wikidata/query-builder: main (log #1609020)

sourcepatches

This run took 91 seconds.

$ date
--- stdout ---
Fri Nov 15 04:43:48 UTC 2024

--- end ---
$ git clone file:///srv/git/wikidata-query-builder.git repo --depth=1 -b master
--- stderr ---
Cloning into 'repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/master
--- stdout ---
041c3ae0539963ec5b480aec371bc324a392897a refs/heads/master

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@vitejs/plugin-vue": {
      "name": "@vitejs/plugin-vue",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "vite"
      ],
      "effects": [],
      "range": "1.8.0 - 2.3.4",
      "nodes": [
        "node_modules/@vitejs/plugin-vue"
      ],
      "fixAvailable": {
        "name": "@vitejs/plugin-vue",
        "version": "5.2.0",
        "isSemVerMajor": true
      }
    },
    "@vue/composition-api": {
      "name": "@vue/composition-api",
      "severity": "low",
      "isDirect": false,
      "via": [
        "vue"
      ],
      "effects": [
        "@wmde/wikit-vue-components"
      ],
      "range": "*",
      "nodes": [
        "node_modules/@wmde/wikit-vue-components/node_modules/@vue/composition-api"
      ],
      "fixAvailable": false
    },
    "@wmde/wikit-vue-components": {
      "name": "@wmde/wikit-vue-components",
      "severity": "low",
      "isDirect": true,
      "via": [
        "@vue/composition-api",
        "vue"
      ],
      "effects": [],
      "range": "<=2.1.0-alpha.16",
      "nodes": [
        "node_modules/@wmde/wikit-vue-components"
      ],
      "fixAvailable": false
    },
    "body-parser": {
      "name": "body-parser",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1099520,
          "name": "body-parser",
          "dependency": "body-parser",
          "title": "body-parser vulnerable to denial of service when url encoding is enabled",
          "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7",
          "severity": "high",
          "cwe": [
            "CWE-405"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<1.20.3"
        }
      ],
      "effects": [
        "express"
      ],
      "range": "<1.20.3",
      "nodes": [
        "node_modules/netlify-cli/node_modules/body-parser"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "17.37.2",
        "isSemVerMajor": false
      }
    },
    "cookie": {
      "name": "cookie",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1099846,
          "name": "cookie",
          "dependency": "cookie",
          "title": "cookie accepts cookie name, path, and domain with out of bounds characters",
          "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
          "severity": "low",
          "cwe": [
            "CWE-74"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<0.7.0"
        }
      ],
      "effects": [
        "express",
        "light-my-request",
        "netlify-cli"
      ],
      "range": "<0.7.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/cookie"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "17.37.2",
        "isSemVerMajor": false
      }
    },
    "express": {
      "name": "express",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1099529,
          "name": "express",
          "dependency": "express",
          "title": "express vulnerable to XSS via response.redirect()",
          "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx",
          "severity": "moderate",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 5,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<4.20.0"
        },
        "body-parser",
        "cookie",
        "path-to-regexp",
        "send",
        "serve-static"
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/express"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "17.37.2",
        "isSemVerMajor": false
      }
    },
    "find-my-way": {
      "name": "find-my-way",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1099853,
          "name": "find-my-way",
          "dependency": "find-my-way",
          "title": "find-my-way has a ReDoS vulnerability in multiparametric routes",
          "url": "https://github.com/advisories/GHSA-rrr8-f88r-h8q6",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=5.5.0 <8.2.2"
        }
      ],
      "effects": [],
      "range": "5.5.0 - 8.2.1",
      "nodes": [
        "node_modules/netlify-cli/node_modules/find-my-way"
      ],
      "fixAvailable": true
    },
    "http-proxy-middleware": {
      "name": "http-proxy-middleware",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1100223,
          "name": "http-proxy-middleware",
          "dependency": "http-proxy-middleware",
          "title": "Denial of service in http-proxy-middleware",
          "url": "https://github.com/advisories/GHSA-c7qv-q95q-8v27",
          "severity": "high",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<2.0.7"
        }
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "<2.0.7",
      "nodes": [
        "node_modules/netlify-cli/node_modules/http-proxy-middleware"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "17.37.2",
        "isSemVerMajor": false
      }
    },
    "light-my-request": {
      "name": "light-my-request",
      "severity": "low",
      "isDirect": false,
      "via": [
        "cookie"
      ],
      "effects": [],
      "range": "3.7.0 - 5.13.0 || 6.0.0-pre.fv5.1 - 6.0.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/light-my-request"
      ],
      "fixAvailable": true
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1098681,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.0.8"
        }
      ],
      "effects": [],
      "range": "<4.0.8",
      "nodes": [
        "node_modules/micromatch",
        "node_modules/netlify-cli/node_modules/micromatch"
      ],
      "fixAvailable": true
    },
    "netlify-cli": {
      "name": "netlify-cli",
      "severity": "high",
      "isDirect": true,
      "via": [
        "cookie",
        "express",
        "http-proxy-middleware"
      ],
      "effects": [],
      "range": "2.14.0 - 17.37.0-rc-redirects.0",
      "nodes": [
        "node_modules/netlify-cli"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "17.37.2",
        "isSemVerMajor": false
      }
    },
    "path-to-regexp": {
      "name": "path-to-regexp",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1099562,
          "name": "path-to-regexp",
          "dependency": "path-to-regexp",
          "title": "path-to-regexp outputs backtracking regular expressions",
          "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<0.1.10"
        }
      ],
      "effects": [
        "express"
      ],
      "range": "<0.1.10",
      "nodes": [
        "node_modules/netlify-cli/node_modules/path-to-regexp"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "17.37.2",
        "isSemVerMajor": false
      }
    },
    "rollup": {
      "name": "rollup",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1099757,
          "name": "rollup",
          "dependency": "rollup",
          "title": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS",
          "url": "https://github.com/advisories/GHSA-gcx4-mw62-g8wm",
          "severity": "high",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 6.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"
          },
          "range": "<2.79.2"
        },
        {
          "source": 1099764,
          "name": "rollup",
          "dependency": "rollup",
          "title": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS",
          "url": "https://github.com/advisories/GHSA-gcx4-mw62-g8wm",
          "severity": "high",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 6.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"
          },
          "range": ">=4.0.0 <4.22.4"
        }
      ],
      "effects": [
        "vite"
      ],
      "range": "<2.79.2 || >=4.0.0 <4.22.4",
      "nodes": [
        "node_modules/rollup",
        "node_modules/vite/node_modules/rollup"
      ],
      "fixAvailable": {
        "name": "vite",
        "version": "5.4.11",
        "isSemVerMajor": true
      }
    },
    "send": {
      "name": "send",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1099525,
          "name": "send",
          "dependency": "send",
          "title": "send vulnerable to template injection that can lead to XSS",
          "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg",
          "severity": "moderate",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 5,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<0.19.0"
        }
      ],
      "effects": [
        "express",
        "serve-static"
      ],
      "range": "<0.19.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/send"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "17.37.2",
        "isSemVerMajor": false
      }
    },
    "serve-static": {
      "name": "serve-static",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1099527,
          "name": "serve-static",
          "dependency": "serve-static",
          "title": "serve-static vulnerable to template injection that can lead to XSS",
          "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p",
          "severity": "moderate",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 5,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<1.16.0"
        },
        "send"
      ],
      "effects": [],
      "range": "<=1.16.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/serve-static"
      ],
      "fixAvailable": true
    },
    "vite": {
      "name": "vite",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1099690,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS",
          "url": "https://github.com/advisories/GHSA-64vr-g452-qvp3",
          "severity": "moderate",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 6.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"
          },
          "range": "<3.2.11"
        },
        {
          "source": 1099695,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
          "url": "https://github.com/advisories/GHSA-9cwx-2883-4wfx",
          "severity": "moderate",
          "cwe": [
            "CWE-200",
            "CWE-284"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
          },
          "range": "<=3.2.10"
        },
        "rollup"
      ],
      "effects": [
        "@vitejs/plugin-vue"
      ],
      "range": "<=3.2.10",
      "nodes": [
        "node_modules/vite"
      ],
      "fixAvailable": {
        "name": "vite",
        "version": "5.4.11",
        "isSemVerMajor": true
      }
    },
    "vue": {
      "name": "vue",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1100238,
          "name": "vue",
          "dependency": "vue",
          "title": "ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function",
          "url": "https://github.com/advisories/GHSA-5j4c-8p2g-v4jx",
          "severity": "low",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 3.7,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=2.0.0-alpha.1 <3.0.0-alpha.0"
        }
      ],
      "effects": [
        "@vue/composition-api",
        "@wmde/wikit-vue-components"
      ],
      "range": "2.0.0-alpha.1 - 2.7.16",
      "nodes": [
        "node_modules/@wmde/wikit-vue-components/node_modules/vue"
      ],
      "fixAvailable": false
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 5,
      "moderate": 4,
      "high": 8,
      "critical": 0,
      "total": 17
    },
    "dependencies": {
      "prod": 127,
      "dev": 2447,
      "optional": 127,
      "peer": 78,
      "peerOptional": 0,
      "total": 2591
    }
  }
}

--- end ---
Upgrading n:@wmde/eslint-config-wikimedia-typescript from ^0.2.9 -> 0.2.12
$ /usr/bin/npm install
--- stderr ---
npm WARN deprecated rdf-js@4.0.2: Use @types/rdf-js instead. See https://github.com/rdfjs/types?tab=readme-ov-file#what-about-typesrdf-js
npm WARN deprecated @types/rdf-js@4.0.2: This is a stub types definition. rdf-js provides its own type definitions, so you do not need this installed.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated vue@2.6.14: Vue 2 has reached EOL and is no longer actively maintained. See https://v2.vuejs.org/eol/ for more details.
--- stdout ---

added 2488 packages, and audited 2491 packages in 53s

404 packages are looking for funding
  run `npm fund` for details

17 vulnerabilities (5 low, 4 moderate, 8 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
node_modules/netlify-cli/tools/lint-rules@unknown: Neither "resolved" nor "version" are present

--- end ---
Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1864, in main
    libup.run(args.repo, args.output, args.branch)
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1803, in run
    self.npm_upgrade(plan)
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1186, in npm_upgrade
    self.check_package_lock()
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 335, in check_package_lock
    self.check_call(["package-lock-lint", "package-lock.json"])
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 59, in check_call
    res.check_returncode()
  File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode
    raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['package-lock-lint', 'package-lock.json']' returned non-zero exit status 1.
Source code is licensed under the AGPL.