This run took 88 seconds.
$ date --- stdout --- Thu Nov 14 18:00:56 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-services-kartotherian.git repo --depth=1 -b master --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/master --- stdout --- 75780584339d1ce773d1ebf23ef950ecdee4a2e2 refs/heads/master --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@kartotherian/abaculus": { "name": "@kartotherian/abaculus", "severity": "moderate", "isDirect": true, "via": [ "@kartotherian/tilelive-bridge" ], "effects": [], "range": ">=3.0.3-alpha.0", "nodes": [ "node_modules/@kartotherian/abaculus" ], "fixAvailable": { "name": "@kartotherian/abaculus", "version": "3.0.1", "isSemVerMajor": true } }, "@kartotherian/blend": { "name": "@kartotherian/blend", "severity": "moderate", "isDirect": false, "via": [ "@kartotherian/mapnik" ], "effects": [ "@wikimedia/geojson-mapnikify", "@wikimedia/makizushi" ], "range": "*", "nodes": [ "node_modules/@kartotherian/blend" ], "fixAvailable": { "name": "@wikimedia/geojson-mapnikify", "version": "4.0.0", "isSemVerMajor": true } }, "@kartotherian/mapnik": { "name": "@kartotherian/mapnik", "severity": "moderate", "isDirect": true, "via": [ "node-pre-gyp" ], "effects": [ "@kartotherian/blend", "@kartotherian/tilelive-bridge" ], "range": "*", "nodes": [ "node_modules/@kartotherian/mapnik" ], "fixAvailable": { "name": "@wikimedia/geojson-mapnikify", "version": "4.0.0", "isSemVerMajor": true } }, "@kartotherian/tilelive-bridge": { "name": "@kartotherian/tilelive-bridge", "severity": "moderate", "isDirect": true, "via": [ "@kartotherian/mapnik" ], "effects": [ "@kartotherian/abaculus" ], "range": "*", "nodes": [ "node_modules/@kartotherian/tilelive-bridge" ], "fixAvailable": { "name": "@kartotherian/abaculus", "version": "3.0.1", "isSemVerMajor": true } }, "@kartotherian/tilelive-vector": { "name": "@kartotherian/tilelive-vector", "severity": "critical", "isDirect": true, "via": [ "request", "tar", "underscore" ], "effects": [], "range": "*", "nodes": [ "node_modules/@kartotherian/tilelive-vector" ], "fixAvailable": false }, "@mapbox/tilejson": { "name": "@mapbox/tilejson", "severity": "high", "isDirect": true, "via": [ "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/@mapbox/tilejson" ], "fixAvailable": false }, "@wikimedia/geojson-mapnikify": { "name": "@wikimedia/geojson-mapnikify", "severity": "moderate", "isDirect": true, "via": [ "@kartotherian/blend" ], "effects": [ "@wikimedia/tilelive-overlay" ], "range": "3.0.1", "nodes": [ "node_modules/@wikimedia/geojson-mapnikify" ], "fixAvailable": { "name": "@wikimedia/geojson-mapnikify", "version": "4.0.0", "isSemVerMajor": true } }, "@wikimedia/makizushi": { "name": "@wikimedia/makizushi", "severity": "moderate", "isDirect": true, "via": [ "@kartotherian/blend" ], "effects": [], "range": "4.0.0", "nodes": [ "node_modules/@wikimedia/makizushi" ], "fixAvailable": { "name": "@wikimedia/makizushi", "version": "4.1.0", "isSemVerMajor": false } }, "@wikimedia/tilelive-overlay": { "name": "@wikimedia/tilelive-overlay", "severity": "moderate", "isDirect": true, "via": [ "@wikimedia/geojson-mapnikify" ], "effects": [], "range": "2.3.0", "nodes": [ "node_modules/@wikimedia/tilelive-overlay" ], "fixAvailable": { "name": "@wikimedia/tilelive-overlay", "version": "2.4.0", "isSemVerMajor": false } }, "ajv": { "name": "ajv", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097685, "name": "ajv", "dependency": "ajv", "title": "Prototype Pollution in Ajv", "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw", "severity": "moderate", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<6.12.3" } ], "effects": [ "har-validator" ], "range": "<6.12.3", "nodes": [ "node_modules/har-validator/node_modules/ajv" ], "fixAvailable": false }, "autoprefixer": { "name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "1.0.20131222 - 9.8.8", "nodes": [ "node_modules/autoprefixer" ], "fixAvailable": { "name": "stylelint", "version": "16.10.0", "isSemVerMajor": true } }, "aws-sdk": { "name": "aws-sdk", "severity": "moderate", "isDirect": false, "via": [ "xml2js" ], "effects": [], "range": "<=2.1353.0", "nodes": [ "node_modules/aws-sdk" ], "fixAvailable": true }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": true, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "boom": { "name": "boom", "severity": "high", "isDirect": false, "via": [ "hoek" ], "effects": [ "cryptiles", "hawk" ], "range": "*", "nodes": [ "node_modules/boom", "node_modules/cryptiles/node_modules/boom" ], "fixAvailable": false }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": [ "CWE-400", "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [], "range": "<3.0.3", "nodes": [ "node_modules/braces" ], "fixAvailable": true }, "browserify-sign": { "name": "browserify-sign", "severity": "high", "isDirect": false, "via": [ { "source": 1096644, "name": "browserify-sign", "dependency": "browserify-sign", "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack", "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": ">=2.6.0 <=4.2.1" } ], "effects": [], "range": "2.6.0 - 4.2.1", "nodes": [ "node_modules/browserify-sign" ], "fixAvailable": true }, "carto": { "name": "carto", "severity": "high", "isDirect": false, "via": [ "js-yaml", "semver", "yargs" ], "effects": [ "tilelive-tmstyle" ], "range": ">=0.17.2", "nodes": [ "node_modules/carto" ], "fixAvailable": false }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": true }, "cryptiles": { "name": "cryptiles", "severity": "critical", "isDirect": false, "via": [ { "source": 1095034, "name": "cryptiles", "dependency": "cryptiles", "title": "Insufficient Entropy in cryptiles", "url": "https://github.com/advisories/GHSA-rq8g-5pc5-wrhr", "severity": "critical", "cwe": [ "CWE-331" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=3.1.0 <4.1.2" }, "boom" ], "effects": [], "range": "*", "nodes": [ "node_modules/cryptiles" ], "fixAvailable": true }, "elliptic": { "name": "elliptic", "severity": "low", "isDirect": false, "via": [ { "source": 1098593, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's EDDSA missing signature length check", "url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=4.0.0 <=6.5.6" }, { "source": 1098594, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero", "url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw", "severity": "low", "cwe": [ "CWE-130" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=2.0.0 <=6.5.6" }, { "source": 1098595, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic allows BER-encoded signatures", "url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=5.2.1 <=6.5.6" }, { "source": 1100075, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's verify function omits uniqueness validation", "url": "https://github.com/advisories/GHSA-434g-2637-qmqr", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<6.5.6" }, { "source": 1100394, "name": "elliptic", "dependency": "elliptic", "title": "Valid ECDSA signatures erroneously rejected in Elliptic", "url": "https://github.com/advisories/GHSA-fc9h-whq2-v747", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": "<6.6.0" } ], "effects": [], "range": "<=6.5.7", "nodes": [ "node_modules/elliptic" ], "fixAvailable": true }, "eslint-config-wikimedia": { "name": "eslint-config-wikimedia", "severity": "high", "isDirect": true, "via": [ "eslint-plugin-compat" ], "effects": [], "range": "0.18.0 - 0.21.0", "nodes": [ "node_modules/eslint-config-wikimedia" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [ "eslint-config-wikimedia" ], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": true, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": [ "CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" }, { "source": 1099529, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "get-func-name": { "name": "get-func-name", "severity": "high", "isDirect": false, "via": [ { "source": 1094574, "name": "get-func-name", "dependency": "get-func-name", "title": "Chaijs/get-func-name vulnerable to ReDoS", "url": "https://github.com/advisories/GHSA-4q6p-r6v2-jvc5", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.0.1" } ], "effects": [], "range": "<2.0.1", "nodes": [ "node_modules/get-func-name" ], "fixAvailable": true }, "har-validator": { "name": "har-validator", "severity": "moderate", "isDirect": false, "via": [ "ajv" ], "effects": [ "request" ], "range": "3.3.0 - 5.1.0", "nodes": [ "node_modules/har-validator" ], "fixAvailable": false }, "hawk": { "name": "hawk", "severity": "high", "isDirect": false, "via": [ { "source": 1095062, "name": "hawk", "dependency": "hawk", "title": "Uncontrolled Resource Consumption in Hawk", "url": "https://github.com/advisories/GHSA-44pw-h2cw-w3vq", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H" }, "range": "<9.0.1" }, "boom", "hoek", "sntp" ], "effects": [ "request" ], "range": "<=9.0.0", "nodes": [ "node_modules/hawk" ], "fixAvailable": false }, "hoek": { "name": "hoek", "severity": "high", "isDirect": false, "via": [ { "source": 1096410, "name": "hoek", "dependency": "hoek", "title": "hoek subject to prototype pollution via the clone function.", "url": "https://github.com/advisories/GHSA-c429-5p7v-vgjp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=6.1.3" } ], "effects": [ "boom", "hawk", "sntp" ], "range": "*", "nodes": [ "node_modules/hoek" ], "fixAvailable": false }, "js-yaml": { "name": "js-yaml", "severity": "high", "isDirect": false, "via": [ { "source": 1085724, "name": "js-yaml", "dependency": "js-yaml", "title": "Denial of Service in js-yaml", "url": "https://github.com/advisories/GHSA-2pr6-76vf-7546", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.13.0" }, { "source": 1095058, "name": "js-yaml", "dependency": "js-yaml", "title": "Code Injection in js-yaml", "url": "https://github.com/advisories/GHSA-8j8c-7jfh-h6hx", "severity": "high", "cwe": [ "CWE-94" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.13.1" } ], "effects": [], "range": "<=3.13.0", "nodes": [ "node_modules/carto/node_modules/js-yaml" ], "fixAvailable": true }, "libxmljs": { "name": "libxmljs", "severity": "high", "isDirect": true, "via": [ { "source": 1093040, "name": "libxmljs", "dependency": "libxmljs", "title": "Denial of service vulnerability exists in libxmljs", "url": "https://github.com/advisories/GHSA-773h-w45w-f2f9", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.19.8" }, { "source": 1098365, "name": "libxmljs", "dependency": "libxmljs", "title": "libxmljs vulnerable to type confusion when parsing specially crafted XML ", "url": "https://github.com/advisories/GHSA-mg49-jqgw-gcj6", "severity": "high", "cwe": [ "CWE-843" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=1.0.11" }, { "source": 1098438, "name": "libxmljs", "dependency": "libxmljs", "title": "libxmljs vulnerable to type confusion when parsing specially crafted XML", "url": "https://github.com/advisories/GHSA-6433-x5p4-8jc7", "severity": "high", "cwe": [ "CWE-843" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=1.0.11" }, "node-pre-gyp" ], "effects": [], "range": "*", "nodes": [ "node_modules/libxmljs" ], "fixAvailable": false }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "wikimedia-kad-fork" ], "effects": [ "service-runner" ], "range": ">=0.2.3", "nodes": [ "node_modules/limitation" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "mem": { "name": "mem", "severity": "moderate", "isDirect": false, "via": [ { "source": 1085685, "name": "mem", "dependency": "mem", "title": "Denial of Service in mem", "url": "https://github.com/advisories/GHSA-4xcv-9jjx-gfj3", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 5.1, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<4.0.0" } ], "effects": [ "os-locale" ], "range": "<4.0.0", "nodes": [ "node_modules/mem" ], "fixAvailable": false }, "micromatch": { "name": "micromatch", "severity": "moderate", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" } ], "effects": [], "range": "<4.0.8", "nodes": [ "node_modules/micromatch" ], "fixAvailable": true }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1097677, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.2.4" }, { "source": 1097678, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "<0.2.4 || >=1.0.0 <1.2.6", "nodes": [ "node_modules/@kartotherian/mapnik/node_modules/minimist", "node_modules/minimist" ], "fixAvailable": true }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "wikimedia-kad-fork" ], "range": "<2.0.0", "nodes": [ "node_modules/wikimedia-kad-fork/node_modules/ms" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "mwapi": { "name": "mwapi", "severity": "moderate", "isDirect": true, "via": [ "preq" ], "effects": [], "range": "*", "nodes": [ "node_modules/mwapi" ], "fixAvailable": false }, "node-pre-gyp": { "name": "node-pre-gyp", "severity": "moderate", "isDirect": false, "via": [ "tar" ], "effects": [ "@kartotherian/mapnik", "libxmljs" ], "range": "*", "nodes": [ "node_modules/@kartotherian/mapnik/node_modules/node-pre-gyp", "node_modules/libxmljs/node_modules/node-pre-gyp" ], "fixAvailable": { "name": "@wikimedia/geojson-mapnikify", "version": "4.0.0", "isSemVerMajor": true } }, "os-locale": { "name": "os-locale", "severity": "moderate", "isDirect": false, "via": [ "mem" ], "effects": [ "yargs" ], "range": "2.0.0 - 3.0.0", "nodes": [ "node_modules/os-locale" ], "fixAvailable": false }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<0.1.10", "nodes": [ "node_modules/path-to-regexp" ], "fixAvailable": true }, "pg": { "name": "pg", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [ "pg-promise" ], "range": "4.0.0-beta2 - 8.3.3", "nodes": [ "node_modules/pg" ], "fixAvailable": { "name": "pg-promise", "version": "11.10.2", "isSemVerMajor": true } }, "pg-promise": { "name": "pg-promise", "severity": "high", "isDirect": true, "via": [ "pg" ], "effects": [], "range": "0.6.4 - 2.9.5 || 3.0.3 - 10.6.2", "nodes": [ "node_modules/pg-promise" ], "fixAvailable": { "name": "pg-promise", "version": "11.10.2", "isSemVerMajor": true } }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "autoprefixer", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss" ], "range": "<8.4.31", "nodes": [ "node_modules/doiuse/node_modules/postcss", "node_modules/postcss", "node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss" ], "fixAvailable": { "name": "stylelint", "version": "16.10.0", "isSemVerMajor": true } }, "postcss-less": { "name": "postcss-less", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=3.1.4", "nodes": [ "node_modules/postcss-less" ], "fixAvailable": { "name": "stylelint", "version": "16.10.0", "isSemVerMajor": true } }, "postcss-safe-parser": { "name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=4.0.2", "nodes": [ "node_modules/postcss-safe-parser" ], "fixAvailable": { "name": "stylelint", "version": "16.10.0", "isSemVerMajor": true } }, "postcss-sass": { "name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=0.4.4", "nodes": [ "node_modules/postcss-sass" ], "fixAvailable": { "name": "stylelint", "version": "16.10.0", "isSemVerMajor": true } }, "postcss-scss": { "name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.1.1", "nodes": [ "node_modules/postcss-scss" ], "fixAvailable": { "name": "stylelint", "version": "16.10.0", "isSemVerMajor": true } }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [ "mwapi" ], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "request": { "name": "request", "severity": "high", "isDirect": true, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "har-validator", "hawk", "tough-cookie" ], "effects": [ "preq", "requestretry", "tilelive-http" ], "range": "*", "nodes": [ "node_modules/@kartotherian/tilelive-vector/node_modules/request", "node_modules/request" ], "fixAvailable": false }, "request-promise": { "name": "request-promise", "severity": "moderate", "isDirect": true, "via": [ "tough-cookie" ], "effects": [], "range": ">=4.2.3", "nodes": [ "node_modules/request-promise" ], "fixAvailable": true }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "@mapbox/tilejson", "preq" ], "range": "*", "nodes": [ "node_modules/preq/node_modules/requestretry", "node_modules/requestretry" ], "fixAvailable": false }, "semver": { "name": "semver", "severity": "high", "isDirect": false, "via": [ { "source": 1098562, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1098563, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.7.2" }, { "source": 1098564, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "carto", "eslint-plugin-compat", "pg" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/core/node_modules/semver", "node_modules/@babel/helper-compilation-targets/node_modules/semver", "node_modules/@kartotherian/mapnik/node_modules/semver", "node_modules/@mapbox/node-pre-gyp/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/eslint/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/jest-snapshot/node_modules/semver", "node_modules/make-dir/node_modules/semver", "node_modules/meow/node_modules/read-pkg/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/pg/node_modules/semver", "node_modules/semver", "node_modules/service-runner/node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": false }, "send": { "name": "send", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099525, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099527, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "service-runner": { "name": "service-runner", "severity": "moderate", "isDirect": true, "via": [ "limitation", "tar" ], "effects": [], "range": ">=3.0.0", "nodes": [ "node_modules/service-runner" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "sntp": { "name": "sntp", "severity": "high", "isDirect": false, "via": [ "hoek" ], "effects": [ "hawk" ], "range": "0.0.0 || >=0.1.1", "nodes": [ "node_modules/sntp" ], "fixAvailable": false }, "stylelint": { "name": "stylelint", "severity": "moderate", "isDirect": true, "via": [ "autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss" ], "effects": [ "stylelint-config-wikimedia" ], "range": "0.1.0 - 13.13.1", "nodes": [ "node_modules/stylelint" ], "fixAvailable": { "name": "stylelint", "version": "16.10.0", "isSemVerMajor": true } }, "stylelint-config-wikimedia": { "name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "stylelint" ], "effects": [], "range": "<=0.11.1", "nodes": [ "node_modules/stylelint-config-wikimedia" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "sugarss": { "name": "sugarss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/sugarss" ], "fixAvailable": true }, "tar": { "name": "tar", "severity": "high", "isDirect": false, "via": [ { "source": 1089685, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "url": "https://github.com/advisories/GHSA-3jfq-g458-7qm9", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": "<3.2.2" }, { "source": 1095117, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": "<4.4.18" }, { "source": 1097493, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [ "@kartotherian/tilelive-vector", "node-pre-gyp", "service-runner" ], "range": "<=6.2.0", "nodes": [ "node_modules/@kartotherian/mapnik/node_modules/tar", "node_modules/@mapbox/node-pre-gyp/node_modules/tar", "node_modules/libxmljs/node_modules/tar", "node_modules/service-runner/node_modules/tar", "node_modules/tar" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "tilelive-http": { "name": "tilelive-http", "severity": "moderate", "isDirect": true, "via": [ "request" ], "effects": [], "range": "*", "nodes": [ "node_modules/tilelive-http" ], "fixAvailable": false }, "tilelive-tmstyle": { "name": "tilelive-tmstyle", "severity": "critical", "isDirect": true, "via": [ "carto", "underscore" ], "effects": [], "range": "*", "nodes": [ "node_modules/tilelive-tmstyle" ], "fixAvailable": false }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request", "request-promise" ], "range": "<4.1.3", "nodes": [ "node_modules/jsdom/node_modules/tough-cookie", "node_modules/request/node_modules/tough-cookie", "node_modules/tough-cookie" ], "fixAvailable": false }, "underscore": { "name": "underscore", "severity": "critical", "isDirect": false, "via": [ { "source": 1095097, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": [ "CWE-94" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.3.2 <1.12.1" } ], "effects": [ "tilelive-tmstyle" ], "range": "1.3.2 - 1.12.0", "nodes": [ "node_modules/@kartotherian/tilelive-vector/node_modules/underscore", "node_modules/tilelive-tmstyle/node_modules/underscore" ], "fixAvailable": false }, "wikimedia-kad-fork": { "name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": [ "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/wikimedia-kad-fork" ], "fixAvailable": { "name": "service-runner", "version": "6.0.0", "isSemVerMajor": true } }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097681, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098393, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.10" } ], "effects": [], "range": "7.0.0 - 7.5.9", "nodes": [ "node_modules/ws" ], "fixAvailable": true }, "xml2js": { "name": "xml2js", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096693, "name": "xml2js", "dependency": "xml2js", "title": "xml2js is vulnerable to prototype pollution", "url": "https://github.com/advisories/GHSA-776f-qx25-q3cc", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<0.5.0" } ], "effects": [ "aws-sdk" ], "range": "<0.5.0", "nodes": [ "node_modules/xml2js" ], "fixAvailable": true }, "yargs": { "name": "yargs", "severity": "moderate", "isDirect": false, "via": [ "os-locale", "yargs-parser" ], "effects": [ "carto" ], "range": "8.0.0-candidate.0 - 12.0.5", "nodes": [ "node_modules/yargs" ], "fixAvailable": false }, "yargs-parser": { "name": "yargs-parser", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088811, "name": "yargs-parser", "dependency": "yargs-parser", "title": "yargs-parser Vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-p9pc-299p-vxgp", "severity": "moderate", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, "range": ">=6.0.0 <13.1.2" } ], "effects": [ "yargs" ], "range": "6.0.0 - 13.1.1", "nodes": [ "node_modules/yargs-parser" ], "fixAvailable": false } }, "metadata": { "vulnerabilities": { "info": 0, "low": 2, "moderate": 37, "high": 24, "critical": 6, "total": 69 }, "dependencies": { "prod": 763, "dev": 653, "optional": 17, "peer": 0, "peerOptional": 0, "total": 1430 } } } --- end --- Upgrading n:eslint from ^7.32.0 -> 8.57.0 Upgrading n:eslint-config-wikimedia from ^0.20.0 -> 0.28.2 Upgrading n:stylelint from ^13.13.1 -> 16.2.0 Upgrading n:stylelint-config-wikimedia from ^0.11.1 -> 0.17.2 $ /usr/bin/npm install --- stderr --- npm WARN old lockfile npm WARN old lockfile The package-lock.json file was created with an old version of npm, npm WARN old lockfile so supplemental metadata must be fetched from the registry. npm WARN old lockfile npm WARN old lockfile This is a one-time fix-up, please be patient... npm WARN old lockfile npm WARN deprecated osenv@0.1.5: This package is no longer supported. npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated s3signed@0.1.0: This module is no longer maintained. It is provided as is. npm WARN deprecated npmlog@5.0.1: This package is no longer supported. npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported npm WARN deprecated cryptiles@3.1.4: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated sntp@2.1.0: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. npm WARN deprecated har-validator@5.0.3: this library is no longer supported npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated npmlog@4.1.2: This package is no longer supported. npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142 npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated boom@4.3.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated boom@5.2.0: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated hoek@4.2.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). npm WARN deprecated are-we-there-yet@2.0.0: This package is no longer supported. npm WARN deprecated are-we-there-yet@1.1.7: This package is no longer supported. npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated queue-async@1.0.7: renamed to d3-queue npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported npm WARN deprecated domexception@2.0.1: Use your platform's native DOMException instead npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin. npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead. npm WARN deprecated gauge@3.0.2: This package is no longer supported. npm WARN deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.) npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated hawk@6.0.2: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. npm WARN deprecated gauge@2.7.4: This package is no longer supported. npm WARN deprecated loupe@2.3.6: Please upgrade to 2.3.7 which fixes GHSA-4q6p-r6v2-jvc5 npm WARN deprecated protozero@1.5.1: protozero should no longer be used via npm, install instead via https://github.com/mapbox/mason npm WARN deprecated request@2.83.0: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated fstream@1.0.12: This package is no longer supported. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future npm WARN deprecated pg-promise@9.3.6: This version of pg-promise is obsolete. You should update to a newer version. npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap. npm WARN deprecated eslint@8.57.0: This version is no longer supported. Please see https://eslint.org/version-support for other options. npm WARN cleanup Failed to remove some directories [ npm WARN cleanup [ npm WARN cleanup '/src/repo/node_modules/unix-dgram', npm WARN cleanup [Error: ENOTEMPTY: directory not empty, rmdir '/src/repo/node_modules/unix-dgram'] { npm WARN cleanup errno: -39, npm WARN cleanup code: 'ENOTEMPTY', npm WARN cleanup syscall: 'rmdir', npm WARN cleanup path: '/src/repo/node_modules/unix-dgram' npm WARN cleanup } npm WARN cleanup ] npm WARN cleanup ] npm ERR! code 1 npm ERR! path /src/repo/node_modules/@kartotherian/mapnik npm ERR! command failed npm ERR! command sh -c node-pre-gyp install --build-from-source npm ERR! Failed to execute '/usr/bin/node /usr/share/nodejs/node-gyp/bin/node-gyp.js configure --build-from-source --module=/src/repo/node_modules/@kartotherian/mapnik/lib/binding/mapnik.node --module_name=mapnik --module_path=/src/repo/node_modules/@kartotherian/mapnik/lib/binding --napi_version=9 --node_abi_napi=napi' (1) npm ERR! node-pre-gyp info it worked if it ends with ok npm ERR! node-pre-gyp info using node-pre-gyp@0.10.3 npm ERR! node-pre-gyp info using node@18.19.0 | linux | x64 npm ERR! node-pre-gyp WARN Using request for node-pre-gyp https download npm ERR! node-pre-gyp info build requesting source compile npm ERR! gyp info it worked if it ends with ok npm ERR! gyp info using node-gyp@9.3.0 npm ERR! gyp info using node@18.19.0 | linux | x64 npm ERR! gyp info ok npm ERR! gyp info it worked if it ends with ok npm ERR! gyp info using node-gyp@9.3.0 npm ERR! gyp info using node@18.19.0 | linux | x64 npm ERR! gyp info find Python using Python version 3.11.2 found at "/usr/bin/python3" npm ERR! gyp info spawn /usr/bin/python3 npm ERR! gyp info spawn args [ npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/gyp/gyp_main.py', npm ERR! gyp info spawn args 'binding.gyp', npm ERR! gyp info spawn args '-f', npm ERR! gyp info spawn args 'make', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/src/repo/node_modules/@kartotherian/mapnik/build/config.gypi', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/src/repo/node_modules/@kartotherian/mapnik/common.gypi', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/addon.gypi', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/usr/include/nodejs/common.gypi', npm ERR! gyp info spawn args '-Dlibrary=shared_library', npm ERR! gyp info spawn args '-Dvisibility=default', npm ERR! gyp info spawn args '-Dnode_root_dir=/usr/include/nodejs', npm ERR! gyp info spawn args '-Dnode_gyp_dir=/usr/share/nodejs/node-gyp', npm ERR! gyp info spawn args '-Dnode_lib_file=/usr/include/nodejs/<(target_arch)/node.lib', npm ERR! gyp info spawn args '-Dmodule_root_dir=/src/repo/node_modules/@kartotherian/mapnik', npm ERR! gyp info spawn args '-Dnode_engine=v8', npm ERR! gyp info spawn args '--depth=.', npm ERR! gyp info spawn args '--no-parallel', npm ERR! gyp info spawn args '--generator-output', npm ERR! gyp info spawn args 'build', npm ERR! gyp info spawn args '-Goutput_dir=.' npm ERR! gyp info spawn args ] npm ERR! /bin/sh: 1: mapnik-config: not found npm ERR! gyp: Call to 'mapnik-config --cflags' returned exit status 127 while in binding.gyp. while trying to load binding.gyp npm ERR! gyp ERR! configure error npm ERR! gyp ERR! stack Error: `gyp` failed with exit code: 1 npm ERR! gyp ERR! stack at ChildProcess.onCpExit (/usr/share/nodejs/node-gyp/lib/configure.js:329:16) npm ERR! gyp ERR! stack at ChildProcess.emit (node:events:517:28) npm ERR! gyp ERR! stack at ChildProcess._handle.onexit (node:internal/child_process:292:12) npm ERR! gyp ERR! System Linux 6.1.0-25-cloud-amd64 npm ERR! gyp ERR! command "/usr/bin/node" "/usr/share/nodejs/node-gyp/bin/node-gyp.js" "configure" "--build-from-source" "--module=/src/repo/node_modules/@kartotherian/mapnik/lib/binding/mapnik.node" "--module_name=mapnik" "--module_path=/src/repo/node_modules/@kartotherian/mapnik/lib/binding" "--napi_version=9" "--node_abi_napi=napi" npm ERR! gyp ERR! cwd /src/repo/node_modules/@kartotherian/mapnik npm ERR! gyp ERR! node -v v18.19.0 npm ERR! gyp ERR! node-gyp -v v9.3.0 npm ERR! gyp ERR! not ok npm ERR! node-pre-gyp ERR! build error npm ERR! node-pre-gyp ERR! stack Error: Failed to execute '/usr/bin/node /usr/share/nodejs/node-gyp/bin/node-gyp.js configure --build-from-source --module=/src/repo/node_modules/@kartotherian/mapnik/lib/binding/mapnik.node --module_name=mapnik --module_path=/src/repo/node_modules/@kartotherian/mapnik/lib/binding --napi_version=9 --node_abi_napi=napi' (1) npm ERR! node-pre-gyp ERR! stack at ChildProcess.<anonymous> (/src/repo/node_modules/@kartotherian/mapnik/node_modules/node-pre-gyp/lib/util/compile.js:83:29) npm ERR! node-pre-gyp ERR! stack at ChildProcess.emit (node:events:517:28) npm ERR! node-pre-gyp ERR! stack at maybeClose (node:internal/child_process:1098:16) npm ERR! node-pre-gyp ERR! stack at ChildProcess._handle.onexit (node:internal/child_process:303:5) npm ERR! node-pre-gyp ERR! System Linux 6.1.0-25-cloud-amd64 npm ERR! node-pre-gyp ERR! command "/usr/bin/node" "/src/repo/node_modules/@kartotherian/mapnik/node_modules/.bin/node-pre-gyp" "install" "--build-from-source" npm ERR! node-pre-gyp ERR! cwd /src/repo/node_modules/@kartotherian/mapnik npm ERR! node-pre-gyp ERR! node -v v18.19.0 npm ERR! node-pre-gyp ERR! node-pre-gyp -v v0.10.3 npm ERR! node-pre-gyp ERR! not ok npm ERR! A complete log of this run can be found in: npm ERR! /cache/_logs/2024-11-14T18_01_09_125Z-debug-0.log --- stdout --- --- end --- $ rm -rf package-lock.json node_modules --- stdout --- --- end --- $ /usr/bin/npm install --- stderr --- npm WARN deprecated osenv@0.1.5: This package is no longer supported. npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated s3signed@0.1.0: This module is no longer maintained. It is provided as is. npm WARN deprecated npmlog@5.0.1: This package is no longer supported. npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported npm WARN deprecated cryptiles@3.2.1: This module has moved and is now available at @hapi/cryptiles. Please update your dependencies as this version is no longer maintained and may contain bugs and security issues. npm WARN deprecated boom@5.3.3: This module has moved and is now available at @hapi/boom. Please update your dependencies as this version is no longer maintained and may contain bugs and security issues. npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported npm WARN deprecated sntp@2.1.0: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated npmlog@4.1.2: This package is no longer supported. npm WARN deprecated har-validator@5.0.3: this library is no longer supported npm WARN deprecated har-validator@5.0.3: this library is no longer supported npm WARN deprecated boom@4.3.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142 npm WARN deprecated are-we-there-yet@2.0.0: This package is no longer supported. npm WARN deprecated are-we-there-yet@1.1.7: This package is no longer supported. npm WARN deprecated hoek@4.3.1: This module has moved and is now available at @hapi/hoek. Please update your dependencies as this version is no longer maintained an may contain bugs and security issues. npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated queue-async@1.0.7: renamed to d3-queue npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported npm WARN deprecated domexception@2.0.1: Use your platform's native DOMException instead npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin. npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead. npm WARN deprecated gauge@3.0.2: This package is no longer supported. npm WARN deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.) npm WARN deprecated hawk@6.0.2: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated gauge@2.7.4: This package is no longer supported. npm WARN deprecated protozero@1.5.1: protozero should no longer be used via npm, install instead via https://github.com/mapbox/mason npm WARN deprecated request@2.83.0: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated request@2.83.0: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated fstream@1.0.12: This package is no longer supported. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future npm WARN deprecated pg-promise@9.3.6: This version of pg-promise is obsolete. You should update to a newer version. npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap. npm WARN deprecated eslint@8.57.0: This version is no longer supported. Please see https://eslint.org/version-support for other options. npm WARN cleanup Failed to remove some directories [ npm WARN cleanup [ npm WARN cleanup '/src/repo/node_modules', npm WARN cleanup [Error: ENOTEMPTY: directory not empty, rmdir '/src/repo/node_modules/unix-dgram'] { npm WARN cleanup errno: -39, npm WARN cleanup code: 'ENOTEMPTY', npm WARN cleanup syscall: 'rmdir', npm WARN cleanup path: '/src/repo/node_modules/unix-dgram' npm WARN cleanup } npm WARN cleanup ], npm WARN cleanup [ npm WARN cleanup '/src/repo/node_modules/unix-dgram', npm WARN cleanup [Error: ENOTEMPTY: directory not empty, rmdir '/src/repo/node_modules/unix-dgram'] { npm WARN cleanup errno: -39, npm WARN cleanup code: 'ENOTEMPTY', npm WARN cleanup syscall: 'rmdir', npm WARN cleanup path: '/src/repo/node_modules/unix-dgram' npm WARN cleanup } npm WARN cleanup ], npm WARN cleanup [ npm WARN cleanup '/src/repo/node_modules/mapnik', npm WARN cleanup [Error: ENOTEMPTY: directory not empty, rmdir '/src/repo/node_modules/mapnik/lib/binding'] { npm WARN cleanup errno: -39, npm WARN cleanup code: 'ENOTEMPTY', npm WARN cleanup syscall: 'rmdir', npm WARN cleanup path: '/src/repo/node_modules/mapnik/lib/binding' npm WARN cleanup } npm WARN cleanup ] npm WARN cleanup ] npm ERR! code 1 npm ERR! path /src/repo/node_modules/@kartotherian/mapnik npm ERR! command failed npm ERR! command sh -c node-pre-gyp install --build-from-source npm ERR! Failed to execute '/usr/bin/node /usr/share/nodejs/node-gyp/bin/node-gyp.js configure --build-from-source --module=/src/repo/node_modules/@kartotherian/mapnik/lib/binding/mapnik.node --module_name=mapnik --module_path=/src/repo/node_modules/@kartotherian/mapnik/lib/binding --napi_version=9 --node_abi_napi=napi' (1) npm ERR! node-pre-gyp info it worked if it ends with ok npm ERR! node-pre-gyp info using node-pre-gyp@0.10.3 npm ERR! node-pre-gyp info using node@18.19.0 | linux | x64 npm ERR! node-pre-gyp WARN Using request for node-pre-gyp https download npm ERR! node-pre-gyp info build requesting source compile npm ERR! gyp info it worked if it ends with ok npm ERR! gyp info using node-gyp@9.3.0 npm ERR! gyp info using node@18.19.0 | linux | x64 npm ERR! gyp info ok npm ERR! gyp info it worked if it ends with ok npm ERR! gyp info using node-gyp@9.3.0 npm ERR! gyp info using node@18.19.0 | linux | x64 npm ERR! gyp info find Python using Python version 3.11.2 found at "/usr/bin/python3" npm ERR! gyp info spawn /usr/bin/python3 npm ERR! gyp info spawn args [ npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/gyp/gyp_main.py', npm ERR! gyp info spawn args 'binding.gyp', npm ERR! gyp info spawn args '-f', npm ERR! gyp info spawn args 'make', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/src/repo/node_modules/@kartotherian/mapnik/build/config.gypi', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/src/repo/node_modules/@kartotherian/mapnik/common.gypi', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/addon.gypi', npm ERR! gyp info spawn args '-I', npm ERR! gyp info spawn args '/usr/include/nodejs/common.gypi', npm ERR! gyp info spawn args '-Dlibrary=shared_library', npm ERR! gyp info spawn args '-Dvisibility=default', npm ERR! gyp info spawn args '-Dnode_root_dir=/usr/include/nodejs', npm ERR! gyp info spawn args '-Dnode_gyp_dir=/usr/share/nodejs/node-gyp', npm ERR! gyp info spawn args '-Dnode_lib_file=/usr/include/nodejs/<(target_arch)/node.lib', npm ERR! gyp info spawn args '-Dmodule_root_dir=/src/repo/node_modules/@kartotherian/mapnik', npm ERR! gyp info spawn args '-Dnode_engine=v8', npm ERR! gyp info spawn args '--depth=.', npm ERR! gyp info spawn args '--no-parallel', npm ERR! gyp info spawn args '--generator-output', npm ERR! gyp info spawn args 'build', npm ERR! gyp info spawn args '-Goutput_dir=.' npm ERR! gyp info spawn args ] npm ERR! /bin/sh: 1: mapnik-config: not found npm ERR! gyp: Call to 'mapnik-config --cflags' returned exit status 127 while in binding.gyp. while trying to load binding.gyp npm ERR! gyp ERR! configure error npm ERR! gyp ERR! stack Error: `gyp` failed with exit code: 1 npm ERR! gyp ERR! stack at ChildProcess.onCpExit (/usr/share/nodejs/node-gyp/lib/configure.js:329:16) npm ERR! gyp ERR! stack at ChildProcess.emit (node:events:517:28) npm ERR! gyp ERR! stack at ChildProcess._handle.onexit (node:internal/child_process:292:12) npm ERR! gyp ERR! System Linux 6.1.0-25-cloud-amd64 npm ERR! gyp ERR! command "/usr/bin/node" "/usr/share/nodejs/node-gyp/bin/node-gyp.js" "configure" "--build-from-source" "--module=/src/repo/node_modules/@kartotherian/mapnik/lib/binding/mapnik.node" "--module_name=mapnik" "--module_path=/src/repo/node_modules/@kartotherian/mapnik/lib/binding" "--napi_version=9" "--node_abi_napi=napi" npm ERR! gyp ERR! cwd /src/repo/node_modules/@kartotherian/mapnik npm ERR! gyp ERR! node -v v18.19.0 npm ERR! gyp ERR! node-gyp -v v9.3.0 npm ERR! gyp ERR! not ok npm ERR! node-pre-gyp ERR! build error npm ERR! node-pre-gyp ERR! stack Error: Failed to execute '/usr/bin/node /usr/share/nodejs/node-gyp/bin/node-gyp.js configure --build-from-source --module=/src/repo/node_modules/@kartotherian/mapnik/lib/binding/mapnik.node --module_name=mapnik --module_path=/src/repo/node_modules/@kartotherian/mapnik/lib/binding --napi_version=9 --node_abi_napi=napi' (1) npm ERR! node-pre-gyp ERR! stack at ChildProcess.<anonymous> (/src/repo/node_modules/@kartotherian/mapnik/node_modules/node-pre-gyp/lib/util/compile.js:83:29) npm ERR! node-pre-gyp ERR! stack at ChildProcess.emit (node:events:517:28) npm ERR! node-pre-gyp ERR! stack at maybeClose (node:internal/child_process:1098:16) npm ERR! node-pre-gyp ERR! stack at ChildProcess._handle.onexit (node:internal/child_process:303:5) npm ERR! node-pre-gyp ERR! System Linux 6.1.0-25-cloud-amd64 npm ERR! node-pre-gyp ERR! command "/usr/bin/node" "/src/repo/node_modules/@kartotherian/mapnik/node_modules/.bin/node-pre-gyp" "install" "--build-from-source" npm ERR! node-pre-gyp ERR! cwd /src/repo/node_modules/@kartotherian/mapnik npm ERR! node-pre-gyp ERR! node -v v18.19.0 npm ERR! node-pre-gyp ERR! node-pre-gyp -v v0.10.3 npm ERR! node-pre-gyp ERR! not ok npm ERR! A complete log of this run can be found in: npm ERR! /cache/_logs/2024-11-14T18_01_48_315Z-debug-0.log --- stdout --- --- end --- Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1178, in npm_upgrade self.check_call(["npm", "install"]) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 59, in check_call res.check_returncode() File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode raise CalledProcessError(self.returncode, self.args, self.stdout, subprocess.CalledProcessError: Command '['/usr/bin/npm', 'install']' returned non-zero exit status 1. During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1864, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1803, in run self.npm_upgrade(plan) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1181, in npm_upgrade self.check_call(["npm", "install"]) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 59, in check_call res.check_returncode() File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode raise CalledProcessError(self.returncode, self.args, self.stdout, subprocess.CalledProcessError: Command '['/usr/bin/npm', 'install']' returned non-zero exit status 1.