This run took 198 seconds.
$ date --- stdout --- Thu Nov 7 05:52:36 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-extensions-GrowthExperiments.git repo --depth=1 -b REL1_43 --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/REL1_43 --- stdout --- 0361b382dd5564db7b592144d95b446327a5ca20 refs/heads/REL1_43 --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@wdio/cli": { "name": "@wdio/cli", "severity": "high", "isDirect": true, "via": [ "webdriverio" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/cli" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.2.10", "isSemVerMajor": true } }, "@wdio/devtools-service": { "name": "@wdio/devtools-service", "severity": "high", "isDirect": true, "via": [ "lighthouse", "puppeteer-core", "speedline", "webdriverio" ], "effects": [], "range": "*", "nodes": [ "node_modules/@wdio/devtools-service" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "@wdio/local-runner": { "name": "@wdio/local-runner", "severity": "high", "isDirect": true, "via": [ "@wdio/runner" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/local-runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true } }, "@wdio/runner": { "name": "@wdio/runner", "severity": "high", "isDirect": false, "via": [ "webdriverio" ], "effects": [ "@wdio/local-runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true } }, "babel-core": { "name": "babel-core", "severity": "critical", "isDirect": true, "via": [ "babel-helpers", "babel-register", "babel-template", "babel-traverse", "json5" ], "effects": [ "babel-register" ], "range": "5.8.20 - 7.0.0-beta.3", "nodes": [ "node_modules/babel-core" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-helpers": { "name": "babel-helpers", "severity": "critical", "isDirect": false, "via": [ "babel-template" ], "effects": [], "range": "*", "nodes": [ "node_modules/babel-helpers" ], "fixAvailable": true }, "babel-register": { "name": "babel-register", "severity": "high", "isDirect": false, "via": [ "babel-core" ], "effects": [ "babel-core" ], "range": "*", "nodes": [ "node_modules/babel-register" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-template": { "name": "babel-template", "severity": "critical", "isDirect": false, "via": [ "babel-traverse" ], "effects": [ "babel-helpers" ], "range": "*", "nodes": [ "node_modules/babel-template" ], "fixAvailable": true }, "babel-traverse": { "name": "babel-traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096879, "name": "babel-traverse", "dependency": "babel-traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [ "babel-core", "babel-template" ], "range": "*", "nodes": [ "node_modules/babel-traverse" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "raven" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "devtools": { "name": "devtools", "severity": "high", "isDirect": false, "via": [ "puppeteer-core" ], "effects": [], "range": ">=7.16.5", "nodes": [ "node_modules/devtools" ], "fixAvailable": true }, "got": { "name": "got", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "severity": "moderate", "cwe": [], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<11.8.5" } ], "effects": [ "package-json" ], "range": "<11.8.5", "nodes": [ "node_modules/package-json/node_modules/got" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" } ], "effects": [ "babel-core" ], "range": "<1.0.2", "nodes": [ "node_modules/babel-core/node_modules/json5" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "latest-version": { "name": "latest-version", "severity": "moderate", "isDirect": false, "via": [ "package-json" ], "effects": [ "update-notifier" ], "range": "0.2.0 - 5.1.0", "nodes": [ "node_modules/latest-version" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "lighthouse": { "name": "lighthouse", "severity": "high", "isDirect": false, "via": [ "lodash.set", "raven", "update-notifier" ], "effects": [ "@wdio/devtools-service" ], "range": "1.6.5 - 9.4.0", "nodes": [ "node_modules/lighthouse" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "lodash.set": { "name": "lodash.set", "severity": "high", "isDirect": false, "via": [ { "source": 1096302, "name": "lodash.set", "dependency": "lodash.set", "title": "Prototype Pollution in lodash", "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw", "severity": "high", "cwe": [ "CWE-770", "CWE-1321" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, "range": ">=3.7.0 <=4.3.2" } ], "effects": [ "lighthouse" ], "range": "*", "nodes": [ "node_modules/lodash.set" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "meow": { "name": "meow", "severity": "high", "isDirect": false, "via": [ "trim-newlines" ], "effects": [ "speedline" ], "range": "3.4.0 - 5.0.0", "nodes": [ "node_modules/meow" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "mwbot": { "name": "mwbot", "severity": "moderate", "isDirect": false, "via": [ "request" ], "effects": [ "wdio-mediawiki" ], "range": ">=0.1.6", "nodes": [ "node_modules/mwbot" ], "fixAvailable": false }, "package-json": { "name": "package-json", "severity": "moderate", "isDirect": false, "via": [ "got" ], "effects": [ "latest-version" ], "range": "<=6.5.0", "nodes": [ "node_modules/package-json" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "puppeteer-core": { "name": "puppeteer-core", "severity": "high", "isDirect": false, "via": [ "ws" ], "effects": [ "@wdio/devtools-service", "devtools", "webdriverio" ], "range": "11.0.0 - 22.11.1", "nodes": [ "node_modules/puppeteer-core" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "raven": { "name": "raven", "severity": "low", "isDirect": false, "via": [ "cookie" ], "effects": [ "lighthouse" ], "range": ">=0.6.1", "nodes": [ "node_modules/raven" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "mwbot" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "speedline": { "name": "speedline", "severity": "high", "isDirect": false, "via": [ "meow" ], "effects": [ "@wdio/devtools-service" ], "range": "*", "nodes": [ "node_modules/speedline" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/request/node_modules/tough-cookie" ], "fixAvailable": false }, "trim-newlines": { "name": "trim-newlines", "severity": "high", "isDirect": false, "via": [ { "source": 1095100, "name": "trim-newlines", "dependency": "trim-newlines", "title": "Uncontrolled Resource Consumption in trim-newlines", "url": "https://github.com/advisories/GHSA-7p7h-4mm5-852v", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.1" } ], "effects": [ "meow" ], "range": "<3.0.1", "nodes": [ "node_modules/trim-newlines" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "update-notifier": { "name": "update-notifier", "severity": "moderate", "isDirect": false, "via": [ "latest-version" ], "effects": [ "lighthouse" ], "range": "0.2.0 - 5.1.0", "nodes": [ "node_modules/update-notifier" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "wdio-mediawiki": { "name": "wdio-mediawiki", "severity": "moderate", "isDirect": true, "via": [ "mwbot" ], "effects": [], "range": "*", "nodes": [ "node_modules/wdio-mediawiki" ], "fixAvailable": false }, "webdriverio": { "name": "webdriverio", "severity": "high", "isDirect": false, "via": [ "devtools", "puppeteer-core" ], "effects": [ "@wdio/cli", "@wdio/devtools-service", "@wdio/runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/webdriverio" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.17.1" } ], "effects": [ "puppeteer-core" ], "range": "8.0.0 - 8.17.0", "nodes": [ "node_modules/puppeteer-core/node_modules/ws" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 2, "moderate": 8, "high": 15, "critical": 4, "total": 29 }, "dependencies": { "prod": 1, "dev": 1739, "optional": 4, "peer": 1, "peerOptional": 0, "total": 1739 } } } --- end --- $ /usr/bin/composer install --- stderr --- No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information. Loading composer repositories with package information Updating dependencies Lock file operations: 50 installs, 0 updates, 0 removals - Locking composer/pcre (3.3.1) - Locking composer/semver (3.4.2) - Locking composer/spdx-licenses (1.5.8) - Locking composer/xdebug-handler (3.0.5) - Locking dealerdirect/phpcodesniffer-composer-installer (v1.0.0) - Locking doctrine/annotations (2.0.2) - Locking doctrine/deprecations (1.1.3) - Locking doctrine/lexer (3.0.1) - Locking felixfbecker/advanced-json-rpc (v3.2.1) - Locking mediawiki/mediawiki-codesniffer (v44.0.0) - Locking mediawiki/mediawiki-phan-config (0.14.0) - Locking mediawiki/minus-x (1.1.3) - Locking mediawiki/phan-taint-check-plugin (6.0.0) - Locking microsoft/tolerant-php-parser (v0.1.2) - Locking netresearch/jsonmapper (v4.5.0) - Locking phan/phan (5.4.3) - Locking php-parallel-lint/php-console-color (v1.0.1) - Locking php-parallel-lint/php-console-highlighter (v1.0.0) - Locking php-parallel-lint/php-parallel-lint (v1.4.0) - Locking phpbench/container (2.2.2) - Locking phpbench/dom (0.3.3) - Locking phpbench/phpbench (1.3.1) - Locking phpcsstandards/phpcsextra (1.2.1) - Locking phpcsstandards/phpcsutils (1.0.11) - Locking phpdocumentor/reflection-common (2.2.0) - Locking phpdocumentor/reflection-docblock (5.5.1) - Locking phpdocumentor/type-resolver (1.9.0) - Locking phpstan/phpdoc-parser (1.33.0) - Locking psr/cache (3.0.0) - Locking psr/container (2.0.2) - Locking psr/log (3.0.2) - Locking sabre/event (5.1.7) - Locking seld/jsonlint (1.11.0) - Locking squizlabs/php_codesniffer (3.9.0) - Locking symfony/console (v7.1.7) - Locking symfony/deprecation-contracts (v3.5.0) - Locking symfony/filesystem (v7.1.6) - Locking symfony/finder (v7.1.6) - Locking symfony/options-resolver (v7.1.6) - Locking symfony/polyfill-ctype (v1.31.0) - Locking symfony/polyfill-intl-grapheme (v1.31.0) - Locking symfony/polyfill-intl-normalizer (v1.31.0) - Locking symfony/polyfill-mbstring (v1.31.0) - Locking symfony/polyfill-php80 (v1.31.0) - Locking symfony/process (v7.1.7) - Locking symfony/service-contracts (v3.5.0) - Locking symfony/string (v7.1.6) - Locking tysonandre/var_representation_polyfill (0.1.3) - Locking webmozart/assert (1.11.0) - Locking webmozart/glob (4.7.0) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 50 installs, 0 updates, 0 removals - Downloading phpbench/phpbench (1.3.1) 0/1 [>---------------------------] 0% 1/1 [============================] 100% - Installing squizlabs/php_codesniffer (3.9.0): Extracting archive - Installing dealerdirect/phpcodesniffer-composer-installer (v1.0.0): Extracting archive - Installing composer/pcre (3.3.1): Extracting archive - Installing doctrine/lexer (3.0.1): Extracting archive - Installing symfony/polyfill-php80 (v1.31.0): Extracting archive - Installing phpcsstandards/phpcsutils (1.0.11): Extracting archive - Installing phpcsstandards/phpcsextra (1.2.1): Extracting archive - Installing symfony/polyfill-mbstring (v1.31.0): Extracting archive - Installing composer/spdx-licenses (1.5.8): Extracting archive - Installing composer/semver (3.4.2): Extracting archive - Installing mediawiki/mediawiki-codesniffer (v44.0.0): Extracting archive - Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive - Installing symfony/polyfill-intl-normalizer (v1.31.0): Extracting archive - Installing symfony/polyfill-intl-grapheme (v1.31.0): Extracting archive - Installing symfony/polyfill-ctype (v1.31.0): Extracting archive - Installing symfony/string (v7.1.6): Extracting archive - Installing symfony/deprecation-contracts (v3.5.0): Extracting archive - Installing psr/container (2.0.2): Extracting archive - Installing symfony/service-contracts (v3.5.0): Extracting archive - Installing symfony/console (v7.1.7): Extracting archive - Installing sabre/event (5.1.7): Extracting archive - Installing netresearch/jsonmapper (v4.5.0): Extracting archive - Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive - Installing webmozart/assert (1.11.0): Extracting archive - Installing phpstan/phpdoc-parser (1.33.0): Extracting archive - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive - Installing doctrine/deprecations (1.1.3): Extracting archive - Installing phpdocumentor/type-resolver (1.9.0): Extracting archive - Installing phpdocumentor/reflection-docblock (5.5.1): Extracting archive - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive - Installing psr/log (3.0.2): Extracting archive - Installing composer/xdebug-handler (3.0.5): Extracting archive - Installing phan/phan (5.4.3): Extracting archive - Installing mediawiki/phan-taint-check-plugin (6.0.0): Extracting archive - Installing mediawiki/mediawiki-phan-config (0.14.0): Extracting archive - Installing mediawiki/minus-x (1.1.3): Extracting archive - Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive - Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive - Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive - Installing webmozart/glob (4.7.0): Extracting archive - Installing symfony/process (v7.1.7): Extracting archive - Installing symfony/options-resolver (v7.1.6): Extracting archive - Installing symfony/finder (v7.1.6): Extracting archive - Installing symfony/filesystem (v7.1.6): Extracting archive - Installing seld/jsonlint (1.11.0): Extracting archive - Installing phpbench/dom (0.3.3): Extracting archive - Installing phpbench/container (2.2.2): Extracting archive - Installing psr/cache (3.0.0): Extracting archive - Installing doctrine/annotations (2.0.2): Extracting archive - Installing phpbench/phpbench (1.3.1): Extracting archive 0/48 [>---------------------------] 0% 20/48 [===========>----------------] 41% 32/48 [==================>---------] 66% 47/48 [===========================>] 97% 48/48 [============================] 100% 1 package suggestions were added by new dependencies, use `composer suggest` to see details. Package phpbench/dom is abandoned, you should avoid using it. No replacement was suggested. Generating autoload files 23 packages you are using are looking for funding. Use the `composer fund` command to find out more! --- stdout --- PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@wdio/cli": { "name": "@wdio/cli", "severity": "high", "isDirect": true, "via": [ "webdriverio" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/cli" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.2.10", "isSemVerMajor": true } }, "@wdio/devtools-service": { "name": "@wdio/devtools-service", "severity": "high", "isDirect": true, "via": [ "lighthouse", "puppeteer-core", "speedline", "webdriverio" ], "effects": [], "range": "*", "nodes": [ "node_modules/@wdio/devtools-service" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "@wdio/local-runner": { "name": "@wdio/local-runner", "severity": "high", "isDirect": true, "via": [ "@wdio/runner" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/local-runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true } }, "@wdio/runner": { "name": "@wdio/runner", "severity": "high", "isDirect": false, "via": [ "webdriverio" ], "effects": [ "@wdio/local-runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true } }, "babel-core": { "name": "babel-core", "severity": "critical", "isDirect": true, "via": [ "babel-helpers", "babel-register", "babel-template", "babel-traverse", "json5" ], "effects": [ "babel-register" ], "range": "5.8.20 - 7.0.0-beta.3", "nodes": [ "node_modules/babel-core" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-helpers": { "name": "babel-helpers", "severity": "critical", "isDirect": false, "via": [ "babel-template" ], "effects": [], "range": "*", "nodes": [ "node_modules/babel-helpers" ], "fixAvailable": true }, "babel-register": { "name": "babel-register", "severity": "high", "isDirect": false, "via": [ "babel-core" ], "effects": [ "babel-core" ], "range": "*", "nodes": [ "node_modules/babel-register" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-template": { "name": "babel-template", "severity": "critical", "isDirect": false, "via": [ "babel-traverse" ], "effects": [ "babel-helpers" ], "range": "*", "nodes": [ "node_modules/babel-template" ], "fixAvailable": true }, "babel-traverse": { "name": "babel-traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096879, "name": "babel-traverse", "dependency": "babel-traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [ "babel-core", "babel-template" ], "range": "*", "nodes": [ "node_modules/babel-traverse" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "raven" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "devtools": { "name": "devtools", "severity": "high", "isDirect": false, "via": [ "puppeteer-core" ], "effects": [], "range": ">=7.16.5", "nodes": [ "node_modules/devtools" ], "fixAvailable": true }, "got": { "name": "got", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "severity": "moderate", "cwe": [], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<11.8.5" } ], "effects": [ "package-json" ], "range": "<11.8.5", "nodes": [ "node_modules/package-json/node_modules/got" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" } ], "effects": [ "babel-core" ], "range": "<1.0.2", "nodes": [ "node_modules/babel-core/node_modules/json5" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "latest-version": { "name": "latest-version", "severity": "moderate", "isDirect": false, "via": [ "package-json" ], "effects": [ "update-notifier" ], "range": "0.2.0 - 5.1.0", "nodes": [ "node_modules/latest-version" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "lighthouse": { "name": "lighthouse", "severity": "high", "isDirect": false, "via": [ "lodash.set", "raven", "update-notifier" ], "effects": [ "@wdio/devtools-service" ], "range": "1.6.5 - 9.4.0", "nodes": [ "node_modules/lighthouse" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "lodash.set": { "name": "lodash.set", "severity": "high", "isDirect": false, "via": [ { "source": 1096302, "name": "lodash.set", "dependency": "lodash.set", "title": "Prototype Pollution in lodash", "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw", "severity": "high", "cwe": [ "CWE-770", "CWE-1321" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, "range": ">=3.7.0 <=4.3.2" } ], "effects": [ "lighthouse" ], "range": "*", "nodes": [ "node_modules/lodash.set" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "meow": { "name": "meow", "severity": "high", "isDirect": false, "via": [ "trim-newlines" ], "effects": [ "speedline" ], "range": "3.4.0 - 5.0.0", "nodes": [ "node_modules/meow" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "mwbot": { "name": "mwbot", "severity": "moderate", "isDirect": false, "via": [ "request" ], "effects": [ "wdio-mediawiki" ], "range": ">=0.1.6", "nodes": [ "node_modules/mwbot" ], "fixAvailable": false }, "package-json": { "name": "package-json", "severity": "moderate", "isDirect": false, "via": [ "got" ], "effects": [ "latest-version" ], "range": "<=6.5.0", "nodes": [ "node_modules/package-json" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "puppeteer-core": { "name": "puppeteer-core", "severity": "high", "isDirect": false, "via": [ "ws" ], "effects": [ "@wdio/devtools-service", "devtools", "webdriverio" ], "range": "11.0.0 - 22.11.1", "nodes": [ "node_modules/puppeteer-core" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "raven": { "name": "raven", "severity": "low", "isDirect": false, "via": [ "cookie" ], "effects": [ "lighthouse" ], "range": ">=0.6.1", "nodes": [ "node_modules/raven" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "mwbot" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "speedline": { "name": "speedline", "severity": "high", "isDirect": false, "via": [ "meow" ], "effects": [ "@wdio/devtools-service" ], "range": "*", "nodes": [ "node_modules/speedline" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/request/node_modules/tough-cookie" ], "fixAvailable": false }, "trim-newlines": { "name": "trim-newlines", "severity": "high", "isDirect": false, "via": [ { "source": 1095100, "name": "trim-newlines", "dependency": "trim-newlines", "title": "Uncontrolled Resource Consumption in trim-newlines", "url": "https://github.com/advisories/GHSA-7p7h-4mm5-852v", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.1" } ], "effects": [ "meow" ], "range": "<3.0.1", "nodes": [ "node_modules/trim-newlines" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "update-notifier": { "name": "update-notifier", "severity": "moderate", "isDirect": false, "via": [ "latest-version" ], "effects": [ "lighthouse" ], "range": "0.2.0 - 5.1.0", "nodes": [ "node_modules/update-notifier" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "wdio-mediawiki": { "name": "wdio-mediawiki", "severity": "moderate", "isDirect": true, "via": [ "mwbot" ], "effects": [], "range": "*", "nodes": [ "node_modules/wdio-mediawiki" ], "fixAvailable": false }, "webdriverio": { "name": "webdriverio", "severity": "high", "isDirect": false, "via": [ "devtools", "puppeteer-core" ], "effects": [ "@wdio/cli", "@wdio/devtools-service", "@wdio/runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/webdriverio" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.17.1" } ], "effects": [ "puppeteer-core" ], "range": "8.0.0 - 8.17.0", "nodes": [ "node_modules/puppeteer-core/node_modules/ws" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 2, "moderate": 8, "high": 15, "critical": 4, "total": 29 }, "dependencies": { "prod": 1, "dev": 1739, "optional": 4, "peer": 1, "peerOptional": 0, "total": 1739 } } } --- end --- Attempting to npm audit fix $ /usr/bin/npm audit fix --dry-run --only=dev --json --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'wdio-mediawiki@2.5.0', npm WARN EBADENGINE required: { node: '>=18.17.0', npm: '>=9.6.7' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } --- stdout --- { "added": 1739, "removed": 0, "changed": 0, "audited": 1740, "funding": 190, "audit": { "auditReportVersion": 2, "vulnerabilities": { "@wdio/cli": { "name": "@wdio/cli", "severity": "high", "isDirect": true, "via": [ "webdriverio" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/cli" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.2.10", "isSemVerMajor": true } }, "@wdio/devtools-service": { "name": "@wdio/devtools-service", "severity": "high", "isDirect": true, "via": [ "lighthouse", "puppeteer-core", "speedline", "webdriverio" ], "effects": [], "range": "*", "nodes": [ "node_modules/@wdio/devtools-service" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "@wdio/local-runner": { "name": "@wdio/local-runner", "severity": "high", "isDirect": true, "via": [ "@wdio/runner" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/local-runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true } }, "@wdio/runner": { "name": "@wdio/runner", "severity": "high", "isDirect": false, "via": [ "webdriverio" ], "effects": [ "@wdio/local-runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true } }, "babel-core": { "name": "babel-core", "severity": "critical", "isDirect": true, "via": [ "babel-helpers", "babel-register", "babel-template", "babel-traverse", "json5" ], "effects": [ "babel-register" ], "range": "5.8.20 - 7.0.0-beta.3", "nodes": [ "node_modules/babel-core" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-helpers": { "name": "babel-helpers", "severity": "critical", "isDirect": false, "via": [ "babel-template" ], "effects": [], "range": "*", "nodes": [ "node_modules/babel-helpers" ], "fixAvailable": true }, "babel-register": { "name": "babel-register", "severity": "high", "isDirect": false, "via": [ "babel-core" ], "effects": [ "babel-core" ], "range": "*", "nodes": [ "node_modules/babel-register" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-template": { "name": "babel-template", "severity": "critical", "isDirect": false, "via": [ "babel-traverse" ], "effects": [ "babel-helpers" ], "range": "*", "nodes": [ "node_modules/babel-template" ], "fixAvailable": true }, "babel-traverse": { "name": "babel-traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096879, "name": "babel-traverse", "dependency": "babel-traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [ "babel-core", "babel-template" ], "range": "*", "nodes": [ "node_modules/babel-traverse" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "raven" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "devtools": { "name": "devtools", "severity": "high", "isDirect": false, "via": [ "puppeteer-core" ], "effects": [], "range": ">=7.16.5", "nodes": [ "node_modules/devtools" ], "fixAvailable": true }, "got": { "name": "got", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "severity": "moderate", "cwe": [], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<11.8.5" } ], "effects": [ "package-json" ], "range": "<11.8.5", "nodes": [ "node_modules/package-json/node_modules/got" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" } ], "effects": [ "babel-core" ], "range": "<1.0.2", "nodes": [ "node_modules/babel-core/node_modules/json5" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "latest-version": { "name": "latest-version", "severity": "moderate", "isDirect": false, "via": [ "package-json" ], "effects": [ "update-notifier" ], "range": "0.2.0 - 5.1.0", "nodes": [ "node_modules/latest-version" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "lighthouse": { "name": "lighthouse", "severity": "high", "isDirect": false, "via": [ "lodash.set", "raven", "update-notifier" ], "effects": [ "@wdio/devtools-service" ], "range": "1.6.5 - 9.4.0", "nodes": [ "node_modules/lighthouse" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "lodash.set": { "name": "lodash.set", "severity": "high", "isDirect": false, "via": [ { "source": 1096302, "name": "lodash.set", "dependency": "lodash.set", "title": "Prototype Pollution in lodash", "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw", "severity": "high", "cwe": [ "CWE-770", "CWE-1321" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, "range": ">=3.7.0 <=4.3.2" } ], "effects": [ "lighthouse" ], "range": "*", "nodes": [ "node_modules/lodash.set" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "meow": { "name": "meow", "severity": "high", "isDirect": false, "via": [ "trim-newlines" ], "effects": [ "speedline" ], "range": "3.4.0 - 5.0.0", "nodes": [ "node_modules/meow" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "mwbot": { "name": "mwbot", "severity": "moderate", "isDirect": false, "via": [ "request" ], "effects": [ "wdio-mediawiki" ], "range": ">=0.1.6", "nodes": [ "node_modules/mwbot" ], "fixAvailable": false }, "package-json": { "name": "package-json", "severity": "moderate", "isDirect": false, "via": [ "got" ], "effects": [ "latest-version" ], "range": "<=6.5.0", "nodes": [ "node_modules/package-json" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "puppeteer-core": { "name": "puppeteer-core", "severity": "high", "isDirect": false, "via": [ "ws" ], "effects": [ "@wdio/devtools-service", "devtools", "webdriverio" ], "range": "11.0.0 - 22.11.1", "nodes": [ "node_modules/puppeteer-core" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "raven": { "name": "raven", "severity": "low", "isDirect": false, "via": [ "cookie" ], "effects": [ "lighthouse" ], "range": ">=0.6.1", "nodes": [ "node_modules/raven" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "mwbot" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "speedline": { "name": "speedline", "severity": "high", "isDirect": false, "via": [ "meow" ], "effects": [ "@wdio/devtools-service" ], "range": "*", "nodes": [ "node_modules/speedline" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/request/node_modules/tough-cookie" ], "fixAvailable": false }, "trim-newlines": { "name": "trim-newlines", "severity": "high", "isDirect": false, "via": [ { "source": 1095100, "name": "trim-newlines", "dependency": "trim-newlines", "title": "Uncontrolled Resource Consumption in trim-newlines", "url": "https://github.com/advisories/GHSA-7p7h-4mm5-852v", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.1" } ], "effects": [ "meow" ], "range": "<3.0.1", "nodes": [ "node_modules/trim-newlines" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "update-notifier": { "name": "update-notifier", "severity": "moderate", "isDirect": false, "via": [ "latest-version" ], "effects": [ "lighthouse" ], "range": "0.2.0 - 5.1.0", "nodes": [ "node_modules/update-notifier" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "wdio-mediawiki": { "name": "wdio-mediawiki", "severity": "moderate", "isDirect": true, "via": [ "mwbot" ], "effects": [], "range": "*", "nodes": [ "node_modules/wdio-mediawiki" ], "fixAvailable": false }, "webdriverio": { "name": "webdriverio", "severity": "high", "isDirect": false, "via": [ "devtools", "puppeteer-core" ], "effects": [ "@wdio/cli", "@wdio/devtools-service", "@wdio/runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/webdriverio" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.17.1" } ], "effects": [ "puppeteer-core" ], "range": "8.0.0 - 8.17.0", "nodes": [ "node_modules/puppeteer-core/node_modules/ws" ], "fixAvailable": { "name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 2, "moderate": 8, "high": 15, "critical": 4, "total": 29 }, "dependencies": { "prod": 1, "dev": 1739, "optional": 4, "peer": 1, "peerOptional": 0, "total": 1739 } } } } --- end --- {"added": 1739, "removed": 0, "changed": 0, "audited": 1740, "funding": 190, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@wdio/cli": {"name": "@wdio/cli", "severity": "high", "isDirect": true, "via": ["webdriverio"], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": ["node_modules/@wdio/cli"], "fixAvailable": {"name": "@wdio/cli", "version": "9.2.10", "isSemVerMajor": true}}, "@wdio/devtools-service": {"name": "@wdio/devtools-service", "severity": "high", "isDirect": true, "via": ["lighthouse", "puppeteer-core", "speedline", "webdriverio"], "effects": [], "range": "*", "nodes": ["node_modules/@wdio/devtools-service"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "@wdio/local-runner": {"name": "@wdio/local-runner", "severity": "high", "isDirect": true, "via": ["@wdio/runner"], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": ["node_modules/@wdio/local-runner"], "fixAvailable": {"name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true}}, "@wdio/runner": {"name": "@wdio/runner", "severity": "high", "isDirect": false, "via": ["webdriverio"], "effects": ["@wdio/local-runner"], "range": "7.16.5 - 8.40.6", "nodes": ["node_modules/@wdio/runner"], "fixAvailable": {"name": "@wdio/local-runner", "version": "9.2.8", "isSemVerMajor": true}}, "babel-core": {"name": "babel-core", "severity": "critical", "isDirect": true, "via": ["babel-helpers", "babel-register", "babel-template", "babel-traverse", "json5"], "effects": ["babel-register"], "range": "5.8.20 - 7.0.0-beta.3", "nodes": ["node_modules/babel-core"], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "babel-helpers": {"name": "babel-helpers", "severity": "critical", "isDirect": false, "via": ["babel-template"], "effects": [], "range": "*", "nodes": ["node_modules/babel-helpers"], "fixAvailable": true}, "babel-register": {"name": "babel-register", "severity": "high", "isDirect": false, "via": ["babel-core"], "effects": ["babel-core"], "range": "*", "nodes": ["node_modules/babel-register"], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "babel-template": {"name": "babel-template", "severity": "critical", "isDirect": false, "via": ["babel-traverse"], "effects": ["babel-helpers"], "range": "*", "nodes": ["node_modules/babel-template"], "fixAvailable": true}, "babel-traverse": {"name": "babel-traverse", "severity": "critical", "isDirect": false, "via": [{"source": 1096879, "name": "babel-traverse", "dependency": "babel-traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": ["CWE-184", "CWE-697"], "cvss": {"score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "range": "<7.23.2"}], "effects": ["babel-core", "babel-template"], "range": "*", "nodes": ["node_modules/babel-traverse"], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "cookie": {"name": "cookie", "severity": "low", "isDirect": false, "via": [{"source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": ["CWE-74"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.7.0"}], "effects": ["raven"], "range": "<0.7.0", "nodes": ["node_modules/cookie"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "devtools": {"name": "devtools", "severity": "high", "isDirect": false, "via": ["puppeteer-core"], "effects": [], "range": ">=7.16.5", "nodes": ["node_modules/devtools"], "fixAvailable": true}, "got": {"name": "got", "severity": "moderate", "isDirect": false, "via": [{"source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "severity": "moderate", "cwe": [], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<11.8.5"}], "effects": ["package-json"], "range": "<11.8.5", "nodes": ["node_modules/package-json/node_modules/got"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "json5": {"name": "json5", "severity": "high", "isDirect": false, "via": [{"source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": "<1.0.2"}], "effects": ["babel-core"], "range": "<1.0.2", "nodes": ["node_modules/babel-core/node_modules/json5"], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "latest-version": {"name": "latest-version", "severity": "moderate", "isDirect": false, "via": ["package-json"], "effects": ["update-notifier"], "range": "0.2.0 - 5.1.0", "nodes": ["node_modules/latest-version"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "lighthouse": {"name": "lighthouse", "severity": "high", "isDirect": false, "via": ["lodash.set", "raven", "update-notifier"], "effects": ["@wdio/devtools-service"], "range": "1.6.5 - 9.4.0", "nodes": ["node_modules/lighthouse"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "lodash.set": {"name": "lodash.set", "severity": "high", "isDirect": false, "via": [{"source": 1096302, "name": "lodash.set", "dependency": "lodash.set", "title": "Prototype Pollution in lodash", "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw", "severity": "high", "cwe": ["CWE-770", "CWE-1321"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "range": ">=3.7.0 <=4.3.2"}], "effects": ["lighthouse"], "range": "*", "nodes": ["node_modules/lodash.set"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "meow": {"name": "meow", "severity": "high", "isDirect": false, "via": ["trim-newlines"], "effects": ["speedline"], "range": "3.4.0 - 5.0.0", "nodes": ["node_modules/meow"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "mwbot": {"name": "mwbot", "severity": "moderate", "isDirect": false, "via": ["request"], "effects": ["wdio-mediawiki"], "range": ">=0.1.6", "nodes": ["node_modules/mwbot"], "fixAvailable": false}, "package-json": {"name": "package-json", "severity": "moderate", "isDirect": false, "via": ["got"], "effects": ["latest-version"], "range": "<=6.5.0", "nodes": ["node_modules/package-json"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "puppeteer-core": {"name": "puppeteer-core", "severity": "high", "isDirect": false, "via": ["ws"], "effects": ["@wdio/devtools-service", "devtools", "webdriverio"], "range": "11.0.0 - 22.11.1", "nodes": ["node_modules/puppeteer-core"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "raven": {"name": "raven", "severity": "low", "isDirect": false, "via": ["cookie"], "effects": ["lighthouse"], "range": ">=0.6.1", "nodes": ["node_modules/raven"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "request": {"name": "request", "severity": "moderate", "isDirect": false, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "tough-cookie"], "effects": ["mwbot"], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": false}, "speedline": {"name": "speedline", "severity": "high", "isDirect": false, "via": ["meow"], "effects": ["@wdio/devtools-service"], "range": "*", "nodes": ["node_modules/speedline"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["request"], "range": "<4.1.3", "nodes": ["node_modules/request/node_modules/tough-cookie"], "fixAvailable": false}, "trim-newlines": {"name": "trim-newlines", "severity": "high", "isDirect": false, "via": [{"source": 1095100, "name": "trim-newlines", "dependency": "trim-newlines", "title": "Uncontrolled Resource Consumption in trim-newlines", "url": "https://github.com/advisories/GHSA-7p7h-4mm5-852v", "severity": "high", "cwe": ["CWE-400"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.0.1"}], "effects": ["meow"], "range": "<3.0.1", "nodes": ["node_modules/trim-newlines"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "update-notifier": {"name": "update-notifier", "severity": "moderate", "isDirect": false, "via": ["latest-version"], "effects": ["lighthouse"], "range": "0.2.0 - 5.1.0", "nodes": ["node_modules/update-notifier"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "wdio-mediawiki": {"name": "wdio-mediawiki", "severity": "moderate", "isDirect": true, "via": ["mwbot"], "effects": [], "range": "*", "nodes": ["node_modules/wdio-mediawiki"], "fixAvailable": false}, "webdriverio": {"name": "webdriverio", "severity": "high", "isDirect": false, "via": ["devtools", "puppeteer-core"], "effects": ["@wdio/cli", "@wdio/devtools-service", "@wdio/runner"], "range": "7.16.5 - 8.40.6", "nodes": ["node_modules/webdriverio"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}, "ws": {"name": "ws", "severity": "high", "isDirect": false, "via": [{"source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": ["CWE-476"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=8.0.0 <8.17.1"}], "effects": ["puppeteer-core"], "range": "8.0.0 - 8.17.0", "nodes": ["node_modules/puppeteer-core/node_modules/ws"], "fixAvailable": {"name": "@wdio/devtools-service", "version": "6.3.0", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 8, "high": 15, "critical": 4, "total": 29}, "dependencies": {"prod": 1, "dev": 1739, "optional": 4, "peer": 1, "peerOptional": 0, "total": 1739}}}} $ /usr/bin/npm audit fix --only=dev --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'wdio-mediawiki@2.5.0', npm WARN EBADENGINE required: { node: '>=18.17.0', npm: '>=9.6.7' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN deprecated osenv@0.1.5: This package is no longer supported. npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated npm WARN deprecated @babel/plugin-proposal-unicode-property-regex@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-unicode-property-regex instead. npm WARN deprecated @babel/plugin-proposal-private-methods@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-methods instead. npm WARN deprecated @babel/plugin-proposal-optional-catch-binding@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-catch-binding instead. npm WARN deprecated @babel/plugin-proposal-numeric-separator@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-numeric-separator instead. npm WARN deprecated @babel/plugin-proposal-nullish-coalescing-operator@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead. npm WARN deprecated @babel/plugin-proposal-export-namespace-from@7.18.9: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-export-namespace-from instead. npm WARN deprecated @babel/plugin-proposal-json-strings@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-json-strings instead. npm WARN deprecated @babel/plugin-proposal-dynamic-import@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-dynamic-import instead. npm WARN deprecated @babel/plugin-proposal-class-properties@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead. npm WARN deprecated @babel/plugin-proposal-logical-assignment-operators@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-logical-assignment-operators instead. npm WARN deprecated @babel/plugin-proposal-class-static-block@7.21.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-static-block instead. npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead npm WARN deprecated @babel/plugin-proposal-optional-chaining@7.21.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead. npm WARN deprecated @babel/plugin-proposal-private-property-in-object@7.21.11: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-property-in-object instead. npm WARN deprecated @babel/plugin-proposal-async-generator-functions@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-async-generator-functions instead. npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated domexception@2.0.1: Use your platform's native DOMException instead npm WARN deprecated @babel/plugin-proposal-object-rest-spread@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-object-rest-spread instead. npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin. npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau npm WARN deprecated intl-messageformat-parser@1.8.1: We've written a new parser that's 6x faster and is backwards compatible. Please use @formatjs/icu-messageformat-parser npm WARN deprecated raven@2.6.4: Please upgrade to @sentry/node. See the migration guide https://bit.ly/3ybOlo7 npm WARN deprecated uuid@3.3.2: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated superagent@6.1.0: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. npm WARN deprecated core-js@3.22.8: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 1738 packages, and audited 1739 packages in 46s 190 packages are looking for funding run `npm fund` for details # npm audit report babel-traverse * Severity: critical Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92 fix available via `npm audit fix --force` Will install babel-core@4.7.16, which is a breaking change node_modules/babel-traverse babel-core 5.8.20 - 7.0.0-beta.3 Depends on vulnerable versions of babel-helpers Depends on vulnerable versions of babel-register Depends on vulnerable versions of babel-template Depends on vulnerable versions of babel-traverse Depends on vulnerable versions of json5 node_modules/babel-core babel-register * Depends on vulnerable versions of babel-core node_modules/babel-register babel-template * Depends on vulnerable versions of babel-traverse node_modules/babel-template babel-helpers * Depends on vulnerable versions of babel-template node_modules/babel-helpers cookie <0.7.0 cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x fix available via `npm audit fix --force` Will install @wdio/devtools-service@6.3.0, which is a breaking change node_modules/cookie raven >=0.6.1 Depends on vulnerable versions of cookie node_modules/raven lighthouse 1.6.5 - 9.4.0 Depends on vulnerable versions of lodash.set Depends on vulnerable versions of raven Depends on vulnerable versions of update-notifier node_modules/lighthouse @wdio/devtools-service * Depends on vulnerable versions of lighthouse Depends on vulnerable versions of puppeteer-core Depends on vulnerable versions of speedline Depends on vulnerable versions of webdriverio node_modules/@wdio/devtools-service got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 fix available via `npm audit fix --force` Will install @wdio/devtools-service@6.3.0, which is a breaking change node_modules/package-json/node_modules/got package-json <=6.5.0 Depends on vulnerable versions of got node_modules/package-json latest-version 0.2.0 - 5.1.0 Depends on vulnerable versions of package-json node_modules/latest-version update-notifier 0.2.0 - 5.1.0 Depends on vulnerable versions of latest-version node_modules/update-notifier json5 <1.0.2 Severity: high Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h fix available via `npm audit fix --force` Will install babel-core@4.7.16, which is a breaking change node_modules/babel-core/node_modules/json5 lodash.set * Severity: high Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw fix available via `npm audit fix --force` Will install @wdio/devtools-service@6.3.0, which is a breaking change node_modules/lodash.set request * Severity: moderate Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6 Depends on vulnerable versions of tough-cookie No fix available node_modules/request mwbot >=0.1.6 Depends on vulnerable versions of request node_modules/mwbot wdio-mediawiki * Depends on vulnerable versions of mwbot node_modules/wdio-mediawiki tough-cookie <4.1.3 Severity: moderate tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3 No fix available node_modules/request/node_modules/tough-cookie trim-newlines <3.0.1 Severity: high Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v fix available via `npm audit fix --force` Will install @wdio/devtools-service@6.3.0, which is a breaking change node_modules/trim-newlines meow 3.4.0 - 5.0.0 Depends on vulnerable versions of trim-newlines node_modules/meow speedline * Depends on vulnerable versions of meow node_modules/speedline ws 8.0.0 - 8.17.0 Severity: high ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q fix available via `npm audit fix --force` Will install @wdio/devtools-service@6.3.0, which is a breaking change node_modules/puppeteer-core/node_modules/ws puppeteer-core 11.0.0 - 22.11.1 Depends on vulnerable versions of ws node_modules/puppeteer-core devtools >=7.16.5 Depends on vulnerable versions of puppeteer-core node_modules/devtools webdriverio 7.16.5 - 8.40.6 Depends on vulnerable versions of devtools Depends on vulnerable versions of puppeteer-core node_modules/webdriverio @wdio/cli 7.16.5 - 8.40.6 Depends on vulnerable versions of webdriverio node_modules/@wdio/cli @wdio/runner 7.16.5 - 8.40.6 Depends on vulnerable versions of webdriverio node_modules/@wdio/runner @wdio/local-runner 7.16.5 - 8.40.6 Depends on vulnerable versions of @wdio/runner node_modules/@wdio/local-runner 29 vulnerabilities (2 low, 8 moderate, 15 high, 4 critical) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. --- end --- Verifying that tests still pass $ /usr/bin/npm ci --- stderr --- npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'wdio-mediawiki@2.5.0', npm WARN EBADENGINE required: { node: '>=18.17.0', npm: '>=9.6.7' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN deprecated osenv@0.1.5: This package is no longer supported. npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated npm WARN deprecated @babel/plugin-proposal-unicode-property-regex@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-unicode-property-regex instead. npm WARN deprecated @babel/plugin-proposal-nullish-coalescing-operator@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead. npm WARN deprecated @babel/plugin-proposal-private-methods@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-methods instead. npm WARN deprecated @babel/plugin-proposal-optional-catch-binding@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-catch-binding instead. npm WARN deprecated @babel/plugin-proposal-numeric-separator@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-numeric-separator instead. npm WARN deprecated @babel/plugin-proposal-json-strings@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-json-strings instead. npm WARN deprecated @babel/plugin-proposal-export-namespace-from@7.18.9: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-export-namespace-from instead. npm WARN deprecated @babel/plugin-proposal-class-properties@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead. npm WARN deprecated @babel/plugin-proposal-dynamic-import@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-dynamic-import instead. npm WARN deprecated @babel/plugin-proposal-class-static-block@7.21.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-static-block instead. npm WARN deprecated @babel/plugin-proposal-logical-assignment-operators@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-logical-assignment-operators instead. npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead npm WARN deprecated @babel/plugin-proposal-private-property-in-object@7.21.11: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-property-in-object instead. npm WARN deprecated @babel/plugin-proposal-optional-chaining@7.21.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead. npm WARN deprecated @babel/plugin-proposal-async-generator-functions@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-async-generator-functions instead. npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated domexception@2.0.1: Use your platform's native DOMException instead npm WARN deprecated @babel/plugin-proposal-object-rest-spread@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-object-rest-spread instead. npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin. npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau npm WARN deprecated intl-messageformat-parser@1.8.1: We've written a new parser that's 6x faster and is backwards compatible. Please use @formatjs/icu-messageformat-parser npm WARN deprecated raven@2.6.4: Please upgrade to @sentry/node. See the migration guide https://bit.ly/3ybOlo7 npm WARN deprecated uuid@3.3.2: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated superagent@6.1.0: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. npm WARN deprecated core-js@3.22.8: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 1738 packages, and audited 1739 packages in 39s 190 packages are looking for funding run `npm fund` for details 29 vulnerabilities (2 low, 8 moderate, 15 high, 4 critical) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ /usr/bin/npm test --- stderr --- PASS modules/ext.growthExperiments.MentorDashboard/store/modules/mentees.test.js PASS modules/ext.growthExperiments.Homepage.Impact/components/NoEditsDisplay.test.js PASS modules/ext.growthExperiments.DataStore/NewcomerTasksStore.test.js PASS modules/ext.growthExperiments.MentorDashboard/components/MenteeOverview/MenteeOverview.test.js PASS modules/ext.growthExperiments.Homepage.Impact/components/ImpactVue.test.js PASS modules/ext.growthExperiments.Homepage.Impact/components/TrendChart.test.js PASS modules/vue-components/CScoreCards.test.js PASS modules/vue-components/CPopover.test.js PASS modules/ext.growthExperiments.MentorDashboard/components/PersonalizedPraise/PersonalizedPraise.test.js PASS modules/vue-components/CPopper.test.js PASS modules/vue-components/CText.test.js PASS modules/vue-components/CScoreCard.test.js PASS modules/ext.growthExperiments.Homepage.Impact/components/ErrorDisplay.test.js PASS modules/ext.growthExperiments.MentorDashboard/components/DataTable/DataTableCellValue.test.js PASS modules/ext.growthExperiments.Homepage.Impact/composables/useUserImpact.test.js PASS modules/ext.growthExperiments.MentorDashboard/components/PersonalizedPraise/PersonalizedPraiseSettingsForm.test.js PASS modules/ext.growthExperiments.MentorDashboard/components/MenteeOverview/MenteeFiltersForm.test.js Test Suites: 17 passed, 17 total Tests: 47 passed, 47 total Snapshots: 20 passed, 20 total Time: 10.147 s Ran all test suites. npm WARN ERESOLVE overriding peer dependency npm WARN While resolving: @vue/server-renderer@3.3.4 npm WARN Found: vue@3.2.37 npm WARN node_modules/vue npm WARN dev vue@"3.2.37" from the root project npm WARN 9 more (vue-demi, @vitejs/plugin-vue, @vue/server-renderer, ...) npm WARN npm WARN Could not resolve dependency: npm WARN peer vue@"3.3.4" from @vue/server-renderer@3.3.4 npm WARN node_modules/@vue/test-utils/node_modules/@vue/server-renderer npm WARN optional @vue/server-renderer@"^3.0.1" from @vue/test-utils@2.3.2 npm WARN node_modules/@vue/test-utils npm WARN npm WARN Conflicting peer dependency: vue@3.3.4 npm WARN node_modules/vue npm WARN peer vue@"3.3.4" from @vue/server-renderer@3.3.4 npm WARN node_modules/@vue/test-utils/node_modules/@vue/server-renderer npm WARN optional @vue/server-renderer@"^3.0.1" from @vue/test-utils@2.3.2 npm WARN node_modules/@vue/test-utils npm WARN deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x. npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 --- stdout --- > test > grunt test && npm run test:jest && npm run test:doc Running "eslint:all" (eslint) task Running "banana:docs" (banana) task >> The "se" translation has 6 translations with trailing whitespace: >> * growthexperiments-homepage-email-text-noemail >> * growthexperiments-homepage-startediting-dialog-difficulty-header >> * growthexperiments-homepage-impact-unactivated-subheader-text >> * growthexperiments-homepage-suggestededits-select-other-topic-mode-cta >> * growthexperiments-homepage-suggestededits-topic-name-comics-and-anime >> * growthexperiments-homepage-suggestededits-topic-name-central-america >> The "se" translation has 1 translation with trailing whitespace: >> * growthexperiments-mentor-dashboard-mentor-tools-away-dialog-away-for >> 10 message directories checked. Running "stylelint:all" (stylelint) task >> Linted 151 files without errors Done. > test:jest > jest ---------------------------------------------------------------------|---------|----------|---------|---------|--------------------------------------------------------------------------------------- File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s ---------------------------------------------------------------------|---------|----------|---------|---------|--------------------------------------------------------------------------------------- All files | 52.35 | 41.44 | 36.77 | 52.88 | ext.growthExperiments.Homepage.Impact | 4 | 0 | 0 | 4.04 | App.vue | 0 | 0 | 0 | 0 | 3-100 constants.js | 100 | 100 | 100 | 100 | init.js | 0 | 0 | 0 | 0 | 1-163 ext.growthExperiments.Homepage.Impact/components | 73.52 | 72.28 | 69.47 | 73.84 | ArticlesList.vue | 67.39 | 0 | 12.5 | 70.45 | 40,83-165 ErrorDisplay.vue | 100 | 100 | 100 | 100 | ErrorDisplaySummary.vue | 0 | 100 | 0 | 0 | 3-61 Impact.vue | 97.43 | 86.36 | 92.3 | 97.43 | 115 ImpactSummary.vue | 0 | 0 | 0 | 0 | 1-51 InfoBoxes.vue | 0 | 0 | 0 | 0 | 1-86 LayoutWrapper.vue | 0 | 100 | 0 | 0 | 8-37 NoEditsDisplay.vue | 96.22 | 88.57 | 100 | 96.22 | 62-63 RecentActivity.vue | 97.14 | 50 | 100 | 97.14 | 66 StreakGraph.vue | 95.23 | 100 | 87.5 | 95.23 | 28 TrendChart.vue | 100 | 100 | 100 | 100 | ext.growthExperiments.Homepage.Impact/composables | 73.21 | 72.72 | 78.94 | 71.69 | useMWRestApi.js | 0 | 0 | 0 | 0 | 1-35 useUserImpact.js | 97.61 | 88.88 | 100 | 97.43 | 93 ext.growthExperiments.MentorDashboard | 0 | 0 | 0 | 0 | Discovery.js | 0 | 0 | 0 | 0 | 2-12 PersonalizedPraisePostEdit.js | 0 | 0 | 0 | 0 | 1-18 init.js | 0 | 0 | 0 | 0 | 1-53 ext.growthExperiments.MentorDashboard/MentorTools | 0 | 0 | 0 | 0 | AwaySettingsDialog.js | 0 | 0 | 0 | 0 | 1-106 MentorMessageChangeDialog.js | 0 | 0 | 0 | 0 | 10-103 MentorTools.js | 0 | 0 | 0 | 0 | 2-223 MentorToolsEllipsisMenu.js | 0 | 0 | 0 | 0 | 1-63 ext.growthExperiments.MentorDashboard/components/CNumberInput | 66.66 | 55.55 | 23.07 | 65.51 | CNumberInput.vue | 66.66 | 55.55 | 23.07 | 65.51 | 102,105,108,111,132,151-167 ext.growthExperiments.MentorDashboard/components/DataTable | 47 | 0 | 5.26 | 52.38 | DataTable.vue | 32.25 | 0 | 0 | 39.21 | 40-92,103-106,124-167 DataTableCellLink.vue | 75 | 100 | 0 | 75 | 39-44 DataTableCellValue.vue | 100 | 100 | 100 | 100 | DataTableLimit.vue | 50 | 0 | 0 | 53.33 | 27-34,52-58 DataTablePagination.vue | 50 | 0 | 0 | 50 | 34-41,56-82 ext.growthExperiments.MentorDashboard/components/HorizontalDivider | 100 | 100 | 100 | 100 | HorizontalDivider.vue | 100 | 100 | 100 | 100 | ext.growthExperiments.MentorDashboard/components/MenteeOverview | 66.23 | 38.15 | 37.07 | 66.52 | DataTableCellMentee.vue | 60.86 | 0 | 0 | 60.86 | 30-48,77-85 LegendBox.vue | 73.33 | 100 | 0 | 73.33 | 24,46-48 MenteeFilters.vue | 40.74 | 0 | 0 | 40.74 | 31-67,85-92 MenteeFiltersForm.vue | 75.47 | 50 | 56.52 | 75.47 | 90-108,163-178,194,209,222 MenteeOverview.vue | 71.79 | 53.57 | 52.63 | 72.72 | 25-97,177-184,216-228,307-323 MenteeSearch.vue | 45.45 | 0 | 0 | 45.45 | 25-46,63-69 NoResults.vue | 84.61 | 0 | 0 | 84.61 | 56-57 ext.growthExperiments.MentorDashboard/components/PersonalizedPraise | 57.32 | 43.1 | 26.19 | 58.07 | NoResults.vue | 100 | 100 | 100 | 100 | PersonalizedPraise.vue | 84.78 | 100 | 66.66 | 84.78 | 62-77,142 PersonalizedPraisePagination.vue | 45.45 | 0 | 0 | 45.45 | 36-46,61-95 PersonalizedPraiseSettings.vue | 68.96 | 50 | 33.33 | 68.96 | 47-57,81,93-102 PersonalizedPraiseSettingsForm.vue | 70.73 | 68.18 | 44.44 | 70.73 | 70-73,91,147-167,183-188,203,221 SkipMenteeDialog.vue | 26.31 | 0 | 0 | 28.57 | 37-73,90-139 UserCard.vue | 34.04 | 0 | 0 | 34.04 | 36-126,150-175 ext.growthExperiments.MentorDashboard/logger | 0 | 0 | 0 | 0 | Logger.js | 0 | 0 | 0 | 0 | 5-41 ext.growthExperiments.MentorDashboard/plugins | 0 | 0 | 0 | 0 | logger.js | 0 | 0 | 0 | 0 | 9-15 ext.growthExperiments.MentorDashboard/store | 26.66 | 0 | 6.89 | 26.96 | MenteeOverviewApi.js | 28.91 | 0 | 6.89 | 29.26 | 32,37-52,56-71,83,87,91,95,99,103-110,115-118,122-128,134-145,150-161,167-178,185-186 index.js | 0 | 100 | 100 | 0 | 1-16 ext.growthExperiments.MentorDashboard/store/modules | 44.56 | 49.23 | 25.39 | 44 | mentees-search.js | 0 | 0 | 0 | 0 | 2-50 mentees.js | 66.36 | 67.39 | 41.66 | 66.01 | 31,61-63,71-74,107,121,128,144,147,150,200-201,217,226,235-243,253-286 praiseworthy-mentees.js | 0 | 0 | 0 | 0 | 1-101 user-preferences.js | 52.94 | 50 | 20 | 52.94 | 12,21,27-32,41 ext.growthExperiments.MentorDashboard/validators | 100 | 100 | 100 | 100 | align-text.validator.js | 100 | 100 | 100 | 100 | vue-components | 78.51 | 64.7 | 67.14 | 79.62 | CList.vue | 53.33 | 0 | 33.33 | 53.33 | 25-33 CListItem.vue | 85.71 | 100 | 0 | 85.71 | 24 CPopover.vue | 97.56 | 83.33 | 90 | 97.5 | 107 CPopper.vue | 96.77 | 75 | 100 | 96.77 | 64 CScoreCard.vue | 96.42 | 100 | 87.5 | 96.42 | 127 CScoreCards.vue | 54.02 | 54.16 | 54.83 | 54.02 | 95-98,104,109,127-190,196,259-289,334-341 CSparkline.vue | 81.08 | 50 | 50 | 90.9 | 66-70,79 CText.vue | 100 | 100 | 100 | 100 | vue-components/directives | 58.33 | 0 | 33.33 | 70 | click-outside.directive.js | 58.33 | 0 | 33.33 | 70 | 3-5,25 vue-components/plugins | 0 | 100 | 0 | 0 | logger.js | 0 | 100 | 0 | 0 | 9-17 ---------------------------------------------------------------------|---------|----------|---------|---------|--------------------------------------------------------------------------------------- > test:doc > cd documentation/frontend && npm ci && npm run test added 319 packages, and audited 320 packages in 4s 34 packages are looking for funding run `npm fund` for details 10 vulnerabilities (5 moderate, 5 high) To address issues that do not require attention, run: npm audit fix To address all issues, run: npm audit fix --force Run `npm audit` for details. > growthexperiments-docs@1.0.0 test > npm run lint && vitest run --coverage > growthexperiments-docs@1.0.0 lint > eslint . RUN v0.32.0 /src/repo/documentation/frontend Coverage enabled with v8 ✓ components/MultiPane.test.js (10 tests) 191ms ✓ components/FilterDialog.test.js (5 tests) 222ms ✓ components/OnboardingDialog.test.js (14 tests) 504ms ✓ components/OnboardingStepper.test.js (5 tests) 90ms ✓ components/AddLinkDialog.test.js (4 tests) 267ms ✓ component-demos/example-component/ExampleComponent.test.js (2 tests) 70ms ✓ store/example-store/counter.test.js (1 test) 8ms Test Files 7 passed (7) Tests 41 passed (41) Start at 05:55:28 Duration 5.19s (transform 276ms, setup 375ms, collect 2.38s, tests 1.35s, environment 4.33s, prepare 979ms) % Coverage report from v8 -------------------|---------|----------|---------|---------|------------------- File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s -------------------|---------|----------|---------|---------|------------------- All files | 78.1 | 91.17 | 63.88 | 78.1 | ...mageDialog.vue | 0 | 0 | 0 | 0 | 1-292 AddLinkDialog.vue | 100 | 100 | 20 | 100 | FilterDialog.vue | 100 | 100 | 60 | 100 | MultiPane.vue | 97.77 | 87.87 | 100 | 97.77 | 105,112,120-121 ...dingDialog.vue | 98.58 | 95.45 | 57.14 | 98.58 | 215-216,247-249 ...ingStepper.vue | 100 | 100 | 100 | 100 | -------------------|---------|----------|---------|---------|------------------- --- end --- {} {} {} $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- [DNM] there are no updates $ git add . --- stdout --- --- end --- $ git commit -F /tmp/tmpjm0zmgic --- stdout --- On branch REL1_43 Your branch is up to date with 'origin/REL1_43'. nothing to commit, working tree clean --- end ---