mediawiki/extensions/GraphQL: REL1_43 (log #1604916)

sourcepatches

This run took 6 seconds.

$ date
--- stdout ---
Thu Nov 14 05:52:13 UTC 2024

--- end ---
$ git clone file:///srv/git/mediawiki-extensions-GraphQL.git repo --depth=1 -b REL1_43
--- stderr ---
Cloning into 'repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/REL1_43
--- stdout ---
47f248928bcd2c3803d4a4727beb1665d7e06d96 refs/heads/REL1_43

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@babel/traverse": {
      "name": "@babel/traverse",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1096886,
          "name": "@babel/traverse",
          "dependency": "@babel/traverse",
          "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
          "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
          "severity": "critical",
          "cwe": [
            "CWE-184",
            "CWE-697"
          ],
          "cvss": {
            "score": 9.4,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          },
          "range": "<7.23.2"
        }
      ],
      "effects": [],
      "range": "<7.23.2",
      "nodes": [
        "node_modules/@babel/traverse"
      ],
      "fixAvailable": true
    },
    "anymatch": {
      "name": "anymatch",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "micromatch"
      ],
      "effects": [
        "chokidar"
      ],
      "range": "1.2.0 - 2.0.0",
      "nodes": [
        "node_modules/watchpack-chokidar2/node_modules/anymatch"
      ],
      "fixAvailable": true
    },
    "braces": {
      "name": "braces",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1098094,
          "name": "braces",
          "dependency": "braces",
          "title": "Uncontrolled resource consumption in braces",
          "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg",
          "severity": "high",
          "cwe": [
            "CWE-400",
            "CWE-1050"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.0.3"
        }
      ],
      "effects": [
        "chokidar",
        "micromatch"
      ],
      "range": "<3.0.3",
      "nodes": [
        "node_modules/braces",
        "node_modules/chokidar/node_modules/braces",
        "node_modules/fast-glob/node_modules/braces",
        "node_modules/findup-sync/node_modules/braces",
        "node_modules/liftup/node_modules/braces"
      ],
      "fixAvailable": {
        "name": "webpack",
        "version": "5.96.1",
        "isSemVerMajor": true
      }
    },
    "browserify-sign": {
      "name": "browserify-sign",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1096644,
          "name": "browserify-sign",
          "dependency": "browserify-sign",
          "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
          "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
          "severity": "high",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": ">=2.6.0 <=4.2.1"
        }
      ],
      "effects": [],
      "range": "2.6.0 - 4.2.1",
      "nodes": [
        "node_modules/browserify-sign"
      ],
      "fixAvailable": true
    },
    "chokidar": {
      "name": "chokidar",
      "severity": "high",
      "isDirect": false,
      "via": [
        "anymatch",
        "braces",
        "readdirp"
      ],
      "effects": [
        "watchpack-chokidar2"
      ],
      "range": "1.3.0 - 2.1.8",
      "nodes": [
        "node_modules/watchpack-chokidar2/node_modules/chokidar"
      ],
      "fixAvailable": true
    },
    "codemirror-graphql": {
      "name": "codemirror-graphql",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-language-service-interface"
      ],
      "effects": [
        "graphiql"
      ],
      "range": "0.6.12 - 0.8.3",
      "nodes": [
        "node_modules/codemirror-graphql"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "cross-fetch": {
      "name": "cross-fetch",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1088709,
          "name": "cross-fetch",
          "dependency": "cross-fetch",
          "title": "Incorrect Authorization in cross-fetch",
          "url": "https://github.com/advisories/GHSA-7gc6-qh9x-w6h8",
          "severity": "moderate",
          "cwe": [
            "CWE-359",
            "CWE-863"
          ],
          "cvss": {
            "score": 6.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
          },
          "range": "<2.2.6"
        },
        "node-fetch"
      ],
      "effects": [
        "graphql-request"
      ],
      "range": "<=2.2.5 || 3.0.0 - 3.0.5",
      "nodes": [
        "node_modules/cross-fetch"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "css-loader": {
      "name": "css-loader",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "icss-utils",
        "postcss",
        "postcss-modules-extract-imports",
        "postcss-modules-local-by-default",
        "postcss-modules-scope",
        "postcss-modules-values"
      ],
      "effects": [],
      "range": "0.15.0 - 4.3.0",
      "nodes": [
        "node_modules/css-loader"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.2",
        "isSemVerMajor": true
      }
    },
    "dset": {
      "name": "dset",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1099553,
          "name": "dset",
          "dependency": "dset",
          "title": "dset Prototype Pollution vulnerability",
          "url": "https://github.com/advisories/GHSA-f6v4-cf5j-vf3w",
          "severity": "high",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 8.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
          },
          "range": "<3.1.4"
        }
      ],
      "effects": [],
      "range": "<3.1.4",
      "nodes": [
        "node_modules/dset"
      ],
      "fixAvailable": true
    },
    "elliptic": {
      "name": "elliptic",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1098593,
          "name": "elliptic",
          "dependency": "elliptic",
          "title": "Elliptic's EDDSA missing signature length check",
          "url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p",
          "severity": "low",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
          },
          "range": ">=4.0.0 <=6.5.6"
        },
        {
          "source": 1098594,
          "name": "elliptic",
          "dependency": "elliptic",
          "title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero",
          "url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw",
          "severity": "low",
          "cwe": [
            "CWE-130"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
          },
          "range": ">=2.0.0 <=6.5.6"
        },
        {
          "source": 1098595,
          "name": "elliptic",
          "dependency": "elliptic",
          "title": "Elliptic allows BER-encoded signatures",
          "url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m",
          "severity": "low",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
          },
          "range": ">=5.2.1 <=6.5.6"
        },
        {
          "source": 1100075,
          "name": "elliptic",
          "dependency": "elliptic",
          "title": "Elliptic's verify function omits uniqueness validation",
          "url": "https://github.com/advisories/GHSA-434g-2637-qmqr",
          "severity": "low",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<6.5.6"
        },
        {
          "source": 1100263,
          "name": "elliptic",
          "dependency": "elliptic",
          "title": "Valid ECDSA signatures erroneously rejected in Elliptic",
          "url": "https://github.com/advisories/GHSA-fc9h-whq2-v747",
          "severity": "low",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<6.6.0"
        }
      ],
      "effects": [],
      "range": "<=6.5.7",
      "nodes": [
        "node_modules/elliptic"
      ],
      "fixAvailable": true
    },
    "eslint-plugin-compat": {
      "name": "eslint-plugin-compat",
      "severity": "high",
      "isDirect": false,
      "via": [
        "semver"
      ],
      "effects": [],
      "range": "3.6.0-0 - 4.1.4",
      "nodes": [
        "node_modules/eslint-plugin-compat"
      ],
      "fixAvailable": true
    },
    "findup-sync": {
      "name": "findup-sync",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "micromatch"
      ],
      "effects": [
        "webpack-cli"
      ],
      "range": "0.4.0 - 3.0.0",
      "nodes": [
        "node_modules/webpack-cli/node_modules/findup-sync"
      ],
      "fixAvailable": {
        "name": "webpack-cli",
        "version": "5.1.4",
        "isSemVerMajor": true
      }
    },
    "graphiql": {
      "name": "graphiql",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1089589,
          "name": "graphiql",
          "dependency": "graphiql",
          "title": "GraphiQL introspection schema template injection attack",
          "url": "https://github.com/advisories/GHSA-x4r7-m2q9-69c8",
          "severity": "high",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 7.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L"
          },
          "range": ">=0.5.0 <1.4.7"
        },
        "codemirror-graphql",
        "markdown-it"
      ],
      "effects": [],
      "range": "0.5.0 - 1.4.7-canary-85a66743.0",
      "nodes": [
        "node_modules/graphiql"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "graphql-config": {
      "name": "graphql-config",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-request"
      ],
      "effects": [
        "graphql-language-service-interface",
        "graphql-language-service-utils"
      ],
      "range": "0.0.0-experimental.0 || 1.0.8 - 3.0.0-rc.3",
      "nodes": [
        "node_modules/graphql-config"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "graphql-language-service-interface": {
      "name": "graphql-language-service-interface",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-config",
        "graphql-language-service-utils"
      ],
      "effects": [
        "codemirror-graphql"
      ],
      "range": "1.0.16 - 2.4.0-alpha.11",
      "nodes": [
        "node_modules/graphql-language-service-interface"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "graphql-language-service-utils": {
      "name": "graphql-language-service-utils",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-config"
      ],
      "effects": [
        "graphql-language-service-interface"
      ],
      "range": "1.0.16 - 2.4.0-alpha.9",
      "nodes": [
        "node_modules/graphql-language-service-utils"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "graphql-request": {
      "name": "graphql-request",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "cross-fetch"
      ],
      "effects": [
        "graphql-config"
      ],
      "range": "1.4.0 - 1.8.2",
      "nodes": [
        "node_modules/graphql-request"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "icss-utils": {
      "name": "icss-utils",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [
        "css-loader"
      ],
      "range": "<=4.1.1",
      "nodes": [
        "node_modules/icss-utils"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.2",
        "isSemVerMajor": true
      }
    },
    "markdown-it": {
      "name": "markdown-it",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1092663,
          "name": "markdown-it",
          "dependency": "markdown-it",
          "title": "Uncontrolled Resource Consumption in markdown-it",
          "url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<12.3.2"
        }
      ],
      "effects": [
        "graphiql"
      ],
      "range": "<12.3.2",
      "nodes": [
        "node_modules/markdown-it"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1098681,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.0.8"
        },
        "braces"
      ],
      "effects": [
        "anymatch",
        "findup-sync",
        "readdirp",
        "webpack"
      ],
      "range": "<=4.0.7",
      "nodes": [
        "node_modules/fast-glob/node_modules/micromatch",
        "node_modules/findup-sync/node_modules/micromatch",
        "node_modules/liftup/node_modules/micromatch",
        "node_modules/micromatch"
      ],
      "fixAvailable": {
        "name": "webpack",
        "version": "5.96.1",
        "isSemVerMajor": true
      }
    },
    "node-fetch": {
      "name": "node-fetch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1095073,
          "name": "node-fetch",
          "dependency": "node-fetch",
          "title": "node-fetch forwards secure headers to untrusted sites",
          "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
          "severity": "high",
          "cwe": [
            "CWE-173",
            "CWE-200",
            "CWE-601"
          ],
          "cvss": {
            "score": 8.8,
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<2.6.7"
        },
        {
          "source": 1098225,
          "name": "node-fetch",
          "dependency": "node-fetch",
          "title": "The `size` option isn't honored after following a redirect in node-fetch",
          "url": "https://github.com/advisories/GHSA-w7rc-rwvf-8q5r",
          "severity": "low",
          "cwe": [
            "CWE-20",
            "CWE-770"
          ],
          "cvss": {
            "score": 2.6,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L"
          },
          "range": ">=2.0.0 <2.6.1"
        }
      ],
      "effects": [
        "cross-fetch"
      ],
      "range": "<=2.6.6",
      "nodes": [
        "node_modules/node-fetch"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.7.2",
        "isSemVerMajor": true
      }
    },
    "postcss": {
      "name": "postcss",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1094544,
          "name": "postcss",
          "dependency": "postcss",
          "title": "PostCSS line return parsing error",
          "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
          "severity": "moderate",
          "cwe": [
            "CWE-74",
            "CWE-144"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<8.4.31"
        }
      ],
      "effects": [
        "css-loader",
        "icss-utils",
        "postcss-modules-extract-imports",
        "postcss-modules-local-by-default",
        "postcss-modules-scope",
        "postcss-modules-values"
      ],
      "range": "<8.4.31",
      "nodes": [
        "node_modules/postcss"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.2",
        "isSemVerMajor": true
      }
    },
    "postcss-modules-extract-imports": {
      "name": "postcss-modules-extract-imports",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [],
      "range": "<=2.0.0",
      "nodes": [
        "node_modules/postcss-modules-extract-imports"
      ],
      "fixAvailable": true
    },
    "postcss-modules-local-by-default": {
      "name": "postcss-modules-local-by-default",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [],
      "range": "<=3.0.3",
      "nodes": [
        "node_modules/postcss-modules-local-by-default"
      ],
      "fixAvailable": true
    },
    "postcss-modules-scope": {
      "name": "postcss-modules-scope",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [],
      "range": "<=2.2.0",
      "nodes": [
        "node_modules/postcss-modules-scope"
      ],
      "fixAvailable": true
    },
    "postcss-modules-values": {
      "name": "postcss-modules-values",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [
        "css-loader"
      ],
      "range": "<=3.0.0",
      "nodes": [
        "node_modules/postcss-modules-values"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.2",
        "isSemVerMajor": true
      }
    },
    "readdirp": {
      "name": "readdirp",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "micromatch"
      ],
      "effects": [
        "chokidar"
      ],
      "range": "2.2.0 - 2.2.1",
      "nodes": [
        "node_modules/watchpack-chokidar2/node_modules/readdirp"
      ],
      "fixAvailable": true
    },
    "semver": {
      "name": "semver",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1098562,
          "name": "semver",
          "dependency": "semver",
          "title": "semver vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.0.0 <7.5.2"
        },
        {
          "source": 1098563,
          "name": "semver",
          "dependency": "semver",
          "title": "semver vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<5.7.2"
        },
        {
          "source": 1098564,
          "name": "semver",
          "dependency": "semver",
          "title": "semver vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=6.0.0 <6.3.1"
        }
      ],
      "effects": [
        "eslint-plugin-compat"
      ],
      "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
      "nodes": [
        "node_modules/core-js-compat/node_modules/semver",
        "node_modules/eslint-plugin-compat/node_modules/semver",
        "node_modules/eslint-plugin-jsdoc/node_modules/semver",
        "node_modules/eslint-plugin-node/node_modules/semver",
        "node_modules/eslint-plugin-unicorn/node_modules/semver",
        "node_modules/eslint-plugin-vue/node_modules/semver",
        "node_modules/semver",
        "node_modules/vue-eslint-parser/node_modules/semver"
      ],
      "fixAvailable": true
    },
    "undici": {
      "name": "undici",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1096502,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
          "url": "https://github.com/advisories/GHSA-wqq4-5wpv-mx2g",
          "severity": "low",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 3.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<5.26.2"
        },
        {
          "source": 1097109,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
          "url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7",
          "severity": "low",
          "cwe": [
            "CWE-200",
            "CWE-285"
          ],
          "cvss": {
            "score": 3.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<5.28.4"
        },
        {
          "source": 1097200,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
          "url": "https://github.com/advisories/GHSA-9qxr-qj54-h672",
          "severity": "low",
          "cwe": [
            "CWE-284"
          ],
          "cvss": {
            "score": 2.6,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"
          },
          "range": "<5.28.4"
        },
        {
          "source": 1097221,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici proxy-authorization header not cleared on cross-origin redirect in fetch",
          "url": "https://github.com/advisories/GHSA-3787-6prv-h9w3",
          "severity": "low",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 3.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<=5.28.2"
        }
      ],
      "effects": [],
      "range": "<=5.28.3",
      "nodes": [
        "node_modules/undici"
      ],
      "fixAvailable": true
    },
    "watchpack": {
      "name": "watchpack",
      "severity": "high",
      "isDirect": false,
      "via": [
        "watchpack-chokidar2"
      ],
      "effects": [],
      "range": "1.7.2 - 1.7.5",
      "nodes": [
        "node_modules/watchpack"
      ],
      "fixAvailable": true
    },
    "watchpack-chokidar2": {
      "name": "watchpack-chokidar2",
      "severity": "high",
      "isDirect": false,
      "via": [
        "chokidar"
      ],
      "effects": [
        "watchpack"
      ],
      "range": "*",
      "nodes": [
        "node_modules/watchpack-chokidar2"
      ],
      "fixAvailable": true
    },
    "webpack": {
      "name": "webpack",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "micromatch"
      ],
      "effects": [
        "webpack-cli"
      ],
      "range": "4.0.0-alpha.0 - 5.0.0-rc.6",
      "nodes": [
        "node_modules/webpack"
      ],
      "fixAvailable": {
        "name": "webpack",
        "version": "5.96.1",
        "isSemVerMajor": true
      }
    },
    "webpack-cli": {
      "name": "webpack-cli",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "findup-sync",
        "webpack"
      ],
      "effects": [],
      "range": "<=0.0.8-development || 2.0.11 - 4.0.0-rc.1",
      "nodes": [
        "node_modules/webpack-cli"
      ],
      "fixAvailable": {
        "name": "webpack-cli",
        "version": "5.1.4",
        "isSemVerMajor": true
      }
    },
    "word-wrap": {
      "name": "word-wrap",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1097681,
          "name": "word-wrap",
          "dependency": "word-wrap",
          "title": "word-wrap vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<1.2.4"
        }
      ],
      "effects": [],
      "range": "<1.2.4",
      "nodes": [
        "node_modules/word-wrap"
      ],
      "fixAvailable": true
    },
    "ws": {
      "name": "ws",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1098392,
          "name": "ws",
          "dependency": "ws",
          "title": "ws affected by a DoS when handling a request with many HTTP headers",
          "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q",
          "severity": "high",
          "cwe": [
            "CWE-476"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=8.0.0 <8.17.1"
        }
      ],
      "effects": [],
      "range": "8.0.0 - 8.17.0",
      "nodes": [
        "node_modules/ws"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 2,
      "moderate": 20,
      "high": 12,
      "critical": 1,
      "total": 35
    },
    "dependencies": {
      "prod": 167,
      "dev": 747,
      "optional": 26,
      "peer": 1,
      "peerOptional": 0,
      "total": 914
    }
  }
}

--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - overblog/dataloader-php[v0.5.2, ..., v0.5.3] require php ^5.5|^7.0 -> your php version (8.2.20) does not satisfy that requirement.
    - Root composer.json requires overblog/dataloader-php ^0.5.2 -> satisfiable by overblog/dataloader-php[v0.5.2, v0.5.3].
--- stdout ---

--- end ---
Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1864, in main
    libup.run(args.repo, args.output, args.branch)
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1788, in run
    "composer": self.composer_audit(),
                ^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 183, in composer_audit
    self.ensure_composer_lock()
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 142, in ensure_composer_lock
    self.check_call(["composer", "install"])
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 59, in check_call
    res.check_returncode()
  File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode
    raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['/usr/bin/composer', 'install']' returned non-zero exit status 2.
Source code is licensed under the AGPL.