Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable27] Fix npm audit #625

Open
wants to merge 1 commit into
base: stable27
Choose a base branch
from
Open

[stable27] Fix npm audit #625

wants to merge 1 commit into from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Aug 1, 2024
edited
Loading

Audit report

This audit fix resolves 16 of the total 18 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@babel/traverse #

  • Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
  • Severity: critical 🚨 (CVSS 9.4)
  • Reference: GHSA-67hx-6x53-jw92
  • Affected versions: <7.23.2
  • Package usage:
    • node_modules/@babel/traverse

@nextcloud/axios #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.3.0
  • Package usage:
    • node_modules/@nextcloud/axios

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

axios #

  • Axios Cross-Site Request Forgery Vulnerability
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-wf5p-g6vw-rhxx
  • Affected versions: 0.8.1 - 0.27.2
  • Package usage:
    • node_modules/axios

braces #

  • Uncontrolled resource consumption in braces
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-grv7-fg5c-xmjg
  • Affected versions: <3.0.3
  • Package usage:
    • node_modules/braces

browserify-sign #

  • browserify-sign upper bound check issue in dsaVerify leads to a signature forgery attack
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-x9w5-v3q2-3rhw
  • Affected versions: 2.6.0 - 4.2.1
  • Package usage:
    • node_modules/browserify-sign

elliptic #

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: 2.0.0 - 6.5.6
  • Package usage:
    • node_modules/elliptic

express #

  • Express.js Open Redirect in malformed URLs
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rv95-896h-c2vc
  • Affected versions: <4.19.2
  • Package usage:
    • node_modules/express

fast-xml-parser #

  • fast-xml-parser vulnerable to ReDOS at currency parsing
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-mpg4-rc92-vx8v
  • Affected versions: <4.4.1
  • Package usage:
    • node_modules/fast-xml-parser

follow-redirects #

  • Follow Redirects improperly handles URLs in the url.parse() function
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-jchw-25xp-jwwc
  • Affected versions: <=1.15.5
  • Package usage:
    • node_modules/follow-redirects

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss
    • node_modules/postcss

semver #

  • semver vulnerable to Regular Expression Denial of Service
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-c2qf-rxjj-qqgw
  • Affected versions: 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
  • Package usage:
    • node_modules/builtins/node_modules/semver
    • node_modules/css-loader/node_modules/semver
    • node_modules/eslint-plugin-jsdoc/node_modules/semver
    • node_modules/eslint-plugin-n/node_modules/semver
    • node_modules/eslint-plugin-vue/node_modules/semver
    • node_modules/semver
    • node_modules/stylelint-config-recommended-vue/node_modules/semver
    • node_modules/vue-eslint-parser/node_modules/semver

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

webpack-dev-middleware #

  • Path traversal in webpack-dev-middleware
  • Severity: high (CVSS 7.4)
  • Reference: GHSA-wr3j-pwj9-hqq6
  • Affected versions: <=5.3.3
  • Package usage:
    • node_modules/webpack-dev-middleware

word-wrap #

  • word-wrap vulnerable to Regular Expression Denial of Service
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-j8xg-fqg3-53r7
  • Affected versions: <1.2.4
  • Package usage:
    • node_modules/word-wrap

ws #

  • ws affected by a DoS when handling a request with many HTTP headers
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3h5v-q93c-6h6q
  • Affected versions: 8.0.0 - 8.17.0
  • Package usage:
    • node_modules/ws

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable27-fix-npm-audit branch from e2707d1 to a344efb Compare August 4, 2024 03:08
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable27-fix-npm-audit branch from a344efb to dce635c Compare August 11, 2024 03:10
@nextcloud-command
fix(deps): Fix npm audit
f628f10 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable27-fix-npm-audit branch from dce635c to f628f10 Compare August 18, 2024 03:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DorraJaouad DorraJaouad Awaiting requested review from DorraJaouad

Assignees
No one assigned
Labels
3. to review dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nextcloud-command