Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable30] Fix npm audit #949

Open
wants to merge 1 commit into
base: stable30
Choose a base branch
from
Open

[stable30] Fix npm audit #949

wants to merge 1 commit into from
+39 −34

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Oct 27, 2024
edited
Loading

Audit report

This audit fix resolves 7 of the total 7 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

cross-spawn #

  • Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Severity: high (CVSS 7.5)
  • Reference: GHSA-3xgq-45jj-v275
  • Affected versions: 7.0.0 - 7.0.4
  • Package usage:
    • node_modules/cross-spawn

nanoid #

  • Predictable results in nanoid generation when given non-integer values
  • Severity: moderate (CVSS 4.3)
  • Reference: GHSA-mwcw-c2x4-8c55
  • Affected versions: <3.3.8
  • Package usage:
    • node_modules/nanoid

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

vue #

  • ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
  • Severity: low (CVSS 3.7)
  • Reference: GHSA-5j4c-8p2g-v4jx
  • Affected versions: 2.0.0-alpha.1 - 2.7.16
  • Package usage:
    • node_modules/vue

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Oct 27, 2024
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from c6e31ca to 8e3a20a Compare November 10, 2024 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from e2f94b3 to d23d3ce Compare November 24, 2024 03:27
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 03a11f8 to f7262be Compare December 15, 2024 03:36
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 1e0af96 to 94afa42 Compare December 29, 2024 03:15
@ChristophWurst ChristophWurst force-pushed the automated/noid/stable30-fix-npm-audit branch from 94afa42 to f16351c Compare January 9, 2025 14:53
@nextcloud-command
fix(deps): Fix npm audit
6dc1d17 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from f16351c to 6dc1d17 Compare January 26, 2025 03:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nextcloud-command @ChristophWurst