social
[stable29] Fix npm audit
Audit report
This audit fix resolves 43 of the total 45 vulnerabilities found in your project.
Updated dependencies
- @babel/helpers
- @babel/runtime
- @nextcloud/dialogs
- @nextcloud/files
- @nextcloud/l10n
- @nextcloud/moment
- @nextcloud/vue
- @nextcloud/vue-select
- @nextcloud/webpack-vue-config
- @vue/component-compiler-utils
- axios
- brace-expansion
- cipher-base
- compression
- cross-spawn
- dockerode
- dompurify
- elliptic
- express
- floating-vue
- form-data
- http-proxy-middleware
- js-yaml
- linkifyjs
- nanoid
- node-forge
- node-gettext
- on-headers
- path-to-regexp
- pbkdf2
- postcss
- sha.js
- tar-fs
- tmp
- vue
- vue-frag
- vue-infinite-loading
- vue-loader
- vue-resize
- vue-template-compiler
- vue2-datepicker
- vuex
- webpack-dev-server
Fixed vulnerabilities
@babel/helpers #
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
- Severity: moderate (CVSS 6.2)
- Reference: https://github.com/advisories/GHSA-968p-4wvh-cqc8
- Affected versions: <7.26.10
- Package usage:
node_modules/@babel/helpers
@babel/runtime #
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
- Severity: moderate (CVSS 6.2)
- Reference: https://github.com/advisories/GHSA-968p-4wvh-cqc8
- Affected versions: <7.26.10
- Package usage:
node_modules/@babel/runtime
@nextcloud/dialogs #
- Caused by vulnerable dependency:
- @nextcloud/files
- @nextcloud/l10n
- @nextcloud/vue
- vue
- vue-frag
- Affected versions: 2.0.0 - 6.4.1
- Package usage:
node_modules/@nextcloud/dialogs
@nextcloud/files #
- Caused by vulnerable dependency:
- @nextcloud/l10n
- Affected versions: 1.1.0 - 3.2.1
- Package usage:
node_modules/@nextcloud/files
@nextcloud/l10n #
- Caused by vulnerable dependency:
- node-gettext
- Affected versions: 1.1.0 - 3.1.0
- Package usage:
node_modules/@nextcloud/l10n
node_modules/@nextcloud/moment/node_modules/@nextcloud/l10n
@nextcloud/moment #
- Caused by vulnerable dependency:
- @nextcloud/l10n
- node-gettext
- Affected versions: 1.1.1 - 1.3.2
- Package usage:
node_modules/@nextcloud/moment
@nextcloud/vue #
- Caused by vulnerable dependency:
- @nextcloud/l10n
- @nextcloud/vue-select
- floating-vue
- vue
- vue-frag
- vue2-datepicker
- Affected versions: <=9.0.0-rc.9
- Package usage:
node_modules/@nextcloud/vue
@nextcloud/vue-select #
- Caused by vulnerable dependency:
- vue
- Affected versions: *
- Package usage:
node_modules/@nextcloud/vue-select
@nextcloud/webpack-vue-config #
- Caused by vulnerable dependency:
- vue
- vue-loader
- vue-template-compiler
- webpack-dev-server
- Affected versions: <=6.2.0
- Package usage:
node_modules/@nextcloud/webpack-vue-config
@vue/component-compiler-utils #
- Caused by vulnerable dependency:
- postcss
- Affected versions: *
- Package usage:
node_modules/@vue/component-compiler-utils
axios #
- Axios is vulnerable to DoS attack through lack of data size check
- Severity: high (CVSS 7.5)
- Reference: https://github.com/advisories/GHSA-4hjh-wcwx-xvwj
- Affected versions: 1.0.0 - 1.11.0
- Package usage:
node_modules/axios
brace-expansion #
- brace-expansion Regular Expression Denial of Service vulnerability
- Severity: low (CVSS 3.1)
- Reference: https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
- Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
- Package usage:
node_modules/brace-expansion
node_modules/webdav/node_modules/brace-expansion
cipher-base #
- cipher-base is missing type checks, leading to hash rewind and passing on crafted data
- Severity: critical 🚨 (CVSS 9.1)
- Reference: https://github.com/advisories/GHSA-cpq7-6gpm-g9rc
- Affected versions: <=1.0.4
- Package usage:
node_modules/cipher-base
compression #
- Caused by vulnerable dependency:
- on-headers
- Affected versions: 1.0.3 - 1.8.0
- Package usage:
node_modules/compression
cross-spawn #
- Regular Expression Denial of Service (ReDoS) in cross-spawn
- Severity: high (CVSS 7.5)
- Reference: https://github.com/advisories/GHSA-3xgq-45jj-v275
- Affected versions: 7.0.0 - 7.0.4
- Package usage:
node_modules/cross-spawn
dockerode #
- Caused by vulnerable dependency:
- tar-fs
- Affected versions: 3.0.0 - 4.0.4
- Package usage:
node_modules/@nextcloud/cypress/node_modules/dockerode
node_modules/dockerode
dompurify #
- DOMPurify allows Cross-site Scripting (XSS)
- Severity: moderate (CVSS 4.5)
- Reference: https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
- Affected versions: <3.2.4
- Package usage:
node_modules/dompurify
elliptic #
- Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
- Severity: critical 🚨
- Reference: https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
- Affected versions: <=6.6.0
- Package usage:
node_modules/elliptic
express #
- Caused by vulnerable dependency:
- path-to-regexp
- Affected versions: 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
- Package usage:
node_modules/express
floating-vue #
- Caused by vulnerable dependency:
- vue
- vue-resize
- Affected versions: <=1.0.0-beta.19
- Package usage:
node_modules/floating-vue
form-data #
- form-data uses unsafe random function in form-data for choosing boundary
- Severity: critical 🚨
- Reference: https://github.com/advisories/GHSA-fjxv-7rqg-78g4
- Affected versions: 4.0.0 - 4.0.3
- Package usage:
node_modules/form-data
http-proxy-middleware #
- Denial of service in http-proxy-middleware
- Severity: high (CVSS 7.5)
- Reference: https://github.com/advisories/GHSA-c7qv-q95q-8v27
- Affected versions: <=2.0.8
- Package usage:
node_modules/http-proxy-middleware
js-yaml #
- js-yaml has prototype pollution in merge (<<)
- Severity: moderate (CVSS 5.3)
- Reference: https://github.com/advisories/GHSA-mh29-5h37-fv8m
- Affected versions: <3.14.2 || >=4.0.0 <4.1.1
- Package usage:
node_modules/@eslint/eslintrc/node_modules/js-yaml
node_modules/eslint/node_modules/js-yaml
node_modules/js-yaml
linkifyjs #
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
- Severity: high
- Reference: https://github.com/advisories/GHSA-95jq-xph2-cx9h
- Affected versions: <4.3.2
- Package usage:
node_modules/linkifyjs
nanoid #
- Predictable results in nanoid generation when given non-integer values
- Severity: moderate (CVSS 4.3)
- Reference: https://github.com/advisories/GHSA-mwcw-c2x4-8c55
- Affected versions: <3.3.8
- Package usage:
node_modules/nanoid
node-forge #
- node-forge has ASN.1 Unbounded Recursion
- Severity: high
- Reference: https://github.com/advisories/GHSA-554w-wpv2-vw27
- Affected versions: <=1.3.1
- Package usage:
node_modules/node-forge
node-gettext #
- node-gettext vulnerable to Prototype Pollution
- Severity: high (CVSS 5.9)
- Reference: https://github.com/advisories/GHSA-g974-hxvm-x689
- Affected versions: *
- Package usage:
node_modules/node-gettext
on-headers #
- on-headers is vulnerable to http response header manipulation
- Severity: low (CVSS 3.4)
- Reference: https://github.com/advisories/GHSA-76c9-3jph-rj3q
- Affected versions: <1.1.0
- Package usage:
node_modules/on-headers
path-to-regexp #
- path-to-regexp contains a ReDoS
- Severity: high (CVSS 7.5)
- Reference: https://github.com/advisories/GHSA-rhx6-c78j-4q9w
- Affected versions: <0.1.12
- Package usage:
node_modules/path-to-regexp
pbkdf2 #
- pbkdf2 silently disregards Uint8Array input, returning static keys
- Severity: critical 🚨
- Reference: https://github.com/advisories/GHSA-v62p-rq8g-8h59
- Affected versions: <=3.1.2
- Package usage:
node_modules/pbkdf2
postcss #
- PostCSS line return parsing error
- Severity: moderate (CVSS 5.3)
- Reference: https://github.com/advisories/GHSA-7fh5-64p2-3v2j
- Affected versions: <8.4.31
- Package usage:
node_modules/@vue/component-compiler-utils/node_modules/postcss
sha.js #
- sha.js is missing type checks leading to hash rewind and passing on crafted data
- Severity: critical 🚨 (CVSS 9.1)
- Reference: https://github.com/advisories/GHSA-95m3-7q98-8xr5
- Affected versions: <=2.4.11
- Package usage:
node_modules/sha.js
tar-fs #
- tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
- Severity: high
- Reference: https://github.com/advisories/GHSA-vj76-c3g6-qr5v
- Affected versions: 2.0.0 - 2.1.3
- Package usage:
node_modules/tar-fs
tmp #
- tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
- Severity: low (CVSS 2.5)
- Reference: https://github.com/advisories/GHSA-52f5-9888-hmc6
- Affected versions: <=0.2.3
- Package usage:
node_modules/tmp
vue #
- ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
- Severity: low (CVSS 3.7)
- Reference: https://github.com/advisories/GHSA-5j4c-8p2g-v4jx
- Affected versions: 2.0.0-alpha.1 - 2.7.16
- Package usage:
node_modules/vue
vue-frag #
- Caused by vulnerable dependency:
- vue
- Affected versions: >=1.3.1
- Package usage:
node_modules/vue-frag
vue-infinite-loading #
- Caused by vulnerable dependency:
- vue
- Affected versions: 2.0.0-rc.1 - 2.4.5
- Package usage:
node_modules/vue-infinite-loading
vue-loader #
- Caused by vulnerable dependency:
- @vue/component-compiler-utils
- Affected versions: 15.0.0-beta.1 - 15.11.1
- Package usage:
node_modules/vue-loader
vue-resize #
- Caused by vulnerable dependency:
- vue
- Affected versions: 0.4.0 - 1.0.1
- Package usage:
node_modules/vue-resize
vue-template-compiler #
- vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
- Severity: moderate (CVSS 4.2)
- Reference: https://github.com/advisories/GHSA-g3ch-rx76-35fx
- Affected versions: >=2.0.0
- Package usage:
node_modules/vue-template-compiler
vue2-datepicker #
- Caused by vulnerable dependency:
- vue
- Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
- Package usage:
node_modules/vue2-datepicker
vuex #
- Caused by vulnerable dependency:
- vue
- Affected versions: 3.1.3 - 3.6.2
- Package usage:
node_modules/vuex
webpack-dev-server #
- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
- Severity: moderate (CVSS 6.5)
- Reference: https://github.com/advisories/GHSA-9jgg-88mc-972h
- Affected versions: <=5.2.0
- Package usage:
node_modules/webpack-dev-server
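The list above appears to mirror the structure of `npm audit --json` (auditReportVersion 2): a package whose `via` array holds advisory objects is reported with a title, severity and GHSA reference, while a package whose `via` holds only package-name strings is reported as "Caused by vulnerable dependency". The script below is an added example and not code from this PR or from the Nextcloud project. It parses a constructed report of that shape, modelled on three entries from this page (cipher-base, on-headers, compression), splits it into direct advisories and transitive findings the same way the PR body does, and checks which of the PR's GHSA ids survive a second, post-fix report, which is how a reviewer would verify the "resolves 43 of 45" claim on a real checkout by feeding it the output of `npm audit --json` before and after the lockfile change. The two reports, the advisory `source` numbers and the function names are assumptions; they are not the real audit output for this repository.

```javascript
'use strict';
// Added example, not part of the PR. Both reports below are CONSTRUCTED samples
// following the npm audit v2 JSON shape; they are not real output for this repo.

// Constructed "before" report: three packages modelled on entries from the PR body.
const before = {
  auditReportVersion: 2,
  vulnerabilities: {
    'cipher-base': {
      name: 'cipher-base', severity: 'critical', isDirect: false,
      via: [{
        source: 1, // constructed advisory id
        name: 'cipher-base', dependency: 'cipher-base',
        title: 'cipher-base is missing type checks, leading to hash rewind and passing on crafted data',
        url: 'https://github.com/advisories/GHSA-cpq7-6gpm-g9rc',
        severity: 'critical', cvss: { score: 9.1 }, range: '<=1.0.4',
      }],
      effects: [], range: '<=1.0.4', nodes: ['node_modules/cipher-base'], fixAvailable: true,
    },
    'on-headers': {
      name: 'on-headers', severity: 'low', isDirect: false,
      via: [{
        source: 2, // constructed advisory id
        name: 'on-headers', dependency: 'on-headers',
        title: 'on-headers is vulnerable to http response header manipulation',
        url: 'https://github.com/advisories/GHSA-76c9-3jph-rj3q',
        severity: 'low', cvss: { score: 3.4 }, range: '<1.1.0',
      }],
      effects: ['compression'], range: '<1.1.0', nodes: ['node_modules/on-headers'], fixAvailable: true,
    },
    compression: {
      name: 'compression', severity: 'low', isDirect: false,
      via: ['on-headers'], // string entry: "Caused by vulnerable dependency"
      effects: [], range: '1.0.3 - 1.8.0', nodes: ['node_modules/compression'], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 0, high: 0, critical: 1, total: 3 } },
};

// Constructed "after" report: cipher-base resolved, on-headers and compression still present.
const after = JSON.parse(JSON.stringify(before));
delete after.vulnerabilities['cipher-base'];
after.metadata.vulnerabilities = { info: 0, low: 2, moderate: 0, high: 0, critical: 0, total: 2 };

// Extract the GHSA id from an advisory URL; null if the URL is not a GHSA link.
function ghsaId(url) {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$/i.exec(url || '');
  return m ? m[0] : null;
}

// Split every vulnerable package into direct advisories (objects in `via`) and
// transitive findings (strings in `via` naming the vulnerable dependency).
function summarizeAudit(report) {
  if (report.auditReportVersion !== 2) throw new Error('expected auditReportVersion 2');
  const advisories = [];
  const transitive = [];
  for (const [pkg, v] of Object.entries(report.vulnerabilities)) {
    const direct = v.via.filter((x) => typeof x === 'object' && x !== null);
    const causes = v.via.filter((x) => typeof x === 'string');
    for (const a of direct) {
      advisories.push({
        package: pkg, title: a.title, severity: a.severity,
        cvss: a.cvss ? a.cvss.score : null, ghsa: ghsaId(a.url), range: a.range, nodes: v.nodes,
      });
    }
    if (causes.length) transitive.push({ package: pkg, causedBy: causes, range: v.range, nodes: v.nodes });
  }
  return { advisories, transitive, total: Object.keys(report.vulnerabilities).length };
}

// Packages listed in `before` that no longer appear in `after` (the "resolves N of M" number).
function resolvedPackages(beforeReport, afterReport) {
  const remaining = new Set(Object.keys(afterReport.vulnerabilities));
  return Object.keys(beforeReport.vulnerabilities).filter((p) => !remaining.has(p)).sort();
}

// Which of the advisory ids a PR claims to fix are still reported in the post-fix audit.
function remainingAdvisories(afterReport, expectedFixed) {
  const present = new Set(summarizeAudit(afterReport).advisories.map((a) => a.ghsa));
  return expectedFixed.filter((id) => present.has(id));
}

const claimed = ['GHSA-cpq7-6gpm-g9rc', 'GHSA-76c9-3jph-rj3q'];
const summary = summarizeAudit(before);
console.log(`${summary.advisories.length} advisories, ${summary.transitive.length} transitive, ${summary.total} packages`);
console.log('resolved:', resolvedPackages(before, after));
console.log('still present after fix:', remainingAdvisories(after, claimed));
```

On a real checkout, replace the two constructed objects with `JSON.parse` of `npm audit --json` captured before and after the lockfile change; the metadata block is not used by the functions, so a report whose `metadata.vulnerabilities.total` disagrees with the number of keys under `vulnerabilities` is worth a second look rather than a silent pass.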
Social

Run #1077: Errored • 90658cd334: [stable29] Fix npm audit

Run Properties:

| Property | Value |
|---|---|
| Project | Social |
| Branch Review | automated/noid/stable29-fix-npm-audit |
| Run status | Errored |
| Run duration | 01m 05s |
| Commit | 90658cd334 |
| Committer | Nextcloud Command Bot |
| Test results | 2, 0, 0, 0, 0 |