This run took 47 seconds.
$ date --- stdout --- Mon Nov 11 03:49:23 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-services-chromium-render.git repo --depth=1 -b master --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/master --- stdout --- b6a9ad2bb645a8ab916b0eec5686f3444a901d2e refs/heads/master --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "body-parser": { "name": "body-parser", "severity": "high", "isDirect": true, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "node_modules/body-parser", "node_modules/express/node_modules/body-parser" ], "fixAvailable": true }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": [ "CWE-400", "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [], "range": "<3.0.3", "nodes": [ "node_modules/braces" ], "fixAvailable": true }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": true }, "express": { "name": "express", "severity": "high", "isDirect": true, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": [ "CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" }, { "source": 1099529, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "ip": { "name": "ip", "severity": "high", "isDirect": false, "via": [ { "source": 1097720, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "low", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.1.9" }, { "source": 1097721, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "low", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "=2.0.0" }, { "source": 1099357, "name": "ip", "dependency": "ip", "title": "ip SSRF improper categorization in isPublic", "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp", "severity": "high", "cwe": [ "CWE-918" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=2.0.1" } ], "effects": [], "range": "*", "nodes": [ "node_modules/ip", "node_modules/socks/node_modules/ip" ], "fixAvailable": true }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "wikimedia-kad-fork" ], "effects": [ "service-runner" ], "range": ">=0.2.3", "nodes": [ "node_modules/limitation" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "micromatch": { "name": "micromatch", "severity": "moderate", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" } ], "effects": [], "range": "<4.0.8", "nodes": [ "node_modules/micromatch" ], "fixAvailable": true }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "wikimedia-kad-fork" ], "range": "<2.0.0", "nodes": [ "node_modules/wikimedia-kad-fork/node_modules/ms" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<0.1.10", "nodes": [ "node_modules/path-to-regexp" ], "fixAvailable": true }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "puppeteer-core": { "name": "puppeteer-core", "severity": "high", "isDirect": true, "via": [ "ws" ], "effects": [], "range": "11.0.0 - 22.11.1", "nodes": [ "node_modules/puppeteer-core" ], "fixAvailable": { "name": "puppeteer-core", "version": "23.7.1", "isSemVerMajor": true } }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "send": { "name": "send", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099525, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099527, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "service-runner": { "name": "service-runner", "severity": "moderate", "isDirect": true, "via": [ "limitation", "tar" ], "effects": [], "range": ">=3.0.0", "nodes": [ "node_modules/service-runner" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "tar": { "name": "tar", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097493, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [ "service-runner" ], "range": "<6.2.1", "nodes": [ "node_modules/tar" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "wikimedia-kad-fork": { "name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": [ "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/wikimedia-kad-fork" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.17.1" } ], "effects": [ "puppeteer-core" ], "range": "8.0.0 - 8.17.0", "nodes": [ "node_modules/ws" ], "fixAvailable": { "name": "puppeteer-core", "version": "23.7.1", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 10, "high": 9, "critical": 0, "total": 20 }, "dependencies": { "prod": 291, "dev": 415, "optional": 14, "peer": 1, "peerOptional": 0, "total": 718 } } } --- end --- $ /usr/bin/npm install --- stderr --- npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated json-schema-ref-parser@5.1.3: Please switch to @apidevtools/json-schema-ref-parser npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options. --- stdout --- added 677 packages, and audited 678 packages in 23s 90 packages are looking for funding run `npm fund` for details 11 vulnerabilities (7 moderate, 4 high) To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- Upgrading n:eslint from ^8.56.0 -> 8.57.0 Upgrading n:eslint-config-wikimedia from ^0.26.0 -> 0.28.2 $ /usr/bin/npm install --- stderr --- npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated eslint@8.57.0: This version is no longer supported. Please see https://eslint.org/version-support for other options. --- stdout --- added 22 packages, removed 15 packages, changed 22 packages, and audited 685 packages in 4s 96 packages are looking for funding run `npm fund` for details 11 vulnerabilities (7 moderate, 4 high) To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ ./node_modules/.bin/eslint . --fix --- stderr --- Oops! Something went wrong! :( ESLint: 8.57.0 ESLint couldn't find the plugin "eslint-plugin-json". (The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".) It's likely that the plugin isn't installed correctly. Try reinstalling by running the following: npm install eslint-plugin-json@latest --save-dev The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json". If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team. --- stdout --- --- end --- $ ./node_modules/.bin/eslint . -f json --- stderr --- Oops! Something went wrong! :( ESLint: 8.57.0 ESLint couldn't find the plugin "eslint-plugin-json". (The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".) It's likely that the plugin isn't installed correctly. Try reinstalling by running the following: npm install eslint-plugin-json@latest --save-dev The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json". If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team. --- stdout --- --- end --- Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1864, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1803, in run self.npm_upgrade(plan) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1197, in npm_upgrade hook(update) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1500, in _handle_eslint errors = json.loads( ^^^^^^^^^^^ File "/usr/lib/python3.11/json/__init__.py", line 346, in loads return _default_decoder.decode(s) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)