[stable29] Fix npm audit #463

nextcloud-command · 2024-08-11T03:11:24Z

Audit report

This audit fix resolves 17 of the total 19 vulnerabilities found in your project.

Updated dependencies

@nextcloud/l10n
@nextcloud/vue
@vue/component-compiler-utils
axios
body-parser
cookie
dompurify
elliptic
express
micromatch
node-gettext
path-to-regexp
postcss
send
serve-static
vue-loader
webpack

Fixed vulnerabilities

@nextcloud/l10n #

Caused by vulnerable dependency:
- node-gettext
Affected versions: >=1.1.0
Package usage:
- node_modules/@nextcloud/l10n

@nextcloud/vue #

Caused by vulnerable dependency:
- @nextcloud/l10n
Affected versions: >=1.4.0
Package usage:
- node_modules/@nextcloud/vue

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

axios #

Server-Side Request Forgery in axios
Severity: high
Reference: GHSA-8hc4-vh64-cxmj
Affected versions: 1.3.2 - 1.7.3
Package usage:
- node_modules/axios

body-parser #

body-parser vulnerable to denial of service when url encoding is enabled
Severity: high (CVSS 7.5)
Reference: GHSA-qwcr-r2fm-qrc7
Affected versions: <1.20.3
Package usage:
- node_modules/body-parser

cookie #

cookie accepts cookie name, path, and domain with out of bounds characters
Severity: low
Reference: GHSA-pxg6-pf52-xh8x
Affected versions: <0.7.0
Package usage:
- node_modules/cookie

dompurify #

DOMPurify allows tampering by prototype pollution
Severity: high (CVSS 7)
Reference: GHSA-mmhx-hmjr-r674
Affected versions: 3.0.0 - 3.1.2
Package usage:
- node_modules/dompurify

elliptic #

Elliptic's EDDSA missing signature length check
Severity: low (CVSS 5.3)
Reference: GHSA-f7q4-pwc6-w24p
Affected versions: <=6.5.6
Package usage:
- node_modules/elliptic

express #

express vulnerable to XSS via response.redirect()
Severity: moderate (CVSS 5)
Reference: GHSA-qw6h-vgh9-j6wx
Affected versions: <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
Package usage:
- node_modules/express

micromatch #

Regular Expression Denial of Service (ReDoS) in micromatch
Severity: moderate (CVSS 5.3)
Reference: GHSA-952p-6rrq-rcjv
Affected versions: <4.0.8
Package usage:
- node_modules/micromatch

node-gettext #

node-gettext vulnerable to Prototype Pollution
Severity: moderate (CVSS 5.9)
Reference: GHSA-g974-hxvm-x689
Affected versions: *
Package usage:
- node_modules/node-gettext

path-to-regexp #

path-to-regexp outputs backtracking regular expressions
Severity: high (CVSS 7.5)
Reference: GHSA-9wv6-86v2-598j
Affected versions: <0.1.10
Package usage:
- node_modules/path-to-regexp

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

send #

send vulnerable to template injection that can lead to XSS
Severity: moderate (CVSS 5)
Reference: GHSA-m6fv-jmcg-4jfg
Affected versions: <0.19.0
Package usage:
- node_modules/send

serve-static #

serve-static vulnerable to template injection that can lead to XSS
Severity: moderate (CVSS 5)
Reference: GHSA-cm22-4g7w-348p
Affected versions: <=1.16.0
Package usage:
- node_modules/serve-static

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

webpack #

Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
Severity: moderate (CVSS 6.4)
Reference: GHSA-4vvj-4cpr-p986
Affected versions: 5.0.0-alpha.0 - 5.93.0
Package usage:
- node_modules/webpack

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command added 3. to review Waiting for reviews dependencies Pull requests that update a dependency file labels Aug 11, 2024

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from f80ad89 to 359041c Compare August 18, 2024 03:07

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 359041c to 2c794fb Compare August 25, 2024 03:08

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2c794fb to 9db3013 Compare September 1, 2024 03:31

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 9db3013 to 4f414d4 Compare September 15, 2024 03:24

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 4f414d4 to 4a5d002 Compare September 22, 2024 03:30

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 4a5d002 to 973aabc Compare September 29, 2024 03:34

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 973aabc to 2c365af Compare October 6, 2024 03:41

fix(deps): Fix npm audit

4278627

Signed-off-by: GitHub <noreply@github.com>

nextcloud-command force-pushed the automated/noid/stable29-fix-npm-audit branch from 2c365af to 4278627 Compare October 13, 2024 03:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[stable29] Fix npm audit #463

[stable29] Fix npm audit #463

nextcloud-command commented Aug 11, 2024 •

edited

Loading

[stable29] Fix npm audit #463

Are you sure you want to change the base?

[stable29] Fix npm audit #463

Conversation

nextcloud-command commented Aug 11, 2024 • edited Loading

Audit report

Updated dependencies

Fixed vulnerabilities

@nextcloud/l10n #

@nextcloud/vue #

@vue/component-compiler-utils #

axios #

body-parser #

cookie #

dompurify #

elliptic #

express #

micromatch #

node-gettext #

path-to-regexp #

postcss #

send #

serve-static #

vue-loader #

webpack #

nextcloud-command commented Aug 11, 2024 •

edited

Loading