This run took 187 seconds.
$ date
--- stdout ---
Thu Dec 4 12:31:41 UTC 2025
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-MobileFrontend.git repo --depth=1 -b REL1_39
--- stderr ---
Cloning into 'repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_39
--- stdout ---
1cc2560d549b6de192f92fe25046a529ea5e5243 refs/heads/REL1_39
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/helpers": {
"name": "@babel/helpers",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1104001,
"name": "@babel/helpers",
"dependency": "@babel/helpers",
"title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
"url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.26.10"
}
],
"effects": [],
"range": "<7.26.10",
"nodes": [
"node_modules/@babel/helpers"
],
"fixAvailable": true
},
"@babel/runtime": {
"name": "@babel/runtime",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1104000,
"name": "@babel/runtime",
"dependency": "@babel/runtime",
"title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
"url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.26.10"
}
],
"effects": [],
"range": "<7.26.10",
"nodes": [
"node_modules/@babel/runtime"
],
"fixAvailable": true
},
"@babel/traverse": {
"name": "@babel/traverse",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096886,
"name": "@babel/traverse",
"dependency": "@babel/traverse",
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
"severity": "critical",
"cwe": [
"CWE-184",
"CWE-697"
],
"cvss": {
"score": 9.4,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"range": "<7.23.2"
}
],
"effects": [],
"range": "<7.23.2",
"nodes": [
"node_modules/@babel/traverse"
],
"fixAvailable": true
},
"@storybook/addon-actions": {
"name": "@storybook/addon-actions",
"severity": "moderate",
"isDirect": true,
"via": [
"@storybook/components"
],
"effects": [],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/addon-actions"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"@storybook/builder-webpack4": {
"name": "@storybook/builder-webpack4",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/components",
"@storybook/core-common",
"@storybook/ui",
"autoprefixer",
"css-loader",
"fork-ts-checker-webpack-plugin",
"postcss",
"postcss-flexbugs-fixes",
"react-dev-utils",
"webpack",
"webpack-dev-middleware"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@storybook/builder-webpack4"
],
"fixAvailable": true
},
"@storybook/components": {
"name": "@storybook/components",
"severity": "moderate",
"isDirect": false,
"via": [
"react-syntax-highlighter"
],
"effects": [
"@storybook/addon-actions",
"@storybook/builder-webpack4",
"@storybook/ui"
],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/components"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"@storybook/core": {
"name": "@storybook/core",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/core-client",
"@storybook/core-server"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core"
],
"fixAvailable": true
},
"@storybook/core-client": {
"name": "@storybook/core-client",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/ui"
],
"effects": [
"@storybook/core",
"@storybook/core-server"
],
"range": "<=6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/core-client"
],
"fixAvailable": true
},
"@storybook/core-common": {
"name": "@storybook/core-common",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"@storybook/html"
],
"range": "<=6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core-common"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "10.1.4",
"isSemVerMajor": true
}
},
"@storybook/core-server": {
"name": "@storybook/core-server",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/builder-webpack4",
"@storybook/core-client",
"@storybook/core-common",
"@storybook/ui",
"cpy",
"css-loader",
"ip",
"webpack",
"webpack-dev-middleware"
],
"effects": [
"@storybook/core"
],
"range": "<=7.6.19 || 8.0.0-alpha.0 - 8.1.5 || 8.2.0-alpha.0 - 8.2.0-beta.3",
"nodes": [
"node_modules/@storybook/core-server"
],
"fixAvailable": true
},
"@storybook/html": {
"name": "@storybook/html",
"severity": "high",
"isDirect": true,
"via": [
"@storybook/core",
"@storybook/core-common"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/html"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "10.1.4",
"isSemVerMajor": true
}
},
"@storybook/ui": {
"name": "@storybook/ui",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/components",
"markdown-to-jsx"
],
"effects": [
"@storybook/builder-webpack4",
"@storybook/core-client"
],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/ui"
],
"fixAvailable": true
},
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint-config-wikimedia",
"jsdom",
"qunit"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"ansi-regex": {
"name": "ansi-regex",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094091,
"name": "ansi-regex",
"dependency": "ansi-regex",
"title": "Inefficient Regular Expression Complexity in chalk/ansi-regex",
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
"severity": "high",
"cwe": [
"CWE-697",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [],
"range": "4.0.0 - 4.1.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex",
"node_modules/webpack-cli/node_modules/ansi-regex"
],
"fixAvailable": true
},
"anymatch": {
"name": "anymatch",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar",
"sane"
],
"range": "1.2.0 - 2.0.0",
"nodes": [
"node_modules/sane/node_modules/anymatch",
"node_modules/watchpack-chokidar2/node_modules/anymatch"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"autoprefixer": {
"name": "autoprefixer",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "1.0.20131222 - 9.8.8",
"nodes": [
"node_modules/autoprefixer"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1108262,
"name": "axios",
"dependency": "axios",
"title": "Axios is vulnerable to DoS attack through lack of data size check",
"url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj",
"severity": "high",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.30.2"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
}
],
"effects": [
"bundlesize",
"github-build"
],
"range": "<=0.30.1",
"nodes": [
"node_modules/axios",
"node_modules/github-build/node_modules/axios"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"body-parser": {
"name": "body-parser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1099520,
"name": "body-parser",
"dependency": "body-parser",
"title": "body-parser vulnerable to denial of service when url encoding is enabled",
"url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7",
"severity": "high",
"cwe": [
"CWE-405"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.20.3"
},
"qs"
],
"effects": [
"express"
],
"range": "<=1.20.2",
"nodes": [
"node_modules/body-parser"
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1105443,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <=1.1.11"
}
],
"effects": [],
"range": "1.0.0 - 1.1.11",
"nodes": [
"node_modules/brace-expansion"
],
"fixAvailable": true
},
"braces": {
"name": "braces",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098094,
"name": "braces",
"dependency": "braces",
"title": "Uncontrolled resource consumption in braces",
"url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1050"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.3"
}
],
"effects": [
"chokidar",
"micromatch"
],
"range": "<3.0.3",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/braces",
"node_modules/braces",
"node_modules/fast-glob/node_modules/braces",
"node_modules/findup-sync/node_modules/braces",
"node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces",
"node_modules/sane/node_modules/braces",
"node_modules/watchpack-chokidar2/node_modules/braces",
"node_modules/webpack-cli/node_modules/braces",
"node_modules/webpack/node_modules/braces"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"browserify-sign": {
"name": "browserify-sign",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1102445,
"name": "browserify-sign",
"dependency": "browserify-sign",
"title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
"url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.6.0 <=4.2.1"
}
],
"effects": [],
"range": "2.6.0 - 4.2.1",
"nodes": [
"node_modules/browserify-sign"
],
"fixAvailable": true
},
"browserslist": {
"name": "browserslist",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1093035,
"name": "browserslist",
"dependency": "browserslist",
"title": "Regular Expression Denial of Service in browserslist",
"url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=4.0.0 <4.16.5"
}
],
"effects": [
"react-dev-utils"
],
"range": "4.0.0 - 4.16.4",
"nodes": [
"node_modules/react-dev-utils/node_modules/browserslist"
],
"fixAvailable": true
},
"bundlesize": {
"name": "bundlesize",
"severity": "high",
"isDirect": true,
"via": [
"axios"
],
"effects": [],
"range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1",
"nodes": [
"node_modules/bundlesize"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"chokidar": {
"name": "chokidar",
"severity": "high",
"isDirect": false,
"via": [
"anymatch",
"braces",
"readdirp"
],
"effects": [
"watchpack-chokidar2"
],
"range": "1.3.0 - 2.1.8",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/chokidar"
],
"fixAvailable": true
},
"cipher-base": {
"name": "cipher-base",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109536,
"name": "cipher-base",
"dependency": "cipher-base",
"title": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data",
"url": "https://github.com/advisories/GHSA-cpq7-6gpm-g9rc",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": "<=1.0.4"
}
],
"effects": [],
"range": "<=1.0.4",
"nodes": [
"node_modules/cipher-base"
],
"fixAvailable": true
},
"cookie": {
"name": "cookie",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1103907,
"name": "cookie",
"dependency": "cookie",
"title": "cookie accepts cookie name, path, and domain with out of bounds characters",
"url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
"severity": "low",
"cwe": [
"CWE-74"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.7.0"
}
],
"effects": [
"express"
],
"range": "<0.7.0",
"nodes": [
"node_modules/cookie"
],
"fixAvailable": true
},
"core-js-compat": {
"name": "core-js-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [],
"range": "3.6.0 - 3.25.0",
"nodes": [
"node_modules/core-js-compat"
],
"fixAvailable": true
},
"cpy": {
"name": "cpy",
"severity": "moderate",
"isDirect": false,
"via": [
"globby"
],
"effects": [
"@storybook/core-server"
],
"range": "7.0.0 - 8.1.2",
"nodes": [
"node_modules/cpy"
],
"fixAvailable": true
},
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
},
{
"source": 1104664,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.0.5"
}
],
"effects": [
"pre-commit",
"react-dev-utils",
"webpack-cli"
],
"range": "<6.0.6 || >=7.0.0 <7.0.5",
"nodes": [
"node_modules/cross-spawn",
"node_modules/eslint/node_modules/cross-spawn",
"node_modules/foreground-child/node_modules/cross-spawn",
"node_modules/istanbul-lib-processinfo/node_modules/cross-spawn",
"node_modules/pre-commit/node_modules/cross-spawn",
"node_modules/react-dev-utils/node_modules/cross-spawn"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"css-loader": {
"name": "css-loader",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values"
],
"effects": [],
"range": "0.15.0 - 4.3.0",
"nodes": [
"node_modules/css-loader"
],
"fixAvailable": true
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094087,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "high",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
"node_modules/decode-uri-component"
],
"fixAvailable": true
},
"elliptic": {
"name": "elliptic",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1102901,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)",
"url": "https://github.com/advisories/GHSA-vjh7-7g9h-fjfh",
"severity": "critical",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=6.6.0"
},
{
"source": 1109566,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's EDDSA missing signature length check",
"url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=4.0.0 <=6.5.6"
},
{
"source": 1109567,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero",
"url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw",
"severity": "low",
"cwe": [
"CWE-130"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=2.0.0 <=6.5.6"
},
{
"source": 1109568,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic allows BER-encoded signatures",
"url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=5.2.1 <=6.5.6"
},
{
"source": 1111036,
"name": "elliptic",
"dependency": "elliptic",
"title": "Valid ECDSA signatures erroneously rejected in Elliptic",
"url": "https://github.com/advisories/GHSA-fc9h-whq2-v747",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<6.6.0"
},
{
"source": 1111037,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's verify function omits uniqueness validation",
"url": "https://github.com/advisories/GHSA-434g-2637-qmqr",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<6.5.6"
}
],
"effects": [],
"range": "<=6.6.0",
"nodes": [
"node_modules/elliptic"
],
"fixAvailable": true
},
"eslint": {
"name": "eslint",
"severity": "low",
"isDirect": false,
"via": [
"inquirer"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "4.0.0-alpha.0 - 7.2.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/eslint"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "high",
"isDirect": true,
"via": [
"eslint",
"eslint-plugin-compat"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.18.0 - 0.21.0 || 0.9.0 - 0.15.3",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/eslint-config-wikimedia",
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"eslint-plugin-compat": {
"name": "eslint-plugin-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "3.6.0-0 - 4.1.4",
"nodes": [
"node_modules/eslint-plugin-compat"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"express": {
"name": "express",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096820,
"name": "express",
"dependency": "express",
"title": "Express.js Open Redirect in malformed URLs",
"url": "https://github.com/advisories/GHSA-rv95-896h-c2vc",
"severity": "moderate",
"cwe": [
"CWE-601",
"CWE-1286"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<4.19.2"
},
{
"source": 1100530,
"name": "express",
"dependency": "express",
"title": "express vulnerable to XSS via response.redirect()",
"url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<4.20.0"
},
"body-parser",
"cookie",
"path-to-regexp",
"qs",
"send",
"serve-static"
],
"effects": [],
"range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0",
"nodes": [
"node_modules/express"
],
"fixAvailable": true
},
"external-editor": {
"name": "external-editor",
"severity": "low",
"isDirect": false,
"via": [
"tmp"
],
"effects": [
"inquirer"
],
"range": ">=1.1.1",
"nodes": [
"node_modules/external-editor"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"fast-glob": {
"name": "fast-glob",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"globby"
],
"range": "<=2.2.7",
"nodes": [
"node_modules/fast-glob"
],
"fixAvailable": true
},
"findup-sync": {
"name": "findup-sync",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"qunit",
"webpack-cli"
],
"range": "0.4.0 - 3.0.0",
"nodes": [
"node_modules/findup-sync",
"node_modules/webpack-cli/node_modules/findup-sync"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"follow-redirects": {
"name": "follow-redirects",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1092623,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects",
"url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-212"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<1.14.8"
},
{
"source": 1096856,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "follow-redirects' Proxy-Authorization header kept across hosts",
"url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=1.15.5"
},
{
"source": 1102323,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of sensitive information in follow-redirects",
"url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q",
"severity": "high",
"cwe": [
"CWE-359"
],
"cvss": {
"score": 8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
},
"range": "<1.14.7"
},
{
"source": 1109569,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Follow Redirects improperly handles URLs in the url.parse() function",
"url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc",
"severity": "moderate",
"cwe": [
"CWE-20",
"CWE-601"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<1.15.4"
}
],
"effects": [],
"range": "<=1.15.5",
"nodes": [
"node_modules/follow-redirects"
],
"fixAvailable": true
},
"fork-ts-checker-webpack-plugin": {
"name": "fork-ts-checker-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"react-dev-utils"
],
"range": "0.4.14 - 4.1.6",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin",
"node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin"
],
"fixAvailable": true
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109539,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=3.0.0 <3.0.4"
},
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": ">=3.0.0 <3.0.4 || <2.5.4",
"nodes": [
"node_modules/form-data",
"node_modules/request/node_modules/form-data"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"github-build": {
"name": "github-build",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [],
"range": "<=1.2.3",
"nodes": [
"node_modules/github-build"
],
"fixAvailable": true
},
"globby": {
"name": "globby",
"severity": "moderate",
"isDirect": false,
"via": [
"fast-glob"
],
"effects": [
"cpy"
],
"range": "8.0.0 - 9.2.0",
"nodes": [
"node_modules/globby"
],
"fixAvailable": true
},
"icss-utils": {
"name": "icss-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"css-loader",
"postcss-modules-local-by-default",
"postcss-modules-values"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/icss-utils"
],
"fixAvailable": true
},
"immer": {
"name": "immer",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097196,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx",
"severity": "high",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <9.0.6"
},
{
"source": 1097209,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-33f9-j839-rf8h",
"severity": "critical",
"cwe": [
"CWE-843",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=7.0.0 <9.0.6"
}
],
"effects": [],
"range": "7.0.0 - 9.0.5",
"nodes": [
"node_modules/immer"
],
"fixAvailable": true
},
"inquirer": {
"name": "inquirer",
"severity": "low",
"isDirect": false,
"via": [
"external-editor"
],
"effects": [
"eslint"
],
"range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/inquirer"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"ip": {
"name": "ip",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097720,
"name": "ip",
"dependency": "ip",
"title": "NPM IP package incorrectly identifies some private IP addresses as public",
"url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<1.1.9"
},
{
"source": 1101851,
"name": "ip",
"dependency": "ip",
"title": "ip SSRF improper categorization in isPublic",
"url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=2.0.1"
}
],
"effects": [
"@storybook/core-server"
],
"range": "*",
"nodes": [
"node_modules/ip"
],
"fixAvailable": true
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109801,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.14.2"
}
],
"effects": [],
"range": "<3.14.2",
"nodes": [
"node_modules/js-yaml"
],
"fixAvailable": true
},
"jsdoc": {
"name": "jsdoc",
"severity": "high",
"isDirect": true,
"via": [
"markdown-it",
"marked",
"taffydb"
],
"effects": [],
"range": "3.2.0-dev - 3.6.11",
"nodes": [
"node_modules/jsdoc"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": true,
"via": [
"request",
"request-promise-native",
"tough-cookie"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.1.20 || 0.2.0 - 16.5.3",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"json-schema": {
"name": "json-schema",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1101855,
"name": "json-schema",
"dependency": "json-schema",
"title": "json-schema is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-896r-f27r-55mw",
"severity": "critical",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<0.4.0"
}
],
"effects": [
"jsprim"
],
"range": "<0.4.0",
"nodes": [
"node_modules/json-schema"
],
"fixAvailable": true
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096543,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1096544,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"node_modules/json5",
"node_modules/loader-utils/node_modules/json5",
"node_modules/webpack-cli/node_modules/json5"
],
"fixAvailable": true
},
"jsprim": {
"name": "jsprim",
"severity": "critical",
"isDirect": false,
"via": [
"json-schema"
],
"effects": [],
"range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1",
"nodes": [
"node_modules/jsprim"
],
"fixAvailable": true
},
"less": {
"name": "less",
"severity": "moderate",
"isDirect": true,
"via": [
"request"
],
"effects": [],
"range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3",
"nodes": [
"node_modules/less"
],
"fixAvailable": {
"name": "less",
"version": "3.13.1",
"isSemVerMajor": false
}
},
"loader-utils": {
"name": "loader-utils",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1094088,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.4.1"
},
{
"source": 1094089,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1095054,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1095055,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
},
{
"source": 1109587,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1109588,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
}
],
"effects": [
"react-dev-utils",
"webpack-cli"
],
"range": "<=1.4.1 || 2.0.0 - 2.0.3",
"nodes": [
"node_modules/file-loader/node_modules/loader-utils",
"node_modules/html-loader/node_modules/loader-utils",
"node_modules/loader-utils",
"node_modules/postcss-loader/node_modules/loader-utils",
"node_modules/raw-loader/node_modules/loader-utils",
"node_modules/react-dev-utils/node_modules/loader-utils",
"node_modules/style-loader/node_modules/loader-utils",
"node_modules/url-loader/node_modules/loader-utils",
"node_modules/webpack-cli/node_modules/loader-utils"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"markdown-it": {
"name": "markdown-it",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1092663,
"name": "markdown-it",
"dependency": "markdown-it",
"title": "Uncontrolled Resource Consumption in markdown-it",
"url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<12.3.2"
}
],
"effects": [
"jsdoc"
],
"range": "<12.3.2",
"nodes": [
"node_modules/markdown-it"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"markdown-to-jsx": {
"name": "markdown-to-jsx",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1100074,
"name": "markdown-to-jsx",
"dependency": "markdown-to-jsx",
"title": "Cross site scripting in markdown-to-jsx",
"url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<7.4.0"
}
],
"effects": [
"@storybook/ui"
],
"range": "<7.4.0",
"nodes": [
"node_modules/@storybook/ui/node_modules/markdown-to-jsx",
"node_modules/markdown-to-jsx"
],
"fixAvailable": true
},
"marked": {
"name": "marked",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095051,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
},
{
"source": 1095052,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
}
],
"effects": [
"jsdoc"
],
"range": "<=4.0.9",
"nodes": [
"node_modules/marked"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"micromatch": {
"name": "micromatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098681,
"name": "micromatch",
"dependency": "micromatch",
"title": "Regular Expression Denial of Service (ReDoS) in micromatch",
"url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<4.0.8"
},
"braces"
],
"effects": [
"anymatch",
"fast-glob",
"findup-sync",
"fork-ts-checker-webpack-plugin",
"readdirp",
"sane",
"webpack"
],
"range": "<=4.0.7",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/micromatch",
"node_modules/fast-glob/node_modules/micromatch",
"node_modules/findup-sync/node_modules/micromatch",
"node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/fast-glob/node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/micromatch",
"node_modules/sane/node_modules/micromatch",
"node_modules/watchpack-chokidar2/node_modules/micromatch",
"node_modules/webpack-cli/node_modules/micromatch",
"node_modules/webpack/node_modules/micromatch"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"min-document": {
"name": "min-document",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109626,
"name": "min-document",
"dependency": "min-document",
"title": "min-document vulnerable to prototype pollution",
"url": "https://github.com/advisories/GHSA-rx8g-88g5-qh64",
"severity": "low",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=2.19.0"
}
],
"effects": [],
"range": "<=2.19.0",
"nodes": [
"node_modules/min-document"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"recursive-readdir"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097678,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
"node_modules/minimist"
],
"fixAvailable": true
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109563,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
},
{
"source": 1109578,
"name": "nanoid",
"dependency": "nanoid",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
"url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-704"
],
"cvss": {
"score": 5.5,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.31"
}
],
"effects": [],
"range": "<=3.3.7",
"nodes": [
"node_modules/doiuse/node_modules/nanoid",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid"
],
"fixAvailable": true
},
"node-fetch": {
"name": "node-fetch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095073,
"name": "node-fetch",
"dependency": "node-fetch",
"title": "node-fetch forwards secure headers to untrusted sites",
"url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
"severity": "high",
"cwe": [
"CWE-173",
"CWE-200",
"CWE-601"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<2.6.7"
}
],
"effects": [],
"range": "<2.6.7",
"nodes": [
"node_modules/node-fetch"
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1101849,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=0.2.0 <1.9.0"
},
{
"source": 1101850,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.10"
},
{
"source": 1105199,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp contains a ReDoS",
"url": "https://github.com/advisories/GHSA-rhx6-c78j-4q9w",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.12"
}
],
"effects": [
"express"
],
"range": "<=0.1.11 || 0.2.0 - 1.8.0",
"nodes": [
"node_modules/nise/node_modules/path-to-regexp",
"node_modules/path-to-regexp"
],
"fixAvailable": true
},
"pbkdf2": {
"name": "pbkdf2",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1105691,
"name": "pbkdf2",
"dependency": "pbkdf2",
"title": "pbkdf2 silently disregards Uint8Array input, returning static keys",
"url": "https://github.com/advisories/GHSA-v62p-rq8g-8h59",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.1.2"
},
{
"source": 1105692,
"name": "pbkdf2",
"dependency": "pbkdf2",
"title": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos",
"url": "https://github.com/advisories/GHSA-h7cp-r72f-jxh6",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=3.0.10 <=3.1.2"
}
],
"effects": [],
"range": "<=3.1.2",
"nodes": [
"node_modules/pbkdf2"
],
"fixAvailable": true
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109574,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS line return parsing error",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-144"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<8.4.31"
}
],
"effects": [
"@storybook/builder-webpack4",
"autoprefixer",
"css-loader",
"icss-utils",
"postcss-flexbugs-fixes",
"postcss-less",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"stylelint",
"sugarss"
],
"range": "<8.4.31",
"nodes": [
"node_modules/doiuse/node_modules/postcss",
"node_modules/postcss",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-flexbugs-fixes": {
"name": "postcss-flexbugs-fixes",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=4.2.1",
"nodes": [
"node_modules/postcss-flexbugs-fixes"
],
"fixAvailable": true
},
"postcss-less": {
"name": "postcss-less",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=3.1.4",
"nodes": [
"node_modules/postcss-less"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-modules-extract-imports": {
"name": "postcss-modules-extract-imports",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/postcss-modules-extract-imports"
],
"fixAvailable": true
},
"postcss-modules-local-by-default": {
"name": "postcss-modules-local-by-default",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [],
"range": "<=4.0.0-rc.4",
"nodes": [
"node_modules/postcss-modules-local-by-default"
],
"fixAvailable": true
},
"postcss-modules-scope": {
"name": "postcss-modules-scope",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.2.0",
"nodes": [
"node_modules/postcss-modules-scope"
],
"fixAvailable": true
},
"postcss-modules-values": {
"name": "postcss-modules-values",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [
"css-loader"
],
"range": "<=4.0.0-rc.5",
"nodes": [
"node_modules/postcss-modules-values"
],
"fixAvailable": true
},
"postcss-safe-parser": {
"name": "postcss-safe-parser",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=4.0.2",
"nodes": [
"node_modules/postcss-safe-parser"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-sass": {
"name": "postcss-sass",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=0.4.4",
"nodes": [
"node_modules/postcss-sass"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-scss": {
"name": "postcss-scss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=2.1.1",
"nodes": [
"node_modules/postcss-scss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"pre-commit": {
"name": "pre-commit",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn"
],
"effects": [],
"range": ">=1.1.0",
"nodes": [
"node_modules/pre-commit"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"prismjs": {
"name": "prismjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090424,
"name": "prismjs",
"dependency": "prismjs",
"title": "Cross-site Scripting in Prism",
"url": "https://github.com/advisories/GHSA-3949-f494-cm99",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"
},
"range": ">=1.14.0 <1.27.0"
},
{
"source": 1105770,
"name": "prismjs",
"dependency": "prismjs",
"title": "PrismJS DOM Clobbering vulnerability",
"url": "https://github.com/advisories/GHSA-x7hr-w5r2-h6wg",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-94"
],
"cvss": {
"score": 4.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<1.30.0"
}
],
"effects": [
"refractor"
],
"range": "<=1.29.0",
"nodes": [
"node_modules/prismjs"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"qs": {
"name": "qs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104118,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.5.0 <6.5.3"
},
{
"source": 1104120,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.7.0 <6.7.3"
},
{
"source": 1104123,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.10.0 <6.10.3"
}
],
"effects": [
"body-parser",
"express"
],
"range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2",
"nodes": [
"node_modules/body-parser/node_modules/qs",
"node_modules/express/node_modules/qs",
"node_modules/qs",
"node_modules/request/node_modules/qs"
],
"fixAvailable": true
},
"qunit": {
"name": "qunit",
"severity": "moderate",
"isDirect": false,
"via": [
"findup-sync",
"sane"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "2.4.1 - 2.8.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"react-dev-utils": {
"name": "react-dev-utils",
"severity": "critical",
"isDirect": false,
"via": [
"browserslist",
"cross-spawn",
"fork-ts-checker-webpack-plugin",
"immer",
"loader-utils",
"recursive-readdir",
"shell-quote"
],
"effects": [
"@storybook/builder-webpack4"
],
"range": "0.5.2 - 12.0.0-next.60",
"nodes": [
"node_modules/react-dev-utils"
],
"fixAvailable": true
},
"react-syntax-highlighter": {
"name": "react-syntax-highlighter",
"severity": "moderate",
"isDirect": false,
"via": [
"refractor"
],
"effects": [
"@storybook/components"
],
"range": "6.0.0 - 15.6.6",
"nodes": [
"node_modules/react-syntax-highlighter"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"readdirp": {
"name": "readdirp",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar"
],
"range": "2.2.0 - 2.2.1",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/readdirp"
],
"fixAvailable": true
},
"recursive-readdir": {
"name": "recursive-readdir",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"react-dev-utils"
],
"range": "1.2.0 - 2.2.2",
"nodes": [
"node_modules/recursive-readdir"
],
"fixAvailable": true
},
"refractor": {
"name": "refractor",
"severity": "moderate",
"isDirect": false,
"via": [
"prismjs"
],
"effects": [
"react-syntax-highlighter"
],
"range": "<=4.6.0",
"nodes": [
"node_modules/refractor"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"tough-cookie"
],
"effects": [
"jsdom",
"less",
"request-promise-core",
"request-promise-native"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"request-promise-core": {
"name": "request-promise-core",
"severity": "moderate",
"isDirect": false,
"via": [
"request"
],
"effects": [
"request-promise-native"
],
"range": "*",
"nodes": [
"node_modules/request-promise-core"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"request-promise-native": {
"name": "request-promise-native",
"severity": "moderate",
"isDirect": false,
"via": [
"request",
"request-promise-core",
"tough-cookie"
],
"effects": [
"jsdom"
],
"range": ">=1.0.0",
"nodes": [
"node_modules/request-promise-native"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"sane": {
"name": "sane",
"severity": "moderate",
"isDirect": false,
"via": [
"anymatch",
"micromatch"
],
"effects": [
"qunit"
],
"range": "1.5.0 - 4.1.0",
"nodes": [
"node_modules/sane"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"semver": {
"name": "semver",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1101088,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.5.2"
},
{
"source": 1101089,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<5.7.2"
},
{
"source": 1101090,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.3.1"
}
],
"effects": [
"core-js-compat",
"eslint-plugin-compat"
],
"range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
"nodes": [
"node_modules/@babel/helper-compilation-targets/node_modules/semver",
"node_modules/@npmcli/fs/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/semver",
"node_modules/@storybook/core-server/node_modules/semver",
"node_modules/@stylelint/postcss-css-in-js/node_modules/semver",
"node_modules/@wikimedia/mw-node-qunit/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs2/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs3/node_modules/semver",
"node_modules/babel-plugin-polyfill-regenerator/node_modules/semver",
"node_modules/core-js-compat/node_modules/semver",
"node_modules/css-loader/node_modules/semver",
"node_modules/eslint-plugin-compat/node_modules/semver",
"node_modules/eslint-plugin-jsdoc/node_modules/semver",
"node_modules/eslint-plugin-mediawiki/node_modules/semver",
"node_modules/eslint-plugin-node/node_modules/semver",
"node_modules/eslint-plugin-unicorn/node_modules/semver",
"node_modules/eslint-plugin-vue/node_modules/semver",
"node_modules/eslint-template-visitor/node_modules/semver",
"node_modules/eslint/node_modules/semver",
"node_modules/fork-ts-checker-webpack-plugin/node_modules/semver",
"node_modules/istanbul-lib-instrument/node_modules/semver",
"node_modules/make-dir/node_modules/semver",
"node_modules/meow/node_modules/semver",
"node_modules/nyc/node_modules/semver",
"node_modules/postcss-loader/node_modules/semver",
"node_modules/semver",
"node_modules/vue-eslint-parser/node_modules/semver"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"send": {
"name": "send",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109556,
"name": "send",
"dependency": "send",
"title": "send vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<0.19.0"
}
],
"effects": [
"express",
"serve-static"
],
"range": "<0.19.0",
"nodes": [
"node_modules/send"
],
"fixAvailable": true
},
"serve-static": {
"name": "serve-static",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1100528,
"name": "serve-static",
"dependency": "serve-static",
"title": "serve-static vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-cm22-4g7w-348p",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<1.16.0"
},
"send"
],
"effects": [],
"range": "<=1.16.0",
"nodes": [
"node_modules/serve-static"
],
"fixAvailable": true
},
"sha.js": {
"name": "sha.js",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109535,
"name": "sha.js",
"dependency": "sha.js",
"title": "sha.js is missing type checks leading to hash rewind and passing on crafted data",
"url": "https://github.com/advisories/GHSA-95m3-7q98-8xr5",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": "<=2.4.11"
}
],
"effects": [],
"range": "<=2.4.11",
"nodes": [
"node_modules/sha.js"
],
"fixAvailable": true
},
"shell-quote": {
"name": "shell-quote",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1107366,
"name": "shell-quote",
"dependency": "shell-quote",
"title": "Improper Neutralization of Special Elements used in a Command in Shell-quote",
"url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7",
"severity": "critical",
"cwe": [
"CWE-77"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.6.3 <=1.7.2"
}
],
"effects": [
"react-dev-utils"
],
"range": "1.6.3 - 1.7.2",
"nodes": [
"node_modules/shell-quote"
],
"fixAvailable": true
},
"simple-get": {
"name": "simple-get",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090445,
"name": "simple-get",
"dependency": "simple-get",
"title": "Exposure of Sensitive Information in simple-get",
"url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.1"
}
],
"effects": [],
"range": "3.0.0 - 3.1.0",
"nodes": [
"node_modules/simple-get"
],
"fixAvailable": true
},
"store2": {
"name": "store2",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1101527,
"name": "store2",
"dependency": "store2",
"title": "Cross Site Scripting vulnerability in store2",
"url": "https://github.com/advisories/GHSA-w5hq-hm5m-4548",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<2.14.4"
}
],
"effects": [],
"range": "<2.14.4",
"nodes": [
"node_modules/store2"
],
"fixAvailable": true
},
"stylelint": {
"name": "stylelint",
"severity": "moderate",
"isDirect": false,
"via": [
"autoprefixer",
"postcss",
"postcss-less",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"sugarss"
],
"effects": [
"stylelint-config-wikimedia"
],
"range": "0.1.0 - 13.13.1",
"nodes": [
"node_modules/stylelint"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"stylelint-config-wikimedia": {
"name": "stylelint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"stylelint"
],
"effects": [],
"range": "<=0.11.1",
"nodes": [
"node_modules/stylelint-config-wikimedia"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"sugarss": {
"name": "sugarss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/sugarss"
],
"fixAvailable": true
},
"taffydb": {
"name": "taffydb",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1089386,
"name": "taffydb",
"dependency": "taffydb",
"title": "TaffyDB can allow access to any data items in the DB",
"url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-668"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=2.7.3"
}
],
"effects": [
"jsdoc"
],
"range": "*",
"nodes": [
"node_modules/taffydb"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"tar": {
"name": "tar",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
}
],
"effects": [],
"range": "<6.2.1",
"nodes": [
"node_modules/tar"
],
"fixAvailable": true
},
"tar-fs": {
"name": "tar-fs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1109532,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball",
"url": "https://github.com/advisories/GHSA-vj76-c3g6-qr5v",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-61"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=2.0.0 <2.1.4"
},
{
"source": 1109543,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs can extract outside the specified dir with a specific tarball",
"url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=2.0.0 <2.1.3"
},
{
"source": 1109552,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
"url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.0.0 <2.1.2"
}
],
"effects": [],
"range": "2.0.0 - 2.1.3",
"nodes": [
"node_modules/tar-fs"
],
"fixAvailable": true
},
"terser": {
"name": "terser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091691,
"name": "terser",
"dependency": "terser",
"title": "Terser insecure use of regular expressions leads to ReDoS",
"url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.8.1"
}
],
"effects": [],
"range": "<4.8.1",
"nodes": [
"node_modules/terser"
],
"fixAvailable": true
},
"terser-webpack-plugin": {
"name": "terser-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"webpack"
],
"range": "<=2.2.1",
"nodes": [
"node_modules/webpack/node_modules/terser-webpack-plugin"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"tmp": {
"name": "tmp",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109537,
"name": "tmp",
"dependency": "tmp",
"title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
"url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
"severity": "low",
"cwe": [
"CWE-59"
],
"cvss": {
"score": 2.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.2.3"
}
],
"effects": [
"external-editor"
],
"range": "<=0.2.3",
"nodes": [
"node_modules/external-editor/node_modules/tmp"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"jsdom",
"request",
"request-promise-native"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"watchpack": {
"name": "watchpack",
"severity": "high",
"isDirect": false,
"via": [
"watchpack-chokidar2"
],
"effects": [],
"range": "1.7.2 - 1.7.5",
"nodes": [
"node_modules/watchpack"
],
"fixAvailable": true
},
"watchpack-chokidar2": {
"name": "watchpack-chokidar2",
"severity": "high",
"isDirect": false,
"via": [
"chokidar"
],
"effects": [
"watchpack"
],
"range": "*",
"nodes": [
"node_modules/watchpack-chokidar2"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "moderate",
"isDirect": true,
"via": [
"micromatch",
"terser-webpack-plugin"
],
"effects": [
"@storybook/core-common",
"@storybook/core-server",
"terser-webpack-plugin",
"webpack-cli"
],
"range": "4.0.0-alpha.0 - 5.0.0-rc.6",
"nodes": [
"node_modules/webpack"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"webpack-cli": {
"name": "webpack-cli",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn",
"findup-sync",
"loader-utils",
"webpack"
],
"effects": [],
"range": "<=0.0.8-development || 1.3.0 - 2.0.9 || 2.0.11 - 4.0.0-rc.1",
"nodes": [
"node_modules/webpack-cli"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"webpack-dev-middleware": {
"name": "webpack-dev-middleware",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096729,
"name": "webpack-dev-middleware",
"dependency": "webpack-dev-middleware",
"title": "Path traversal in webpack-dev-middleware",
"url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
},
"range": "<=5.3.3"
}
],
"effects": [
"@storybook/core-server"
],
"range": "<=5.3.3",
"nodes": [
"node_modules/webpack-dev-middleware"
],
"fixAvailable": true
},
"word-wrap": {
"name": "word-wrap",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102444,
"name": "word-wrap",
"dependency": "word-wrap",
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<1.2.4"
}
],
"effects": [],
"range": "<1.2.4",
"nodes": [
"node_modules/word-wrap"
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098394,
"name": "ws",
"dependency": "ws",
"title": "ws affected by a DoS when handling a request with many HTTP headers",
"url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q",
"severity": "high",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.2.3"
}
],
"effects": [],
"range": "6.0.0 - 6.2.2",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 9,
"moderate": 50,
"high": 41,
"critical": 14,
"total": 114
},
"dependencies": {
"prod": 2,
"dev": 2059,
"optional": 31,
"peer": 1,
"peerOptional": 0,
"total": 2060
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 36 installs, 0 updates, 0 removals
- Locking composer/pcre (1.0.1)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.9)
- Locking composer/xdebug-handler (2.0.5)
- Locking doctrine/deprecations (1.1.5)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking mediawiki/mediawiki-codesniffer (v38.0.0)
- Locking mediawiki/mediawiki-phan-config (0.11.1)
- Locking mediawiki/minus-x (1.1.1)
- Locking mediawiki/phan-taint-check-plugin (3.3.2)
- Locking microsoft/tolerant-php-parser (v0.1.2)
- Locking netresearch/jsonmapper (v4.5.0)
- Locking phan/phan (5.2.0)
- Locking php-parallel-lint/php-console-color (v0.3)
- Locking php-parallel-lint/php-console-highlighter (v0.5)
- Locking php-parallel-lint/php-parallel-lint (v1.3.1)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.6.5)
- Locking phpdocumentor/type-resolver (1.12.0)
- Locking phpstan/phpdoc-parser (2.3.0)
- Locking psr/container (2.0.2)
- Locking psr/log (2.0.0)
- Locking sabre/event (5.1.7)
- Locking squizlabs/php_codesniffer (3.6.1)
- Locking symfony/console (v5.4.47)
- Locking symfony/deprecation-contracts (v3.6.0)
- Locking symfony/polyfill-ctype (v1.33.0)
- Locking symfony/polyfill-intl-grapheme (v1.33.0)
- Locking symfony/polyfill-intl-normalizer (v1.33.0)
- Locking symfony/polyfill-mbstring (v1.33.0)
- Locking symfony/polyfill-php73 (v1.33.0)
- Locking symfony/polyfill-php80 (v1.33.0)
- Locking symfony/service-contracts (v3.6.1)
- Locking symfony/string (v6.4.26)
- Locking tysonandre/var_representation_polyfill (0.1.3)
- Locking webmozart/assert (1.12.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 36 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing composer/pcre (1.0.1): Extracting archive
- Installing squizlabs/php_codesniffer (3.6.1): Extracting archive
- Installing symfony/polyfill-mbstring (v1.33.0): Extracting archive
- Installing composer/spdx-licenses (1.5.9): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v38.0.0): Extracting archive
- Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
- Installing symfony/polyfill-php80 (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.33.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.33.0): Extracting archive
- Installing symfony/string (v6.4.26): Extracting archive
- Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.6.1): Extracting archive
- Installing symfony/polyfill-php73 (v1.33.0): Extracting archive
- Installing symfony/console (v5.4.47): Extracting archive
- Installing sabre/event (5.1.7): Extracting archive
- Installing netresearch/jsonmapper (v4.5.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
- Installing webmozart/assert (1.12.1): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.0): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.5): Extracting archive
- Installing phpdocumentor/type-resolver (1.12.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.6.5): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (2.0.0): Extracting archive
- Installing composer/xdebug-handler (2.0.5): Extracting archive
- Installing phan/phan (5.2.0): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (3.3.2): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.11.1): Extracting archive
- Installing mediawiki/minus-x (1.1.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v0.3): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.3.1): Extracting archive
0/36 [>---------------------------] 0%
18/36 [==============>-------------] 50%
35/36 [===========================>] 97%
36/36 [============================] 100%
3 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
15 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/helpers": {
"name": "@babel/helpers",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1104001,
"name": "@babel/helpers",
"dependency": "@babel/helpers",
"title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
"url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.26.10"
}
],
"effects": [],
"range": "<7.26.10",
"nodes": [
"node_modules/@babel/helpers"
],
"fixAvailable": true
},
"@babel/runtime": {
"name": "@babel/runtime",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1104000,
"name": "@babel/runtime",
"dependency": "@babel/runtime",
"title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
"url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.26.10"
}
],
"effects": [],
"range": "<7.26.10",
"nodes": [
"node_modules/@babel/runtime"
],
"fixAvailable": true
},
"@babel/traverse": {
"name": "@babel/traverse",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096886,
"name": "@babel/traverse",
"dependency": "@babel/traverse",
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
"severity": "critical",
"cwe": [
"CWE-184",
"CWE-697"
],
"cvss": {
"score": 9.4,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"range": "<7.23.2"
}
],
"effects": [],
"range": "<7.23.2",
"nodes": [
"node_modules/@babel/traverse"
],
"fixAvailable": true
},
"@storybook/addon-actions": {
"name": "@storybook/addon-actions",
"severity": "moderate",
"isDirect": true,
"via": [
"@storybook/components"
],
"effects": [],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/addon-actions"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"@storybook/builder-webpack4": {
"name": "@storybook/builder-webpack4",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/components",
"@storybook/core-common",
"@storybook/ui",
"autoprefixer",
"css-loader",
"fork-ts-checker-webpack-plugin",
"postcss",
"postcss-flexbugs-fixes",
"react-dev-utils",
"webpack",
"webpack-dev-middleware"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@storybook/builder-webpack4"
],
"fixAvailable": true
},
"@storybook/components": {
"name": "@storybook/components",
"severity": "moderate",
"isDirect": false,
"via": [
"react-syntax-highlighter"
],
"effects": [
"@storybook/addon-actions",
"@storybook/builder-webpack4",
"@storybook/ui"
],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/components"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"@storybook/core": {
"name": "@storybook/core",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/core-client",
"@storybook/core-server"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core"
],
"fixAvailable": true
},
"@storybook/core-client": {
"name": "@storybook/core-client",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/ui"
],
"effects": [
"@storybook/core",
"@storybook/core-server"
],
"range": "<=6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/core-client"
],
"fixAvailable": true
},
"@storybook/core-common": {
"name": "@storybook/core-common",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"@storybook/html"
],
"range": "<=6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core-common"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "10.1.4",
"isSemVerMajor": true
}
},
"@storybook/core-server": {
"name": "@storybook/core-server",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/builder-webpack4",
"@storybook/core-client",
"@storybook/core-common",
"@storybook/ui",
"cpy",
"css-loader",
"ip",
"webpack",
"webpack-dev-middleware"
],
"effects": [
"@storybook/core"
],
"range": "<=7.6.19 || 8.0.0-alpha.0 - 8.1.5 || 8.2.0-alpha.0 - 8.2.0-beta.3",
"nodes": [
"node_modules/@storybook/core-server"
],
"fixAvailable": true
},
"@storybook/html": {
"name": "@storybook/html",
"severity": "high",
"isDirect": true,
"via": [
"@storybook/core",
"@storybook/core-common"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/html"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "10.1.4",
"isSemVerMajor": true
}
},
"@storybook/ui": {
"name": "@storybook/ui",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/components",
"markdown-to-jsx"
],
"effects": [
"@storybook/builder-webpack4",
"@storybook/core-client"
],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/ui"
],
"fixAvailable": true
},
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint-config-wikimedia",
"jsdom",
"qunit"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"ansi-regex": {
"name": "ansi-regex",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094091,
"name": "ansi-regex",
"dependency": "ansi-regex",
"title": "Inefficient Regular Expression Complexity in chalk/ansi-regex",
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
"severity": "high",
"cwe": [
"CWE-697",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [],
"range": "4.0.0 - 4.1.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex",
"node_modules/webpack-cli/node_modules/ansi-regex"
],
"fixAvailable": true
},
"anymatch": {
"name": "anymatch",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar",
"sane"
],
"range": "1.2.0 - 2.0.0",
"nodes": [
"node_modules/sane/node_modules/anymatch",
"node_modules/watchpack-chokidar2/node_modules/anymatch"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"autoprefixer": {
"name": "autoprefixer",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "1.0.20131222 - 9.8.8",
"nodes": [
"node_modules/autoprefixer"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1108262,
"name": "axios",
"dependency": "axios",
"title": "Axios is vulnerable to DoS attack through lack of data size check",
"url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj",
"severity": "high",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.30.2"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
}
],
"effects": [
"bundlesize",
"github-build"
],
"range": "<=0.30.1",
"nodes": [
"node_modules/axios",
"node_modules/github-build/node_modules/axios"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"body-parser": {
"name": "body-parser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1099520,
"name": "body-parser",
"dependency": "body-parser",
"title": "body-parser vulnerable to denial of service when url encoding is enabled",
"url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7",
"severity": "high",
"cwe": [
"CWE-405"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.20.3"
},
"qs"
],
"effects": [
"express"
],
"range": "<=1.20.2",
"nodes": [
"node_modules/body-parser"
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1105443,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <=1.1.11"
}
],
"effects": [],
"range": "1.0.0 - 1.1.11",
"nodes": [
"node_modules/brace-expansion"
],
"fixAvailable": true
},
"braces": {
"name": "braces",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098094,
"name": "braces",
"dependency": "braces",
"title": "Uncontrolled resource consumption in braces",
"url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1050"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.3"
}
],
"effects": [
"chokidar",
"micromatch"
],
"range": "<3.0.3",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/braces",
"node_modules/braces",
"node_modules/fast-glob/node_modules/braces",
"node_modules/findup-sync/node_modules/braces",
"node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces",
"node_modules/sane/node_modules/braces",
"node_modules/watchpack-chokidar2/node_modules/braces",
"node_modules/webpack-cli/node_modules/braces",
"node_modules/webpack/node_modules/braces"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"browserify-sign": {
"name": "browserify-sign",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1102445,
"name": "browserify-sign",
"dependency": "browserify-sign",
"title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
"url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.6.0 <=4.2.1"
}
],
"effects": [],
"range": "2.6.0 - 4.2.1",
"nodes": [
"node_modules/browserify-sign"
],
"fixAvailable": true
},
"browserslist": {
"name": "browserslist",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1093035,
"name": "browserslist",
"dependency": "browserslist",
"title": "Regular Expression Denial of Service in browserslist",
"url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=4.0.0 <4.16.5"
}
],
"effects": [
"react-dev-utils"
],
"range": "4.0.0 - 4.16.4",
"nodes": [
"node_modules/react-dev-utils/node_modules/browserslist"
],
"fixAvailable": true
},
"bundlesize": {
"name": "bundlesize",
"severity": "high",
"isDirect": true,
"via": [
"axios"
],
"effects": [],
"range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1",
"nodes": [
"node_modules/bundlesize"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"chokidar": {
"name": "chokidar",
"severity": "high",
"isDirect": false,
"via": [
"anymatch",
"braces",
"readdirp"
],
"effects": [
"watchpack-chokidar2"
],
"range": "1.3.0 - 2.1.8",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/chokidar"
],
"fixAvailable": true
},
"cipher-base": {
"name": "cipher-base",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109536,
"name": "cipher-base",
"dependency": "cipher-base",
"title": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data",
"url": "https://github.com/advisories/GHSA-cpq7-6gpm-g9rc",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": "<=1.0.4"
}
],
"effects": [],
"range": "<=1.0.4",
"nodes": [
"node_modules/cipher-base"
],
"fixAvailable": true
},
"cookie": {
"name": "cookie",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1103907,
"name": "cookie",
"dependency": "cookie",
"title": "cookie accepts cookie name, path, and domain with out of bounds characters",
"url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
"severity": "low",
"cwe": [
"CWE-74"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.7.0"
}
],
"effects": [
"express"
],
"range": "<0.7.0",
"nodes": [
"node_modules/cookie"
],
"fixAvailable": true
},
"core-js-compat": {
"name": "core-js-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [],
"range": "3.6.0 - 3.25.0",
"nodes": [
"node_modules/core-js-compat"
],
"fixAvailable": true
},
"cpy": {
"name": "cpy",
"severity": "moderate",
"isDirect": false,
"via": [
"globby"
],
"effects": [
"@storybook/core-server"
],
"range": "7.0.0 - 8.1.2",
"nodes": [
"node_modules/cpy"
],
"fixAvailable": true
},
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
},
{
"source": 1104664,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.0.5"
}
],
"effects": [
"pre-commit",
"react-dev-utils",
"webpack-cli"
],
"range": "<6.0.6 || >=7.0.0 <7.0.5",
"nodes": [
"node_modules/cross-spawn",
"node_modules/eslint/node_modules/cross-spawn",
"node_modules/foreground-child/node_modules/cross-spawn",
"node_modules/istanbul-lib-processinfo/node_modules/cross-spawn",
"node_modules/pre-commit/node_modules/cross-spawn",
"node_modules/react-dev-utils/node_modules/cross-spawn"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"css-loader": {
"name": "css-loader",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values"
],
"effects": [],
"range": "0.15.0 - 4.3.0",
"nodes": [
"node_modules/css-loader"
],
"fixAvailable": true
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094087,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "high",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
"node_modules/decode-uri-component"
],
"fixAvailable": true
},
"elliptic": {
"name": "elliptic",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1102901,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)",
"url": "https://github.com/advisories/GHSA-vjh7-7g9h-fjfh",
"severity": "critical",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=6.6.0"
},
{
"source": 1109566,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's EDDSA missing signature length check",
"url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=4.0.0 <=6.5.6"
},
{
"source": 1109567,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero",
"url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw",
"severity": "low",
"cwe": [
"CWE-130"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=2.0.0 <=6.5.6"
},
{
"source": 1109568,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic allows BER-encoded signatures",
"url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=5.2.1 <=6.5.6"
},
{
"source": 1111036,
"name": "elliptic",
"dependency": "elliptic",
"title": "Valid ECDSA signatures erroneously rejected in Elliptic",
"url": "https://github.com/advisories/GHSA-fc9h-whq2-v747",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<6.6.0"
},
{
"source": 1111037,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's verify function omits uniqueness validation",
"url": "https://github.com/advisories/GHSA-434g-2637-qmqr",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<6.5.6"
}
],
"effects": [],
"range": "<=6.6.0",
"nodes": [
"node_modules/elliptic"
],
"fixAvailable": true
},
"eslint": {
"name": "eslint",
"severity": "low",
"isDirect": false,
"via": [
"inquirer"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "4.0.0-alpha.0 - 7.2.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/eslint"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "high",
"isDirect": true,
"via": [
"eslint",
"eslint-plugin-compat"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.18.0 - 0.21.0 || 0.9.0 - 0.15.3",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/eslint-config-wikimedia",
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"eslint-plugin-compat": {
"name": "eslint-plugin-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "3.6.0-0 - 4.1.4",
"nodes": [
"node_modules/eslint-plugin-compat"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"express": {
"name": "express",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096820,
"name": "express",
"dependency": "express",
"title": "Express.js Open Redirect in malformed URLs",
"url": "https://github.com/advisories/GHSA-rv95-896h-c2vc",
"severity": "moderate",
"cwe": [
"CWE-601",
"CWE-1286"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<4.19.2"
},
{
"source": 1100530,
"name": "express",
"dependency": "express",
"title": "express vulnerable to XSS via response.redirect()",
"url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<4.20.0"
},
"body-parser",
"cookie",
"path-to-regexp",
"qs",
"send",
"serve-static"
],
"effects": [],
"range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0",
"nodes": [
"node_modules/express"
],
"fixAvailable": true
},
"external-editor": {
"name": "external-editor",
"severity": "low",
"isDirect": false,
"via": [
"tmp"
],
"effects": [
"inquirer"
],
"range": ">=1.1.1",
"nodes": [
"node_modules/external-editor"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"fast-glob": {
"name": "fast-glob",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"globby"
],
"range": "<=2.2.7",
"nodes": [
"node_modules/fast-glob"
],
"fixAvailable": true
},
"findup-sync": {
"name": "findup-sync",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"qunit",
"webpack-cli"
],
"range": "0.4.0 - 3.0.0",
"nodes": [
"node_modules/findup-sync",
"node_modules/webpack-cli/node_modules/findup-sync"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"follow-redirects": {
"name": "follow-redirects",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1092623,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects",
"url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-212"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<1.14.8"
},
{
"source": 1096856,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "follow-redirects' Proxy-Authorization header kept across hosts",
"url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=1.15.5"
},
{
"source": 1102323,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of sensitive information in follow-redirects",
"url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q",
"severity": "high",
"cwe": [
"CWE-359"
],
"cvss": {
"score": 8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
},
"range": "<1.14.7"
},
{
"source": 1109569,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Follow Redirects improperly handles URLs in the url.parse() function",
"url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc",
"severity": "moderate",
"cwe": [
"CWE-20",
"CWE-601"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<1.15.4"
}
],
"effects": [],
"range": "<=1.15.5",
"nodes": [
"node_modules/follow-redirects"
],
"fixAvailable": true
},
"fork-ts-checker-webpack-plugin": {
"name": "fork-ts-checker-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"react-dev-utils"
],
"range": "0.4.14 - 4.1.6",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin",
"node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin"
],
"fixAvailable": true
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109539,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=3.0.0 <3.0.4"
},
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": ">=3.0.0 <3.0.4 || <2.5.4",
"nodes": [
"node_modules/form-data",
"node_modules/request/node_modules/form-data"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"github-build": {
"name": "github-build",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [],
"range": "<=1.2.3",
"nodes": [
"node_modules/github-build"
],
"fixAvailable": true
},
"globby": {
"name": "globby",
"severity": "moderate",
"isDirect": false,
"via": [
"fast-glob"
],
"effects": [
"cpy"
],
"range": "8.0.0 - 9.2.0",
"nodes": [
"node_modules/globby"
],
"fixAvailable": true
},
"icss-utils": {
"name": "icss-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"css-loader",
"postcss-modules-local-by-default",
"postcss-modules-values"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/icss-utils"
],
"fixAvailable": true
},
"immer": {
"name": "immer",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097196,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx",
"severity": "high",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <9.0.6"
},
{
"source": 1097209,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-33f9-j839-rf8h",
"severity": "critical",
"cwe": [
"CWE-843",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=7.0.0 <9.0.6"
}
],
"effects": [],
"range": "7.0.0 - 9.0.5",
"nodes": [
"node_modules/immer"
],
"fixAvailable": true
},
"inquirer": {
"name": "inquirer",
"severity": "low",
"isDirect": false,
"via": [
"external-editor"
],
"effects": [
"eslint"
],
"range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/inquirer"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"ip": {
"name": "ip",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097720,
"name": "ip",
"dependency": "ip",
"title": "NPM IP package incorrectly identifies some private IP addresses as public",
"url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<1.1.9"
},
{
"source": 1101851,
"name": "ip",
"dependency": "ip",
"title": "ip SSRF improper categorization in isPublic",
"url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=2.0.1"
}
],
"effects": [
"@storybook/core-server"
],
"range": "*",
"nodes": [
"node_modules/ip"
],
"fixAvailable": true
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109801,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.14.2"
}
],
"effects": [],
"range": "<3.14.2",
"nodes": [
"node_modules/js-yaml"
],
"fixAvailable": true
},
"jsdoc": {
"name": "jsdoc",
"severity": "high",
"isDirect": true,
"via": [
"markdown-it",
"marked",
"taffydb"
],
"effects": [],
"range": "3.2.0-dev - 3.6.11",
"nodes": [
"node_modules/jsdoc"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": true,
"via": [
"request",
"request-promise-native",
"tough-cookie"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.1.20 || 0.2.0 - 16.5.3",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"json-schema": {
"name": "json-schema",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1101855,
"name": "json-schema",
"dependency": "json-schema",
"title": "json-schema is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-896r-f27r-55mw",
"severity": "critical",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<0.4.0"
}
],
"effects": [
"jsprim"
],
"range": "<0.4.0",
"nodes": [
"node_modules/json-schema"
],
"fixAvailable": true
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096543,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1096544,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"node_modules/json5",
"node_modules/loader-utils/node_modules/json5",
"node_modules/webpack-cli/node_modules/json5"
],
"fixAvailable": true
},
"jsprim": {
"name": "jsprim",
"severity": "critical",
"isDirect": false,
"via": [
"json-schema"
],
"effects": [],
"range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1",
"nodes": [
"node_modules/jsprim"
],
"fixAvailable": true
},
"less": {
"name": "less",
"severity": "moderate",
"isDirect": true,
"via": [
"request"
],
"effects": [],
"range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3",
"nodes": [
"node_modules/less"
],
"fixAvailable": {
"name": "less",
"version": "3.13.1",
"isSemVerMajor": false
}
},
"loader-utils": {
"name": "loader-utils",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1094088,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.4.1"
},
{
"source": 1094089,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1095054,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1095055,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
},
{
"source": 1109587,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1109588,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
}
],
"effects": [
"react-dev-utils",
"webpack-cli"
],
"range": "<=1.4.1 || 2.0.0 - 2.0.3",
"nodes": [
"node_modules/file-loader/node_modules/loader-utils",
"node_modules/html-loader/node_modules/loader-utils",
"node_modules/loader-utils",
"node_modules/postcss-loader/node_modules/loader-utils",
"node_modules/raw-loader/node_modules/loader-utils",
"node_modules/react-dev-utils/node_modules/loader-utils",
"node_modules/style-loader/node_modules/loader-utils",
"node_modules/url-loader/node_modules/loader-utils",
"node_modules/webpack-cli/node_modules/loader-utils"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"markdown-it": {
"name": "markdown-it",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1092663,
"name": "markdown-it",
"dependency": "markdown-it",
"title": "Uncontrolled Resource Consumption in markdown-it",
"url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<12.3.2"
}
],
"effects": [
"jsdoc"
],
"range": "<12.3.2",
"nodes": [
"node_modules/markdown-it"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"markdown-to-jsx": {
"name": "markdown-to-jsx",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1100074,
"name": "markdown-to-jsx",
"dependency": "markdown-to-jsx",
"title": "Cross site scripting in markdown-to-jsx",
"url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<7.4.0"
}
],
"effects": [
"@storybook/ui"
],
"range": "<7.4.0",
"nodes": [
"node_modules/@storybook/ui/node_modules/markdown-to-jsx",
"node_modules/markdown-to-jsx"
],
"fixAvailable": true
},
"marked": {
"name": "marked",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095051,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
},
{
"source": 1095052,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
}
],
"effects": [
"jsdoc"
],
"range": "<=4.0.9",
"nodes": [
"node_modules/marked"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"micromatch": {
"name": "micromatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098681,
"name": "micromatch",
"dependency": "micromatch",
"title": "Regular Expression Denial of Service (ReDoS) in micromatch",
"url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<4.0.8"
},
"braces"
],
"effects": [
"anymatch",
"fast-glob",
"findup-sync",
"fork-ts-checker-webpack-plugin",
"readdirp",
"sane",
"webpack"
],
"range": "<=4.0.7",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/micromatch",
"node_modules/fast-glob/node_modules/micromatch",
"node_modules/findup-sync/node_modules/micromatch",
"node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/fast-glob/node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/micromatch",
"node_modules/sane/node_modules/micromatch",
"node_modules/watchpack-chokidar2/node_modules/micromatch",
"node_modules/webpack-cli/node_modules/micromatch",
"node_modules/webpack/node_modules/micromatch"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"min-document": {
"name": "min-document",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109626,
"name": "min-document",
"dependency": "min-document",
"title": "min-document vulnerable to prototype pollution",
"url": "https://github.com/advisories/GHSA-rx8g-88g5-qh64",
"severity": "low",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=2.19.0"
}
],
"effects": [],
"range": "<=2.19.0",
"nodes": [
"node_modules/min-document"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"recursive-readdir"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097678,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
"node_modules/minimist"
],
"fixAvailable": true
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109563,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
},
{
"source": 1109578,
"name": "nanoid",
"dependency": "nanoid",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
"url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-704"
],
"cvss": {
"score": 5.5,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.31"
}
],
"effects": [],
"range": "<=3.3.7",
"nodes": [
"node_modules/doiuse/node_modules/nanoid",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid"
],
"fixAvailable": true
},
"node-fetch": {
"name": "node-fetch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095073,
"name": "node-fetch",
"dependency": "node-fetch",
"title": "node-fetch forwards secure headers to untrusted sites",
"url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
"severity": "high",
"cwe": [
"CWE-173",
"CWE-200",
"CWE-601"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<2.6.7"
}
],
"effects": [],
"range": "<2.6.7",
"nodes": [
"node_modules/node-fetch"
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1101849,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=0.2.0 <1.9.0"
},
{
"source": 1101850,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.10"
},
{
"source": 1105199,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp contains a ReDoS",
"url": "https://github.com/advisories/GHSA-rhx6-c78j-4q9w",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.12"
}
],
"effects": [
"express"
],
"range": "<=0.1.11 || 0.2.0 - 1.8.0",
"nodes": [
"node_modules/nise/node_modules/path-to-regexp",
"node_modules/path-to-regexp"
],
"fixAvailable": true
},
"pbkdf2": {
"name": "pbkdf2",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1105691,
"name": "pbkdf2",
"dependency": "pbkdf2",
"title": "pbkdf2 silently disregards Uint8Array input, returning static keys",
"url": "https://github.com/advisories/GHSA-v62p-rq8g-8h59",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.1.2"
},
{
"source": 1105692,
"name": "pbkdf2",
"dependency": "pbkdf2",
"title": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos",
"url": "https://github.com/advisories/GHSA-h7cp-r72f-jxh6",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=3.0.10 <=3.1.2"
}
],
"effects": [],
"range": "<=3.1.2",
"nodes": [
"node_modules/pbkdf2"
],
"fixAvailable": true
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109574,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS line return parsing error",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-144"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<8.4.31"
}
],
"effects": [
"@storybook/builder-webpack4",
"autoprefixer",
"css-loader",
"icss-utils",
"postcss-flexbugs-fixes",
"postcss-less",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"stylelint",
"sugarss"
],
"range": "<8.4.31",
"nodes": [
"node_modules/doiuse/node_modules/postcss",
"node_modules/postcss",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-flexbugs-fixes": {
"name": "postcss-flexbugs-fixes",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=4.2.1",
"nodes": [
"node_modules/postcss-flexbugs-fixes"
],
"fixAvailable": true
},
"postcss-less": {
"name": "postcss-less",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=3.1.4",
"nodes": [
"node_modules/postcss-less"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-modules-extract-imports": {
"name": "postcss-modules-extract-imports",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/postcss-modules-extract-imports"
],
"fixAvailable": true
},
"postcss-modules-local-by-default": {
"name": "postcss-modules-local-by-default",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [],
"range": "<=4.0.0-rc.4",
"nodes": [
"node_modules/postcss-modules-local-by-default"
],
"fixAvailable": true
},
"postcss-modules-scope": {
"name": "postcss-modules-scope",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.2.0",
"nodes": [
"node_modules/postcss-modules-scope"
],
"fixAvailable": true
},
"postcss-modules-values": {
"name": "postcss-modules-values",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [
"css-loader"
],
"range": "<=4.0.0-rc.5",
"nodes": [
"node_modules/postcss-modules-values"
],
"fixAvailable": true
},
"postcss-safe-parser": {
"name": "postcss-safe-parser",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=4.0.2",
"nodes": [
"node_modules/postcss-safe-parser"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-sass": {
"name": "postcss-sass",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=0.4.4",
"nodes": [
"node_modules/postcss-sass"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-scss": {
"name": "postcss-scss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=2.1.1",
"nodes": [
"node_modules/postcss-scss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"pre-commit": {
"name": "pre-commit",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn"
],
"effects": [],
"range": ">=1.1.0",
"nodes": [
"node_modules/pre-commit"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"prismjs": {
"name": "prismjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090424,
"name": "prismjs",
"dependency": "prismjs",
"title": "Cross-site Scripting in Prism",
"url": "https://github.com/advisories/GHSA-3949-f494-cm99",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"
},
"range": ">=1.14.0 <1.27.0"
},
{
"source": 1105770,
"name": "prismjs",
"dependency": "prismjs",
"title": "PrismJS DOM Clobbering vulnerability",
"url": "https://github.com/advisories/GHSA-x7hr-w5r2-h6wg",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-94"
],
"cvss": {
"score": 4.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<1.30.0"
}
],
"effects": [
"refractor"
],
"range": "<=1.29.0",
"nodes": [
"node_modules/prismjs"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"qs": {
"name": "qs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104118,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.5.0 <6.5.3"
},
{
"source": 1104120,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.7.0 <6.7.3"
},
{
"source": 1104123,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.10.0 <6.10.3"
}
],
"effects": [
"body-parser",
"express"
],
"range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2",
"nodes": [
"node_modules/body-parser/node_modules/qs",
"node_modules/express/node_modules/qs",
"node_modules/qs",
"node_modules/request/node_modules/qs"
],
"fixAvailable": true
},
"qunit": {
"name": "qunit",
"severity": "moderate",
"isDirect": false,
"via": [
"findup-sync",
"sane"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "2.4.1 - 2.8.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"react-dev-utils": {
"name": "react-dev-utils",
"severity": "critical",
"isDirect": false,
"via": [
"browserslist",
"cross-spawn",
"fork-ts-checker-webpack-plugin",
"immer",
"loader-utils",
"recursive-readdir",
"shell-quote"
],
"effects": [
"@storybook/builder-webpack4"
],
"range": "0.5.2 - 12.0.0-next.60",
"nodes": [
"node_modules/react-dev-utils"
],
"fixAvailable": true
},
"react-syntax-highlighter": {
"name": "react-syntax-highlighter",
"severity": "moderate",
"isDirect": false,
"via": [
"refractor"
],
"effects": [
"@storybook/components"
],
"range": "6.0.0 - 15.6.6",
"nodes": [
"node_modules/react-syntax-highlighter"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"readdirp": {
"name": "readdirp",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar"
],
"range": "2.2.0 - 2.2.1",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/readdirp"
],
"fixAvailable": true
},
"recursive-readdir": {
"name": "recursive-readdir",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"react-dev-utils"
],
"range": "1.2.0 - 2.2.2",
"nodes": [
"node_modules/recursive-readdir"
],
"fixAvailable": true
},
"refractor": {
"name": "refractor",
"severity": "moderate",
"isDirect": false,
"via": [
"prismjs"
],
"effects": [
"react-syntax-highlighter"
],
"range": "<=4.6.0",
"nodes": [
"node_modules/refractor"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"tough-cookie"
],
"effects": [
"jsdom",
"less",
"request-promise-core",
"request-promise-native"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"request-promise-core": {
"name": "request-promise-core",
"severity": "moderate",
"isDirect": false,
"via": [
"request"
],
"effects": [
"request-promise-native"
],
"range": "*",
"nodes": [
"node_modules/request-promise-core"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"request-promise-native": {
"name": "request-promise-native",
"severity": "moderate",
"isDirect": false,
"via": [
"request",
"request-promise-core",
"tough-cookie"
],
"effects": [
"jsdom"
],
"range": ">=1.0.0",
"nodes": [
"node_modules/request-promise-native"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"sane": {
"name": "sane",
"severity": "moderate",
"isDirect": false,
"via": [
"anymatch",
"micromatch"
],
"effects": [
"qunit"
],
"range": "1.5.0 - 4.1.0",
"nodes": [
"node_modules/sane"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"semver": {
"name": "semver",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1101088,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.5.2"
},
{
"source": 1101089,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<5.7.2"
},
{
"source": 1101090,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.3.1"
}
],
"effects": [
"core-js-compat",
"eslint-plugin-compat"
],
"range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
"nodes": [
"node_modules/@babel/helper-compilation-targets/node_modules/semver",
"node_modules/@npmcli/fs/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/semver",
"node_modules/@storybook/core-server/node_modules/semver",
"node_modules/@stylelint/postcss-css-in-js/node_modules/semver",
"node_modules/@wikimedia/mw-node-qunit/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs2/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs3/node_modules/semver",
"node_modules/babel-plugin-polyfill-regenerator/node_modules/semver",
"node_modules/core-js-compat/node_modules/semver",
"node_modules/css-loader/node_modules/semver",
"node_modules/eslint-plugin-compat/node_modules/semver",
"node_modules/eslint-plugin-jsdoc/node_modules/semver",
"node_modules/eslint-plugin-mediawiki/node_modules/semver",
"node_modules/eslint-plugin-node/node_modules/semver",
"node_modules/eslint-plugin-unicorn/node_modules/semver",
"node_modules/eslint-plugin-vue/node_modules/semver",
"node_modules/eslint-template-visitor/node_modules/semver",
"node_modules/eslint/node_modules/semver",
"node_modules/fork-ts-checker-webpack-plugin/node_modules/semver",
"node_modules/istanbul-lib-instrument/node_modules/semver",
"node_modules/make-dir/node_modules/semver",
"node_modules/meow/node_modules/semver",
"node_modules/nyc/node_modules/semver",
"node_modules/postcss-loader/node_modules/semver",
"node_modules/semver",
"node_modules/vue-eslint-parser/node_modules/semver"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"send": {
"name": "send",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109556,
"name": "send",
"dependency": "send",
"title": "send vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<0.19.0"
}
],
"effects": [
"express",
"serve-static"
],
"range": "<0.19.0",
"nodes": [
"node_modules/send"
],
"fixAvailable": true
},
"serve-static": {
"name": "serve-static",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1100528,
"name": "serve-static",
"dependency": "serve-static",
"title": "serve-static vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-cm22-4g7w-348p",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<1.16.0"
},
"send"
],
"effects": [],
"range": "<=1.16.0",
"nodes": [
"node_modules/serve-static"
],
"fixAvailable": true
},
"sha.js": {
"name": "sha.js",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109535,
"name": "sha.js",
"dependency": "sha.js",
"title": "sha.js is missing type checks leading to hash rewind and passing on crafted data",
"url": "https://github.com/advisories/GHSA-95m3-7q98-8xr5",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": "<=2.4.11"
}
],
"effects": [],
"range": "<=2.4.11",
"nodes": [
"node_modules/sha.js"
],
"fixAvailable": true
},
"shell-quote": {
"name": "shell-quote",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1107366,
"name": "shell-quote",
"dependency": "shell-quote",
"title": "Improper Neutralization of Special Elements used in a Command in Shell-quote",
"url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7",
"severity": "critical",
"cwe": [
"CWE-77"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.6.3 <=1.7.2"
}
],
"effects": [
"react-dev-utils"
],
"range": "1.6.3 - 1.7.2",
"nodes": [
"node_modules/shell-quote"
],
"fixAvailable": true
},
"simple-get": {
"name": "simple-get",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090445,
"name": "simple-get",
"dependency": "simple-get",
"title": "Exposure of Sensitive Information in simple-get",
"url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.1"
}
],
"effects": [],
"range": "3.0.0 - 3.1.0",
"nodes": [
"node_modules/simple-get"
],
"fixAvailable": true
},
"store2": {
"name": "store2",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1101527,
"name": "store2",
"dependency": "store2",
"title": "Cross Site Scripting vulnerability in store2",
"url": "https://github.com/advisories/GHSA-w5hq-hm5m-4548",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<2.14.4"
}
],
"effects": [],
"range": "<2.14.4",
"nodes": [
"node_modules/store2"
],
"fixAvailable": true
},
"stylelint": {
"name": "stylelint",
"severity": "moderate",
"isDirect": false,
"via": [
"autoprefixer",
"postcss",
"postcss-less",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"sugarss"
],
"effects": [
"stylelint-config-wikimedia"
],
"range": "0.1.0 - 13.13.1",
"nodes": [
"node_modules/stylelint"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"stylelint-config-wikimedia": {
"name": "stylelint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"stylelint"
],
"effects": [],
"range": "<=0.11.1",
"nodes": [
"node_modules/stylelint-config-wikimedia"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"sugarss": {
"name": "sugarss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/sugarss"
],
"fixAvailable": true
},
"taffydb": {
"name": "taffydb",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1089386,
"name": "taffydb",
"dependency": "taffydb",
"title": "TaffyDB can allow access to any data items in the DB",
"url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-668"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=2.7.3"
}
],
"effects": [
"jsdoc"
],
"range": "*",
"nodes": [
"node_modules/taffydb"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"tar": {
"name": "tar",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
}
],
"effects": [],
"range": "<6.2.1",
"nodes": [
"node_modules/tar"
],
"fixAvailable": true
},
"tar-fs": {
"name": "tar-fs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1109532,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball",
"url": "https://github.com/advisories/GHSA-vj76-c3g6-qr5v",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-61"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=2.0.0 <2.1.4"
},
{
"source": 1109543,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs can extract outside the specified dir with a specific tarball",
"url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=2.0.0 <2.1.3"
},
{
"source": 1109552,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
"url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.0.0 <2.1.2"
}
],
"effects": [],
"range": "2.0.0 - 2.1.3",
"nodes": [
"node_modules/tar-fs"
],
"fixAvailable": true
},
"terser": {
"name": "terser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091691,
"name": "terser",
"dependency": "terser",
"title": "Terser insecure use of regular expressions leads to ReDoS",
"url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.8.1"
}
],
"effects": [],
"range": "<4.8.1",
"nodes": [
"node_modules/terser"
],
"fixAvailable": true
},
"terser-webpack-plugin": {
"name": "terser-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"webpack"
],
"range": "<=2.2.1",
"nodes": [
"node_modules/webpack/node_modules/terser-webpack-plugin"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"tmp": {
"name": "tmp",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109537,
"name": "tmp",
"dependency": "tmp",
"title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
"url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
"severity": "low",
"cwe": [
"CWE-59"
],
"cvss": {
"score": 2.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.2.3"
}
],
"effects": [
"external-editor"
],
"range": "<=0.2.3",
"nodes": [
"node_modules/external-editor/node_modules/tmp"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"jsdom",
"request",
"request-promise-native"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"watchpack": {
"name": "watchpack",
"severity": "high",
"isDirect": false,
"via": [
"watchpack-chokidar2"
],
"effects": [],
"range": "1.7.2 - 1.7.5",
"nodes": [
"node_modules/watchpack"
],
"fixAvailable": true
},
"watchpack-chokidar2": {
"name": "watchpack-chokidar2",
"severity": "high",
"isDirect": false,
"via": [
"chokidar"
],
"effects": [
"watchpack"
],
"range": "*",
"nodes": [
"node_modules/watchpack-chokidar2"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "moderate",
"isDirect": true,
"via": [
"micromatch",
"terser-webpack-plugin"
],
"effects": [
"@storybook/core-common",
"@storybook/core-server",
"terser-webpack-plugin",
"webpack-cli"
],
"range": "4.0.0-alpha.0 - 5.0.0-rc.6",
"nodes": [
"node_modules/webpack"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"webpack-cli": {
"name": "webpack-cli",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn",
"findup-sync",
"loader-utils",
"webpack"
],
"effects": [],
"range": "<=0.0.8-development || 1.3.0 - 2.0.9 || 2.0.11 - 4.0.0-rc.1",
"nodes": [
"node_modules/webpack-cli"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"webpack-dev-middleware": {
"name": "webpack-dev-middleware",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096729,
"name": "webpack-dev-middleware",
"dependency": "webpack-dev-middleware",
"title": "Path traversal in webpack-dev-middleware",
"url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
},
"range": "<=5.3.3"
}
],
"effects": [
"@storybook/core-server"
],
"range": "<=5.3.3",
"nodes": [
"node_modules/webpack-dev-middleware"
],
"fixAvailable": true
},
"word-wrap": {
"name": "word-wrap",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102444,
"name": "word-wrap",
"dependency": "word-wrap",
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<1.2.4"
}
],
"effects": [],
"range": "<1.2.4",
"nodes": [
"node_modules/word-wrap"
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098394,
"name": "ws",
"dependency": "ws",
"title": "ws affected by a DoS when handling a request with many HTTP headers",
"url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q",
"severity": "high",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.2.3"
}
],
"effects": [],
"range": "6.0.0 - 6.2.2",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 9,
"moderate": 50,
"high": 41,
"critical": 14,
"total": 114
},
"dependencies": {
"prod": 2,
"dev": 2059,
"optional": 31,
"peer": 1,
"peerOptional": 0,
"total": 2060
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: babel-loader@8.2.3
npm WARN Found: webpack@4.43.0
npm WARN node_modules/webpack
npm WARN dev webpack@"4.43.0" from the root project
npm WARN 24 more (@storybook/builder-webpack4, babel-loader, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/builder-webpack4/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/builder-webpack4@6.2.3
npm WARN node_modules/@storybook/builder-webpack4
npm WARN
npm WARN Conflicting peer dependency: webpack@5.103.0
npm WARN node_modules/webpack
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/builder-webpack4/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/builder-webpack4@6.2.3
npm WARN node_modules/@storybook/builder-webpack4
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: babel-loader@8.2.3
npm WARN Found: webpack@4.43.0
npm WARN node_modules/webpack
npm WARN dev webpack@"4.43.0" from the root project
npm WARN 24 more (@storybook/builder-webpack4, babel-loader, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-common/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-common@6.2.3
npm WARN node_modules/@storybook/core-common
npm WARN
npm WARN Conflicting peer dependency: webpack@5.103.0
npm WARN node_modules/webpack
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-common/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-common@6.2.3
npm WARN node_modules/@storybook/core-common
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: babel-loader@8.2.3
npm WARN Found: webpack@4.43.0
npm WARN node_modules/webpack
npm WARN dev webpack@"4.43.0" from the root project
npm WARN 24 more (@storybook/builder-webpack4, babel-loader, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-server/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-server@6.2.3
npm WARN node_modules/@storybook/core-server
npm WARN
npm WARN Conflicting peer dependency: webpack@5.103.0
npm WARN node_modules/webpack
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-server/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-server@6.2.3
npm WARN node_modules/@storybook/core-server
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.2.4
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-corejs2/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-corejs2@0.2.3
npm WARN node_modules/babel-plugin-polyfill-corejs2
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-corejs2/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-corejs2@0.2.3
npm WARN node_modules/babel-plugin-polyfill-corejs2
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.1.5
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.1.5
npm WARN node_modules/babel-plugin-polyfill-corejs3/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.1.5" from babel-plugin-polyfill-corejs3@0.1.7
npm WARN node_modules/babel-plugin-polyfill-corejs3
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.1.5
npm WARN node_modules/babel-plugin-polyfill-corejs3/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.1.5" from babel-plugin-polyfill-corejs3@0.1.7
npm WARN node_modules/babel-plugin-polyfill-corejs3
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.2.4
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-regenerator/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-regenerator@0.2.3
npm WARN node_modules/babel-plugin-polyfill-regenerator
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-regenerator/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-regenerator@0.2.3
npm WARN node_modules/babel-plugin-polyfill-regenerator
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: undefined,
npm WARN EBADENGINE required: { node: '12.22.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.12.0',
npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@37.0.3',
npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---
{
"added": 2094,
"removed": 0,
"changed": 0,
"audited": 2095,
"funding": 213,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/helpers": {
"name": "@babel/helpers",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1104001,
"name": "@babel/helpers",
"dependency": "@babel/helpers",
"title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
"url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.26.10"
}
],
"effects": [],
"range": "<7.26.10",
"nodes": [
""
],
"fixAvailable": true
},
"@babel/runtime": {
"name": "@babel/runtime",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1104000,
"name": "@babel/runtime",
"dependency": "@babel/runtime",
"title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
"url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.26.10"
}
],
"effects": [],
"range": "<7.26.10",
"nodes": [
""
],
"fixAvailable": true
},
"@babel/traverse": {
"name": "@babel/traverse",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096886,
"name": "@babel/traverse",
"dependency": "@babel/traverse",
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
"severity": "critical",
"cwe": [
"CWE-184",
"CWE-697"
],
"cvss": {
"score": 9.4,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"range": "<7.23.2"
}
],
"effects": [],
"range": "<7.23.2",
"nodes": [
""
],
"fixAvailable": true
},
"@storybook/addon-actions": {
"name": "@storybook/addon-actions",
"severity": "moderate",
"isDirect": true,
"via": [
"@storybook/components"
],
"effects": [],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/addon-actions"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"@storybook/builder-webpack4": {
"name": "@storybook/builder-webpack4",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/components",
"@storybook/core-common",
"@storybook/ui",
"autoprefixer",
"css-loader",
"fork-ts-checker-webpack-plugin",
"postcss",
"postcss-flexbugs-fixes",
"react-dev-utils",
"webpack",
"webpack-dev-middleware"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@storybook/builder-webpack4"
],
"fixAvailable": true
},
"@storybook/components": {
"name": "@storybook/components",
"severity": "moderate",
"isDirect": false,
"via": [
"react-syntax-highlighter"
],
"effects": [
"@storybook/addon-actions",
"@storybook/builder-webpack4",
"@storybook/ui"
],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/components"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"@storybook/core": {
"name": "@storybook/core",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/core-client",
"@storybook/core-server"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core"
],
"fixAvailable": true
},
"@storybook/core-client": {
"name": "@storybook/core-client",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/ui"
],
"effects": [
"@storybook/core",
"@storybook/core-server"
],
"range": "<=6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/core-client"
],
"fixAvailable": true
},
"@storybook/core-common": {
"name": "@storybook/core-common",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"@storybook/html"
],
"range": "<=6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core-common"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "10.1.4",
"isSemVerMajor": true
}
},
"@storybook/core-server": {
"name": "@storybook/core-server",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/builder-webpack4",
"@storybook/core-client",
"@storybook/core-common",
"@storybook/ui",
"cpy",
"css-loader",
"ip",
"webpack",
"webpack-dev-middleware"
],
"effects": [
"@storybook/core"
],
"range": "<=7.6.19 || 8.0.0-alpha.0 - 8.1.5 || 8.2.0-alpha.0 - 8.2.0-beta.3",
"nodes": [
"node_modules/@storybook/core-server"
],
"fixAvailable": true
},
"@storybook/html": {
"name": "@storybook/html",
"severity": "high",
"isDirect": true,
"via": [
"@storybook/core",
"@storybook/core-common"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/html"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "10.1.4",
"isSemVerMajor": true
}
},
"@storybook/ui": {
"name": "@storybook/ui",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/components",
"markdown-to-jsx"
],
"effects": [
"@storybook/builder-webpack4",
"@storybook/core-client"
],
"range": "4.2.0-alpha.1 - 6.5.9",
"nodes": [
"node_modules/@storybook/ui"
],
"fixAvailable": true
},
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint-config-wikimedia",
"jsdom",
"qunit"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"ansi-regex": {
"name": "ansi-regex",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094091,
"name": "ansi-regex",
"dependency": "ansi-regex",
"title": "Inefficient Regular Expression Complexity in chalk/ansi-regex",
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
"severity": "high",
"cwe": [
"CWE-697",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [],
"range": "4.0.0 - 4.1.0",
"nodes": [
"",
""
],
"fixAvailable": true
},
"anymatch": {
"name": "anymatch",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar",
"sane"
],
"range": "1.2.0 - 2.0.0",
"nodes": [
"node_modules/sane/node_modules/anymatch",
"node_modules/watchpack-chokidar2/node_modules/anymatch"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"autoprefixer": {
"name": "autoprefixer",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "1.0.20131222 - 9.8.8",
"nodes": [
"node_modules/autoprefixer"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1108262,
"name": "axios",
"dependency": "axios",
"title": "Axios is vulnerable to DoS attack through lack of data size check",
"url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj",
"severity": "high",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.30.2"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
}
],
"effects": [
"bundlesize",
"github-build"
],
"range": "<=0.30.1",
"nodes": [
"",
"node_modules/axios"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"body-parser": {
"name": "body-parser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1099520,
"name": "body-parser",
"dependency": "body-parser",
"title": "body-parser vulnerable to denial of service when url encoding is enabled",
"url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7",
"severity": "high",
"cwe": [
"CWE-405"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.20.3"
},
"qs"
],
"effects": [
"express"
],
"range": "<=1.20.2",
"nodes": [
""
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1105443,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <=1.1.11"
}
],
"effects": [],
"range": "1.0.0 - 1.1.11",
"nodes": [
""
],
"fixAvailable": true
},
"braces": {
"name": "braces",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098094,
"name": "braces",
"dependency": "braces",
"title": "Uncontrolled resource consumption in braces",
"url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1050"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.3"
}
],
"effects": [
"chokidar",
"micromatch"
],
"range": "<3.0.3",
"nodes": [
"",
"node_modules/@storybook/builder-webpack4/node_modules/braces",
"node_modules/fast-glob/node_modules/braces",
"node_modules/findup-sync/node_modules/braces",
"node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces",
"node_modules/sane/node_modules/braces",
"node_modules/watchpack-chokidar2/node_modules/braces",
"node_modules/webpack-cli/node_modules/braces",
"node_modules/webpack/node_modules/braces"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"browserify-sign": {
"name": "browserify-sign",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1102445,
"name": "browserify-sign",
"dependency": "browserify-sign",
"title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
"url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.6.0 <=4.2.1"
}
],
"effects": [],
"range": "2.6.0 - 4.2.1",
"nodes": [
""
],
"fixAvailable": true
},
"browserslist": {
"name": "browserslist",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1093035,
"name": "browserslist",
"dependency": "browserslist",
"title": "Regular Expression Denial of Service in browserslist",
"url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=4.0.0 <4.16.5"
}
],
"effects": [
"react-dev-utils"
],
"range": "4.0.0 - 4.16.4",
"nodes": [
"node_modules/react-dev-utils/node_modules/browserslist"
],
"fixAvailable": true
},
"bundlesize": {
"name": "bundlesize",
"severity": "high",
"isDirect": true,
"via": [
"axios"
],
"effects": [],
"range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1",
"nodes": [
"node_modules/bundlesize"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"chokidar": {
"name": "chokidar",
"severity": "high",
"isDirect": false,
"via": [
"anymatch",
"braces",
"readdirp"
],
"effects": [
"watchpack-chokidar2"
],
"range": "1.3.0 - 2.1.8",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/chokidar"
],
"fixAvailable": true
},
"cipher-base": {
"name": "cipher-base",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109536,
"name": "cipher-base",
"dependency": "cipher-base",
"title": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data",
"url": "https://github.com/advisories/GHSA-cpq7-6gpm-g9rc",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": "<=1.0.4"
}
],
"effects": [],
"range": "<=1.0.4",
"nodes": [
""
],
"fixAvailable": true
},
"cookie": {
"name": "cookie",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1103907,
"name": "cookie",
"dependency": "cookie",
"title": "cookie accepts cookie name, path, and domain with out of bounds characters",
"url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
"severity": "low",
"cwe": [
"CWE-74"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.7.0"
}
],
"effects": [
"express"
],
"range": "<0.7.0",
"nodes": [
""
],
"fixAvailable": true
},
"core-js-compat": {
"name": "core-js-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [],
"range": "3.6.0 - 3.25.0",
"nodes": [
""
],
"fixAvailable": true
},
"cpy": {
"name": "cpy",
"severity": "moderate",
"isDirect": false,
"via": [
"globby"
],
"effects": [
"@storybook/core-server"
],
"range": "7.0.0 - 8.1.2",
"nodes": [
"node_modules/cpy"
],
"fixAvailable": true
},
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
},
{
"source": 1104664,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.0.5"
}
],
"effects": [
"pre-commit",
"react-dev-utils",
"webpack-cli"
],
"range": "<6.0.6 || >=7.0.0 <7.0.5",
"nodes": [
"",
"",
"",
"",
"node_modules/cross-spawn",
"node_modules/react-dev-utils/node_modules/cross-spawn"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"css-loader": {
"name": "css-loader",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values"
],
"effects": [],
"range": "0.15.0 - 4.3.0",
"nodes": [
"node_modules/css-loader"
],
"fixAvailable": true
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094087,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "high",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
""
],
"fixAvailable": true
},
"elliptic": {
"name": "elliptic",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1102901,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)",
"url": "https://github.com/advisories/GHSA-vjh7-7g9h-fjfh",
"severity": "critical",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=6.6.0"
},
{
"source": 1109566,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's EDDSA missing signature length check",
"url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=4.0.0 <=6.5.6"
},
{
"source": 1109567,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero",
"url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw",
"severity": "low",
"cwe": [
"CWE-130"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=2.0.0 <=6.5.6"
},
{
"source": 1109568,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic allows BER-encoded signatures",
"url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=5.2.1 <=6.5.6"
},
{
"source": 1111036,
"name": "elliptic",
"dependency": "elliptic",
"title": "Valid ECDSA signatures erroneously rejected in Elliptic",
"url": "https://github.com/advisories/GHSA-fc9h-whq2-v747",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<6.6.0"
},
{
"source": 1111037,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's verify function omits uniqueness validation",
"url": "https://github.com/advisories/GHSA-434g-2637-qmqr",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<6.5.6"
}
],
"effects": [],
"range": "<=6.6.0",
"nodes": [
""
],
"fixAvailable": true
},
"eslint": {
"name": "eslint",
"severity": "low",
"isDirect": false,
"via": [
"inquirer"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "4.0.0-alpha.0 - 7.2.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/eslint"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "high",
"isDirect": true,
"via": [
"eslint",
"eslint-plugin-compat"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.18.0 - 0.21.0 || 0.9.0 - 0.15.3",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/eslint-config-wikimedia",
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"eslint-plugin-compat": {
"name": "eslint-plugin-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "3.6.0-0 - 4.1.4",
"nodes": [
"node_modules/eslint-plugin-compat"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"express": {
"name": "express",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096820,
"name": "express",
"dependency": "express",
"title": "Express.js Open Redirect in malformed URLs",
"url": "https://github.com/advisories/GHSA-rv95-896h-c2vc",
"severity": "moderate",
"cwe": [
"CWE-601",
"CWE-1286"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<4.19.2"
},
{
"source": 1100530,
"name": "express",
"dependency": "express",
"title": "express vulnerable to XSS via response.redirect()",
"url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<4.20.0"
},
"body-parser",
"cookie",
"path-to-regexp",
"qs",
"send",
"serve-static"
],
"effects": [],
"range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0",
"nodes": [
""
],
"fixAvailable": true
},
"external-editor": {
"name": "external-editor",
"severity": "low",
"isDirect": false,
"via": [
"tmp"
],
"effects": [
"inquirer"
],
"range": ">=1.1.1",
"nodes": [
"node_modules/external-editor"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"fast-glob": {
"name": "fast-glob",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"globby"
],
"range": "<=2.2.7",
"nodes": [
"node_modules/fast-glob"
],
"fixAvailable": true
},
"findup-sync": {
"name": "findup-sync",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"qunit",
"webpack-cli"
],
"range": "0.4.0 - 3.0.0",
"nodes": [
"",
"node_modules/webpack-cli/node_modules/findup-sync"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"follow-redirects": {
"name": "follow-redirects",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1092623,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects",
"url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-212"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<1.14.8"
},
{
"source": 1096856,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "follow-redirects' Proxy-Authorization header kept across hosts",
"url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=1.15.5"
},
{
"source": 1102323,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of sensitive information in follow-redirects",
"url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q",
"severity": "high",
"cwe": [
"CWE-359"
],
"cvss": {
"score": 8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
},
"range": "<1.14.7"
},
{
"source": 1109569,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Follow Redirects improperly handles URLs in the url.parse() function",
"url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc",
"severity": "moderate",
"cwe": [
"CWE-20",
"CWE-601"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<1.15.4"
}
],
"effects": [],
"range": "<=1.15.5",
"nodes": [
""
],
"fixAvailable": true
},
"fork-ts-checker-webpack-plugin": {
"name": "fork-ts-checker-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"react-dev-utils"
],
"range": "0.4.14 - 4.1.6",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin",
"node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin"
],
"fixAvailable": true
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109539,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=3.0.0 <3.0.4"
},
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": ">=3.0.0 <3.0.4 || <2.5.4",
"nodes": [
"",
"node_modules/request/node_modules/form-data"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"github-build": {
"name": "github-build",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [],
"range": "<=1.2.3",
"nodes": [
""
],
"fixAvailable": true
},
"globby": {
"name": "globby",
"severity": "moderate",
"isDirect": false,
"via": [
"fast-glob"
],
"effects": [
"cpy"
],
"range": "8.0.0 - 9.2.0",
"nodes": [
"node_modules/globby"
],
"fixAvailable": true
},
"icss-utils": {
"name": "icss-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"css-loader",
"postcss-modules-local-by-default",
"postcss-modules-values"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/icss-utils"
],
"fixAvailable": true
},
"immer": {
"name": "immer",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097196,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx",
"severity": "high",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <9.0.6"
},
{
"source": 1097209,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-33f9-j839-rf8h",
"severity": "critical",
"cwe": [
"CWE-843",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=7.0.0 <9.0.6"
}
],
"effects": [],
"range": "7.0.0 - 9.0.5",
"nodes": [
"node_modules/immer"
],
"fixAvailable": true
},
"inquirer": {
"name": "inquirer",
"severity": "low",
"isDirect": false,
"via": [
"external-editor"
],
"effects": [
"eslint"
],
"range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7",
"nodes": [
""
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"ip": {
"name": "ip",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097720,
"name": "ip",
"dependency": "ip",
"title": "NPM IP package incorrectly identifies some private IP addresses as public",
"url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<1.1.9"
},
{
"source": 1101851,
"name": "ip",
"dependency": "ip",
"title": "ip SSRF improper categorization in isPublic",
"url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=2.0.1"
}
],
"effects": [
"@storybook/core-server"
],
"range": "*",
"nodes": [
""
],
"fixAvailable": true
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109801,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.14.2"
}
],
"effects": [],
"range": "<3.14.2",
"nodes": [
""
],
"fixAvailable": true
},
"jsdoc": {
"name": "jsdoc",
"severity": "high",
"isDirect": true,
"via": [
"markdown-it",
"marked",
"taffydb"
],
"effects": [],
"range": "3.2.0-dev - 3.6.11",
"nodes": [
"node_modules/jsdoc"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": true,
"via": [
"request",
"request-promise-native",
"tough-cookie"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.1.20 || 0.2.0 - 16.5.3",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"json-schema": {
"name": "json-schema",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1101855,
"name": "json-schema",
"dependency": "json-schema",
"title": "json-schema is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-896r-f27r-55mw",
"severity": "critical",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<0.4.0"
}
],
"effects": [
"jsprim"
],
"range": "<0.4.0",
"nodes": [
""
],
"fixAvailable": true
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096543,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1096544,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"",
"",
""
],
"fixAvailable": true
},
"jsprim": {
"name": "jsprim",
"severity": "critical",
"isDirect": false,
"via": [
"json-schema"
],
"effects": [],
"range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1",
"nodes": [
""
],
"fixAvailable": true
},
"less": {
"name": "less",
"severity": "moderate",
"isDirect": true,
"via": [
"request"
],
"effects": [],
"range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3",
"nodes": [
"node_modules/less"
],
"fixAvailable": {
"name": "less",
"version": "3.13.1",
"isSemVerMajor": false
}
},
"loader-utils": {
"name": "loader-utils",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1094088,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.4.1"
},
{
"source": 1094089,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1095054,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1095055,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
},
{
"source": 1109587,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1109588,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
}
],
"effects": [
"react-dev-utils",
"webpack-cli"
],
"range": "<=1.4.1 || 2.0.0 - 2.0.3",
"nodes": [
"",
"",
"",
"",
"",
"",
"",
"node_modules/react-dev-utils/node_modules/loader-utils",
"node_modules/webpack-cli/node_modules/loader-utils"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"markdown-it": {
"name": "markdown-it",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1092663,
"name": "markdown-it",
"dependency": "markdown-it",
"title": "Uncontrolled Resource Consumption in markdown-it",
"url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<12.3.2"
}
],
"effects": [
"jsdoc"
],
"range": "<12.3.2",
"nodes": [
"node_modules/markdown-it"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"markdown-to-jsx": {
"name": "markdown-to-jsx",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1100074,
"name": "markdown-to-jsx",
"dependency": "markdown-to-jsx",
"title": "Cross site scripting in markdown-to-jsx",
"url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<7.4.0"
}
],
"effects": [
"@storybook/ui"
],
"range": "<7.4.0",
"nodes": [
"",
"node_modules/@storybook/ui/node_modules/markdown-to-jsx"
],
"fixAvailable": true
},
"marked": {
"name": "marked",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095051,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
},
{
"source": 1095052,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
}
],
"effects": [
"jsdoc"
],
"range": "<=4.0.9",
"nodes": [
"node_modules/marked"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"micromatch": {
"name": "micromatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098681,
"name": "micromatch",
"dependency": "micromatch",
"title": "Regular Expression Denial of Service (ReDoS) in micromatch",
"url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<4.0.8"
},
"braces"
],
"effects": [
"anymatch",
"fast-glob",
"findup-sync",
"fork-ts-checker-webpack-plugin",
"readdirp",
"sane",
"webpack"
],
"range": "<=4.0.7",
"nodes": [
"",
"",
"node_modules/@storybook/builder-webpack4/node_modules/micromatch",
"node_modules/fast-glob/node_modules/micromatch",
"node_modules/findup-sync/node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/micromatch",
"node_modules/sane/node_modules/micromatch",
"node_modules/watchpack-chokidar2/node_modules/micromatch",
"node_modules/webpack-cli/node_modules/micromatch",
"node_modules/webpack/node_modules/micromatch"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"min-document": {
"name": "min-document",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109626,
"name": "min-document",
"dependency": "min-document",
"title": "min-document vulnerable to prototype pollution",
"url": "https://github.com/advisories/GHSA-rx8g-88g5-qh64",
"severity": "low",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=2.19.0"
}
],
"effects": [],
"range": "<=2.19.0",
"nodes": [
""
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"recursive-readdir"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097678,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
""
],
"fixAvailable": true
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109563,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
},
{
"source": 1109578,
"name": "nanoid",
"dependency": "nanoid",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
"url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-704"
],
"cvss": {
"score": 5.5,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.31"
}
],
"effects": [],
"range": "<=3.3.7",
"nodes": [
"",
""
],
"fixAvailable": true
},
"node-fetch": {
"name": "node-fetch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095073,
"name": "node-fetch",
"dependency": "node-fetch",
"title": "node-fetch forwards secure headers to untrusted sites",
"url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
"severity": "high",
"cwe": [
"CWE-173",
"CWE-200",
"CWE-601"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<2.6.7"
}
],
"effects": [],
"range": "<2.6.7",
"nodes": [
""
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1101849,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=0.2.0 <1.9.0"
},
{
"source": 1101850,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.10"
},
{
"source": 1105199,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp contains a ReDoS",
"url": "https://github.com/advisories/GHSA-rhx6-c78j-4q9w",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.12"
}
],
"effects": [
"express"
],
"range": "<=0.1.11 || 0.2.0 - 1.8.0",
"nodes": [
"",
""
],
"fixAvailable": true
},
"pbkdf2": {
"name": "pbkdf2",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1105691,
"name": "pbkdf2",
"dependency": "pbkdf2",
"title": "pbkdf2 silently disregards Uint8Array input, returning static keys",
"url": "https://github.com/advisories/GHSA-v62p-rq8g-8h59",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.1.2"
},
{
"source": 1105692,
"name": "pbkdf2",
"dependency": "pbkdf2",
"title": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos",
"url": "https://github.com/advisories/GHSA-h7cp-r72f-jxh6",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=3.0.10 <=3.1.2"
}
],
"effects": [],
"range": "<=3.1.2",
"nodes": [
""
],
"fixAvailable": true
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109574,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS line return parsing error",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-144"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<8.4.31"
}
],
"effects": [
"@storybook/builder-webpack4",
"autoprefixer",
"css-loader",
"icss-utils",
"postcss-flexbugs-fixes",
"postcss-less",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"stylelint",
"sugarss"
],
"range": "<8.4.31",
"nodes": [
"",
"",
"node_modules/postcss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-flexbugs-fixes": {
"name": "postcss-flexbugs-fixes",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=4.2.1",
"nodes": [
"node_modules/postcss-flexbugs-fixes"
],
"fixAvailable": true
},
"postcss-less": {
"name": "postcss-less",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=3.1.4",
"nodes": [
"node_modules/postcss-less"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-modules-extract-imports": {
"name": "postcss-modules-extract-imports",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/postcss-modules-extract-imports"
],
"fixAvailable": true
},
"postcss-modules-local-by-default": {
"name": "postcss-modules-local-by-default",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [],
"range": "<=4.0.0-rc.4",
"nodes": [
"node_modules/postcss-modules-local-by-default"
],
"fixAvailable": true
},
"postcss-modules-scope": {
"name": "postcss-modules-scope",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.2.0",
"nodes": [
"node_modules/postcss-modules-scope"
],
"fixAvailable": true
},
"postcss-modules-values": {
"name": "postcss-modules-values",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [
"css-loader"
],
"range": "<=4.0.0-rc.5",
"nodes": [
"node_modules/postcss-modules-values"
],
"fixAvailable": true
},
"postcss-safe-parser": {
"name": "postcss-safe-parser",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=4.0.2",
"nodes": [
"node_modules/postcss-safe-parser"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-sass": {
"name": "postcss-sass",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=0.4.4",
"nodes": [
"node_modules/postcss-sass"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"postcss-scss": {
"name": "postcss-scss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=2.1.1",
"nodes": [
"node_modules/postcss-scss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"pre-commit": {
"name": "pre-commit",
"severity": "high",
"isDirect": false,
"via": [
"cross-spawn"
],
"effects": [],
"range": ">=1.1.0",
"nodes": [
""
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"prismjs": {
"name": "prismjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090424,
"name": "prismjs",
"dependency": "prismjs",
"title": "Cross-site Scripting in Prism",
"url": "https://github.com/advisories/GHSA-3949-f494-cm99",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"
},
"range": ">=1.14.0 <1.27.0"
},
{
"source": 1105770,
"name": "prismjs",
"dependency": "prismjs",
"title": "PrismJS DOM Clobbering vulnerability",
"url": "https://github.com/advisories/GHSA-x7hr-w5r2-h6wg",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-94"
],
"cvss": {
"score": 4.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<1.30.0"
}
],
"effects": [
"refractor"
],
"range": "<=1.29.0",
"nodes": [
""
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"qs": {
"name": "qs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104118,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.5.0 <6.5.3"
},
{
"source": 1104120,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.7.0 <6.7.3"
},
{
"source": 1104123,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.10.0 <6.10.3"
}
],
"effects": [
"body-parser",
"express"
],
"range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2",
"nodes": [
"",
"",
"",
""
],
"fixAvailable": true
},
"qunit": {
"name": "qunit",
"severity": "moderate",
"isDirect": false,
"via": [
"findup-sync",
"sane"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "2.4.1 - 2.8.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"react-dev-utils": {
"name": "react-dev-utils",
"severity": "critical",
"isDirect": false,
"via": [
"browserslist",
"cross-spawn",
"fork-ts-checker-webpack-plugin",
"immer",
"loader-utils",
"recursive-readdir",
"shell-quote"
],
"effects": [
"@storybook/builder-webpack4"
],
"range": "0.5.2 - 12.0.0-next.60",
"nodes": [
"node_modules/react-dev-utils"
],
"fixAvailable": true
},
"react-syntax-highlighter": {
"name": "react-syntax-highlighter",
"severity": "moderate",
"isDirect": false,
"via": [
"refractor"
],
"effects": [
"@storybook/components"
],
"range": "6.0.0 - 15.6.6",
"nodes": [
"node_modules/react-syntax-highlighter"
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"readdirp": {
"name": "readdirp",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar"
],
"range": "2.2.0 - 2.2.1",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/readdirp"
],
"fixAvailable": true
},
"recursive-readdir": {
"name": "recursive-readdir",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"react-dev-utils"
],
"range": "1.2.0 - 2.2.2",
"nodes": [
"node_modules/recursive-readdir"
],
"fixAvailable": true
},
"refractor": {
"name": "refractor",
"severity": "moderate",
"isDirect": false,
"via": [
"prismjs"
],
"effects": [
"react-syntax-highlighter"
],
"range": "<=4.6.0",
"nodes": [
""
],
"fixAvailable": {
"name": "@storybook/addon-actions",
"version": "6.5.16",
"isSemVerMajor": false
}
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"tough-cookie"
],
"effects": [
"jsdom",
"less",
"request-promise-core",
"request-promise-native"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"request-promise-core": {
"name": "request-promise-core",
"severity": "moderate",
"isDirect": false,
"via": [
"request"
],
"effects": [
"request-promise-native"
],
"range": "*",
"nodes": [
"node_modules/request-promise-core"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"request-promise-native": {
"name": "request-promise-native",
"severity": "moderate",
"isDirect": false,
"via": [
"request",
"request-promise-core",
"tough-cookie"
],
"effects": [
"jsdom"
],
"range": ">=1.0.0",
"nodes": [
"node_modules/request-promise-native"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"sane": {
"name": "sane",
"severity": "moderate",
"isDirect": false,
"via": [
"anymatch",
"micromatch"
],
"effects": [
"qunit"
],
"range": "1.5.0 - 4.1.0",
"nodes": [
"node_modules/sane"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"semver": {
"name": "semver",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1101088,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.5.2"
},
{
"source": 1101089,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<5.7.2"
},
{
"source": 1101090,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.3.1"
}
],
"effects": [
"core-js-compat",
"eslint-plugin-compat"
],
"range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
"nodes": [
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"node_modules/eslint-plugin-compat/node_modules/semver"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"send": {
"name": "send",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109556,
"name": "send",
"dependency": "send",
"title": "send vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<0.19.0"
}
],
"effects": [
"express",
"serve-static"
],
"range": "<0.19.0",
"nodes": [
""
],
"fixAvailable": true
},
"serve-static": {
"name": "serve-static",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1100528,
"name": "serve-static",
"dependency": "serve-static",
"title": "serve-static vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-cm22-4g7w-348p",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<1.16.0"
},
"send"
],
"effects": [],
"range": "<=1.16.0",
"nodes": [
""
],
"fixAvailable": true
},
"sha.js": {
"name": "sha.js",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109535,
"name": "sha.js",
"dependency": "sha.js",
"title": "sha.js is missing type checks leading to hash rewind and passing on crafted data",
"url": "https://github.com/advisories/GHSA-95m3-7q98-8xr5",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": "<=2.4.11"
}
],
"effects": [],
"range": "<=2.4.11",
"nodes": [
""
],
"fixAvailable": true
},
"shell-quote": {
"name": "shell-quote",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1107366,
"name": "shell-quote",
"dependency": "shell-quote",
"title": "Improper Neutralization of Special Elements used in a Command in Shell-quote",
"url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7",
"severity": "critical",
"cwe": [
"CWE-77"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.6.3 <=1.7.2"
}
],
"effects": [
"react-dev-utils"
],
"range": "1.6.3 - 1.7.2",
"nodes": [
"node_modules/shell-quote"
],
"fixAvailable": true
},
"simple-get": {
"name": "simple-get",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090445,
"name": "simple-get",
"dependency": "simple-get",
"title": "Exposure of Sensitive Information in simple-get",
"url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.1"
}
],
"effects": [],
"range": "3.0.0 - 3.1.0",
"nodes": [
""
],
"fixAvailable": true
},
"store2": {
"name": "store2",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1101527,
"name": "store2",
"dependency": "store2",
"title": "Cross Site Scripting vulnerability in store2",
"url": "https://github.com/advisories/GHSA-w5hq-hm5m-4548",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<2.14.4"
}
],
"effects": [],
"range": "<2.14.4",
"nodes": [
""
],
"fixAvailable": true
},
"stylelint": {
"name": "stylelint",
"severity": "moderate",
"isDirect": false,
"via": [
"autoprefixer",
"postcss",
"postcss-less",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"sugarss"
],
"effects": [
"stylelint-config-wikimedia"
],
"range": "0.1.0 - 13.13.1",
"nodes": [
"node_modules/stylelint"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"stylelint-config-wikimedia": {
"name": "stylelint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"stylelint"
],
"effects": [],
"range": "<=0.11.1",
"nodes": [
"node_modules/stylelint-config-wikimedia"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.18.0",
"isSemVerMajor": true
}
},
"sugarss": {
"name": "sugarss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/sugarss"
],
"fixAvailable": true
},
"taffydb": {
"name": "taffydb",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1089386,
"name": "taffydb",
"dependency": "taffydb",
"title": "TaffyDB can allow access to any data items in the DB",
"url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-668"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=2.7.3"
}
],
"effects": [
"jsdoc"
],
"range": "*",
"nodes": [
""
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"tar": {
"name": "tar",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
}
],
"effects": [],
"range": "<6.2.1",
"nodes": [
""
],
"fixAvailable": true
},
"tar-fs": {
"name": "tar-fs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1109532,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball",
"url": "https://github.com/advisories/GHSA-vj76-c3g6-qr5v",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-61"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=2.0.0 <2.1.4"
},
{
"source": 1109543,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs can extract outside the specified dir with a specific tarball",
"url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=2.0.0 <2.1.3"
},
{
"source": 1109552,
"name": "tar-fs",
"dependency": "tar-fs",
"title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
"url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.0.0 <2.1.2"
}
],
"effects": [],
"range": "2.0.0 - 2.1.3",
"nodes": [
""
],
"fixAvailable": true
},
"terser": {
"name": "terser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091691,
"name": "terser",
"dependency": "terser",
"title": "Terser insecure use of regular expressions leads to ReDoS",
"url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.8.1"
}
],
"effects": [],
"range": "<4.8.1",
"nodes": [
""
],
"fixAvailable": true
},
"terser-webpack-plugin": {
"name": "terser-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"webpack"
],
"range": "<=2.2.1",
"nodes": [
""
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"tmp": {
"name": "tmp",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109537,
"name": "tmp",
"dependency": "tmp",
"title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
"url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
"severity": "low",
"cwe": [
"CWE-59"
],
"cvss": {
"score": 2.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.2.3"
}
],
"effects": [
"external-editor"
],
"range": "<=0.2.3",
"nodes": [
""
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"jsdom",
"request",
"request-promise-native"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": {
"name": "jsdom",
"version": "27.2.0",
"isSemVerMajor": true
}
},
"watchpack": {
"name": "watchpack",
"severity": "high",
"isDirect": false,
"via": [
"watchpack-chokidar2"
],
"effects": [],
"range": "1.7.2 - 1.7.5",
"nodes": [
"node_modules/watchpack"
],
"fixAvailable": true
},
"watchpack-chokidar2": {
"name": "watchpack-chokidar2",
"severity": "high",
"isDirect": false,
"via": [
"chokidar"
],
"effects": [
"watchpack"
],
"range": "*",
"nodes": [
"node_modules/watchpack-chokidar2"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "moderate",
"isDirect": true,
"via": [
"micromatch",
"terser-webpack-plugin"
],
"effects": [
"@storybook/core-common",
"@storybook/core-server",
"terser-webpack-plugin",
"webpack-cli"
],
"range": "4.0.0-alpha.0 - 5.0.0-rc.6",
"nodes": [
"node_modules/webpack"
],
"fixAvailable": {
"name": "webpack",
"version": "5.103.0",
"isSemVerMajor": true
}
},
"webpack-cli": {
"name": "webpack-cli",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn",
"findup-sync",
"loader-utils",
"webpack"
],
"effects": [],
"range": "<=0.0.8-development || 1.3.0 - 2.0.9 || 2.0.11 - 4.0.0-rc.1",
"nodes": [
"node_modules/webpack-cli"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"webpack-dev-middleware": {
"name": "webpack-dev-middleware",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096729,
"name": "webpack-dev-middleware",
"dependency": "webpack-dev-middleware",
"title": "Path traversal in webpack-dev-middleware",
"url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
},
"range": "<=5.3.3"
}
],
"effects": [
"@storybook/core-server"
],
"range": "<=5.3.3",
"nodes": [
"node_modules/webpack-dev-middleware"
],
"fixAvailable": true
},
"word-wrap": {
"name": "word-wrap",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102444,
"name": "word-wrap",
"dependency": "word-wrap",
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<1.2.4"
}
],
"effects": [],
"range": "<1.2.4",
"nodes": [
""
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098394,
"name": "ws",
"dependency": "ws",
"title": "ws affected by a DoS when handling a request with many HTTP headers",
"url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q",
"severity": "high",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.2.3"
}
],
"effects": [],
"range": "6.0.0 - 6.2.2",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 9,
"moderate": 50,
"high": 41,
"critical": 14,
"total": 114
},
"dependencies": {
"prod": 2,
"dev": 2093,
"optional": 31,
"peer": 1,
"peerOptional": 0,
"total": 2094
}
}
}
}
--- end ---
{"added": 2094, "removed": 0, "changed": 0, "audited": 2095, "funding": 213, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@babel/helpers": {"name": "@babel/helpers", "severity": "moderate", "isDirect": false, "via": [{"source": 1104001, "name": "@babel/helpers", "dependency": "@babel/helpers", "title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups", "url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<7.26.10"}], "effects": [], "range": "<7.26.10", "nodes": [""], "fixAvailable": true}, "@babel/runtime": {"name": "@babel/runtime", "severity": "moderate", "isDirect": false, "via": [{"source": 1104000, "name": "@babel/runtime", "dependency": "@babel/runtime", "title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups", "url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<7.26.10"}], "effects": [], "range": "<7.26.10", "nodes": [""], "fixAvailable": true}, "@babel/traverse": {"name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [{"source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": ["CWE-184", "CWE-697"], "cvss": {"score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "range": "<7.23.2"}], "effects": [], "range": "<7.23.2", "nodes": [""], "fixAvailable": true}, "@storybook/addon-actions": {"name": "@storybook/addon-actions", "severity": "moderate", "isDirect": true, "via": ["@storybook/components"], "effects": [], "range": "4.2.0-alpha.1 - 6.5.9", "nodes": ["node_modules/@storybook/addon-actions"], "fixAvailable": {"name": "@storybook/addon-actions", "version": "6.5.16", "isSemVerMajor": false}}, "@storybook/builder-webpack4": {"name": "@storybook/builder-webpack4", "severity": "high", "isDirect": false, "via": ["@storybook/components", "@storybook/core-common", "@storybook/ui", "autoprefixer", "css-loader", "fork-ts-checker-webpack-plugin", "postcss", "postcss-flexbugs-fixes", "react-dev-utils", "webpack", "webpack-dev-middleware"], "effects": [], "range": "*", "nodes": ["node_modules/@storybook/builder-webpack4"], "fixAvailable": true}, "@storybook/components": {"name": "@storybook/components", "severity": "moderate", "isDirect": false, "via": ["react-syntax-highlighter"], "effects": ["@storybook/addon-actions", "@storybook/builder-webpack4", "@storybook/ui"], "range": "4.2.0-alpha.1 - 6.5.9", "nodes": ["node_modules/@storybook/components"], "fixAvailable": {"name": "@storybook/addon-actions", "version": "6.5.16", "isSemVerMajor": false}}, "@storybook/core": {"name": "@storybook/core", "severity": "high", "isDirect": false, "via": ["@storybook/core-client", "@storybook/core-server"], "effects": [], "range": "6.2.0-alpha.0 - 6.5.17-alpha.0", "nodes": ["node_modules/@storybook/core"], "fixAvailable": true}, "@storybook/core-client": {"name": "@storybook/core-client", "severity": "moderate", "isDirect": false, "via": ["@storybook/ui"], "effects": ["@storybook/core", "@storybook/core-server"], "range": "<=6.4.0-rc.11", "nodes": ["node_modules/@storybook/core-client"], "fixAvailable": true}, "@storybook/core-common": {"name": "@storybook/core-common", "severity": "moderate", "isDirect": false, "via": ["webpack"], "effects": ["@storybook/html"], "range": "<=6.5.17-alpha.0", "nodes": ["node_modules/@storybook/core-common"], "fixAvailable": {"name": "@storybook/html", "version": "10.1.4", "isSemVerMajor": true}}, "@storybook/core-server": {"name": "@storybook/core-server", "severity": "high", "isDirect": false, "via": ["@storybook/builder-webpack4", "@storybook/core-client", "@storybook/core-common", "@storybook/ui", "cpy", "css-loader", "ip", "webpack", "webpack-dev-middleware"], "effects": ["@storybook/core"], "range": "<=7.6.19 || 8.0.0-alpha.0 - 8.1.5 || 8.2.0-alpha.0 - 8.2.0-beta.3", "nodes": ["node_modules/@storybook/core-server"], "fixAvailable": true}, "@storybook/html": {"name": "@storybook/html", "severity": "high", "isDirect": true, "via": ["@storybook/core", "@storybook/core-common"], "effects": [], "range": "6.2.0-alpha.0 - 6.5.17-alpha.0", "nodes": ["node_modules/@storybook/html"], "fixAvailable": {"name": "@storybook/html", "version": "10.1.4", "isSemVerMajor": true}}, "@storybook/ui": {"name": "@storybook/ui", "severity": "moderate", "isDirect": false, "via": ["@storybook/components", "markdown-to-jsx"], "effects": ["@storybook/builder-webpack4", "@storybook/core-client"], "range": "4.2.0-alpha.1 - 6.5.9", "nodes": ["node_modules/@storybook/ui"], "fixAvailable": true}, "@wikimedia/mw-node-qunit": {"name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": ["eslint-config-wikimedia", "jsdom", "qunit"], "effects": [], "range": "<=6.2.1", "nodes": ["node_modules/@wikimedia/mw-node-qunit"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false}}, "ansi-regex": {"name": "ansi-regex", "severity": "high", "isDirect": false, "via": [{"source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": ["CWE-697", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <4.1.1"}], "effects": [], "range": "4.0.0 - 4.1.0", "nodes": ["", ""], "fixAvailable": true}, "anymatch": {"name": "anymatch", "severity": "moderate", "isDirect": false, "via": ["micromatch"], "effects": ["chokidar", "sane"], "range": "1.2.0 - 2.0.0", "nodes": ["node_modules/sane/node_modules/anymatch", "node_modules/watchpack-chokidar2/node_modules/anymatch"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false}}, "autoprefixer": {"name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": ["stylelint"], "range": "1.0.20131222 - 9.8.8", "nodes": ["node_modules/autoprefixer"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "axios": {"name": "axios", "severity": "high", "isDirect": false, "via": [{"source": 1097679, "name": "axios", "dependency": "axios", "title": "Axios Cross-Site Request Forgery Vulnerability", "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", "severity": "moderate", "cwe": ["CWE-352"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "range": ">=0.8.1 <0.28.0"}, {"source": 1108262, "name": "axios", "dependency": "axios", "title": "Axios is vulnerable to DoS attack through lack of data size check", "url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj", "severity": "high", "cwe": ["CWE-770"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.30.2"}, {"source": 1111034, "name": "axios", "dependency": "axios", "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL", "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6", "severity": "high", "cwe": ["CWE-918"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.30.0"}], "effects": ["bundlesize", "github-build"], "range": "<=0.30.1", "nodes": ["", "node_modules/axios"], "fixAvailable": {"name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false}}, "body-parser": {"name": "body-parser", "severity": "high", "isDirect": false, "via": [{"source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": ["CWE-405"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<1.20.3"}, "qs"], "effects": ["express"], "range": "<=1.20.2", "nodes": [""], "fixAvailable": true}, "brace-expansion": {"name": "brace-expansion", "severity": "low", "isDirect": false, "via": [{"source": 1105443, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion Regular Expression Denial of Service vulnerability", "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", "severity": "low", "cwe": ["CWE-400"], "cvss": {"score": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=1.0.0 <=1.1.11"}], "effects": [], "range": "1.0.0 - 1.1.11", "nodes": [""], "fixAvailable": true}, "braces": {"name": "braces", "severity": "high", "isDirect": false, "via": [{"source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": ["CWE-400", "CWE-1050"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.0.3"}], "effects": ["chokidar", "micromatch"], "range": "<3.0.3", "nodes": ["", "node_modules/@storybook/builder-webpack4/node_modules/braces", "node_modules/fast-glob/node_modules/braces", "node_modules/findup-sync/node_modules/braces", "node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces", "node_modules/sane/node_modules/braces", "node_modules/watchpack-chokidar2/node_modules/braces", "node_modules/webpack-cli/node_modules/braces", "node_modules/webpack/node_modules/braces"], "fixAvailable": {"name": "webpack", "version": "5.103.0", "isSemVerMajor": true}}, "browserify-sign": {"name": "browserify-sign", "severity": "high", "isDirect": false, "via": [{"source": 1102445, "name": "browserify-sign", "dependency": "browserify-sign", "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack", "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw", "severity": "high", "cwe": ["CWE-347"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": ">=2.6.0 <=4.2.1"}], "effects": [], "range": "2.6.0 - 4.2.1", "nodes": [""], "fixAvailable": true}, "browserslist": {"name": "browserslist", "severity": "moderate", "isDirect": false, "via": [{"source": 1093035, "name": "browserslist", "dependency": "browserslist", "title": "Regular Expression Denial of Service in browserslist", "url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5", "severity": "moderate", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=4.0.0 <4.16.5"}], "effects": ["react-dev-utils"], "range": "4.0.0 - 4.16.4", "nodes": ["node_modules/react-dev-utils/node_modules/browserslist"], "fixAvailable": true}, "bundlesize": {"name": "bundlesize", "severity": "high", "isDirect": true, "via": ["axios"], "effects": [], "range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1", "nodes": ["node_modules/bundlesize"], "fixAvailable": {"name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false}}, "chokidar": {"name": "chokidar", "severity": "high", "isDirect": false, "via": ["anymatch", "braces", "readdirp"], "effects": ["watchpack-chokidar2"], "range": "1.3.0 - 2.1.8", "nodes": ["node_modules/watchpack-chokidar2/node_modules/chokidar"], "fixAvailable": true}, "cipher-base": {"name": "cipher-base", "severity": "critical", "isDirect": false, "via": [{"source": 1109536, "name": "cipher-base", "dependency": "cipher-base", "title": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data", "url": "https://github.com/advisories/GHSA-cpq7-6gpm-g9rc", "severity": "critical", "cwe": ["CWE-20"], "cvss": {"score": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "range": "<=1.0.4"}], "effects": [], "range": "<=1.0.4", "nodes": [""], "fixAvailable": true}, "cookie": {"name": "cookie", "severity": "low", "isDirect": false, "via": [{"source": 1103907, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": ["CWE-74"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.7.0"}], "effects": ["express"], "range": "<0.7.0", "nodes": [""], "fixAvailable": true}, "core-js-compat": {"name": "core-js-compat", "severity": "high", "isDirect": false, "via": ["semver"], "effects": [], "range": "3.6.0 - 3.25.0", "nodes": [""], "fixAvailable": true}, "cpy": {"name": "cpy", "severity": "moderate", "isDirect": false, "via": ["globby"], "effects": ["@storybook/core-server"], "range": "7.0.0 - 8.1.2", "nodes": ["node_modules/cpy"], "fixAvailable": true}, "cross-spawn": {"name": "cross-spawn", "severity": "high", "isDirect": false, "via": [{"source": 1104663, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<6.0.6"}, {"source": 1104664, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.0.5"}], "effects": ["pre-commit", "react-dev-utils", "webpack-cli"], "range": "<6.0.6 || >=7.0.0 <7.0.5", "nodes": ["", "", "", "", "node_modules/cross-spawn", "node_modules/react-dev-utils/node_modules/cross-spawn"], "fixAvailable": {"name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true}}, "css-loader": {"name": "css-loader", "severity": "moderate", "isDirect": false, "via": ["icss-utils", "postcss", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values"], "effects": [], "range": "0.15.0 - 4.3.0", "nodes": ["node_modules/css-loader"], "fixAvailable": true}, "decode-uri-component": {"name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [{"source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": ["CWE-20"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.2.1"}], "effects": [], "range": "<0.2.1", "nodes": [""], "fixAvailable": true}, "elliptic": {"name": "elliptic", "severity": "critical", "isDirect": false, "via": [{"source": 1102901, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)", "url": "https://github.com/advisories/GHSA-vjh7-7g9h-fjfh", "severity": "critical", "cwe": ["CWE-200"], "cvss": {"score": 0, "vectorString": null}, "range": "<=6.6.0"}, {"source": 1109566, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's EDDSA missing signature length check", "url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p", "severity": "low", "cwe": ["CWE-347"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "range": ">=4.0.0 <=6.5.6"}, {"source": 1109567, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero", "url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw", "severity": "low", "cwe": ["CWE-130"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "range": ">=2.0.0 <=6.5.6"}, {"source": 1109568, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic allows BER-encoded signatures", "url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m", "severity": "low", "cwe": ["CWE-347"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "range": ">=5.2.1 <=6.5.6"}, {"source": 1111036, "name": "elliptic", "dependency": "elliptic", "title": "Valid ECDSA signatures erroneously rejected in Elliptic", "url": "https://github.com/advisories/GHSA-fc9h-whq2-v747", "severity": "low", "cwe": ["CWE-347"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<6.6.0"}, {"source": 1111037, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's verify function omits uniqueness validation", "url": "https://github.com/advisories/GHSA-434g-2637-qmqr", "severity": "low", "cwe": ["CWE-347"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<6.5.6"}], "effects": [], "range": "<=6.6.0", "nodes": [""], "fixAvailable": true}, "eslint": {"name": "eslint", "severity": "low", "isDirect": false, "via": ["inquirer"], "effects": ["eslint-config-wikimedia"], "range": "4.0.0-alpha.0 - 7.2.0", "nodes": ["node_modules/@wikimedia/mw-node-qunit/node_modules/eslint"], "fixAvailable": {"name": "eslint-config-wikimedia", "version": "0.32.3", "isSemVerMajor": true}}, "eslint-config-wikimedia": {"name": "eslint-config-wikimedia", "severity": "high", "isDirect": true, "via": ["eslint", "eslint-plugin-compat"], "effects": ["@wikimedia/mw-node-qunit"], "range": "0.18.0 - 0.21.0 || 0.9.0 - 0.15.3", "nodes": ["node_modules/@wikimedia/mw-node-qunit/node_modules/eslint-config-wikimedia", "node_modules/eslint-config-wikimedia"], "fixAvailable": {"name": "eslint-config-wikimedia", "version": "0.32.3", "isSemVerMajor": true}}, "eslint-plugin-compat": {"name": "eslint-plugin-compat", "severity": "high", "isDirect": false, "via": ["semver"], "effects": ["eslint-config-wikimedia"], "range": "3.6.0-0 - 4.1.4", "nodes": ["node_modules/eslint-plugin-compat"], "fixAvailable": {"name": "eslint-config-wikimedia", "version": "0.32.3", "isSemVerMajor": true}}, "express": {"name": "express", "severity": "high", "isDirect": false, "via": [{"source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": ["CWE-601", "CWE-1286"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<4.19.2"}, {"source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<4.20.0"}, "body-parser", "cookie", "path-to-regexp", "qs", "send", "serve-static"], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [""], "fixAvailable": true}, "external-editor": {"name": "external-editor", "severity": "low", "isDirect": false, "via": ["tmp"], "effects": ["inquirer"], "range": ">=1.1.1", "nodes": ["node_modules/external-editor"], "fixAvailable": {"name": "eslint-config-wikimedia", "version": "0.32.3", "isSemVerMajor": true}}, "fast-glob": {"name": "fast-glob", "severity": "moderate", "isDirect": false, "via": ["micromatch"], "effects": ["globby"], "range": "<=2.2.7", "nodes": ["node_modules/fast-glob"], "fixAvailable": true}, "findup-sync": {"name": "findup-sync", "severity": "moderate", "isDirect": false, "via": ["micromatch"], "effects": ["qunit", "webpack-cli"], "range": "0.4.0 - 3.0.0", "nodes": ["", "node_modules/webpack-cli/node_modules/findup-sync"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false}}, "follow-redirects": {"name": "follow-redirects", "severity": "high", "isDirect": false, "via": [{"source": 1092623, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", "severity": "moderate", "cwe": ["CWE-200", "CWE-212"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "range": "<1.14.8"}, {"source": 1096856, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects' Proxy-Authorization header kept across hosts", "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", "severity": "moderate", "cwe": ["CWE-200"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "range": "<=1.15.5"}, {"source": 1102323, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of sensitive information in follow-redirects", "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q", "severity": "high", "cwe": ["CWE-359"], "cvss": {"score": 8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}, "range": "<1.14.7"}, {"source": 1109569, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Follow Redirects improperly handles URLs in the url.parse() function", "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", "severity": "moderate", "cwe": ["CWE-20", "CWE-601"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<1.15.4"}], "effects": [], "range": "<=1.15.5", "nodes": [""], "fixAvailable": true}, "fork-ts-checker-webpack-plugin": {"name": "fork-ts-checker-webpack-plugin", "severity": "moderate", "isDirect": false, "via": ["micromatch"], "effects": ["react-dev-utils"], "range": "0.4.14 - 4.1.6", "nodes": ["node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin", "node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin"], "fixAvailable": true}, "form-data": {"name": "form-data", "severity": "critical", "isDirect": false, "via": [{"source": 1109539, "name": "form-data", "dependency": "form-data", "title": "form-data uses unsafe random function in form-data for choosing boundary", "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4", "severity": "critical", "cwe": ["CWE-330"], "cvss": {"score": 0, "vectorString": null}, "range": ">=3.0.0 <3.0.4"}, {"source": 1109540, "name": "form-data", "dependency": "form-data", "title": "form-data uses unsafe random function in form-data for choosing boundary", "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4", "severity": "critical", "cwe": ["CWE-330"], "cvss": {"score": 0, "vectorString": null}, "range": "<2.5.4"}], "effects": ["request"], "range": ">=3.0.0 <3.0.4 || <2.5.4", "nodes": ["", "node_modules/request/node_modules/form-data"], "fixAvailable": {"name": "jsdom", "version": "27.2.0", "isSemVerMajor": true}}, "github-build": {"name": "github-build", "severity": "high", "isDirect": false, "via": ["axios"], "effects": [], "range": "<=1.2.3", "nodes": [""], "fixAvailable": true}, "globby": {"name": "globby", "severity": "moderate", "isDirect": false, "via": ["fast-glob"], "effects": ["cpy"], "range": "8.0.0 - 9.2.0", "nodes": ["node_modules/globby"], "fixAvailable": true}, "icss-utils": {"name": "icss-utils", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": ["css-loader", "postcss-modules-local-by-default", "postcss-modules-values"], "range": "<=4.1.1", "nodes": ["node_modules/icss-utils"], "fixAvailable": true}, "immer": {"name": "immer", "severity": "critical", "isDirect": false, "via": [{"source": 1097196, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx", "severity": "high", "cwe": ["CWE-915", "CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <9.0.6"}, {"source": 1097209, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-33f9-j839-rf8h", "severity": "critical", "cwe": ["CWE-843", "CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=7.0.0 <9.0.6"}], "effects": [], "range": "7.0.0 - 9.0.5", "nodes": ["node_modules/immer"], "fixAvailable": true}, "inquirer": {"name": "inquirer", "severity": "low", "isDirect": false, "via": ["external-editor"], "effects": ["eslint"], "range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7", "nodes": [""], "fixAvailable": {"name": "eslint-config-wikimedia", "version": "0.32.3", "isSemVerMajor": true}}, "ip": {"name": "ip", "severity": "high", "isDirect": false, "via": [{"source": 1097720, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "low", "cwe": ["CWE-918"], "cvss": {"score": 0, "vectorString": null}, "range": "<1.1.9"}, {"source": 1101851, "name": "ip", "dependency": "ip", "title": "ip SSRF improper categorization in isPublic", "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp", "severity": "high", "cwe": ["CWE-918"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<=2.0.1"}], "effects": ["@storybook/core-server"], "range": "*", "nodes": [""], "fixAvailable": true}, "js-yaml": {"name": "js-yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1109801, "name": "js-yaml", "dependency": "js-yaml", "title": "js-yaml has prototype pollution in merge (<<)", "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<3.14.2"}], "effects": [], "range": "<3.14.2", "nodes": [""], "fixAvailable": true}, "jsdoc": {"name": "jsdoc", "severity": "high", "isDirect": true, "via": ["markdown-it", "marked", "taffydb"], "effects": [], "range": "3.2.0-dev - 3.6.11", "nodes": ["node_modules/jsdoc"], "fixAvailable": {"name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false}}, "jsdom": {"name": "jsdom", "severity": "moderate", "isDirect": true, "via": ["request", "request-promise-native", "tough-cookie"], "effects": ["@wikimedia/mw-node-qunit"], "range": "0.1.20 || 0.2.0 - 16.5.3", "nodes": ["node_modules/jsdom"], "fixAvailable": {"name": "jsdom", "version": "27.2.0", "isSemVerMajor": true}}, "json-schema": {"name": "json-schema", "severity": "critical", "isDirect": false, "via": [{"source": 1101855, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": ["CWE-915", "CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<0.4.0"}], "effects": ["jsprim"], "range": "<0.4.0", "nodes": [""], "fixAvailable": true}, "json5": {"name": "json5", "severity": "high", "isDirect": false, "via": [{"source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": "<1.0.2"}, {"source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": ">=2.0.0 <2.2.2"}], "effects": [], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": ["", "", ""], "fixAvailable": true}, "jsprim": {"name": "jsprim", "severity": "critical", "isDirect": false, "via": ["json-schema"], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [""], "fixAvailable": true}, "less": {"name": "less", "severity": "moderate", "isDirect": true, "via": ["request"], "effects": [], "range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3", "nodes": ["node_modules/less"], "fixAvailable": {"name": "less", "version": "3.13.1", "isSemVerMajor": false}}, "loader-utils": {"name": "loader-utils", "severity": "critical", "isDirect": false, "via": [{"source": 1094088, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<1.4.1"}, {"source": 1094089, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=2.0.0 <2.0.3"}, {"source": 1095054, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=2.0.0 <2.0.4"}, {"source": 1095055, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=1.0.0 <1.4.2"}, {"source": 1109587, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=2.0.0 <2.0.4"}, {"source": 1109588, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=1.0.0 <1.4.2"}], "effects": ["react-dev-utils", "webpack-cli"], "range": "<=1.4.1 || 2.0.0 - 2.0.3", "nodes": ["", "", "", "", "", "", "", "node_modules/react-dev-utils/node_modules/loader-utils", "node_modules/webpack-cli/node_modules/loader-utils"], "fixAvailable": {"name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false}}, "markdown-it": {"name": "markdown-it", "severity": "moderate", "isDirect": false, "via": [{"source": 1092663, "name": "markdown-it", "dependency": "markdown-it", "title": "Uncontrolled Resource Consumption in markdown-it", "url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c", "severity": "moderate", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<12.3.2"}], "effects": ["jsdoc"], "range": "<12.3.2", "nodes": ["node_modules/markdown-it"], "fixAvailable": {"name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false}}, "markdown-to-jsx": {"name": "markdown-to-jsx", "severity": "moderate", "isDirect": false, "via": [{"source": 1100074, "name": "markdown-to-jsx", "dependency": "markdown-to-jsx", "title": "Cross site scripting in markdown-to-jsx", "url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<7.4.0"}], "effects": ["@storybook/ui"], "range": "<7.4.0", "nodes": ["", "node_modules/@storybook/ui/node_modules/markdown-to-jsx"], "fixAvailable": true}, "marked": {"name": "marked", "severity": "high", "isDirect": false, "via": [{"source": 1095051, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<4.0.10"}, {"source": 1095052, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<4.0.10"}], "effects": ["jsdoc"], "range": "<=4.0.9", "nodes": ["node_modules/marked"], "fixAvailable": {"name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false}}, "micromatch": {"name": "micromatch", "severity": "high", "isDirect": false, "via": [{"source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<4.0.8"}, "braces"], "effects": ["anymatch", "fast-glob", "findup-sync", "fork-ts-checker-webpack-plugin", "readdirp", "sane", "webpack"], "range": "<=4.0.7", "nodes": ["", "", "node_modules/@storybook/builder-webpack4/node_modules/micromatch", "node_modules/fast-glob/node_modules/micromatch", "node_modules/findup-sync/node_modules/micromatch", "node_modules/react-dev-utils/node_modules/micromatch", "node_modules/sane/node_modules/micromatch", "node_modules/watchpack-chokidar2/node_modules/micromatch", "node_modules/webpack-cli/node_modules/micromatch", "node_modules/webpack/node_modules/micromatch"], "fixAvailable": {"name": "webpack", "version": "5.103.0", "isSemVerMajor": true}}, "min-document": {"name": "min-document", "severity": "low", "isDirect": false, "via": [{"source": 1109626, "name": "min-document", "dependency": "min-document", "title": "min-document vulnerable to prototype pollution", "url": "https://github.com/advisories/GHSA-rx8g-88g5-qh64", "severity": "low", "cwe": ["CWE-1321"], "cvss": {"score": 0, "vectorString": null}, "range": "<=2.19.0"}], "effects": [], "range": "<=2.19.0", "nodes": [""], "fixAvailable": true}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.0.5"}], "effects": ["recursive-readdir"], "range": "<3.0.5", "nodes": ["node_modules/minimatch"], "fixAvailable": true}, "minimist": {"name": "minimist", "severity": "critical", "isDirect": false, "via": [{"source": 1097678, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.0.0 <1.2.6"}], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [""], "fixAvailable": true}, "nanoid": {"name": "nanoid", "severity": "moderate", "isDirect": false, "via": [{"source": 1109563, "name": "nanoid", "dependency": "nanoid", "title": "Predictable results in nanoid generation when given non-integer values", "url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55", "severity": "moderate", "cwe": ["CWE-835"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}, "range": "<3.3.8"}, {"source": 1109578, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": ["CWE-200", "CWE-704"], "cvss": {"score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "range": ">=3.0.0 <3.1.31"}], "effects": [], "range": "<=3.3.7", "nodes": ["", ""], "fixAvailable": true}, "node-fetch": {"name": "node-fetch", "severity": "high", "isDirect": false, "via": [{"source": 1095073, "name": "node-fetch", "dependency": "node-fetch", "title": "node-fetch forwards secure headers to untrusted sites", "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g", "severity": "high", "cwe": ["CWE-173", "CWE-200", "CWE-601"], "cvss": {"score": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "range": "<2.6.7"}], "effects": [], "range": "<2.6.7", "nodes": [""], "fixAvailable": true}, "path-to-regexp": {"name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [{"source": 1101849, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=0.2.0 <1.9.0"}, {"source": 1101850, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.1.10"}, {"source": 1105199, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp contains a ReDoS", "url": "https://github.com/advisories/GHSA-rhx6-c78j-4q9w", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.1.12"}], "effects": ["express"], "range": "<=0.1.11 || 0.2.0 - 1.8.0", "nodes": ["", ""], "fixAvailable": true}, "pbkdf2": {"name": "pbkdf2", "severity": "critical", "isDirect": false, "via": [{"source": 1105691, "name": "pbkdf2", "dependency": "pbkdf2", "title": "pbkdf2 silently disregards Uint8Array input, returning static keys", "url": "https://github.com/advisories/GHSA-v62p-rq8g-8h59", "severity": "critical", "cwe": ["CWE-20"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.1.2"}, {"source": 1105692, "name": "pbkdf2", "dependency": "pbkdf2", "title": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos", "url": "https://github.com/advisories/GHSA-h7cp-r72f-jxh6", "severity": "critical", "cwe": ["CWE-20"], "cvss": {"score": 0, "vectorString": null}, "range": ">=3.0.10 <=3.1.2"}], "effects": [], "range": "<=3.1.2", "nodes": [""], "fixAvailable": true}, "postcss": {"name": "postcss", "severity": "moderate", "isDirect": false, "via": [{"source": 1109574, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": ["CWE-74", "CWE-144"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<8.4.31"}], "effects": ["@storybook/builder-webpack4", "autoprefixer", "css-loader", "icss-utils", "postcss-flexbugs-fixes", "postcss-less", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss"], "range": "<8.4.31", "nodes": ["", "", "node_modules/postcss"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "postcss-flexbugs-fixes": {"name": "postcss-flexbugs-fixes", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": [], "range": "<=4.2.1", "nodes": ["node_modules/postcss-flexbugs-fixes"], "fixAvailable": true}, "postcss-less": {"name": "postcss-less", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": ["stylelint"], "range": "<=3.1.4", "nodes": ["node_modules/postcss-less"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "postcss-modules-extract-imports": {"name": "postcss-modules-extract-imports", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": [], "range": "<=2.0.0", "nodes": ["node_modules/postcss-modules-extract-imports"], "fixAvailable": true}, "postcss-modules-local-by-default": {"name": "postcss-modules-local-by-default", "severity": "moderate", "isDirect": false, "via": ["icss-utils", "postcss"], "effects": [], "range": "<=4.0.0-rc.4", "nodes": ["node_modules/postcss-modules-local-by-default"], "fixAvailable": true}, "postcss-modules-scope": {"name": "postcss-modules-scope", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": [], "range": "<=2.2.0", "nodes": ["node_modules/postcss-modules-scope"], "fixAvailable": true}, "postcss-modules-values": {"name": "postcss-modules-values", "severity": "moderate", "isDirect": false, "via": ["icss-utils", "postcss"], "effects": ["css-loader"], "range": "<=4.0.0-rc.5", "nodes": ["node_modules/postcss-modules-values"], "fixAvailable": true}, "postcss-safe-parser": {"name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": ["stylelint"], "range": "<=4.0.2", "nodes": ["node_modules/postcss-safe-parser"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "postcss-sass": {"name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": ["stylelint"], "range": "<=0.4.4", "nodes": ["node_modules/postcss-sass"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "postcss-scss": {"name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": ["stylelint"], "range": "<=2.1.1", "nodes": ["node_modules/postcss-scss"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "pre-commit": {"name": "pre-commit", "severity": "high", "isDirect": false, "via": ["cross-spawn"], "effects": [], "range": ">=1.1.0", "nodes": [""], "fixAvailable": {"name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true}}, "prismjs": {"name": "prismjs", "severity": "high", "isDirect": false, "via": [{"source": 1090424, "name": "prismjs", "dependency": "prismjs", "title": "Cross-site Scripting in Prism", "url": "https://github.com/advisories/GHSA-3949-f494-cm99", "severity": "high", "cwe": ["CWE-79"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"}, "range": ">=1.14.0 <1.27.0"}, {"source": 1105770, "name": "prismjs", "dependency": "prismjs", "title": "PrismJS DOM Clobbering vulnerability", "url": "https://github.com/advisories/GHSA-x7hr-w5r2-h6wg", "severity": "moderate", "cwe": ["CWE-79", "CWE-94"], "cvss": {"score": 4.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "range": "<1.30.0"}], "effects": ["refractor"], "range": "<=1.29.0", "nodes": [""], "fixAvailable": {"name": "@storybook/addon-actions", "version": "6.5.16", "isSemVerMajor": false}}, "qs": {"name": "qs", "severity": "high", "isDirect": false, "via": [{"source": 1104118, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.5.0 <6.5.3"}, {"source": 1104120, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.7.0 <6.7.3"}, {"source": 1104123, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.10.0 <6.10.3"}], "effects": ["body-parser", "express"], "range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2", "nodes": ["", "", "", ""], "fixAvailable": true}, "qunit": {"name": "qunit", "severity": "moderate", "isDirect": false, "via": ["findup-sync", "sane"], "effects": ["@wikimedia/mw-node-qunit"], "range": "2.4.1 - 2.8.0", "nodes": ["node_modules/@wikimedia/mw-node-qunit/node_modules/qunit"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false}}, "react-dev-utils": {"name": "react-dev-utils", "severity": "critical", "isDirect": false, "via": ["browserslist", "cross-spawn", "fork-ts-checker-webpack-plugin", "immer", "loader-utils", "recursive-readdir", "shell-quote"], "effects": ["@storybook/builder-webpack4"], "range": "0.5.2 - 12.0.0-next.60", "nodes": ["node_modules/react-dev-utils"], "fixAvailable": true}, "react-syntax-highlighter": {"name": "react-syntax-highlighter", "severity": "moderate", "isDirect": false, "via": ["refractor"], "effects": ["@storybook/components"], "range": "6.0.0 - 15.6.6", "nodes": ["node_modules/react-syntax-highlighter"], "fixAvailable": {"name": "@storybook/addon-actions", "version": "6.5.16", "isSemVerMajor": false}}, "readdirp": {"name": "readdirp", "severity": "moderate", "isDirect": false, "via": ["micromatch"], "effects": ["chokidar"], "range": "2.2.0 - 2.2.1", "nodes": ["node_modules/watchpack-chokidar2/node_modules/readdirp"], "fixAvailable": true}, "recursive-readdir": {"name": "recursive-readdir", "severity": "high", "isDirect": false, "via": ["minimatch"], "effects": ["react-dev-utils"], "range": "1.2.0 - 2.2.2", "nodes": ["node_modules/recursive-readdir"], "fixAvailable": true}, "refractor": {"name": "refractor", "severity": "moderate", "isDirect": false, "via": ["prismjs"], "effects": ["react-syntax-highlighter"], "range": "<=4.6.0", "nodes": [""], "fixAvailable": {"name": "@storybook/addon-actions", "version": "6.5.16", "isSemVerMajor": false}}, "request": {"name": "request", "severity": "critical", "isDirect": false, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "form-data", "tough-cookie"], "effects": ["jsdom", "less", "request-promise-core", "request-promise-native"], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": {"name": "jsdom", "version": "27.2.0", "isSemVerMajor": true}}, "request-promise-core": {"name": "request-promise-core", "severity": "moderate", "isDirect": false, "via": ["request"], "effects": ["request-promise-native"], "range": "*", "nodes": ["node_modules/request-promise-core"], "fixAvailable": {"name": "jsdom", "version": "27.2.0", "isSemVerMajor": true}}, "request-promise-native": {"name": "request-promise-native", "severity": "moderate", "isDirect": false, "via": ["request", "request-promise-core", "tough-cookie"], "effects": ["jsdom"], "range": ">=1.0.0", "nodes": ["node_modules/request-promise-native"], "fixAvailable": {"name": "jsdom", "version": "27.2.0", "isSemVerMajor": true}}, "sane": {"name": "sane", "severity": "moderate", "isDirect": false, "via": ["anymatch", "micromatch"], "effects": ["qunit"], "range": "1.5.0 - 4.1.0", "nodes": ["node_modules/sane"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false}}, "semver": {"name": "semver", "severity": "high", "isDirect": false, "via": [{"source": 1101088, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.5.2"}, {"source": 1101089, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<5.7.2"}, {"source": 1101090, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.0.0 <6.3.1"}], "effects": ["core-js-compat", "eslint-plugin-compat"], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": ["", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "node_modules/eslint-plugin-compat/node_modules/semver"], "fixAvailable": {"name": "eslint-config-wikimedia", "version": "0.32.3", "isSemVerMajor": true}}, "send": {"name": "send", "severity": "low", "isDirect": false, "via": [{"source": 1109556, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<0.19.0"}], "effects": ["express", "serve-static"], "range": "<0.19.0", "nodes": [""], "fixAvailable": true}, "serve-static": {"name": "serve-static", "severity": "low", "isDirect": false, "via": [{"source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<1.16.0"}, "send"], "effects": [], "range": "<=1.16.0", "nodes": [""], "fixAvailable": true}, "sha.js": {"name": "sha.js", "severity": "critical", "isDirect": false, "via": [{"source": 1109535, "name": "sha.js", "dependency": "sha.js", "title": "sha.js is missing type checks leading to hash rewind and passing on crafted data", "url": "https://github.com/advisories/GHSA-95m3-7q98-8xr5", "severity": "critical", "cwe": ["CWE-20"], "cvss": {"score": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "range": "<=2.4.11"}], "effects": [], "range": "<=2.4.11", "nodes": [""], "fixAvailable": true}, "shell-quote": {"name": "shell-quote", "severity": "critical", "isDirect": false, "via": [{"source": 1107366, "name": "shell-quote", "dependency": "shell-quote", "title": "Improper Neutralization of Special Elements used in a Command in Shell-quote", "url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7", "severity": "critical", "cwe": ["CWE-77"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.6.3 <=1.7.2"}], "effects": ["react-dev-utils"], "range": "1.6.3 - 1.7.2", "nodes": ["node_modules/shell-quote"], "fixAvailable": true}, "simple-get": {"name": "simple-get", "severity": "high", "isDirect": false, "via": [{"source": 1090445, "name": "simple-get", "dependency": "simple-get", "title": "Exposure of Sensitive Information in simple-get", "url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", "severity": "high", "cwe": ["CWE-200"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "range": ">=3.0.0 <3.1.1"}], "effects": [], "range": "3.0.0 - 3.1.0", "nodes": [""], "fixAvailable": true}, "store2": {"name": "store2", "severity": "moderate", "isDirect": false, "via": [{"source": 1101527, "name": "store2", "dependency": "store2", "title": "Cross Site Scripting vulnerability in store2", "url": "https://github.com/advisories/GHSA-w5hq-hm5m-4548", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<2.14.4"}], "effects": [], "range": "<2.14.4", "nodes": [""], "fixAvailable": true}, "stylelint": {"name": "stylelint", "severity": "moderate", "isDirect": false, "via": ["autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss"], "effects": ["stylelint-config-wikimedia"], "range": "0.1.0 - 13.13.1", "nodes": ["node_modules/stylelint"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "stylelint-config-wikimedia": {"name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": ["stylelint"], "effects": [], "range": "<=0.11.1", "nodes": ["node_modules/stylelint-config-wikimedia"], "fixAvailable": {"name": "stylelint-config-wikimedia", "version": "0.18.0", "isSemVerMajor": true}}, "sugarss": {"name": "sugarss", "severity": "moderate", "isDirect": false, "via": ["postcss"], "effects": [], "range": "<=2.0.0", "nodes": ["node_modules/sugarss"], "fixAvailable": true}, "taffydb": {"name": "taffydb", "severity": "high", "isDirect": false, "via": [{"source": 1089386, "name": "taffydb", "dependency": "taffydb", "title": "TaffyDB can allow access to any data items in the DB", "url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6", "severity": "high", "cwe": ["CWE-20", "CWE-668"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "range": "<=2.7.3"}], "effects": ["jsdoc"], "range": "*", "nodes": [""], "fixAvailable": {"name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false}}, "tar": {"name": "tar", "severity": "moderate", "isDirect": false, "via": [{"source": 1097493, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<6.2.1"}], "effects": [], "range": "<6.2.1", "nodes": [""], "fixAvailable": true}, "tar-fs": {"name": "tar-fs", "severity": "high", "isDirect": false, "via": [{"source": 1109532, "name": "tar-fs", "dependency": "tar-fs", "title": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball", "url": "https://github.com/advisories/GHSA-vj76-c3g6-qr5v", "severity": "high", "cwe": ["CWE-22", "CWE-61"], "cvss": {"score": 0, "vectorString": null}, "range": ">=2.0.0 <2.1.4"}, {"source": 1109543, "name": "tar-fs", "dependency": "tar-fs", "title": "tar-fs can extract outside the specified dir with a specific tarball", "url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 0, "vectorString": null}, "range": ">=2.0.0 <2.1.3"}, {"source": 1109552, "name": "tar-fs", "dependency": "tar-fs", "title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File", "url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": ">=2.0.0 <2.1.2"}], "effects": [], "range": "2.0.0 - 2.1.3", "nodes": [""], "fixAvailable": true}, "terser": {"name": "terser", "severity": "high", "isDirect": false, "via": [{"source": 1091691, "name": "terser", "dependency": "terser", "title": "Terser insecure use of regular expressions leads to ReDoS", "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<4.8.1"}], "effects": [], "range": "<4.8.1", "nodes": [""], "fixAvailable": true}, "terser-webpack-plugin": {"name": "terser-webpack-plugin", "severity": "moderate", "isDirect": false, "via": ["webpack"], "effects": ["webpack"], "range": "<=2.2.1", "nodes": [""], "fixAvailable": {"name": "webpack", "version": "5.103.0", "isSemVerMajor": true}}, "tmp": {"name": "tmp", "severity": "low", "isDirect": false, "via": [{"source": 1109537, "name": "tmp", "dependency": "tmp", "title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter", "url": "https://github.com/advisories/GHSA-52f5-9888-hmc6", "severity": "low", "cwe": ["CWE-59"], "cvss": {"score": 2.5, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"}, "range": "<=0.2.3"}], "effects": ["external-editor"], "range": "<=0.2.3", "nodes": [""], "fixAvailable": {"name": "eslint-config-wikimedia", "version": "0.32.3", "isSemVerMajor": true}}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["jsdom", "request", "request-promise-native"], "range": "<4.1.3", "nodes": ["node_modules/tough-cookie"], "fixAvailable": {"name": "jsdom", "version": "27.2.0", "isSemVerMajor": true}}, "watchpack": {"name": "watchpack", "severity": "high", "isDirect": false, "via": ["watchpack-chokidar2"], "effects": [], "range": "1.7.2 - 1.7.5", "nodes": ["node_modules/watchpack"], "fixAvailable": true}, "watchpack-chokidar2": {"name": "watchpack-chokidar2", "severity": "high", "isDirect": false, "via": ["chokidar"], "effects": ["watchpack"], "range": "*", "nodes": ["node_modules/watchpack-chokidar2"], "fixAvailable": true}, "webpack": {"name": "webpack", "severity": "moderate", "isDirect": true, "via": ["micromatch", "terser-webpack-plugin"], "effects": ["@storybook/core-common", "@storybook/core-server", "terser-webpack-plugin", "webpack-cli"], "range": "4.0.0-alpha.0 - 5.0.0-rc.6", "nodes": ["node_modules/webpack"], "fixAvailable": {"name": "webpack", "version": "5.103.0", "isSemVerMajor": true}}, "webpack-cli": {"name": "webpack-cli", "severity": "high", "isDirect": true, "via": ["cross-spawn", "findup-sync", "loader-utils", "webpack"], "effects": [], "range": "<=0.0.8-development || 1.3.0 - 2.0.9 || 2.0.11 - 4.0.0-rc.1", "nodes": ["node_modules/webpack-cli"], "fixAvailable": {"name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false}}, "webpack-dev-middleware": {"name": "webpack-dev-middleware", "severity": "high", "isDirect": false, "via": [{"source": 1096729, "name": "webpack-dev-middleware", "dependency": "webpack-dev-middleware", "title": "Path traversal in webpack-dev-middleware", "url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"}, "range": "<=5.3.3"}], "effects": ["@storybook/core-server"], "range": "<=5.3.3", "nodes": ["node_modules/webpack-dev-middleware"], "fixAvailable": true}, "word-wrap": {"name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [{"source": 1102444, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<1.2.4"}], "effects": [], "range": "<1.2.4", "nodes": [""], "fixAvailable": true}, "ws": {"name": "ws", "severity": "high", "isDirect": false, "via": [{"source": 1098394, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": ["CWE-476"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.0.0 <6.2.3"}], "effects": [], "range": "6.0.0 - 6.2.2", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 9, "moderate": 50, "high": 41, "critical": 14, "total": 114}, "dependencies": {"prod": 2, "dev": 2093, "optional": 31, "peer": 1, "peerOptional": 0, "total": 2094}}}}
{}
Upgrading n:@storybook/addon-actions from 6.2.3 -> 6.5.16
{}
Upgrading n:@wikimedia/mw-node-qunit from 6.2.1 -> 6.4.2
{}
Upgrading n:bundlesize from 0.18.1 -> 0.18.2
{}
Upgrading n:jsdoc from 3.6.7 -> 3.6.11
{}
Upgrading n:less from 3.8.1 -> 3.13.1
{}
Upgrading n:webpack-cli from 3.3.11 -> 3.3.12
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: babel-loader@8.2.3
npm WARN Found: webpack@4.43.0
npm WARN node_modules/webpack
npm WARN dev webpack@"4.43.0" from the root project
npm WARN 24 more (@storybook/builder-webpack4, babel-loader, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/builder-webpack4/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/builder-webpack4@6.2.3
npm WARN node_modules/@storybook/builder-webpack4
npm WARN
npm WARN Conflicting peer dependency: webpack@5.103.0
npm WARN node_modules/webpack
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/builder-webpack4/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/builder-webpack4@6.2.3
npm WARN node_modules/@storybook/builder-webpack4
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: babel-loader@8.2.3
npm WARN Found: webpack@4.43.0
npm WARN node_modules/webpack
npm WARN dev webpack@"4.43.0" from the root project
npm WARN 24 more (@storybook/builder-webpack4, babel-loader, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-common/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-common@6.2.3
npm WARN node_modules/@storybook/core-common
npm WARN
npm WARN Conflicting peer dependency: webpack@5.103.0
npm WARN node_modules/webpack
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-common/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-common@6.2.3
npm WARN node_modules/@storybook/core-common
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: babel-loader@8.2.3
npm WARN Found: webpack@4.43.0
npm WARN node_modules/webpack
npm WARN dev webpack@"4.43.0" from the root project
npm WARN 24 more (@storybook/builder-webpack4, babel-loader, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-server/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-server@6.2.3
npm WARN node_modules/@storybook/core-server
npm WARN
npm WARN Conflicting peer dependency: webpack@5.103.0
npm WARN node_modules/webpack
npm WARN peer webpack@">=2" from babel-loader@8.2.3
npm WARN node_modules/@storybook/core-server/node_modules/babel-loader
npm WARN babel-loader@"^8.2.2" from @storybook/core-server@6.2.3
npm WARN node_modules/@storybook/core-server
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.2.4
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-corejs2/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-corejs2@0.2.3
npm WARN node_modules/babel-plugin-polyfill-corejs2
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-corejs2/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-corejs2@0.2.3
npm WARN node_modules/babel-plugin-polyfill-corejs2
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.1.5
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.1.5
npm WARN node_modules/babel-plugin-polyfill-corejs3/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.1.5" from babel-plugin-polyfill-corejs3@0.1.7
npm WARN node_modules/babel-plugin-polyfill-corejs3
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.1.5
npm WARN node_modules/babel-plugin-polyfill-corejs3/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.1.5" from babel-plugin-polyfill-corejs3@0.1.7
npm WARN node_modules/babel-plugin-polyfill-corejs3
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.2.4
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-regenerator/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-regenerator@0.2.3
npm WARN node_modules/babel-plugin-polyfill-regenerator
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-regenerator/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-regenerator@0.2.3
npm WARN node_modules/babel-plugin-polyfill-regenerator
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: undefined,
npm WARN EBADENGINE required: { node: '12.22.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.12.0',
npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@37.0.3',
npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated is-data-descriptor@1.0.0: Please upgrade to v1.0.1
npm WARN deprecated is-accessor-descriptor@1.0.0: Please upgrade to v1.0.1
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated is-data-descriptor@0.1.4: Please upgrade to v0.1.5
npm WARN deprecated is-data-descriptor@0.1.4: Please upgrade to v0.1.5
npm WARN deprecated is-accessor-descriptor@0.1.6: Please upgrade to v0.1.7
npm WARN deprecated is-accessor-descriptor@0.1.6: Please upgrade to v0.1.7
npm WARN deprecated is-data-descriptor@0.1.4: Please upgrade to v0.1.5
npm WARN deprecated is-accessor-descriptor@0.1.6: Please upgrade to v0.1.7
npm WARN deprecated is-data-descriptor@0.1.4: Please upgrade to v0.1.5
npm WARN deprecated is-accessor-descriptor@0.1.6: Please upgrade to v0.1.7
npm WARN deprecated is-data-descriptor@0.1.4: Please upgrade to v0.1.5
npm WARN deprecated is-accessor-descriptor@0.1.6: Please upgrade to v0.1.7
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated move-concurrently@1.0.1: This package is no longer supported.
npm WARN deprecated lodash.get@4.4.2: This package is deprecated. Use the optional chaining (?.) operator instead.
npm WARN deprecated @babel/plugin-proposal-unicode-property-regex@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-unicode-property-regex instead.
npm WARN deprecated @babel/plugin-proposal-private-methods@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-methods instead.
npm WARN deprecated @babel/plugin-proposal-private-property-in-object@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-property-in-object instead.
npm WARN deprecated @babel/plugin-proposal-optional-catch-binding@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-catch-binding instead.
npm WARN deprecated @babel/plugin-proposal-nullish-coalescing-operator@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead.
npm WARN deprecated @babel/plugin-proposal-logical-assignment-operators@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-logical-assignment-operators instead.
npm WARN deprecated @babel/plugin-proposal-numeric-separator@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-numeric-separator instead.
npm WARN deprecated @babel/plugin-proposal-json-strings@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-json-strings instead.
npm WARN deprecated @babel/plugin-proposal-dynamic-import@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-dynamic-import instead.
npm WARN deprecated @babel/plugin-proposal-export-namespace-from@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-export-namespace-from instead.
npm WARN deprecated @babel/plugin-proposal-class-properties@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm WARN deprecated @babel/plugin-proposal-class-static-block@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-static-block instead.
npm WARN deprecated @babel/plugin-proposal-class-static-block@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-static-block instead.
npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated figgy-pudding@3.5.2: This module is no longer supported.
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated @babel/plugin-proposal-async-generator-functions@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-async-generator-functions instead.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated npmlog@4.1.2: This package is no longer supported.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.5.0: Use @eslint/config-array instead
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated copy-concurrently@1.0.5: This package is no longer supported.
npm WARN deprecated @babel/plugin-proposal-object-rest-spread@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-object-rest-spread instead.
npm WARN deprecated @babel/plugin-proposal-optional-chaining@7.16.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead.
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated domexception@1.0.1: Use your platform's native DOMException instead
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated are-we-there-yet@1.1.7: This package is no longer supported.
npm WARN deprecated wikimedia-ui-base@0.15.0: Package no longer supported. Please use @wikimedia/codex-design-tokens instead.
npm WARN deprecated uuid-browser@3.1.0: Package no longer supported and required. Use the uuid package or crypto.randomUUID instead
npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated fs-write-stream-atomic@1.0.10: This package is no longer supported.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated @humanwhocodes/object-schema@1.2.1: Use @eslint/object-schema instead
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated gauge@2.7.4: This package is no longer supported.
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.2: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated sinon@4.5.0: 16.1.1
npm WARN deprecated iltorb@2.4.5: The zlib module provides APIs for brotli compression/decompression starting with Node.js v10.16.0, please use it over iltorb
npm WARN deprecated sinon@12.0.1: 16.1.1
npm WARN deprecated eslint@7.32.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js-pure@3.19.1: core-js-pure@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js-pure.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.19.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm ERR! code 1
npm ERR! path /src/repo/node_modules/iltorb
npm ERR! command failed
npm ERR! command sh -c node ./scripts/install.js || node-gyp rebuild
npm ERR! make: Entering directory '/src/repo/node_modules/iltorb/build'
npm ERR! CC(target) Release/obj.target/iltorb/brotli/c/common/dictionary.o
npm ERR! make: Leaving directory '/src/repo/node_modules/iltorb/build'
npm ERR! info install installing standalone, skipping download.
npm ERR! gyp info it worked if it ends with ok
npm ERR! gyp info using node-gyp@11.1.0
npm ERR! gyp info using node@20.19.2 | linux | x64
npm ERR! gyp info find Python using Python version 3.13.5 found at "/usr/bin/python3"
npm ERR! gyp info spawn /usr/bin/python3
npm ERR! gyp info spawn args [
npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/gyp/gyp_main.py',
npm ERR! gyp info spawn args 'binding.gyp',
npm ERR! gyp info spawn args '-f',
npm ERR! gyp info spawn args 'make',
npm ERR! gyp info spawn args '-I',
npm ERR! gyp info spawn args '/src/repo/node_modules/iltorb/build/config.gypi',
npm ERR! gyp info spawn args '-I',
npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/addon.gypi',
npm ERR! gyp info spawn args '-I',
npm ERR! gyp info spawn args '/usr/include/nodejs/common.gypi',
npm ERR! gyp info spawn args '-Dlibrary=shared_library',
npm ERR! gyp info spawn args '-Dvisibility=default',
npm ERR! gyp info spawn args '-Dnode_root_dir=/usr/include/nodejs',
npm ERR! gyp info spawn args '-Dnode_gyp_dir=/usr/share/nodejs/node-gyp',
npm ERR! gyp info spawn args '-Dnode_lib_file=/usr/include/nodejs/<(target_arch)/node.lib',
npm ERR! gyp info spawn args '-Dmodule_root_dir=/src/repo/node_modules/iltorb',
npm ERR! gyp info spawn args '-Dnode_engine=v8',
npm ERR! gyp info spawn args '--depth=.',
npm ERR! gyp info spawn args '--no-parallel',
npm ERR! gyp info spawn args '--generator-output',
npm ERR! gyp info spawn args 'build',
npm ERR! gyp info spawn args '-Goutput_dir=.'
npm ERR! gyp info spawn args ]
npm ERR! gyp info spawn make
npm ERR! gyp info spawn args [ 'BUILDTYPE=Release', '-C', 'build' ]
npm ERR! make: cc: No such file or directory
npm ERR! make: *** [iltorb.target.mk:145: Release/obj.target/iltorb/brotli/c/common/dictionary.o] Error 127
npm ERR! gyp ERR! build error
npm ERR! gyp ERR! stack Error: `make` failed with exit code: 2
npm ERR! gyp ERR! stack at ChildProcess.<anonymous> (/usr/share/nodejs/node-gyp/lib/build.js:216:23)
npm ERR! gyp ERR! System Linux 6.1.0-30-cloud-amd64
npm ERR! gyp ERR! command "/usr/bin/node" "/usr/share/nodejs/node-gyp/bin/node-gyp.js" "rebuild"
npm ERR! gyp ERR! cwd /src/repo/node_modules/iltorb
npm ERR! gyp ERR! node -v v20.19.2
npm ERR! gyp ERR! node-gyp -v v11.1.0
npm ERR! gyp ERR! not ok
npm ERR! A complete log of this run can be found in:
npm ERR! /cache/_logs/2025-12-04T12_32_29_480Z-debug-0.log
--- stdout ---
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.2.4
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-corejs2/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-corejs2@0.2.3
npm WARN node_modules/babel-plugin-polyfill-corejs2
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-corejs2/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-corejs2@0.2.3
npm WARN node_modules/babel-plugin-polyfill-corejs2
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.1.5
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.1.5
npm WARN node_modules/babel-plugin-polyfill-corejs3/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.1.5" from babel-plugin-polyfill-corejs3@0.1.7
npm WARN node_modules/babel-plugin-polyfill-corejs3
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.1.5
npm WARN node_modules/babel-plugin-polyfill-corejs3/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.1.5" from babel-plugin-polyfill-corejs3@0.1.7
npm WARN node_modules/babel-plugin-polyfill-corejs3
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: @babel/helper-define-polyfill-provider@0.2.4
npm WARN Found: @babel/core@7.2.2
npm WARN node_modules/@babel/core
npm WARN dev @babel/core@"7.2.2" from the root project
npm WARN 85 more (@babel/helper-compilation-targets, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-regenerator/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-regenerator@0.2.3
npm WARN node_modules/babel-plugin-polyfill-regenerator
npm WARN
npm WARN Conflicting peer dependency: @babel/core@7.28.5
npm WARN node_modules/@babel/core
npm WARN peer @babel/core@"^7.4.0-0" from @babel/helper-define-polyfill-provider@0.2.4
npm WARN node_modules/babel-plugin-polyfill-regenerator/node_modules/@babel/helper-define-polyfill-provider
npm WARN @babel/helper-define-polyfill-provider@"^0.2.4" from babel-plugin-polyfill-regenerator@0.2.3
npm WARN node_modules/babel-plugin-polyfill-regenerator
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: undefined,
npm WARN EBADENGINE required: { node: '12.22.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.12.0',
npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@37.0.3',
npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm ERR! code EUSAGE
npm ERR!
npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR!
npm ERR! Invalid: lock file's @storybook/addon-actions@6.2.3 does not satisfy @storybook/addon-actions@6.5.16
npm ERR! Invalid: lock file's @wikimedia/mw-node-qunit@6.2.1 does not satisfy @wikimedia/mw-node-qunit@6.4.2
npm ERR! Invalid: lock file's bundlesize@0.18.1 does not satisfy bundlesize@0.18.2
npm ERR! Invalid: lock file's jsdoc@3.6.7 does not satisfy jsdoc@3.6.11
npm ERR! Invalid: lock file's less@3.8.1 does not satisfy less@3.13.1
npm ERR! Invalid: lock file's webpack-cli@3.3.11 does not satisfy webpack-cli@3.3.12
npm ERR! Missing: @storybook/addons@6.5.16 from lock file
npm ERR! Missing: @storybook/api@6.5.16 from lock file
npm ERR! Missing: @storybook/client-logger@6.5.16 from lock file
npm ERR! Missing: @storybook/components@6.5.16 from lock file
npm ERR! Missing: @storybook/core-events@6.5.16 from lock file
npm ERR! Missing: @storybook/csf@0.0.2--canary.4566f4d.1 from lock file
npm ERR! Missing: @storybook/theming@6.5.16 from lock file
npm ERR! Invalid: lock file's polished@4.1.3 does not satisfy polished@4.3.1
npm ERR! Missing: telejson@6.0.8 from lock file
npm ERR! Missing: jsdom@18.0.1 from lock file
npm ERR! Missing: mustache@4.2.0 from lock file
npm ERR! Invalid: lock file's oojs@2.2.2 does not satisfy oojs@6.0.0
npm ERR! Invalid: lock file's prettier@1.11.1 does not satisfy prettier@2.4.1
npm ERR! Invalid: lock file's qunit@2.7.0 does not satisfy qunit@2.17.2
npm ERR! Missing: sinon@12.0.1 from lock file
npm ERR! Invalid: lock file's axios@0.21.4 does not satisfy axios@1.13.2
npm ERR! Invalid: lock file's github-build@1.2.3 does not satisfy github-build@1.2.4
npm ERR! Invalid: lock file's follow-redirects@1.14.5 does not satisfy follow-redirects@1.15.11
npm ERR! Missing: form-data@4.0.5 from lock file
npm ERR! Missing: proxy-from-env@1.1.0 from lock file
npm ERR! Invalid: lock file's axios@0.21.3 does not satisfy axios@1.6.0
npm ERR! Missing: @types/markdown-it@12.2.3 from lock file
npm ERR! Invalid: lock file's markdown-it@10.0.0 does not satisfy markdown-it@12.3.2
npm ERR! Invalid: lock file's markdown-it-anchor@5.3.0 does not satisfy markdown-it-anchor@8.6.7
npm ERR! Invalid: lock file's marked@2.1.3 does not satisfy marked@4.3.0
npm ERR! Invalid: lock file's underscore@1.13.1 does not satisfy underscore@1.13.7
npm ERR! Missing: @types/linkify-it@5.0.0 from lock file
npm ERR! Missing: @types/mdurl@2.0.0 from lock file
npm ERR! Missing: copy-anything@2.0.6 from lock file
npm ERR! Missing: make-dir@2.1.0 from lock file
npm ERR! Missing: native-request@1.1.2 from lock file
npm ERR! Missing: tslib@1.14.1 from lock file
npm ERR! Missing: is-what@3.14.1 from lock file
npm ERR! Missing: argparse@2.0.1 from lock file
npm ERR! Invalid: lock file's entities@2.0.3 does not satisfy entities@2.1.0
npm ERR! Invalid: lock file's linkify-it@2.2.0 does not satisfy linkify-it@3.0.3
npm ERR! Invalid: lock file's @babel/runtime@7.16.0 does not satisfy @babel/runtime@7.28.4
npm ERR! Invalid: lock file's interpret@1.2.0 does not satisfy interpret@1.4.0
npm ERR! Missing: yargs@13.3.2 from lock file
npm ERR! Missing: cliui@5.0.0 from lock file
npm ERR! Missing: find-up@3.0.0 from lock file
npm ERR! Missing: string-width@3.1.0 from lock file
npm ERR! Missing: y18n@4.0.3 from lock file
npm ERR! Missing: yargs-parser@13.1.2 from lock file
npm ERR! Missing: @storybook/channels@6.5.16 from lock file
npm ERR! Missing: @storybook/router@6.5.16 from lock file
npm ERR! Missing: acorn@8.15.0 from lock file
npm ERR! Missing: acorn-globals@6.0.0 from lock file
npm ERR! Missing: cssom@0.5.0 from lock file
npm ERR! Missing: cssstyle@2.3.0 from lock file
npm ERR! Missing: data-urls@3.0.2 from lock file
npm ERR! Missing: decimal.js@10.6.0 from lock file
npm ERR! Missing: domexception@4.0.0 from lock file
npm ERR! Missing: escodegen@2.1.0 from lock file
npm ERR! Missing: form-data@4.0.5 from lock file
npm ERR! Missing: html-encoding-sniffer@3.0.0 from lock file
npm ERR! Missing: http-proxy-agent@5.0.0 from lock file
npm ERR! Missing: https-proxy-agent@5.0.1 from lock file
npm ERR! Missing: is-potential-custom-element-name@1.0.1 from lock file
npm ERR! Missing: parse5@6.0.1 from lock file
npm ERR! Missing: saxes@5.0.1 from lock file
npm ERR! Missing: tough-cookie@4.1.4 from lock file
npm ERR! Missing: w3c-xmlserializer@3.0.0 from lock file
npm ERR! Missing: webidl-conversions@7.0.0 from lock file
npm ERR! Missing: whatwg-encoding@2.0.0 from lock file
npm ERR! Missing: whatwg-mimetype@3.0.0 from lock file
npm ERR! Missing: whatwg-url@10.0.0 from lock file
npm ERR! Missing: ws@8.18.3 from lock file
npm ERR! Missing: xml-name-validator@4.0.0 from lock file
npm ERR! Missing: @tootallnate/once@2.0.0 from lock file
npm ERR! Missing: agent-base@6.0.2 from lock file
npm ERR! Missing: xml-name-validator@4.0.0 from lock file
npm ERR! Missing: acorn@7.4.1 from lock file
npm ERR! Missing: acorn-walk@7.2.0 from lock file
npm ERR! Missing: cssom@0.3.8 from lock file
npm ERR! Invalid: lock file's abab@2.0.5 does not satisfy abab@2.0.6
npm ERR! Missing: whatwg-url@11.0.0 from lock file
npm ERR! Missing: estraverse@5.3.0 from lock file
npm ERR! Missing: source-map@0.6.1 from lock file
npm ERR! Missing: es-set-tostringtag@2.1.0 from lock file
npm ERR! Missing: hasown@2.0.2 from lock file
npm ERR! Missing: es-errors@1.3.0 from lock file
npm ERR! Invalid: lock file's get-intrinsic@1.1.1 does not satisfy get-intrinsic@1.3.0
npm ERR! Invalid: lock file's has-tostringtag@1.0.0 does not satisfy has-tostringtag@1.0.2
npm ERR! Missing: call-bind-apply-helpers@1.0.2 from lock file
npm ERR! Missing: es-define-property@1.0.1 from lock file
npm ERR! Missing: es-object-atoms@1.1.1 from lock file
npm ERR! Invalid: lock file's function-bind@1.1.1 does not satisfy function-bind@1.1.2
npm ERR! Missing: get-proto@1.0.1 from lock file
npm ERR! Missing: gopd@1.2.0 from lock file
npm ERR! Invalid: lock file's has-symbols@1.0.2 does not satisfy has-symbols@1.1.0
npm ERR! Missing: math-intrinsics@1.1.0 from lock file
npm ERR! Missing: dunder-proto@1.0.1 from lock file
npm ERR! Invalid: lock file's commander@2.12.2 does not satisfy commander@7.2.0
npm ERR! Missing: node-watch@0.7.2 from lock file
npm ERR! Missing: @sinonjs/fake-timers@8.1.0 from lock file
npm ERR! Missing: @sinonjs/samsam@6.1.3 from lock file
npm ERR! Missing: diff@5.2.0 from lock file
npm ERR! Missing: nise@5.1.9 from lock file
npm ERR! Missing: supports-color@7.2.0 from lock file
npm ERR! Missing: @sinonjs/commons@3.0.1 from lock file
npm ERR! Missing: @sinonjs/fake-timers@11.3.1 from lock file
npm ERR! Invalid: lock file's @sinonjs/text-encoding@0.7.1 does not satisfy @sinonjs/text-encoding@0.7.3
npm ERR! Missing: just-extend@6.2.0 from lock file
npm ERR! Missing: path-to-regexp@6.3.0 from lock file
npm ERR! Missing: universalify@0.2.0 from lock file
npm ERR! Missing: url-parse@1.5.10 from lock file
npm ERR! Missing: querystringify@2.2.0 from lock file
npm ERR! Missing: requires-port@1.0.0 from lock file
npm ERR! Missing: iconv-lite@0.6.3 from lock file
npm ERR! Missing: tr46@3.0.0 from lock file
npm ERR! Missing: form-data@4.0.5 from lock file
npm ERR! Missing: strip-ansi@5.2.0 from lock file
npm ERR! Missing: wrap-ansi@5.1.0 from lock file
npm ERR! Missing: locate-path@3.0.0 from lock file
npm ERR! Missing: p-locate@3.0.0 from lock file
npm ERR! Missing: path-exists@3.0.0 from lock file
npm ERR! Missing: p-limit@2.3.0 from lock file
npm ERR! Missing: emoji-regex@7.0.3 from lock file
npm ERR! Missing: is-fullwidth-code-point@2.0.0 from lock file
npm ERR! Missing: ansi-regex@4.1.1 from lock file
npm ERR!
npm ERR! Clean install a project
npm ERR!
npm ERR! Usage:
npm ERR! npm ci
npm ERR!
npm ERR! Options:
npm ERR! [-S|--save|--no-save|--save-prod|--save-dev|--save-optional|--save-peer|--save-bundle]
npm ERR! [-E|--save-exact] [-g|--global] [--install-strategy <hoisted|nested|shallow>]
npm ERR! [--legacy-bundling] [--global-style]
npm ERR! [--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
npm ERR! [--strict-peer-deps] [--no-package-lock] [--foreground-scripts]
npm ERR! [--ignore-scripts] [--no-audit] [--no-bin-links] [--no-fund] [--dry-run]
npm ERR! [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
npm ERR! [-ws|--workspaces] [--include-workspace-root] [--no-install-links]
npm ERR!
npm ERR! aliases: clean-install, ic, install-clean, isntall-clean
npm ERR!
npm ERR! Run "npm help ci" for more info
npm ERR! A complete log of this run can be found in:
npm ERR! /cache/_logs/2025-12-04T12_34_40_420Z-debug-0.log
--- stdout ---
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 2044, in main
libup.run(args.repo, args.output, args.branch)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1986, in run
self.npm_audit_fix(new_npm_audit)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 276, in npm_audit_fix
self.npm_test()
~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 323, in npm_test
self.check_call(["npm", "ci"])
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/shell2.py", line 63, in check_call
res.check_returncode()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/subprocess.py", line 508, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
self.stderr)
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'ci']' returned non-zero exit status 1.