mediawiki/services/push-notifications: main (log #2337054)

sourcepatches

This run took 74 seconds.

$ date
--- stdout ---
Tue Jan 20 05:23:34 UTC 2026

--- end ---
$ git clone file:///srv/git/mediawiki-services-push-notifications.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/master
--- stdout ---
e045d3ee14b170e7638474de4caab75d743e103e refs/heads/master

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@wikimedia/apn": {
      "name": "@wikimedia/apn",
      "severity": "high",
      "isDirect": true,
      "via": [
        "jsonwebtoken",
        "node-forge"
      ],
      "effects": [],
      "range": "*",
      "nodes": [
        "node_modules/@wikimedia/apn"
      ],
      "fixAvailable": false
    },
    "body-parser": {
      "name": "body-parser",
      "severity": "high",
      "isDirect": true,
      "via": [
        "qs"
      ],
      "effects": [
        "express"
      ],
      "range": "<=1.20.3 || 2.0.0-beta.1 - 2.0.2",
      "nodes": [
        "node_modules/body-parser"
      ],
      "fixAvailable": true
    },
    "compression": {
      "name": "compression",
      "severity": "low",
      "isDirect": true,
      "via": [
        "on-headers"
      ],
      "effects": [],
      "range": "1.0.3 - 1.8.0",
      "nodes": [
        "node_modules/compression"
      ],
      "fixAvailable": true
    },
    "diff": {
      "name": "diff",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1112148,
          "name": "diff",
          "dependency": "diff",
          "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
          "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
          "severity": "low",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<8.0.3"
        }
      ],
      "effects": [
        "mocha",
        "sinon",
        "ts-node"
      ],
      "range": "<8.0.3",
      "nodes": [
        "node_modules/diff",
        "node_modules/ts-node/node_modules/diff"
      ],
      "fixAvailable": {
        "name": "mocha",
        "version": "0.13.0",
        "isSemVerMajor": true
      }
    },
    "express": {
      "name": "express",
      "severity": "high",
      "isDirect": true,
      "via": [
        "body-parser",
        "qs"
      ],
      "effects": [],
      "range": "2.5.8 - 2.5.11 || 3.2.1 - 3.2.3 || 4.0.0-rc1 - 4.21.2 || 5.0.0-alpha.1 - 5.0.1",
      "nodes": [
        "node_modules/express"
      ],
      "fixAvailable": true
    },
    "form-data": {
      "name": "form-data",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1109538,
          "name": "form-data",
          "dependency": "form-data",
          "title": "form-data uses unsafe random function in form-data for choosing boundary",
          "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
          "severity": "critical",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=4.0.0 <4.0.4"
        },
        {
          "source": 1109540,
          "name": "form-data",
          "dependency": "form-data",
          "title": "form-data uses unsafe random function in form-data for choosing boundary",
          "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
          "severity": "critical",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<2.5.4"
        }
      ],
      "effects": [
        "request"
      ],
      "range": ">=4.0.0 <4.0.4 || <2.5.4",
      "nodes": [
        "node_modules/@types/request/node_modules/form-data",
        "node_modules/form-data",
        "node_modules/superagent/node_modules/form-data"
      ],
      "fixAvailable": false
    },
    "js-yaml": {
      "name": "js-yaml",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1109801,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "js-yaml has prototype pollution in merge (<<)",
          "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<3.14.2"
        },
        {
          "source": 1109802,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "js-yaml has prototype pollution in merge (<<)",
          "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": ">=4.0.0 <4.1.1"
        }
      ],
      "effects": [],
      "range": "<3.14.2 || >=4.0.0 <4.1.1",
      "nodes": [
        "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml",
        "node_modules/js-yaml",
        "node_modules/service-runner/node_modules/js-yaml",
        "node_modules/swagger-router/node_modules/js-yaml"
      ],
      "fixAvailable": true
    },
    "jsonwebtoken": {
      "name": "jsonwebtoken",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1097690,
          "name": "jsonwebtoken",
          "dependency": "jsonwebtoken",
          "title": "jsonwebtoken unrestricted key type could lead to legacy keys usage ",
          "url": "https://github.com/advisories/GHSA-8cf7-32gw-wr33",
          "severity": "high",
          "cwe": [
            "CWE-327"
          ],
          "cvss": {
            "score": 8.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
          },
          "range": "<=8.5.1"
        },
        {
          "source": 1097694,
          "name": "jsonwebtoken",
          "dependency": "jsonwebtoken",
          "title": "jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC",
          "url": "https://github.com/advisories/GHSA-hjrf-2m68-5959",
          "severity": "moderate",
          "cwe": [
            "CWE-287",
            "CWE-1259"
          ],
          "cvss": {
            "score": 5,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
          },
          "range": "<=8.5.1"
        },
        {
          "source": 1102458,
          "name": "jsonwebtoken",
          "dependency": "jsonwebtoken",
          "title": "jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()",
          "url": "https://github.com/advisories/GHSA-qwph-4952-7xr6",
          "severity": "moderate",
          "cwe": [
            "CWE-287",
            "CWE-327",
            "CWE-347"
          ],
          "cvss": {
            "score": 6.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"
          },
          "range": "<9.0.0"
        }
      ],
      "effects": [
        "@wikimedia/apn"
      ],
      "range": "<=8.5.1",
      "nodes": [
        "node_modules/jsonwebtoken"
      ],
      "fixAvailable": false
    },
    "jws": {
      "name": "jws",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1111243,
          "name": "jws",
          "dependency": "jws",
          "title": "auth0/node-jws Improperly Verifies HMAC Signature",
          "url": "https://github.com/advisories/GHSA-869p-cjfg-cm3x",
          "severity": "high",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": "=4.0.0"
        },
        {
          "source": 1111244,
          "name": "jws",
          "dependency": "jws",
          "title": "auth0/node-jws Improperly Verifies HMAC Signature",
          "url": "https://github.com/advisories/GHSA-869p-cjfg-cm3x",
          "severity": "high",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": "<3.2.3"
        }
      ],
      "effects": [],
      "range": "=4.0.0 || <3.2.3",
      "nodes": [
        "node_modules/firebase-admin/node_modules/jws",
        "node_modules/jsonwebtoken/node_modules/jws",
        "node_modules/jws"
      ],
      "fixAvailable": true
    },
    "limitation": {
      "name": "limitation",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "wikimedia-kad-fork"
      ],
      "effects": [
        "service-runner"
      ],
      "range": ">=0.2.3",
      "nodes": [
        "node_modules/limitation"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "mocha": {
      "name": "mocha",
      "severity": "low",
      "isDirect": true,
      "via": [
        "diff"
      ],
      "effects": [
        "mocha.parallel"
      ],
      "range": "0.14.0 - 12.0.0-beta-3",
      "nodes": [
        "node_modules/mocha"
      ],
      "fixAvailable": {
        "name": "mocha",
        "version": "0.13.0",
        "isSemVerMajor": true
      }
    },
    "mocha.parallel": {
      "name": "mocha.parallel",
      "severity": "low",
      "isDirect": true,
      "via": [
        "mocha"
      ],
      "effects": [],
      "range": ">=0.13.0",
      "nodes": [
        "node_modules/mocha.parallel"
      ],
      "fixAvailable": {
        "name": "mocha.parallel",
        "version": "0.12.0",
        "isSemVerMajor": true
      }
    },
    "ms": {
      "name": "ms",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1109573,
          "name": "ms",
          "dependency": "ms",
          "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability",
          "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<2.0.0"
        }
      ],
      "effects": [
        "wikimedia-kad-fork"
      ],
      "range": "<2.0.0",
      "nodes": [
        "node_modules/wikimedia-kad-fork/node_modules/ms"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "node-forge": {
      "name": "node-forge",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1088227,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "Prototype Pollution in node-forge debug API.",
          "url": "https://github.com/advisories/GHSA-5rrq-pxf6-6jx5",
          "severity": "low",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<1.0.0"
        },
        {
          "source": 1088228,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "Prototype Pollution in node-forge util.setPath API",
          "url": "https://github.com/advisories/GHSA-wxgw-qj99-44c2",
          "severity": "low",
          "cwe": [],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<0.10.0"
        },
        {
          "source": 1088229,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "URL parsing in node-forge could lead to undesired behavior.",
          "url": "https://github.com/advisories/GHSA-gf8q-jrpm-jvxq",
          "severity": "low",
          "cwe": [
            "CWE-601"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<1.0.0"
        },
        {
          "source": 1088746,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "Improper Verification of Cryptographic Signature in `node-forge`",
          "url": "https://github.com/advisories/GHSA-2r2c-g63r-vccr",
          "severity": "moderate",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<1.3.0"
        },
        {
          "source": 1093719,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "Open Redirect in node-forge",
          "url": "https://github.com/advisories/GHSA-8fr3-hfg3-gpgp",
          "severity": "moderate",
          "cwe": [
            "CWE-601"
          ],
          "cvss": {
            "score": 6.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
          },
          "range": "<1.0.0"
        },
        {
          "source": 1102317,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "Prototype Pollution in node-forge",
          "url": "https://github.com/advisories/GHSA-92xj-mqp7-vmcj",
          "severity": "high",
          "cwe": [
            "CWE-915",
            "CWE-1321"
          ],
          "cvss": {
            "score": 8.8,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "range": "<0.10.0"
        },
        {
          "source": 1102321,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "Improper Verification of Cryptographic Signature in node-forge",
          "url": "https://github.com/advisories/GHSA-x4jg-mjrx-434g",
          "severity": "high",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": "<1.3.0"
        },
        {
          "source": 1102322,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "Improper Verification of Cryptographic Signature in node-forge",
          "url": "https://github.com/advisories/GHSA-cfm4-qjh2-4765",
          "severity": "high",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": "<1.3.0"
        },
        {
          "source": 1110996,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "node-forge has ASN.1 Unbounded Recursion",
          "url": "https://github.com/advisories/GHSA-554w-wpv2-vw27",
          "severity": "high",
          "cwe": [
            "CWE-674"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<1.3.2"
        },
        {
          "source": 1110998,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization",
          "url": "https://github.com/advisories/GHSA-5gfm-wpxj-wjgq",
          "severity": "high",
          "cwe": [
            "CWE-436"
          ],
          "cvss": {
            "score": 8.6,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"
          },
          "range": "<1.3.2"
        },
        {
          "source": 1111068,
          "name": "node-forge",
          "dependency": "node-forge",
          "title": "node-forge is vulnerable to ASN.1 OID Integer Truncation",
          "url": "https://github.com/advisories/GHSA-65ch-62r8-g69g",
          "severity": "moderate",
          "cwe": [
            "CWE-190"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<1.3.2"
        }
      ],
      "effects": [],
      "range": "<=1.3.1",
      "nodes": [
        "node_modules/firebase-admin/node_modules/node-forge",
        "node_modules/node-forge"
      ],
      "fixAvailable": true
    },
    "on-headers": {
      "name": "on-headers",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1106812,
          "name": "on-headers",
          "dependency": "on-headers",
          "title": "on-headers is vulnerable to http response header manipulation",
          "url": "https://github.com/advisories/GHSA-76c9-3jph-rj3q",
          "severity": "low",
          "cwe": [
            "CWE-241"
          ],
          "cvss": {
            "score": 3.4,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<1.1.0"
        }
      ],
      "effects": [
        "compression"
      ],
      "range": "<1.1.0",
      "nodes": [
        "node_modules/on-headers"
      ],
      "fixAvailable": true
    },
    "preq": {
      "name": "preq",
      "severity": "high",
      "isDirect": true,
      "via": [
        "request",
        "requestretry"
      ],
      "effects": [],
      "range": "*",
      "nodes": [
        "node_modules/preq"
      ],
      "fixAvailable": false
    },
    "qs": {
      "name": "qs",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1111755,
          "name": "qs",
          "dependency": "qs",
          "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
          "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
          "severity": "high",
          "cwe": [
            "CWE-20"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<6.14.1"
        }
      ],
      "effects": [
        "body-parser",
        "express",
        "request"
      ],
      "range": "<6.14.1",
      "nodes": [
        "node_modules/qs",
        "node_modules/request/node_modules/qs"
      ],
      "fixAvailable": false
    },
    "request": {
      "name": "request",
      "severity": "critical",
      "isDirect": true,
      "via": [
        {
          "source": 1096727,
          "name": "request",
          "dependency": "request",
          "title": "Server-Side Request Forgery in Request",
          "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
          "severity": "moderate",
          "cwe": [
            "CWE-918"
          ],
          "cvss": {
            "score": 6.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
          },
          "range": "<=2.88.2"
        },
        "form-data",
        "qs",
        "tough-cookie"
      ],
      "effects": [
        "preq",
        "requestretry"
      ],
      "range": "*",
      "nodes": [
        "node_modules/request"
      ],
      "fixAvailable": false
    },
    "requestretry": {
      "name": "requestretry",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1090420,
          "name": "requestretry",
          "dependency": "requestretry",
          "title": "Cookie exposure in requestretry",
          "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45",
          "severity": "high",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
          },
          "range": "<7.0.0"
        },
        "request"
      ],
      "effects": [
        "preq"
      ],
      "range": "<=7.1.0",
      "nodes": [
        "node_modules/requestretry"
      ],
      "fixAvailable": false
    },
    "service-runner": {
      "name": "service-runner",
      "severity": "high",
      "isDirect": true,
      "via": [
        "limitation",
        "tar"
      ],
      "effects": [],
      "range": ">=3.0.0",
      "nodes": [
        "node_modules/service-runner"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "sinon": {
      "name": "sinon",
      "severity": "low",
      "isDirect": true,
      "via": [
        "diff"
      ],
      "effects": [],
      "range": "2.0.0-pre - 21.0.0",
      "nodes": [
        "node_modules/sinon"
      ],
      "fixAvailable": {
        "name": "sinon",
        "version": "21.0.1",
        "isSemVerMajor": true
      }
    },
    "tar": {
      "name": "tar",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1112255,
          "name": "tar",
          "dependency": "tar",
          "title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization",
          "url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<=7.5.2"
        }
      ],
      "effects": [
        "service-runner"
      ],
      "range": "<=7.5.2",
      "nodes": [
        "node_modules/tar"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "tough-cookie": {
      "name": "tough-cookie",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1097682,
          "name": "tough-cookie",
          "dependency": "tough-cookie",
          "title": "tough-cookie Prototype Pollution vulnerability",
          "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<4.1.3"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<4.1.3",
      "nodes": [
        "node_modules/tough-cookie"
      ],
      "fixAvailable": false
    },
    "ts-node": {
      "name": "ts-node",
      "severity": "low",
      "isDirect": true,
      "via": [
        "diff"
      ],
      "effects": [],
      "range": "<=1.4.3 || >=1.7.2",
      "nodes": [
        "node_modules/ts-node"
      ],
      "fixAvailable": {
        "name": "ts-node",
        "version": "1.7.1",
        "isSemVerMajor": true
      }
    },
    "wikimedia-kad-fork": {
      "name": "wikimedia-kad-fork",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "ms"
      ],
      "effects": [
        "limitation"
      ],
      "range": "*",
      "nodes": [
        "node_modules/wikimedia-kad-fork"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 7,
      "moderate": 5,
      "high": 11,
      "critical": 2,
      "total": 25
    },
    "dependencies": {
      "prod": 410,
      "dev": 417,
      "optional": 85,
      "peer": 0,
      "peerOptional": 0,
      "total": 910
    }
  }
}

--- end ---
$ /usr/bin/npm install
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'push-notifications@0.0.1',
npm WARN EBADENGINE   required: { node: '^18' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained.
npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated lodash.clone@4.5.0: This package is deprecated. Use structuredClone instead.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained.
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated preq@0.5.14: Deprecated as this is a wrapper around the deprecated request library. Preq can be replaced with fetch, which is available from Node 18 as an experimental feature.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated tar@6.2.1: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exhorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---

added 882 packages, and audited 883 packages in 39s

189 packages are looking for funding
  run `npm fund` for details

19 vulnerabilities (5 low, 4 moderate, 8 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
Upgrading n:eslint-config-wikimedia from ^0.28.1 -> 0.32.3
$ /usr/bin/npm install
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'push-notifications@0.0.1',
npm WARN EBADENGINE   required: { node: '^18' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---

added 31 packages, removed 7 packages, changed 11 packages, and audited 907 packages in 6s

201 packages are looking for funding
  run `npm fund` for details

19 vulnerabilities (5 low, 4 moderate, 8 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
$ ./node_modules/.bin/eslint . --fix
--- stderr ---
Oops! Something went wrong! :(

ESLint: 8.57.1

ESLint couldn't find the plugin "eslint-plugin-json".

(The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

    npm install eslint-plugin-json@latest --save-dev

The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.
--- stdout ---

--- end ---
$ ./node_modules/.bin/eslint . -f json
--- stderr ---
Oops! Something went wrong! :(

ESLint: 8.57.1

ESLint couldn't find the plugin "eslint-plugin-json".

(The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

    npm install eslint-plugin-json@latest --save-dev

The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.
--- stdout ---

--- end ---
Traceback (most recent call last):
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1304, in main
    libup.run()
    ~~~~~~~~~^^
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1238, in run
    self.npm_upgrade(plan)
    ~~~~~~~~~~~~~~~~^^^^^^
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1099, in npm_upgrade
    hook(update)
    ~~~~^^^^^^^^
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1114, in _handle_eslint
    ESLintHandler(self.ctx).handle(update)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "/venv/lib/python3.13/site-packages/runner/handlers/eslint.py", line 309, in handle
    self.do_handle()
    ~~~~~~~~~~~~~~^^
  File "/venv/lib/python3.13/site-packages/runner/handlers/eslint.py", line 248, in do_handle
    errors = json.loads(
        self.check_call(
            eslint_binary + files + ["-f", "json"], ignore_returncode=True
        )
    )
  File "/usr/lib/python3.13/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib/python3.13/json/decoder.py", line 345, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/json/decoder.py", line 363, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Source code is licensed under the AGPL.