mediawiki/services/chromium-render: main (log #2353814)

$ date
--- stdout ---
Thu Jan 29 16:12:52 UTC 2026

--- end ---
$ git clone file:///srv/git/mediawiki-services-chromium-render.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/master
--- stdout ---
ebd01ddb90d91337736480c34e7c9b50c0ec107f refs/heads/master

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@puppeteer/browsers": {
      "name": "@puppeteer/browsers",
      "severity": "high",
      "isDirect": false,
      "via": [
        "tar-fs"
      ],
      "effects": [
        "puppeteer-core"
      ],
      "range": "1.4.2 - 2.2.3",
      "nodes": [
        "node_modules/@puppeteer/browsers"
      ],
      "fixAvailable": {
        "name": "puppeteer-core",
        "version": "24.36.1",
        "isSemVerMajor": true
      }
    },
    "@typescript-eslint/utils": {
      "name": "@typescript-eslint/utils",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "eslint"
      ],
      "effects": [
        "eslint-plugin-jest"
      ],
      "range": "<=8.0.0-alpha.62",
      "nodes": [
        "node_modules/@typescript-eslint/utils"
      ],
      "fixAvailable": {
        "name": "eslint-config-wikimedia",
        "version": "0.8.1",
        "isSemVerMajor": true
      }
    },
    "body-parser": {
      "name": "body-parser",
      "severity": "high",
      "isDirect": true,
      "via": [
        "qs"
      ],
      "effects": [
        "express"
      ],
      "range": "<=1.20.3 || 2.0.0-beta.1 - 2.0.2",
      "nodes": [
        "node_modules/body-parser"
      ],
      "fixAvailable": true
    },
    "compression": {
      "name": "compression",
      "severity": "low",
      "isDirect": true,
      "via": [
        "on-headers"
      ],
      "effects": [],
      "range": "1.0.3 - 1.8.0",
      "nodes": [
        "node_modules/compression"
      ],
      "fixAvailable": true
    },
    "diff": {
      "name": "diff",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1112490,
          "name": "diff",
          "dependency": "diff",
          "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
          "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
          "severity": "low",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=5.0.0 <5.2.2"
        }
      ],
      "effects": [],
      "range": "5.0.0 - 5.2.1",
      "nodes": [
        "node_modules/diff"
      ],
      "fixAvailable": true
    },
    "eslint": {
      "name": "eslint",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1112686,
          "name": "eslint",
          "dependency": "eslint",
          "title": "eslint has a Stack Overflow when serializing objects with circular references",
          "url": "https://github.com/advisories/GHSA-p5wg-g6qr-c7cg",
          "severity": "moderate",
          "cwe": [
            "CWE-674"
          ],
          "cvss": {
            "score": 5.5,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": "<9.26.0"
        }
      ],
      "effects": [
        "@typescript-eslint/utils",
        "eslint-config-wikimedia",
        "eslint-plugin-compat",
        "eslint-plugin-jest",
        "eslint-plugin-jsdoc",
        "eslint-plugin-vue"
      ],
      "range": "<9.26.0",
      "nodes": [
        "node_modules/eslint"
      ],
      "fixAvailable": {
        "name": "eslint",
        "version": "9.39.2",
        "isSemVerMajor": true
      }
    },
    "eslint-config-wikimedia": {
      "name": "eslint-config-wikimedia",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "eslint",
        "eslint-plugin-compat",
        "eslint-plugin-jest",
        "eslint-plugin-jsdoc",
        "eslint-plugin-mediawiki"
      ],
      "effects": [],
      "range": ">=0.9.0",
      "nodes": [
        "node_modules/eslint-config-wikimedia"
      ],
      "fixAvailable": {
        "name": "eslint-config-wikimedia",
        "version": "0.8.1",
        "isSemVerMajor": true
      }
    },
    "eslint-plugin-compat": {
      "name": "eslint-plugin-compat",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "eslint"
      ],
      "effects": [
        "eslint-config-wikimedia"
      ],
      "range": "0.0.8-0 - 5.0.0",
      "nodes": [
        "node_modules/eslint-plugin-compat"
      ],
      "fixAvailable": {
        "name": "eslint-config-wikimedia",
        "version": "0.8.1",
        "isSemVerMajor": true
      }
    },
    "eslint-plugin-jest": {
      "name": "eslint-plugin-jest",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "@typescript-eslint/utils",
        "eslint"
      ],
      "effects": [
        "eslint-config-wikimedia"
      ],
      "range": "25.0.1 - 28.6.0",
      "nodes": [
        "node_modules/eslint-plugin-jest"
      ],
      "fixAvailable": {
        "name": "eslint-config-wikimedia",
        "version": "0.8.1",
        "isSemVerMajor": true
      }
    },
    "eslint-plugin-jsdoc": {
      "name": "eslint-plugin-jsdoc",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "eslint"
      ],
      "effects": [
        "eslint-config-wikimedia"
      ],
      "range": "8.4.4 - 46.9.1",
      "nodes": [
        "node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-jsdoc"
      ],
      "fixAvailable": {
        "name": "eslint-config-wikimedia",
        "version": "0.8.1",
        "isSemVerMajor": true
      }
    },
    "eslint-plugin-mediawiki": {
      "name": "eslint-plugin-mediawiki",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "eslint-plugin-vue"
      ],
      "effects": [
        "eslint-config-wikimedia"
      ],
      "range": "0.2.3 - 0.5.0",
      "nodes": [
        "node_modules/eslint-plugin-mediawiki"
      ],
      "fixAvailable": {
        "name": "eslint-config-wikimedia",
        "version": "0.8.1",
        "isSemVerMajor": true
      }
    },
    "eslint-plugin-vue": {
      "name": "eslint-plugin-vue",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "eslint"
      ],
      "effects": [
        "eslint-plugin-mediawiki"
      ],
      "range": "1.0.0 - 9.24.0",
      "nodes": [
        "node_modules/eslint-plugin-mediawiki/node_modules/eslint-plugin-vue"
      ],
      "fixAvailable": {
        "name": "eslint-config-wikimedia",
        "version": "0.8.1",
        "isSemVerMajor": true
      }
    },
    "express": {
      "name": "express",
      "severity": "high",
      "isDirect": true,
      "via": [
        "body-parser",
        "qs"
      ],
      "effects": [],
      "range": "2.5.8 - 2.5.11 || 3.2.1 - 3.2.3 || 4.0.0-rc1 - 4.21.2 || 5.0.0-alpha.1 - 5.0.1",
      "nodes": [
        "node_modules/express"
      ],
      "fixAvailable": true
    },
    "form-data": {
      "name": "form-data",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1109540,
          "name": "form-data",
          "dependency": "form-data",
          "title": "form-data uses unsafe random function in form-data for choosing boundary",
          "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
          "severity": "critical",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<2.5.4"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<2.5.4",
      "nodes": [
        "node_modules/form-data"
      ],
      "fixAvailable": false
    },
    "js-yaml": {
      "name": "js-yaml",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1109801,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "js-yaml has prototype pollution in merge (<<)",
          "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<3.14.2"
        },
        {
          "source": 1109802,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "js-yaml has prototype pollution in merge (<<)",
          "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": ">=4.0.0 <4.1.1"
        }
      ],
      "effects": [],
      "range": "<3.14.2 || >=4.0.0 <4.1.1",
      "nodes": [
        "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml",
        "node_modules/js-yaml",
        "node_modules/json-schema-ref-parser/node_modules/js-yaml",
        "node_modules/service-runner/node_modules/js-yaml",
        "node_modules/swagger-router/node_modules/js-yaml"
      ],
      "fixAvailable": true
    },
    "limitation": {
      "name": "limitation",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "wikimedia-kad-fork"
      ],
      "effects": [
        "service-runner"
      ],
      "range": ">=0.2.3",
      "nodes": [
        "node_modules/limitation"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "lodash": {
      "name": "lodash",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1112455,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
          "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
          },
          "range": ">=4.0.0 <=4.17.22"
        }
      ],
      "effects": [],
      "range": "4.0.0 - 4.17.21",
      "nodes": [
        "node_modules/lodash"
      ],
      "fixAvailable": true
    },
    "ms": {
      "name": "ms",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1109573,
          "name": "ms",
          "dependency": "ms",
          "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability",
          "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<2.0.0"
        }
      ],
      "effects": [
        "wikimedia-kad-fork"
      ],
      "range": "<2.0.0",
      "nodes": [
        "node_modules/wikimedia-kad-fork/node_modules/ms"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "on-headers": {
      "name": "on-headers",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1106812,
          "name": "on-headers",
          "dependency": "on-headers",
          "title": "on-headers is vulnerable to http response header manipulation",
          "url": "https://github.com/advisories/GHSA-76c9-3jph-rj3q",
          "severity": "low",
          "cwe": [
            "CWE-241"
          ],
          "cvss": {
            "score": 3.4,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<1.1.0"
        }
      ],
      "effects": [
        "compression"
      ],
      "range": "<1.1.0",
      "nodes": [
        "node_modules/on-headers"
      ],
      "fixAvailable": true
    },
    "preq": {
      "name": "preq",
      "severity": "high",
      "isDirect": true,
      "via": [
        "request",
        "requestretry"
      ],
      "effects": [],
      "range": "*",
      "nodes": [
        "node_modules/preq"
      ],
      "fixAvailable": false
    },
    "puppeteer-core": {
      "name": "puppeteer-core",
      "severity": "high",
      "isDirect": true,
      "via": [
        "@puppeteer/browsers",
        "ws"
      ],
      "effects": [],
      "range": "11.0.0 - 22.13.0",
      "nodes": [
        "node_modules/puppeteer-core"
      ],
      "fixAvailable": {
        "name": "puppeteer-core",
        "version": "24.36.1",
        "isSemVerMajor": true
      }
    },
    "qs": {
      "name": "qs",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1111755,
          "name": "qs",
          "dependency": "qs",
          "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
          "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
          "severity": "high",
          "cwe": [
            "CWE-20"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<6.14.1"
        }
      ],
      "effects": [
        "body-parser",
        "express",
        "request"
      ],
      "range": "<6.14.1",
      "nodes": [
        "node_modules/qs",
        "node_modules/request/node_modules/qs"
      ],
      "fixAvailable": false
    },
    "request": {
      "name": "request",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1096727,
          "name": "request",
          "dependency": "request",
          "title": "Server-Side Request Forgery in Request",
          "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
          "severity": "moderate",
          "cwe": [
            "CWE-918"
          ],
          "cvss": {
            "score": 6.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
          },
          "range": "<=2.88.2"
        },
        "form-data",
        "qs",
        "tough-cookie"
      ],
      "effects": [
        "preq",
        "requestretry"
      ],
      "range": "*",
      "nodes": [
        "node_modules/request"
      ],
      "fixAvailable": false
    },
    "requestretry": {
      "name": "requestretry",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1090420,
          "name": "requestretry",
          "dependency": "requestretry",
          "title": "Cookie exposure in requestretry",
          "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45",
          "severity": "high",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
          },
          "range": "<7.0.0"
        },
        "request"
      ],
      "effects": [
        "preq"
      ],
      "range": "<=7.1.0",
      "nodes": [
        "node_modules/requestretry"
      ],
      "fixAvailable": false
    },
    "service-runner": {
      "name": "service-runner",
      "severity": "high",
      "isDirect": true,
      "via": [
        "limitation",
        "tar"
      ],
      "effects": [],
      "range": ">=3.0.0",
      "nodes": [
        "node_modules/service-runner"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "tar": {
      "name": "tar",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1097493,
          "name": "tar",
          "dependency": "tar",
          "title": "Denial of service while parsing a tar file due to lack of folders count validation",
          "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
          "severity": "moderate",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": "<6.2.1"
        },
        {
          "source": 1112255,
          "name": "tar",
          "dependency": "tar",
          "title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization",
          "url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<=7.5.2"
        },
        {
          "source": 1112329,
          "name": "tar",
          "dependency": "tar",
          "title": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS",
          "url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w",
          "severity": "high",
          "cwe": [
            "CWE-176"
          ],
          "cvss": {
            "score": 8.8,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
          },
          "range": "<=7.5.3"
        },
        {
          "source": 1112659,
          "name": "tar",
          "dependency": "tar",
          "title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
          "url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v",
          "severity": "high",
          "cwe": [
            "CWE-22",
            "CWE-59"
          ],
          "cvss": {
            "score": 8.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
          },
          "range": "<7.5.7"
        }
      ],
      "effects": [
        "service-runner"
      ],
      "range": "<=7.5.6",
      "nodes": [
        "node_modules/tar"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "tar-fs": {
      "name": "tar-fs",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1109534,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball",
          "url": "https://github.com/advisories/GHSA-vj76-c3g6-qr5v",
          "severity": "high",
          "cwe": [
            "CWE-22",
            "CWE-61"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=3.0.0 <3.1.1"
        },
        {
          "source": 1109542,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs can extract outside the specified dir with a specific tarball",
          "url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=3.0.0 <3.0.9"
        },
        {
          "source": 1109551,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
          "url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": ">=3.0.0 <3.0.7"
        }
      ],
      "effects": [
        "@puppeteer/browsers"
      ],
      "range": "3.0.0 - 3.1.0",
      "nodes": [
        "node_modules/tar-fs"
      ],
      "fixAvailable": {
        "name": "puppeteer-core",
        "version": "24.36.1",
        "isSemVerMajor": true
      }
    },
    "tough-cookie": {
      "name": "tough-cookie",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1097682,
          "name": "tough-cookie",
          "dependency": "tough-cookie",
          "title": "tough-cookie Prototype Pollution vulnerability",
          "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<4.1.3"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<4.1.3",
      "nodes": [
        "node_modules/tough-cookie"
      ],
      "fixAvailable": false
    },
    "wikimedia-kad-fork": {
      "name": "wikimedia-kad-fork",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "ms"
      ],
      "effects": [
        "limitation"
      ],
      "range": "*",
      "nodes": [
        "node_modules/wikimedia-kad-fork"
      ],
      "fixAvailable": {
        "name": "service-runner",
        "version": "2.9.0",
        "isSemVerMajor": true
      }
    },
    "ws": {
      "name": "ws",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1098392,
          "name": "ws",
          "dependency": "ws",
          "title": "ws affected by a DoS when handling a request with many HTTP headers",
          "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q",
          "severity": "high",
          "cwe": [
            "CWE-476"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=8.0.0 <8.17.1"
        }
      ],
      "effects": [
        "puppeteer-core"
      ],
      "range": "8.0.0 - 8.17.0",
      "nodes": [
        "node_modules/ws"
      ],
      "fixAvailable": {
        "name": "puppeteer-core",
        "version": "24.36.1",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 3,
      "moderate": 14,
      "high": 11,
      "critical": 2,
      "total": 30
    },
    "dependencies": {
      "prod": 292,
      "dev": 394,
      "optional": 15,
      "peer": 1,
      "peerOptional": 0,
      "total": 699
    }
  }
}

--- end ---
$ /usr/bin/npm install
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'eslint-plugin-jsdoc@42.0.0',
npm WARN EBADENGINE   required: { node: '^14 || ^16 || ^17 || ^18 || ^19' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained.
npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated lodash.clone@4.5.0: This package is deprecated. Use structuredClone instead.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained.
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated preq@0.5.14: Deprecated as this is a wrapper around the deprecated request library. Preq can be replaced with fetch, which is available from Node 18 as an experimental feature.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated tar@4.4.19: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exhorbitant rates) by contacting i@izs.me
npm WARN deprecated json-schema-ref-parser@5.1.3: Please switch to @apidevtools/json-schema-ref-parser
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---

added 669 packages, and audited 670 packages in 19s

95 packages are looking for funding
  run `npm fund` for details

23 vulnerabilities (12 moderate, 9 high, 2 critical)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
Upgrading n:eslint from ^8.56.0 -> 8.57.0
Upgrading n:eslint-config-wikimedia from ^0.26.0 -> 0.32.3
$ /usr/bin/npm install
--- stderr ---
npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead
npm WARN deprecated eslint@8.57.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---

added 61 packages, removed 17 packages, changed 28 packages, and audited 714 packages in 8s

120 packages are looking for funding
  run `npm fund` for details

17 vulnerabilities (6 moderate, 9 high, 2 critical)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
$ ./node_modules/.bin/eslint . --fix
--- stderr ---
Oops! Something went wrong! :(

ESLint: 8.57.0

ESLint couldn't find the plugin "eslint-plugin-json".

(The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

    npm install eslint-plugin-json@latest --save-dev

The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.
--- stdout ---

--- end ---
$ ./node_modules/.bin/eslint . -f json
--- stderr ---
Oops! Something went wrong! :(

ESLint: 8.57.0

ESLint couldn't find the plugin "eslint-plugin-json".

(The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

    npm install eslint-plugin-json@latest --save-dev

The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.
--- stdout ---

--- end ---
Traceback (most recent call last):
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1304, in main
    libup.run()
    ~~~~~~~~~^^
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1238, in run
    self.npm_upgrade(plan)
    ~~~~~~~~~~~~~~~~^^^^^^
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1099, in npm_upgrade
    hook(update)
    ~~~~^^^^^^^^
  File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1114, in _handle_eslint
    ESLintHandler(self.ctx).handle(update)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "/venv/lib/python3.13/site-packages/runner/handlers/eslint.py", line 309, in handle
    self.do_handle()
    ~~~~~~~~~~~~~~^^
  File "/venv/lib/python3.13/site-packages/runner/handlers/eslint.py", line 248, in do_handle
    errors = json.loads(
        self.check_call(
            eslint_binary + files + ["-f", "json"], ignore_returncode=True
        )
    )
  File "/usr/lib/python3.13/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib/python3.13/json/decoder.py", line 345, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/json/decoder.py", line 363, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)