Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable31] Fix npm audit #2170

Open
wants to merge 3 commits into
base: stable31
Choose a base branch
from
Open

[stable31] Fix npm audit #2170

wants to merge 3 commits into from

Conversation

nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Jan 26, 2025
edited
Loading

Audit report

This audit fix resolves 12 of the total 19 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: >=4.2.0-beta.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/l10n #

  • Caused by vulnerable dependency:
  • Affected versions: 1.1.0 - 3.1.0
  • Package usage:
    • node_modules/@nextcloud/dialogs/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/files/node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/l10n
    • node_modules/@nextcloud/vue/node_modules/@nextcloud/l10n

@nextcloud/moment #

  • Caused by vulnerable dependency:
  • Affected versions: >=1.1.1
  • Package usage:
    • node_modules/@nextcloud/moment

@nextcloud/vite-config #

@vitejs/plugin-vue2 #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

@vue/language-core #

  • Caused by vulnerable dependency:
  • Affected versions: <=2.0.28
  • Package usage:
    • node_modules/@vue/language-core

node-gettext #

  • node-gettext vulnerable to Prototype Pollution
  • Severity: high (CVSS 5.9)
  • Reference: GHSA-g974-hxvm-x689
  • Affected versions: *
  • Package usage:
    • node_modules/node-gettext

vite #

  • Websites were able to send any requests to the development server and read the response in vite
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-vg6x-rcgg-rjx6
  • Affected versions: 5.0.0 - 5.4.11
  • Package usage:
    • node_modules/vite

vite-plugin-dts #

  • Caused by vulnerable dependency:
  • Affected versions: 3.0.0-beta.1 - 4.0.0-beta.2
  • Package usage:
    • node_modules/vite-plugin-dts

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

vue-template-compiler #

  • vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
  • Severity: moderate (CVSS 4.2)
  • Reference: GHSA-g3ch-rx76-35fx
  • Affected versions: >=2.0.0
  • Package usage:
    • node_modules/vue-template-compiler

vue-tsc #

  • Caused by vulnerable dependency:
  • Affected versions: 1.7.0-alpha.0 - 2.0.28
  • Package usage:
    • node_modules/vue-tsc

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jan 26, 2025
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from 0e487dd to c4c0694 Compare February 2, 2025 03:16
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from c4c0694 to ef7de58 Compare February 9, 2025 03:16
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable31-fix-npm-audit branch from ef7de58 to a3299a7 Compare February 16, 2025 03:22
nextcloud-command and others added 2 commits February 21, 2025 11:02
@nextcloud-command @Antreesy
fix(deps): Fix npm audit
2ea706a 
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Maksim Sukharev <antreesy.web@gmail.com>
@Antreesy
fix(deps): bump dependencies in package.json to align with lock file
5f6de5c 
Signed-off-by: Maksim Sukharev <antreesy.web@gmail.com>
@Antreesy Antreesy force-pushed the automated/noid/stable31-fix-npm-audit branch from a3299a7 to 5f6de5c Compare February 21, 2025 10:19
@Antreesy
Copy link
Collaborator

/compile /

@nextcloud-command
chore(assets): Recompile assets
24c5c04 
Signed-off-by: nextcloud-command <nextcloud-command@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen Awaiting requested review from nickvergessen nickvergessen is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
3. to review dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nextcloud-command @Antreesy