This run took 110 seconds.
$ date --- stdout --- Wed Nov 6 05:28:44 UTC 2024 --- end --- $ git clone file:///srv/git/wikimedia-toolhub.git repo --depth=1 -b main --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/main --- stdout --- be40b8360a9e6903a1143daa19819f4f796c3ec1 refs/heads/main --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@apitools/openapi-parser": { "name": "@apitools/openapi-parser", "severity": "low", "isDirect": false, "via": [ "swagger-client" ], "effects": [ "rapidoc" ], "range": "<=0.0.33", "nodes": [ "node_modules/@apitools/openapi-parser" ], "fixAvailable": true }, "@apollographql/graphql-upload-8-fork": { "name": "@apollographql/graphql-upload-8-fork", "severity": "high", "isDirect": false, "via": [ "busboy" ], "effects": [ "apollo-server-core" ], "range": "*", "nodes": [ "node_modules/@apollographql/graphql-upload-8-fork" ], "fixAvailable": true }, "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@casl/vue": { "name": "@casl/vue", "severity": "low", "isDirect": true, "via": [ "vue" ], "effects": [], "range": "<=2.0.1", "nodes": [ "node_modules/@casl/vue" ], "fixAvailable": { "name": "@casl/vue", "version": "2.2.2", "isSemVerMajor": true } }, "@sideway/formula": { "name": "@sideway/formula", "severity": "moderate", "isDirect": false, "via": [ { "source": 1091026, "name": "@sideway/formula", "dependency": "@sideway/formula", "title": "@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability", "url": "https://github.com/advisories/GHSA-c2jc-4fpr-4vhg", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<3.0.1" } ], "effects": [], "range": "3.0.0", "nodes": [ "node_modules/@sideway/formula" ], "fixAvailable": true }, "@vue/cli": { "name": "@vue/cli", "severity": "high", "isDirect": true, "via": [ "download-git-repo", "vue", "vue-codemod" ], "effects": [], "range": "*", "nodes": [ "node_modules/@vue/cli" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "@vue/cli-plugin-babel": { "name": "@vue/cli-plugin-babel", "severity": "moderate", "isDirect": true, "via": [ "@vue/cli-service" ], "effects": [], "range": ">=4.0.0-alpha.0", "nodes": [ "node_modules/@vue/cli-plugin-babel" ], "fixAvailable": { "name": "@vue/cli-plugin-babel", "version": "3.12.1", "isSemVerMajor": true } }, "@vue/cli-plugin-eslint": { "name": "@vue/cli-plugin-eslint", "severity": "moderate", "isDirect": true, "via": [ "@vue/cli-service" ], "effects": [], "range": ">=4.0.0-alpha.0", "nodes": [ "node_modules/@vue/cli-plugin-eslint" ], "fixAvailable": { "name": "@vue/cli-plugin-eslint", "version": "3.12.1", "isSemVerMajor": true } }, "@vue/cli-plugin-router": { "name": "@vue/cli-plugin-router", "severity": "moderate", "isDirect": true, "via": [ "@vue/cli-service" ], "effects": [], "range": "*", "nodes": [ "node_modules/@vue/cli-plugin-router" ], "fixAvailable": false }, "@vue/cli-plugin-unit-mocha": { "name": "@vue/cli-plugin-unit-mocha", "severity": "moderate", "isDirect": true, "via": [ "@vue/cli-service", "mocha" ], "effects": [], "range": ">=4.0.0-alpha.0", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "@vue/cli-plugin-vuex": { "name": "@vue/cli-plugin-vuex", "severity": "moderate", "isDirect": true, "via": [ "@vue/cli-service" ], "effects": [ "@vue/cli-service" ], "range": "*", "nodes": [ "node_modules/@vue/cli-plugin-vuex" ], "fixAvailable": false }, "@vue/cli-service": { "name": "@vue/cli-service", "severity": "moderate", "isDirect": true, "via": [ "@vue/cli-plugin-router", "@vue/cli-plugin-vuex", "@vue/component-compiler-utils", "vue-loader", "vue-template-compiler" ], "effects": [ "@vue/cli-plugin-babel", "@vue/cli-plugin-eslint", "@vue/cli-plugin-router", "@vue/cli-plugin-unit-mocha", "@vue/cli-plugin-vuex" ], "range": "*", "nodes": [ "node_modules/@vue/cli-service" ], "fixAvailable": false }, "@vue/component-compiler-utils": { "name": "@vue/component-compiler-utils", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "@vue/cli-service", "vue-loader" ], "range": "*", "nodes": [ "node_modules/@vue/component-compiler-utils" ], "fixAvailable": false }, "@vue/test-utils": { "name": "@vue/test-utils", "severity": "moderate", "isDirect": true, "via": [ "vue", "vue-template-compiler" ], "effects": [], "range": "<=1.3.6", "nodes": [ "node_modules/@vue/test-utils" ], "fixAvailable": { "name": "@vue/test-utils", "version": "2.4.6", "isSemVerMajor": true } }, "@wikimedia/jsonschema-tools": { "name": "@wikimedia/jsonschema-tools", "severity": "critical", "isDirect": true, "via": [ "json-schema-faker" ], "effects": [], "range": ">=0.10.3", "nodes": [ "node_modules/@wikimedia/jsonschema-tools" ], "fixAvailable": { "name": "@wikimedia/jsonschema-tools", "version": "0.10.2", "isSemVerMajor": true } }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094090, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=3.0.0 <3.0.1" }, { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" }, { "source": 1094092, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.0.1" } ], "effects": [], "range": "3.0.0 || 4.0.0 - 4.1.0 || 5.0.0", "nodes": [ "node_modules/ansi-regex", "node_modules/inquirer/node_modules/ansi-regex", "node_modules/log-update/node_modules/ansi-regex", "node_modules/mocha/node_modules/ansi-regex", "node_modules/nyc/node_modules/ansi-regex", "node_modules/wide-align/node_modules/ansi-regex" ], "fixAvailable": true }, "apollo-server-core": { "name": "apollo-server-core", "severity": "high", "isDirect": false, "via": [ "@apollographql/graphql-upload-8-fork", { "source": 1093178, "name": "apollo-server-core", "dependency": "apollo-server-core", "title": "Prevent logging invalid header values", "url": "https://github.com/advisories/GHSA-j5g3-5c8r-7qfx", "severity": "low", "cwe": [], "cvss": { "score": 0, "vectorString": null }, "range": "<2.26.1" } ], "effects": [], "range": "<=2.26.2", "nodes": [ "node_modules/apollo-server-core" ], "fixAvailable": true }, "async": { "name": "async", "severity": "high", "isDirect": false, "via": [ { "source": 1097691, "name": "async", "dependency": "async", "title": "Prototype Pollution in async", "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.6.4" } ], "effects": [], "range": "2.0.0 - 2.6.3", "nodes": [ "node_modules/portfinder/node_modules/async" ], "fixAvailable": true }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": false, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": [ "CWE-400", "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [ "micromatch" ], "range": "<3.0.3", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha/node_modules/braces", "node_modules/braces", "node_modules/chokidar/node_modules/braces", "node_modules/eslint-webpack-plugin/node_modules/braces", "node_modules/fast-glob/node_modules/braces", "node_modules/http-proxy-middleware/node_modules/braces", "node_modules/mocha/node_modules/braces", "node_modules/stylelint-config-wikimedia/node_modules/braces", "node_modules/stylelint/node_modules/braces", "node_modules/webpack-dev-server/node_modules/braces" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "busboy": { "name": "busboy", "severity": "high", "isDirect": false, "via": [ "dicer" ], "effects": [ "@apollographql/graphql-upload-8-fork" ], "range": "<=0.3.1", "nodes": [ "node_modules/busboy" ], "fixAvailable": true }, "cacheable-request": { "name": "cacheable-request", "severity": "high", "isDirect": false, "via": [ "http-cache-semantics" ], "effects": [ "got" ], "range": "0.1.0 - 2.1.4", "nodes": [ "node_modules/cacheable-request" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express", "swagger-client" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": true }, "core-js-compat": { "name": "core-js-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0 - 3.25.0", "nodes": [ "node_modules/core-js-compat" ], "fixAvailable": true }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { "source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "dicer": { "name": "dicer", "severity": "high", "isDirect": false, "via": [ { "source": 1093150, "name": "dicer", "dependency": "dicer", "title": "Crash in HeaderParser in dicer", "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<=0.3.1" } ], "effects": [ "busboy" ], "range": "*", "nodes": [ "node_modules/dicer" ], "fixAvailable": true }, "download": { "name": "download", "severity": "moderate", "isDirect": false, "via": [ "got" ], "effects": [ "download-git-repo" ], "range": ">=4.0.0", "nodes": [ "node_modules/download" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "download-git-repo": { "name": "download-git-repo", "severity": "high", "isDirect": false, "via": [ "download", "git-clone" ], "effects": [ "@vue/cli" ], "range": "*", "nodes": [ "node_modules/download-git-repo" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "ejs": { "name": "ejs", "severity": "critical", "isDirect": false, "via": [ { "source": 1089270, "name": "ejs", "dependency": "ejs", "title": "ejs template injection vulnerability", "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q", "severity": "critical", "cwe": [ "CWE-74" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<3.1.7" }, { "source": 1098366, "name": "ejs", "dependency": "ejs", "title": "ejs lacks certain pollution protection", "url": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6", "severity": "moderate", "cwe": [ "CWE-693", "CWE-1321" ], "cvss": { "score": 4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<3.1.10" } ], "effects": [], "range": "<=3.1.9", "nodes": [ "node_modules/ejs" ], "fixAvailable": true }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": true }, "express": { "name": "express", "severity": "high", "isDirect": false, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": [ "CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" }, { "source": 1099529, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "follow-redirects": { "name": "follow-redirects", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096353, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Follow Redirects improperly handles URLs in the url.parse() function", "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", "severity": "moderate", "cwe": [ "CWE-20", "CWE-601" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<1.15.4" }, { "source": 1096856, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects' Proxy-Authorization header kept across hosts", "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=1.15.5" } ], "effects": [], "range": "<=1.15.5", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "get-func-name": { "name": "get-func-name", "severity": "high", "isDirect": false, "via": [ { "source": 1094574, "name": "get-func-name", "dependency": "get-func-name", "title": "Chaijs/get-func-name vulnerable to ReDoS", "url": "https://github.com/advisories/GHSA-4q6p-r6v2-jvc5", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.0.1" } ], "effects": [], "range": "<2.0.1", "nodes": [ "node_modules/get-func-name" ], "fixAvailable": true }, "git-clone": { "name": "git-clone", "severity": "high", "isDirect": false, "via": [ { "source": 1093404, "name": "git-clone", "dependency": "git-clone", "title": "Command injection in git-clone", "url": "https://github.com/advisories/GHSA-8jmw-wjr8-2x66", "severity": "high", "cwe": [ "CWE-77", "CWE-88" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=0.2.0" } ], "effects": [ "download-git-repo" ], "range": "*", "nodes": [ "node_modules/git-clone" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "got": { "name": "got", "severity": "high", "isDirect": false, "via": [ { "source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "severity": "moderate", "cwe": [], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<11.8.5" }, "cacheable-request" ], "effects": [ "download" ], "range": "<=11.8.3", "nodes": [ "node_modules/got" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "http-cache-semantics": { "name": "http-cache-semantics", "severity": "high", "isDirect": false, "via": [ { "source": 1092316, "name": "http-cache-semantics", "dependency": "http-cache-semantics", "title": "http-cache-semantics vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-rc47-6667-2j5j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.1.1" } ], "effects": [ "cacheable-request" ], "range": "<4.1.1", "nodes": [ "node_modules/http-cache-semantics" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "http-proxy-middleware": { "name": "http-proxy-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1100223, "name": "http-proxy-middleware", "dependency": "http-proxy-middleware", "title": "Denial of service in http-proxy-middleware", "url": "https://github.com/advisories/GHSA-c7qv-q95q-8v27", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.0.7" } ], "effects": [], "range": "<2.0.7", "nodes": [ "node_modules/http-proxy-middleware" ], "fixAvailable": true }, "ip": { "name": "ip", "severity": "high", "isDirect": false, "via": [ { "source": 1097720, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "low", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.1.9" }, { "source": 1099357, "name": "ip", "dependency": "ip", "title": "ip SSRF improper categorization in isPublic", "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp", "severity": "high", "cwe": [ "CWE-918" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=2.0.1" } ], "effects": [], "range": "*", "nodes": [ "node_modules/ip" ], "fixAvailable": true }, "jscodeshift": { "name": "jscodeshift", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "vue-codemod" ], "range": "0.3.20 - 0.13.1", "nodes": [ "node_modules/jscodeshift" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "json-pointer": { "name": "json-pointer", "severity": "critical", "isDirect": true, "via": [ { "source": 1088901, "name": "json-pointer", "dependency": "json-pointer", "title": "Prototype Pollution in json-pointer", "url": "https://github.com/advisories/GHSA-v5vg-g7rq-363w", "severity": "moderate", "cwe": [ "CWE-843", "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=0.6.1" }, { "source": 1096878, "name": "json-pointer", "dependency": "json-pointer", "title": "json-pointer vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-6xrf-q977-5vgc", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.6.2" } ], "effects": [], "range": "<=0.6.1", "nodes": [ "node_modules/json-pointer" ], "fixAvailable": true }, "json-schema-faker": { "name": "json-schema-faker", "severity": "critical", "isDirect": false, "via": [ "jsonpath-plus" ], "effects": [ "@wikimedia/jsonschema-tools" ], "range": "0.5.0-rc1 - 0.5.0-rcv.46 || >=0.5.2", "nodes": [ "node_modules/json-schema-faker" ], "fixAvailable": { "name": "@wikimedia/jsonschema-tools", "version": "0.10.2", "isSemVerMajor": true } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/json5", "node_modules/loader-utils/node_modules/json5" ], "fixAvailable": true }, "jsonpath-plus": { "name": "jsonpath-plus", "severity": "critical", "isDirect": false, "via": [ { "source": 1100203, "name": "jsonpath-plus", "dependency": "jsonpath-plus", "title": "JSONPath Plus Remote Code Execution (RCE) Vulnerability", "url": "https://github.com/advisories/GHSA-pppg-cpfq-h7wr", "severity": "critical", "cwe": [ "CWE-94" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<10.0.0" } ], "effects": [ "json-schema-faker" ], "range": "<10.0.0", "nodes": [ "node_modules/jsonpath-plus" ], "fixAvailable": { "name": "@wikimedia/jsonschema-tools", "version": "0.10.2", "isSemVerMajor": true } }, "loader-utils": { "name": "loader-utils", "severity": "critical", "isDirect": false, "via": [ { "source": 1094088, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<1.4.1" }, { "source": 1094089, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.0.3" }, { "source": 1095054, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1095055, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" }, { "source": 1097142, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1097143, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" } ], "effects": [], "range": "<=1.4.1 || 2.0.0 - 2.0.3", "nodes": [ "node_modules/loader-utils", "node_modules/null-loader/node_modules/loader-utils", "node_modules/thread-loader/node_modules/loader-utils", "node_modules/vue-loader/node_modules/loader-utils", "node_modules/vuetify-loader/node_modules/loader-utils" ], "fixAvailable": true }, "marked": { "name": "marked", "severity": "high", "isDirect": false, "via": [ { "source": 1095051, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" }, { "source": 1095052, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" } ], "effects": [ "rapidoc" ], "range": "<=4.0.9", "nodes": [ "node_modules/marked" ], "fixAvailable": true }, "micromatch": { "name": "micromatch", "severity": "high", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" }, "braces" ], "effects": [ "jscodeshift" ], "range": "<=4.0.7", "nodes": [ "node_modules/eslint-webpack-plugin/node_modules/micromatch", "node_modules/fast-glob/node_modules/micromatch", "node_modules/http-proxy-middleware/node_modules/micromatch", "node_modules/micromatch", "node_modules/stylelint-config-wikimedia/node_modules/micromatch", "node_modules/stylelint/node_modules/micromatch" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "mocha" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1097678, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "mocha": { "name": "mocha", "severity": "high", "isDirect": true, "via": [ "minimatch", "nanoid" ], "effects": [ "@vue/cli-plugin-unit-mocha" ], "range": "5.1.0 - 9.2.1", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha/node_modules/mocha", "node_modules/mocha" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "moment": { "name": "moment", "severity": "high", "isDirect": false, "via": [ { "source": 1095072, "name": "moment", "dependency": "moment", "title": "Moment.js vulnerable to Inefficient Regular Expression Complexity", "url": "https://github.com/advisories/GHSA-wc69-rhjr-hc9g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.18.0 <2.29.4" }, { "source": 1095083, "name": "moment", "dependency": "moment", "title": "Path Traversal: 'dir/../../filename' in moment.locale", "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4", "severity": "high", "cwe": [ "CWE-22", "CWE-27" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<2.29.2" } ], "effects": [], "range": "<=2.29.3", "nodes": [ "node_modules/moment" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [ "mocha" ], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha/node_modules/nanoid" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "node-forge": { "name": "node-forge", "severity": "high", "isDirect": false, "via": [ { "source": 1088746, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in `node-forge`", "url": "https://github.com/advisories/GHSA-2r2c-g63r-vccr", "severity": "moderate", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<1.3.0" }, { "source": 1095012, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in node-forge", "url": "https://github.com/advisories/GHSA-cfm4-qjh2-4765", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<1.3.0" }, { "source": 1095013, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in node-forge", "url": "https://github.com/advisories/GHSA-x4jg-mjrx-434g", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<1.3.0" } ], "effects": [], "range": "<=1.2.1", "nodes": [ "node_modules/node-forge" ], "fixAvailable": true }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099561, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=0.2.0 <1.9.0" }, { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<=0.1.9 || 0.2.0 - 1.8.0", "nodes": [ "node_modules/nise/node_modules/path-to-regexp", "node_modules/path-to-regexp" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "@vue/component-compiler-utils" ], "range": "<8.4.31", "nodes": [ "node_modules/@vue/component-compiler-utils/node_modules/postcss", "node_modules/postcss" ], "fixAvailable": false }, "prismjs": { "name": "prismjs", "severity": "high", "isDirect": false, "via": [ { "source": 1090424, "name": "prismjs", "dependency": "prismjs", "title": "Cross-site Scripting in Prism", "url": "https://github.com/advisories/GHSA-3949-f494-cm99", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L" }, "range": ">=1.14.0 <1.27.0" } ], "effects": [], "range": "1.14.0 - 1.26.0", "nodes": [ "node_modules/prismjs" ], "fixAvailable": true }, "rapidoc": { "name": "rapidoc", "severity": "high", "isDirect": true, "via": [ "@apitools/openapi-parser", "marked" ], "effects": [], "range": "*", "nodes": [ "node_modules/rapidoc" ], "fixAvailable": true }, "rss-parser": { "name": "rss-parser", "severity": "moderate", "isDirect": false, "via": [ "xml2js" ], "effects": [], "range": "<=3.12.0", "nodes": [ "node_modules/rss-parser" ], "fixAvailable": true }, "semver": { "name": "semver", "severity": "high", "isDirect": false, "via": [ { "source": 1098562, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1098563, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.7.2" }, { "source": 1098564, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "core-js-compat", "eslint-plugin-compat" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/register/node_modules/semver", "node_modules/@intlify/eslint-plugin-vue-i18n/node_modules/semver", "node_modules/@vue/cli-plugin-babel/node_modules/semver", "node_modules/@vue/cli-shared-utils/node_modules/semver", "node_modules/core-js-compat/node_modules/semver", "node_modules/cross-spawn/node_modules/semver", "node_modules/css-loader/node_modules/semver", "node_modules/editorconfig/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-unicorn/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/find-cache-dir/node_modules/semver", "node_modules/jsonc-eslint-parser/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/node-notifier/node_modules/semver", "node_modules/normalize-package-data/node_modules/semver", "node_modules/postcss-loader/node_modules/semver", "node_modules/semver", "node_modules/stylelint-config-recommended-vue/node_modules/semver", "node_modules/vue-cli-plugin-vuetify/node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": true }, "send": { "name": "send", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099525, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099527, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "shelljs": { "name": "shelljs", "severity": "high", "isDirect": false, "via": [ { "source": 1088208, "name": "shelljs", "dependency": "shelljs", "title": "Improper Privilege Management in shelljs", "url": "https://github.com/advisories/GHSA-64g7-mvw6-v9qj", "severity": "moderate", "cwe": [ "CWE-269" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.8.5" }, { "source": 1095126, "name": "shelljs", "dependency": "shelljs", "title": "Improper Privilege Management in shelljs", "url": "https://github.com/advisories/GHSA-4rq4-32rv-6wp6", "severity": "high", "cwe": [ "CWE-269" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" }, "range": "<0.8.5" } ], "effects": [], "range": "<=0.8.4", "nodes": [ "node_modules/shelljs" ], "fixAvailable": true }, "swagger-client": { "name": "swagger-client", "severity": "low", "isDirect": true, "via": [ "cookie" ], "effects": [ "@apitools/openapi-parser" ], "range": "3.3.0 - 3.29.3", "nodes": [ "node_modules/swagger-client" ], "fixAvailable": true }, "terser": { "name": "terser", "severity": "high", "isDirect": false, "via": [ { "source": 1091690, "name": "terser", "dependency": "terser", "title": "Terser insecure use of regular expressions leads to ReDoS", "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.14.2" } ], "effects": [], "range": "5.0.0 - 5.14.1", "nodes": [ "node_modules/terser" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": true }, "vue": { "name": "vue", "severity": "low", "isDirect": true, "via": [ { "source": 1100238, "name": "vue", "dependency": "vue", "title": "ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function", "url": "https://github.com/advisories/GHSA-5j4c-8p2g-v4jx", "severity": "low", "cwe": [ "CWE-1333" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=2.0.0-alpha.1 <3.0.0-alpha.0" } ], "effects": [ "@casl/vue", "@vue/cli", "@vue/test-utils", "vue-async-computed", "vue-frag", "vuetify", "vuex" ], "range": "2.0.0-alpha.1 - 2.7.16", "nodes": [ "node_modules/vue" ], "fixAvailable": { "name": "vue", "version": "3.5.12", "isSemVerMajor": true } }, "vue-async-computed": { "name": "vue-async-computed", "severity": "low", "isDirect": true, "via": [ "vue" ], "effects": [], "range": "2.0.0-rc.1 - 4.0.0-mixin.0", "nodes": [ "node_modules/vue-async-computed" ], "fixAvailable": { "name": "vue-async-computed", "version": "4.0.1", "isSemVerMajor": true } }, "vue-codemod": { "name": "vue-codemod", "severity": "moderate", "isDirect": false, "via": [ "jscodeshift" ], "effects": [ "@vue/cli" ], "range": "*", "nodes": [ "node_modules/vue-codemod" ], "fixAvailable": { "name": "@vue/cli", "version": "4.2.2", "isSemVerMajor": true } }, "vue-frag": { "name": "vue-frag", "severity": "low", "isDirect": true, "via": [ "vue" ], "effects": [], "range": ">=1.3.1", "nodes": [ "node_modules/vue-frag" ], "fixAvailable": { "name": "vue-frag", "version": "1.3.0", "isSemVerMajor": true } }, "vue-loader": { "name": "vue-loader", "severity": "moderate", "isDirect": false, "via": [ "@vue/component-compiler-utils" ], "effects": [ "@vue/cli-service" ], "range": "15.0.0-beta.1 - 15.11.1", "nodes": [ "node_modules/@vue/vue-loader-v15" ], "fixAvailable": false }, "vue-template-compiler": { "name": "vue-template-compiler", "severity": "moderate", "isDirect": true, "via": [ { "source": 1098721, "name": "vue-template-compiler", "dependency": "vue-template-compiler", "title": "vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)", "url": "https://github.com/advisories/GHSA-g3ch-rx76-35fx", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 4.2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, "range": ">=2.0.0 <3.0.0" } ], "effects": [ "@vue/cli-service", "vuetify-loader" ], "range": ">=2.0.0", "nodes": [ "node_modules/vue-template-compiler" ], "fixAvailable": false }, "vuetify": { "name": "vuetify", "severity": "moderate", "isDirect": true, "via": [ { "source": 1089240, "name": "vuetify", "dependency": "vuetify", "title": "Vuetify Cross-site Scripting vulnerability", "url": "https://github.com/advisories/GHSA-q4q5-c5cv-2p68", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, "range": ">=2.0.0-beta.4 <2.6.10" }, "vue" ], "effects": [], "range": "<=0.2.0 || 0.8.8 - 0.14.2 || 0.16.7 - 2.7.2", "nodes": [ "node_modules/vuetify" ], "fixAvailable": true }, "vuetify-loader": { "name": "vuetify-loader", "severity": "moderate", "isDirect": true, "via": [ "vue-template-compiler" ], "effects": [], "range": "1.0.0 - 1.8.0", "nodes": [ "node_modules/vuetify-loader" ], "fixAvailable": true }, "vuex": { "name": "vuex", "severity": "low", "isDirect": true, "via": [ "vue" ], "effects": [], "range": "3.1.3 - 3.6.2", "nodes": [ "node_modules/vuex" ], "fixAvailable": { "name": "vuex", "version": "4.1.0", "isSemVerMajor": true } }, "webpack": { "name": "webpack", "severity": "critical", "isDirect": false, "via": [ { "source": 1094471, "name": "webpack", "dependency": "webpack", "title": "Cross-realm object access in Webpack 5", "url": "https://github.com/advisories/GHSA-hc6q-2mpp-qw7j", "severity": "critical", "cwe": [], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=5.0.0 <5.76.0" }, { "source": 1099351, "name": "webpack", "dependency": "webpack", "title": "Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS", "url": "https://github.com/advisories/GHSA-4vvj-4cpr-p986", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 6.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, "range": ">=5.0.0-alpha.0 <5.94.0" } ], "effects": [], "range": "5.0.0-alpha.0 - 5.93.0", "nodes": [ "node_modules/webpack" ], "fixAvailable": true }, "webpack-dev-middleware": { "name": "webpack-dev-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1096729, "name": "webpack-dev-middleware", "dependency": "webpack-dev-middleware", "title": "Path traversal in webpack-dev-middleware", "url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, "range": "<=5.3.3" } ], "effects": [], "range": "<=5.3.3", "nodes": [ "node_modules/webpack-dev-middleware" ], "fixAvailable": true }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097681, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.17.1" }, { "source": 1098393, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.10" } ], "effects": [], "range": "7.0.0 - 7.5.9 || 8.0.0 - 8.17.0", "nodes": [ "node_modules/subscriptions-transport-ws/node_modules/ws", "node_modules/webpack-bundle-analyzer/node_modules/ws", "node_modules/ws" ], "fixAvailable": true }, "xml2js": { "name": "xml2js", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096693, "name": "xml2js", "dependency": "xml2js", "title": "xml2js is vulnerable to prototype pollution", "url": "https://github.com/advisories/GHSA-776f-qx25-q3cc", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<0.5.0" } ], "effects": [ "rss-parser" ], "range": "<0.5.0", "nodes": [ "node_modules/xml2js" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 8, "moderate": 25, "high": 36, "critical": 9, "total": 78 }, "dependencies": { "prod": 68, "dev": 2087, "optional": 3, "peer": 3, "peerOptional": 0, "total": 2154 } } } --- end --- Upgrading n:eslint from ^8.10.0 -> 8.57.0 Upgrading n:eslint-config-wikimedia from ^0.22.1 -> 0.28.2 Upgrading n:grunt-banana-checker from 0.10.0 -> 0.13.0 Upgrading n:stylelint from ^14.5.3 -> 16.2.0 Upgrading n:stylelint-config-wikimedia from ^0.12.2 -> 0.17.2 $ /usr/bin/npm install --- stderr --- npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/ npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details. npm WARN deprecated subscriptions-transport-ws@0.9.19: The `subscriptions-transport-ws` package is no longer maintained. We recommend you use `graphql-ws` instead. For help migrating Apollo software to `graphql-ws`, see https://www.apollographql.com/docs/apollo-server/data/subscriptions/#switching-from-subscriptions-transport-ws For general help using `graphql-ws`, see https://github.com/enisdenjo/graphql-ws/blob/master/README.md npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead npm WARN deprecated eslint@8.57.0: This version is no longer supported. Please see https://eslint.org/version-support for other options. npm WARN deprecated core-js@2.6.12: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 2203 packages, and audited 2204 packages in 46s 217 packages are looking for funding run `npm fund` for details 75 vulnerabilities (8 low, 24 moderate, 34 high, 9 critical) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ ./node_modules/.bin/eslint . --fix --- stderr --- Oops! Something went wrong! :( ESLint: 8.57.0 TypeError: Cannot read properties of null (reading 'range') Occurred while linting /src/repo/vue/src/App.vue:200 Rule: "vuetify/grid-unknown-attributes" at SourceCode.getTokenBefore (/src/repo/node_modules/eslint/lib/source-code/token-store/index.js:298:18) at validateNode (/src/repo/node_modules/eslint/lib/rules/operator-linebreak.js:155:42) at EventEmitter.validateBinaryExpression (/src/repo/node_modules/eslint/lib/rules/operator-linebreak.js:226:13) at EventEmitter.emit (node:events:517:28) at NodeEventGenerator.applySelector (/src/repo/node_modules/vue-eslint-parser/index.js:3883:26) at NodeEventGenerator.applySelectors (/src/repo/node_modules/vue-eslint-parser/index.js:3897:22) at NodeEventGenerator.enterNode (/src/repo/node_modules/vue-eslint-parser/index.js:3905:14) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:154:13) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:166:13) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:166:13) --- stdout --- --- end --- $ ./node_modules/.bin/eslint . -f json --- stderr --- Oops! Something went wrong! :( ESLint: 8.57.0 TypeError: Cannot read properties of null (reading 'range') Occurred while linting /src/repo/vue/src/App.vue:200 Rule: "vuetify/grid-unknown-attributes" at SourceCode.getTokenBefore (/src/repo/node_modules/eslint/lib/source-code/token-store/index.js:298:18) at validateNode (/src/repo/node_modules/eslint/lib/rules/operator-linebreak.js:155:42) at EventEmitter.validateBinaryExpression (/src/repo/node_modules/eslint/lib/rules/operator-linebreak.js:226:13) at EventEmitter.emit (node:events:517:28) at NodeEventGenerator.applySelector (/src/repo/node_modules/vue-eslint-parser/index.js:3883:26) at NodeEventGenerator.applySelectors (/src/repo/node_modules/vue-eslint-parser/index.js:3897:22) at NodeEventGenerator.enterNode (/src/repo/node_modules/vue-eslint-parser/index.js:3905:14) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:154:13) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:166:13) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:166:13) --- stdout --- --- end --- Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1864, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1803, in run self.npm_upgrade(plan) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1197, in npm_upgrade hook(update) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1500, in _handle_eslint errors = json.loads( ^^^^^^^^^^^ File "/usr/lib/python3.11/json/__init__.py", line 346, in loads return _default_decoder.decode(s) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)