-proxy-middleware
- Severity: high (CVSS 7.5)
- Reference: https://github.com/advisories/GHSA-c7qv-q95q-8v27
- Affected versions: <2.0.7
- Package usage:
node_modules/http-proxy-middleware
micromatch #
- Regular Expression Denial of Service (ReDoS) in micromatch
- Severity: moderate (CVSS 5.3)
- Reference: https://github.com/advisories/GHSA-952p-6rrq-rcjv
- Affected versions: <4.0.8
- Package usage:
node_modules/micromatch
path-to-regexp #
- path-to-regexp outputs backtracking regular expressions
- Severity: high (CVSS 7.5)
- Reference: https://github.com/advisories/GHSA-9wv6-86v2-598j
- Affected versions: <0.1.10
- Package usage:
node_modules/path-to-regexp
postcss #
- PostCSS line return parsing error
- Severity: moderate (CVSS 5.3)
- Reference: https://github.com/advisories/GHSA-7fh5-64p2-3v2j
- Affected versions: <8.4.31
- Package usage:
node_modules/@vue/component-compiler-utils/node_modules/postcss
send #
- send vulnerable to template injection that can lead to XSS
- Severity: moderate (CVSS 5)
- Reference: https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
- Affected versions: <0.19.0
- Package usage:
node_modules/send
serve-static #
- serve-static vulnerable to template injection that can lead to XSS
- Severity: moderate (CVSS 5)
- Reference: https://github.com/advisories/GHSA-cm22-4g7w-348p
- Affected versions: <=1.16.0
- Package usage:
node_modules/serve-static
vue-loader #
- Caused by vulnerable dependency:
- @vue/component-compiler-utils
- Affected versions: 15.0.0-beta.1 - 15.11.1
- Package usage:
node_modules/vue-loader
vue-resize #
- Caused by vulnerable dependency:
- vue
- Affected versions: 0.4.0 - 1.0.1
- Package usage:
node_modules/vue-resize
vue-template-compiler #
- vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
- Severity: moderate (CVSS 4.2)
- Reference: https://github.com/advisories/GHSA-g3ch-rx76-35fx
- Affected versions: >=2.0.0
- Package usage:
node_modules/vue-template-compiler
webpack #
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
- Severity: moderate (CVSS 6.4)
- Reference: https://github.com/advisories/GHSA-4vvj-4cpr-p986
- Affected versions: 5.0.0-alpha.0 - 5.93.0
- Package usage:
node_modules/webpack
