This run took 27 seconds.
$ date
--- stdout ---
Tue Jan 20 05:27:06 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-services-restbase.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
f75ee582b714545fd70efbe097e4e6f9fd5cc722 refs/heads/master
--- end ---
$ /usr/bin/npm i --package-lock-only
--- stdout ---
up to date, audited 580 packages in 9s
87 packages are looking for funding
run `npm fund` for details
39 vulnerabilities (8 low, 10 moderate, 16 high, 5 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
Editing .gitignore to remove package-lock.json
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"busboy": {
"name": "busboy",
"severity": "high",
"isDirect": false,
"via": [
"dicer"
],
"effects": [
"hyperswitch"
],
"range": "<=0.3.1",
"nodes": [
"node_modules/busboy"
],
"fixAvailable": {
"name": "hyperswitch",
"version": "0.10.5",
"isSemVerMajor": true
}
},
"coveralls": {
"name": "coveralls",
"severity": "moderate",
"isDirect": true,
"via": [
"request"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/coveralls"
],
"fixAvailable": false
},
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
}
],
"effects": [
"foreground-child"
],
"range": "<6.0.6",
"nodes": [
"node_modules/foreground-child/node_modules/cross-spawn"
],
"fixAvailable": {
"name": "nyc",
"version": "17.1.0",
"isSemVerMajor": true
}
},
"debug": {
"name": "debug",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1096793,
"name": "debug",
"dependency": "debug",
"title": "Regular Expression Denial of Service in debug",
"url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=3.2.0 <3.2.7"
}
],
"effects": [
"mocha"
],
"range": "3.2.0 - 3.2.6",
"nodes": [
"node_modules/mocha/node_modules/debug"
],
"fixAvailable": {
"name": "mocha",
"version": "11.7.5",
"isSemVerMajor": true
}
},
"dicer": {
"name": "dicer",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1093150,
"name": "dicer",
"dependency": "dicer",
"title": "Crash in HeaderParser in dicer",
"url": "https://github.com/advisories/GHSA-wm7h-9275-46v2",
"severity": "high",
"cwe": [
"CWE-248"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.3.1"
}
],
"effects": [
"busboy"
],
"range": "*",
"nodes": [
"node_modules/dicer"
],
"fixAvailable": {
"name": "hyperswitch",
"version": "0.10.5",
"isSemVerMajor": true
}
},
"diff": {
"name": "diff",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1112148,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<8.0.3"
}
],
"effects": [
"mocha"
],
"range": "<8.0.3",
"nodes": [
"node_modules/diff"
],
"fixAvailable": {
"name": "mocha",
"version": "11.7.5",
"isSemVerMajor": true
}
},
"eslint": {
"name": "eslint",
"severity": "low",
"isDirect": true,
"via": [
"inquirer"
],
"effects": [
"eslint-config-wikimedia",
"eslint-plugin-jsdoc"
],
"range": "4.0.0-alpha.0 - 7.2.0",
"nodes": [
"node_modules/eslint"
],
"fixAvailable": {
"name": "eslint",
"version": "9.39.2",
"isSemVerMajor": true
}
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "low",
"isDirect": true,
"via": [
"eslint"
],
"effects": [],
"range": "0.9.0 - 0.15.3",
"nodes": [
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.32.3",
"isSemVerMajor": true
}
},
"eslint-plugin-jsdoc": {
"name": "eslint-plugin-jsdoc",
"severity": "low",
"isDirect": true,
"via": [
"eslint"
],
"effects": [],
"range": "8.4.4 - 24.0.6",
"nodes": [
"node_modules/eslint-plugin-jsdoc"
],
"fixAvailable": {
"name": "eslint-plugin-jsdoc",
"version": "62.2.0",
"isSemVerMajor": true
}
},
"external-editor": {
"name": "external-editor",
"severity": "low",
"isDirect": false,
"via": [
"tmp"
],
"effects": [
"inquirer"
],
"range": ">=1.1.1",
"nodes": [
"node_modules/external-editor"
],
"fixAvailable": {
"name": "eslint",
"version": "9.39.2",
"isSemVerMajor": true
}
},
"flat": {
"name": "flat",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1089152,
"name": "flat",
"dependency": "flat",
"title": "flat vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-2j2x-2gpw-g8fm",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<5.0.1"
}
],
"effects": [
"yargs-unparser"
],
"range": "<5.0.1",
"nodes": [
"node_modules/flat"
],
"fixAvailable": {
"name": "mocha",
"version": "11.7.5",
"isSemVerMajor": true
}
},
"foreground-child": {
"name": "foreground-child",
"severity": "high",
"isDirect": false,
"via": [
"cross-spawn"
],
"effects": [
"nyc",
"spawn-wrap"
],
"range": "1.5.2 - 1.5.6",
"nodes": [
"node_modules/foreground-child"
],
"fixAvailable": {
"name": "nyc",
"version": "17.1.0",
"isSemVerMajor": true
}
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": "<2.5.4",
"nodes": [
"node_modules/form-data"
],
"fixAvailable": false
},
"hyperswitch": {
"name": "hyperswitch",
"severity": "high",
"isDirect": true,
"via": [
"busboy",
"preq",
"swagger-ui-dist"
],
"effects": [],
"range": ">=0.1.0",
"nodes": [
"node_modules/hyperswitch"
],
"fixAvailable": {
"name": "hyperswitch",
"version": "0.10.5",
"isSemVerMajor": true
}
},
"inquirer": {
"name": "inquirer",
"severity": "low",
"isDirect": false,
"via": [
"external-editor"
],
"effects": [
"eslint"
],
"range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7",
"nodes": [
"node_modules/inquirer"
],
"fixAvailable": {
"name": "eslint",
"version": "9.39.2",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109801,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.14.2"
}
],
"effects": [
"mocha"
],
"range": "<3.14.2",
"nodes": [
"node_modules/mocha/node_modules/js-yaml"
],
"fixAvailable": {
"name": "mocha",
"version": "11.7.5",
"isSemVerMajor": true
}
},
"jsonwebtoken": {
"name": "jsonwebtoken",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1097690,
"name": "jsonwebtoken",
"dependency": "jsonwebtoken",
"title": "jsonwebtoken unrestricted key type could lead to legacy keys usage ",
"url": "https://github.com/advisories/GHSA-8cf7-32gw-wr33",
"severity": "high",
"cwe": [
"CWE-327"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=8.5.1"
},
{
"source": 1097694,
"name": "jsonwebtoken",
"dependency": "jsonwebtoken",
"title": "jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC",
"url": "https://github.com/advisories/GHSA-hjrf-2m68-5959",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-1259"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<=8.5.1"
},
{
"source": 1102458,
"name": "jsonwebtoken",
"dependency": "jsonwebtoken",
"title": "jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()",
"url": "https://github.com/advisories/GHSA-qwph-4952-7xr6",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-327",
"CWE-347"
],
"cvss": {
"score": 6.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L"
},
"range": "<9.0.0"
}
],
"effects": [],
"range": "<=8.5.1",
"nodes": [
"node_modules/jsonwebtoken"
],
"fixAvailable": {
"name": "jsonwebtoken",
"version": "9.0.3",
"isSemVerMajor": true
}
},
"limitation": {
"name": "limitation",
"severity": "moderate",
"isDirect": false,
"via": [
"wikimedia-kad-fork"
],
"effects": [],
"range": ">=0.2.3",
"nodes": [
"node_modules/limitation"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"mocha"
],
"range": "<3.0.5",
"nodes": [
"node_modules/mocha/node_modules/minimatch"
],
"fixAvailable": {
"name": "mocha",
"version": "11.7.5",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "critical",
"isDirect": true,
"via": [
"debug",
"diff",
"js-yaml",
"minimatch",
"yargs-unparser"
],
"effects": [],
"range": "0.14.0 - 12.0.0-beta-3",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "mocha",
"version": "11.7.5",
"isSemVerMajor": true
}
},
"ms": {
"name": "ms",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109573,
"name": "ms",
"dependency": "ms",
"title": "Vercel ms Inefficient Regular Expression Complexity vulnerability",
"url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<2.0.0"
}
],
"effects": [
"wikimedia-kad-fork"
],
"range": "<2.0.0",
"nodes": [
"node_modules/wikimedia-kad-fork/node_modules/ms"
],
"fixAvailable": true
},
"node-pre-gyp": {
"name": "node-pre-gyp",
"severity": "high",
"isDirect": false,
"via": [
"tar"
],
"effects": [
"sqlite3"
],
"range": "*",
"nodes": [
"node_modules/node-pre-gyp"
],
"fixAvailable": {
"name": "restbase-mod-table-sqlite",
"version": "0.1.0",
"isSemVerMajor": true
}
},
"nyc": {
"name": "nyc",
"severity": "high",
"isDirect": true,
"via": [
"foreground-child",
"spawn-wrap"
],
"effects": [],
"range": "3.2.1 - 5.0.1 || 6.2.0-alpha - 14.1.1",
"nodes": [
"node_modules/nyc"
],
"fixAvailable": {
"name": "nyc",
"version": "17.1.0",
"isSemVerMajor": true
}
},
"preq": {
"name": "preq",
"severity": "high",
"isDirect": true,
"via": [
"request",
"requestretry"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/preq"
],
"fixAvailable": false
},
"qs": {
"name": "qs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1111755,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "high",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.14.1"
}
],
"effects": [
"request"
],
"range": "<6.14.1",
"nodes": [
"node_modules/request/node_modules/qs"
],
"fixAvailable": false
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"qs",
"tough-cookie"
],
"effects": [
"coveralls",
"preq",
"requestretry"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"requestretry": {
"name": "requestretry",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090420,
"name": "requestretry",
"dependency": "requestretry",
"title": "Cookie exposure in requestretry",
"url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<7.0.0"
},
"request"
],
"effects": [
"preq"
],
"range": "<=7.1.0",
"nodes": [
"node_modules/requestretry"
],
"fixAvailable": false
},
"restbase-mod-table-cassandra": {
"name": "restbase-mod-table-cassandra",
"severity": "moderate",
"isDirect": true,
"via": [
"yargs"
],
"effects": [],
"range": ">=1.1.2",
"nodes": [
"node_modules/restbase-mod-table-cassandra"
],
"fixAvailable": {
"name": "restbase-mod-table-cassandra",
"version": "1.1.1",
"isSemVerMajor": true
}
},
"restbase-mod-table-sqlite": {
"name": "restbase-mod-table-sqlite",
"severity": "high",
"isDirect": true,
"via": [
"sqlite3"
],
"effects": [],
"range": ">=0.1.3",
"nodes": [
"node_modules/restbase-mod-table-sqlite"
],
"fixAvailable": {
"name": "restbase-mod-table-sqlite",
"version": "0.1.0",
"isSemVerMajor": true
}
},
"spawn-wrap": {
"name": "spawn-wrap",
"severity": "high",
"isDirect": false,
"via": [
"foreground-child"
],
"effects": [
"nyc"
],
"range": "1.3.2 - 1.4.3",
"nodes": [
"node_modules/spawn-wrap"
],
"fixAvailable": {
"name": "nyc",
"version": "17.1.0",
"isSemVerMajor": true
}
},
"sqlite3": {
"name": "sqlite3",
"severity": "high",
"isDirect": false,
"via": [
"node-pre-gyp"
],
"effects": [
"restbase-mod-table-sqlite"
],
"range": "2.2.0 - 5.0.2",
"nodes": [
"node_modules/sqlite3"
],
"fixAvailable": {
"name": "restbase-mod-table-sqlite",
"version": "0.1.0",
"isSemVerMajor": true
}
},
"swagger-ui-dist": {
"name": "swagger-ui-dist",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1088759,
"name": "swagger-ui-dist",
"dependency": "swagger-ui-dist",
"title": "Spoofing attack in swagger-ui-dist",
"url": "https://github.com/advisories/GHSA-6c9x-mj3g-h47x",
"severity": "moderate",
"cwe": [
"CWE-1021"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<4.1.3"
},
{
"source": 1092160,
"name": "swagger-ui-dist",
"dependency": "swagger-ui-dist",
"title": "Server side request forgery in SwaggerUI",
"url": "https://github.com/advisories/GHSA-qrmm-w75w-3wpx",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<4.1.3"
}
],
"effects": [
"hyperswitch"
],
"range": "<=4.1.2",
"nodes": [
"node_modules/swagger-ui-dist"
],
"fixAvailable": {
"name": "hyperswitch",
"version": "0.10.5",
"isSemVerMajor": true
}
},
"tar": {
"name": "tar",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
},
{
"source": 1112255,
"name": "tar",
"dependency": "tar",
"title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization",
"url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.2"
}
],
"effects": [
"node-pre-gyp"
],
"range": "<=7.5.2",
"nodes": [
"node_modules/tar"
],
"fixAvailable": {
"name": "restbase-mod-table-sqlite",
"version": "0.1.0",
"isSemVerMajor": true
}
},
"tmp": {
"name": "tmp",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109537,
"name": "tmp",
"dependency": "tmp",
"title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
"url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
"severity": "low",
"cwe": [
"CWE-59"
],
"cvss": {
"score": 2.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.2.3"
}
],
"effects": [
"external-editor"
],
"range": "<=0.2.3",
"nodes": [
"node_modules/tmp"
],
"fixAvailable": {
"name": "eslint",
"version": "9.39.2",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": false
},
"wikimedia-kad-fork": {
"name": "wikimedia-kad-fork",
"severity": "moderate",
"isDirect": false,
"via": [
"ms"
],
"effects": [
"limitation"
],
"range": "*",
"nodes": [
"node_modules/wikimedia-kad-fork"
],
"fixAvailable": true
},
"yargs": {
"name": "yargs",
"severity": "moderate",
"isDirect": false,
"via": [
"yargs-parser"
],
"effects": [
"restbase-mod-table-cassandra"
],
"range": "8.0.0-candidate.0 - 12.0.5",
"nodes": [
"node_modules/restbase-mod-table-cassandra/node_modules/yargs"
],
"fixAvailable": {
"name": "restbase-mod-table-cassandra",
"version": "1.1.1",
"isSemVerMajor": true
}
},
"yargs-parser": {
"name": "yargs-parser",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1088811,
"name": "yargs-parser",
"dependency": "yargs-parser",
"title": "yargs-parser Vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-p9pc-299p-vxgp",
"severity": "moderate",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
},
"range": ">=6.0.0 <13.1.2"
}
],
"effects": [
"yargs"
],
"range": "6.0.0 - 13.1.1",
"nodes": [
"node_modules/restbase-mod-table-cassandra/node_modules/yargs-parser"
],
"fixAvailable": {
"name": "restbase-mod-table-cassandra",
"version": "1.1.1",
"isSemVerMajor": true
}
},
"yargs-unparser": {
"name": "yargs-unparser",
"severity": "critical",
"isDirect": false,
"via": [
"flat"
],
"effects": [
"mocha"
],
"range": "<=1.6.3",
"nodes": [
"node_modules/yargs-unparser"
],
"fixAvailable": {
"name": "mocha",
"version": "11.7.5",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 8,
"moderate": 10,
"high": 16,
"critical": 5,
"total": 39
},
"dependencies": {
"prod": 214,
"dev": 353,
"optional": 13,
"peer": 0,
"peerOptional": 0,
"total": 579
}
}
}
--- end ---
$ /usr/bin/npm install
--- stderr ---
npm WARN deprecated osenv@0.1.5: This package is no longer supported.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained.
npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated rimraf@2.6.3: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated npmlog@4.1.2: This package is no longer supported.
npm WARN deprecated lodash.clone@4.5.0: This package is deprecated. Use structuredClone instead.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated mkdirp@0.5.4: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained.
npm WARN deprecated are-we-there-yet@1.1.7: This package is no longer supported.
npm WARN deprecated glob@7.1.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated gc-stats@1.4.1: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
npm WARN deprecated preq@0.5.14: Deprecated as this is a wrapper around the deprecated request library. Preq can be replaced with fetch, which is available from Node 18 as an experimental feature.
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated gauge@2.7.4: This package is no longer supported.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated tar@4.4.19: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exhorbitant rates) by contacting i@izs.me
npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated eslint@5.16.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
npm ERR! code 1
npm ERR! path /src/repo/node_modules/sqlite3
npm ERR! command failed
npm ERR! command sh -c node-pre-gyp install --fallback-to-build
npm ERR! make: Entering directory '/src/repo/node_modules/sqlite3/build'
npm ERR! ACTION deps_sqlite3_gyp_action_before_build_target_unpack_sqlite_dep Release/obj/gen/sqlite-autoconf-3310100/sqlite3.c
npm ERR! make: Leaving directory '/src/repo/node_modules/sqlite3/build'
npm ERR! Failed to execute '/usr/bin/node /usr/share/nodejs/node-gyp/bin/node-gyp.js build --fallback-to-build --module=/src/repo/node_modules/sqlite3/lib/binding/node-v115-linux-x64/node_sqlite3.node --module_name=node_sqlite3 --module_path=/src/repo/node_modules/sqlite3/lib/binding/node-v115-linux-x64 --napi_version=9 --node_abi_napi=napi --napi_build_version=0 --node_napi_label=node-v115' (1)
npm ERR! node-pre-gyp info it worked if it ends with ok
npm ERR! node-pre-gyp info using node-pre-gyp@0.11.0
npm ERR! node-pre-gyp info using node@20.19.2 | linux | x64
npm ERR! node-pre-gyp WARN Using request for node-pre-gyp https download
npm ERR! node-pre-gyp info check checked for "/src/repo/node_modules/sqlite3/lib/binding/node-v115-linux-x64/node_sqlite3.node" (not found)
npm ERR! node-pre-gyp http GET https://mapbox-node-binary.s3.amazonaws.com/sqlite3/v4.2.0/node-v115-linux-x64.tar.gz
npm ERR! node-pre-gyp http 403 https://mapbox-node-binary.s3.amazonaws.com/sqlite3/v4.2.0/node-v115-linux-x64.tar.gz
npm ERR! node-pre-gyp WARN Tried to download(403): https://mapbox-node-binary.s3.amazonaws.com/sqlite3/v4.2.0/node-v115-linux-x64.tar.gz
npm ERR! node-pre-gyp WARN Pre-built binaries not found for sqlite3@4.2.0 and node@20.19.2 (node-v115 ABI, glibc) (falling back to source compile with node-gyp)
npm ERR! node-pre-gyp http 403 status code downloading tarball https://mapbox-node-binary.s3.amazonaws.com/sqlite3/v4.2.0/node-v115-linux-x64.tar.gz
npm ERR! gyp info it worked if it ends with ok
npm ERR! gyp info using node-gyp@11.1.0
npm ERR! gyp info using node@20.19.2 | linux | x64
npm ERR! gyp info ok
npm ERR! gyp info it worked if it ends with ok
npm ERR! gyp info using node-gyp@11.1.0
npm ERR! gyp info using node@20.19.2 | linux | x64
npm ERR! gyp info find Python using Python version 3.13.5 found at "/usr/bin/python3"
npm ERR! gyp info spawn /usr/bin/python3
npm ERR! gyp info spawn args [
npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/gyp/gyp_main.py',
npm ERR! gyp info spawn args 'binding.gyp',
npm ERR! gyp info spawn args '-f',
npm ERR! gyp info spawn args 'make',
npm ERR! gyp info spawn args '-I',
npm ERR! gyp info spawn args '/src/repo/node_modules/sqlite3/build/config.gypi',
npm ERR! gyp info spawn args '-I',
npm ERR! gyp info spawn args '/usr/share/nodejs/node-gyp/addon.gypi',
npm ERR! gyp info spawn args '-I',
npm ERR! gyp info spawn args '/usr/include/nodejs/common.gypi',
npm ERR! gyp info spawn args '-Dlibrary=shared_library',
npm ERR! gyp info spawn args '-Dvisibility=default',
npm ERR! gyp info spawn args '-Dnode_root_dir=/usr/include/nodejs',
npm ERR! gyp info spawn args '-Dnode_gyp_dir=/usr/share/nodejs/node-gyp',
npm ERR! gyp info spawn args '-Dnode_lib_file=/usr/include/nodejs/<(target_arch)/node.lib',
npm ERR! gyp info spawn args '-Dmodule_root_dir=/src/repo/node_modules/sqlite3',
npm ERR! gyp info spawn args '-Dnode_engine=v8',
npm ERR! gyp info spawn args '--depth=.',
npm ERR! gyp info spawn args '--no-parallel',
npm ERR! gyp info spawn args '--generator-output',
npm ERR! gyp info spawn args 'build',
npm ERR! gyp info spawn args '-Goutput_dir=.'
npm ERR! gyp info spawn args ]
npm ERR! gyp info ok
npm ERR! gyp info it worked if it ends with ok
npm ERR! gyp info using node-gyp@11.1.0
npm ERR! gyp info using node@20.19.2 | linux | x64
npm ERR! gyp info spawn make
npm ERR! gyp info spawn args [ 'BUILDTYPE=Release', '-C', 'build' ]
npm ERR! /bin/sh: 1: python: not found
npm ERR! make: *** [deps/action_before_build.target.mk:13: Release/obj/gen/sqlite-autoconf-3310100/sqlite3.c] Error 127
npm ERR! gyp ERR! build error
npm ERR! gyp ERR! stack Error: `make` failed with exit code: 2
npm ERR! gyp ERR! stack at ChildProcess.<anonymous> (/usr/share/nodejs/node-gyp/lib/build.js:216:23)
npm ERR! gyp ERR! System Linux 6.1.0-30-cloud-amd64
npm ERR! gyp ERR! command "/usr/bin/node" "/usr/share/nodejs/node-gyp/bin/node-gyp.js" "build" "--fallback-to-build" "--module=/src/repo/node_modules/sqlite3/lib/binding/node-v115-linux-x64/node_sqlite3.node" "--module_name=node_sqlite3" "--module_path=/src/repo/node_modules/sqlite3/lib/binding/node-v115-linux-x64" "--napi_version=9" "--node_abi_napi=napi" "--napi_build_version=0" "--node_napi_label=node-v115"
npm ERR! gyp ERR! cwd /src/repo/node_modules/sqlite3
npm ERR! gyp ERR! node -v v20.19.2
npm ERR! gyp ERR! node-gyp -v v11.1.0
npm ERR! gyp ERR! not ok
npm ERR! node-pre-gyp ERR! build error
npm ERR! node-pre-gyp ERR! stack Error: Failed to execute '/usr/bin/node /usr/share/nodejs/node-gyp/bin/node-gyp.js build --fallback-to-build --module=/src/repo/node_modules/sqlite3/lib/binding/node-v115-linux-x64/node_sqlite3.node --module_name=node_sqlite3 --module_path=/src/repo/node_modules/sqlite3/lib/binding/node-v115-linux-x64 --napi_version=9 --node_abi_napi=napi --napi_build_version=0 --node_napi_label=node-v115' (1)
npm ERR! node-pre-gyp ERR! stack at ChildProcess.<anonymous> (/src/repo/node_modules/node-pre-gyp/lib/util/compile.js:83:29)
npm ERR! node-pre-gyp ERR! stack at ChildProcess.emit (node:events:524:28)
npm ERR! node-pre-gyp ERR! stack at maybeClose (node:internal/child_process:1104:16)
npm ERR! node-pre-gyp ERR! stack at ChildProcess._handle.onexit (node:internal/child_process:304:5)
npm ERR! node-pre-gyp ERR! System Linux 6.1.0-30-cloud-amd64
npm ERR! node-pre-gyp ERR! command "/usr/bin/node" "/src/repo/node_modules/.bin/node-pre-gyp" "install" "--fallback-to-build"
npm ERR! node-pre-gyp ERR! cwd /src/repo/node_modules/sqlite3
npm ERR! node-pre-gyp ERR! node -v v20.19.2
npm ERR! node-pre-gyp ERR! node-pre-gyp -v v0.11.0
npm ERR! node-pre-gyp ERR! not ok
npm ERR! A complete log of this run can be found in:
npm ERR! /cache/_logs/2026-01-20T05_27_18_945Z-debug-0.log
--- stdout ---
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1304, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1231, in run
self.fix_remove_eslint_stylelint_if_grunt()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 770, in fix_remove_eslint_stylelint_if_grunt
self.check_call(["npm", "install"])
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/shell2.py", line 66, in check_call
res.check_returncode()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/subprocess.py", line 508, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
self.stderr)
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'install']' returned non-zero exit status 1.