Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable28] Fix npm audit #626

Merged
merged 1 commit into from
Sep 30, 2024
Merged

[stable28] Fix npm audit #626

merged 1 commit into from
Sep 30, 2024

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Aug 1, 2024
edited
Loading

Audit report

This audit fix resolves 22 of the total 24 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.0
  • Package usage:
    • node_modules/@nextcloud/l10n

@nextcloud/vue #

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

axios #

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

body-parser #

  • body-parser vulnerable to denial of service when url encoding is enabled
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-qwcr-r2fm-qrc7
  • Affected versions: <1.20.3
  • Package usage:
    • node_modules/body-parser

braces #

  • Uncontrolled resource consumption in braces
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-grv7-fg5c-xmjg
  • Affected versions: <3.0.3
  • Package usage:
    • node_modules/braces

dompurify #

  • DOMPurify allows tampering by prototype pollution
  • Severity: high (CVSS 7)
  • Reference: GHSA-mmhx-hmjr-r674
  • Affected versions: 3.0.0 - 3.1.2
  • Package usage:
    • node_modules/dompurify

elliptic #

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: 2.0.0 - 6.5.6
  • Package usage:
    • node_modules/elliptic

express #

  • Express.js Open Redirect in malformed URLs
  • Severity: moderate (CVSS 6.1)
  • Reference: GHSA-rv95-896h-c2vc
  • Affected versions: <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  • Package usage:
    • node_modules/express

fast-xml-parser #

  • fast-xml-parser vulnerable to ReDOS at currency parsing
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-mpg4-rc92-vx8v
  • Affected versions: <4.4.1
  • Package usage:
    • node_modules/fast-xml-parser

follow-redirects #

  • follow-redirects' Proxy-Authorization header kept across hosts
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-cxjh-pqwp-8mfp
  • Affected versions: <=1.15.5
  • Package usage:
    • node_modules/follow-redirects

micromatch #

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: moderate (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

path-to-regexp #

  • path-to-regexp outputs backtracking regular expressions
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-9wv6-86v2-598j
  • Affected versions: <0.1.10
  • Package usage:
    • node_modules/path-to-regexp

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

send #

  • send vulnerable to template injection that can lead to XSS
  • Severity: moderate (CVSS 5)
  • Reference: GHSA-m6fv-jmcg-4jfg
  • Affected versions: <0.19.0
  • Package usage:
    • node_modules/send

serve-static #

  • serve-static vulnerable to template injection that can lead to XSS
  • Severity: moderate (CVSS 5)
  • Reference: GHSA-cm22-4g7w-348p
  • Affected versions: <=1.16.0
  • Package usage:
    • node_modules/serve-static

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

webpack #

  • Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
  • Severity: moderate (CVSS 6.4)
  • Reference: GHSA-4vvj-4cpr-p986
  • Affected versions: 5.0.0-alpha.0 - 5.93.0
  • Package usage:
    • node_modules/webpack

webpack-dev-middleware #

  • Path traversal in webpack-dev-middleware
  • Severity: high (CVSS 7.4)
  • Reference: GHSA-wr3j-pwj9-hqq6
  • Affected versions: <=5.3.3
  • Package usage:
    • node_modules/webpack-dev-middleware

ws #

  • ws affected by a DoS when handling a request with many HTTP headers
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3h5v-q93c-6h6q
  • Affected versions: 8.0.0 - 8.17.0
  • Package usage:
    • node_modules/ws

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from e2e805f to d4f2e3f Compare August 18, 2024 03:06
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from d4f2e3f to aee7bf6 Compare August 25, 2024 03:04
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from aee7bf6 to e6c40c3 Compare September 1, 2024 03:30
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch 2 times, most recently from d0a244a to 1b612c2 Compare September 15, 2024 03:23
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 1b612c2 to 387ba79 Compare September 22, 2024 03:28
@nextcloud-command
fix(deps): Fix npm audit
3f885b9 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable28-fix-npm-audit branch from 387ba79 to 3f885b9 Compare September 29, 2024 03:33
@DorraJaouad DorraJaouad merged commit 176a3c5 into stable28 Sep 30, 2024
27 checks passed
@DorraJaouad DorraJaouad deleted the automated/noid/stable28-fix-npm-audit branch September 30, 2024 06:26
@Altahrim Altahrim mentioned this pull request Oct 1, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DorraJaouad DorraJaouad DorraJaouad approved these changes

Assignees
No one assigned
Labels
3. to review dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nextcloud-command @DorraJaouad