Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable28] Fix npm audit #1034

Merged
merged 1 commit into from
Aug 29, 2024
Merged

[stable28] Fix npm audit #1034

merged 1 commit into from
Aug 29, 2024

Conversation

nextcloud-command
Copy link
Contributor

Audit report

This audit fix resolves 7 of the total 9 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@vue/component-compiler-utils #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vue/component-compiler-utils

axios #

  • Server-Side Request Forgery in axios
  • Severity: high
  • Reference: GHSA-8hc4-vh64-cxmj
  • Affected versions: 1.3.2 - 1.7.3
  • Package usage:
    • node_modules/axios

elliptic #

  • Elliptic's EDDSA missing signature length check
  • Severity: low (CVSS 5.3)
  • Reference: GHSA-f7q4-pwc6-w24p
  • Affected versions: 2.0.0 - 6.5.6
  • Package usage:
    • node_modules/elliptic

micromatch #

  • Regular Expression Denial of Service (ReDoS) in micromatch
  • Severity: moderate
  • Reference: GHSA-952p-6rrq-rcjv
  • Affected versions: <4.0.8
  • Package usage:
    • node_modules/micromatch

pdfjs-dist #

  • PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
  • Severity: high
  • Reference: GHSA-wgrm-67xf-hhpq
  • Affected versions: <=4.1.392
  • Package usage:
    • node_modules/pdfjs-dist

postcss #

  • PostCSS line return parsing error
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-7fh5-64p2-3v2j
  • Affected versions: <8.4.31
  • Package usage:
    • node_modules/@vue/component-compiler-utils/node_modules/postcss

vue-loader #

  • Caused by vulnerable dependency:
  • Affected versions: 15.0.0-beta.1 - 15.11.1
  • Package usage:
    • node_modules/vue-loader

@nextcloud-command
fix(deps): Fix npm audit
3e64389 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Aug 25, 2024
szaimen
szaimen approved these changes Aug 29, 2024
View reviewed changes
Copy link
Collaborator

@szaimen szaimen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and pdf viewer still opens correctly

@szaimen szaimen added this to the Nextcloud 28.0.10 milestone Aug 29, 2024
@szaimen szaimen enabled auto-merge August 29, 2024 09:19
@szaimen szaimen merged commit f42169a into stable28 Aug 29, 2024
39 checks passed
@blizzz blizzz mentioned this pull request Sep 4, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@szaimen szaimen szaimen approved these changes

Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
Nextcloud 28.0.10
Development

Successfully merging this pull request may close these issues.
2 participants
@nextcloud-command @szaimen