This run took 31 seconds.
$ date
--- stdout ---
Thu Feb 26 17:22:34 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-MultiMaps.git /src/repo --depth=1 -b REL1_45
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_45
--- stdout ---
d82aa6dacf1075e949a5433ee48a5e6b8ac52abc refs/heads/REL1_45
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"minimatch"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
}
],
"effects": [
"grunt"
],
"range": "<3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 3,
"critical": 0,
"total": 3
},
"dependencies": {
"prod": 1,
"dev": 350,
"optional": 6,
"peer": 7,
"peerOptional": 0,
"total": 350
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 20 installs, 0 updates, 0 removals
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.9)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.0)
- Locking mediawiki/mediawiki-codesniffer (v48.0.0)
- Locking mediawiki/minus-x (1.1.3)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.4.0)
- Locking phpcsstandards/phpcsutils (1.1.1)
- Locking psr/container (2.0.2)
- Locking squizlabs/php_codesniffer (3.13.2)
- Locking symfony/console (v7.4.6)
- Locking symfony/deprecation-contracts (v3.6.0)
- Locking symfony/polyfill-ctype (v1.33.0)
- Locking symfony/polyfill-intl-grapheme (v1.33.0)
- Locking symfony/polyfill-intl-normalizer (v1.33.0)
- Locking symfony/polyfill-mbstring (v1.33.0)
- Locking symfony/service-contracts (v3.6.1)
- Locking symfony/string (v8.0.6)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 20 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.2): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.0): Extracting archive
- Installing phpcsstandards/phpcsutils (1.1.1): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.33.0): Extracting archive
- Installing composer/spdx-licenses (1.5.9): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v48.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.33.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.33.0): Extracting archive
- Installing symfony/string (v8.0.6): Extracting archive
- Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.6.1): Extracting archive
- Installing symfony/console (v7.4.6): Extracting archive
- Installing mediawiki/minus-x (1.1.3): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/18 [>---------------------------] 0%
18/18 [============================] 100%
Generating autoload files
14 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"minimatch"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
}
],
"effects": [
"grunt"
],
"range": "<3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 3,
"critical": 0,
"total": 3
},
"dependencies": {
"prod": 1,
"dev": 350,
"optional": 6,
"peer": 7,
"peerOptional": 0,
"total": 350
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 350,
"removed": 0,
"changed": 0,
"audited": 351,
"funding": 82,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"minimatch"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
}
],
"effects": [
"grunt"
],
"range": "<3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 3,
"critical": 0,
"total": 3
},
"dependencies": {
"prod": 1,
"dev": 350,
"optional": 6,
"peer": 7,
"peerOptional": 0,
"total": 350
}
}
}
}
--- end ---
{"added": 350, "removed": 0, "changed": 0, "audited": 351, "funding": 82, "audit": {"auditReportVersion": 2, "vulnerabilities": {"grunt": {"name": "grunt", "severity": "high", "isDirect": true, "via": ["minimatch"], "effects": ["grunt-eslint"], "range": ">=0.4.0-a", "nodes": ["node_modules/grunt"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "grunt-eslint": {"name": "grunt-eslint", "severity": "high", "isDirect": true, "via": ["grunt"], "effects": [], "range": "<=1.0.0 || >=18.1.0", "nodes": ["node_modules/grunt-eslint"], "fixAvailable": {"name": "grunt-eslint", "version": "18.0.0", "isSemVerMajor": true}}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}], "effects": ["grunt"], "range": "<3.1.3", "nodes": ["node_modules/minimatch"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 3, "critical": 0, "total": 3}, "dependencies": {"prod": 1, "dev": 350, "optional": 6, "peer": 7, "peerOptional": 0, "total": 350}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 350 packages, and audited 351 packages in 4s
82 packages are looking for funding
run `npm fund` for details
# npm audit report
minimatch <3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
fix available via `npm audit fix --force`
Will install grunt@0.3.17, which is a breaking change
node_modules/minimatch
grunt >=0.4.0-a
Depends on vulnerable versions of minimatch
node_modules/grunt
grunt-eslint <=1.0.0 || >=18.1.0
Depends on vulnerable versions of grunt
node_modules/grunt-eslint
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 350 packages, and audited 351 packages in 4s
82 packages are looking for funding
run `npm fund` for details
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> grunt test
Running "eslint:all" (eslint) task
/src/repo/resources/multimaps.js
48:10 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
48:33 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
49:6 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
49:28 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
/src/repo/services/Google/ext.google.js
18:7 warning 'options' is never reassigned. Use 'const' instead prefer-const
23:1 warning This line has a length of 108. Maximum allowed is 100 max-len
26:1 warning This line has a length of 109. Maximum allowed is 100 max-len
32:1 warning This line has a length of 118. Maximum allowed is 100 max-len
35:1 warning This line has a length of 119. Maximum allowed is 100 max-len
49:8 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
50:19 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
80:27 warning 'value' is never reassigned. Use 'const' instead prefer-const
82:1 warning This line has a length of 108. Maximum allowed is 100 max-len
85:3 warning 'marker' is never reassigned. Use 'const' instead prefer-const
96:1 warning This line has a length of 105. Maximum allowed is 100 max-len
96:32 warning 'latlngs' is never reassigned. Use 'const' instead prefer-const
96:46 warning 'value' is never reassigned. Use 'const' instead prefer-const
99:1 warning This line has a length of 103. Maximum allowed is 100 max-len
104:3 warning 'polyline' is never reassigned. Use 'const' instead prefer-const
114:40 warning 'value' is never reassigned. Use 'const' instead prefer-const
116:3 warning 'latlngs' is never reassigned. Use 'const' instead prefer-const
118:1 warning This line has a length of 103. Maximum allowed is 100 max-len
123:3 warning 'polygon' is never reassigned. Use 'const' instead prefer-const
133:27 warning 'value' is never reassigned. Use 'const' instead prefer-const
135:1 warning This line has a length of 106. Maximum allowed is 100 max-len
138:3 warning 'circle' is never reassigned. Use 'const' instead prefer-const
148:38 warning 'value' is never reassigned. Use 'const' instead prefer-const
150:3 warning 'bounds' is never reassigned. Use 'const' instead prefer-const
156:3 warning 'rectangle' is never reassigned. Use 'const' instead prefer-const
166:15 warning 'mapOptions' is never reassigned. Use 'const' instead prefer-const
178:3 warning 'map' is never reassigned. Use 'const' instead prefer-const
236:4 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
/src/repo/services/Leaflet/ext.leaflet.js
14:1 warning This line has a length of 108. Maximum allowed is 100 max-len
18:7 warning 'options' is never reassigned. Use 'const' instead prefer-const
50:8 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
51:19 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
81:1 warning This line has a length of 108. Maximum allowed is 100 max-len
84:15 warning 'value' is never reassigned. Use 'const' instead prefer-const
86:3 warning 'marker' is never reassigned. Use 'const' instead prefer-const
94:20 warning 'latlngs' is never reassigned. Use 'const' instead prefer-const
95:4 warning 'value' is never reassigned. Use 'const' instead prefer-const
101:3 warning 'polyline' is never reassigned. Use 'const' instead prefer-const
109:19 warning 'latlngs' is never reassigned. Use 'const' instead prefer-const
110:4 warning 'value' is never reassigned. Use 'const' instead prefer-const
116:3 warning 'polygon' is never reassigned. Use 'const' instead prefer-const
124:15 warning 'value' is never reassigned. Use 'const' instead prefer-const
126:1 warning This line has a length of 120. Maximum allowed is 100 max-len
126:3 warning 'circle' is never reassigned. Use 'const' instead prefer-const
134:26 warning 'value' is never reassigned. Use 'const' instead prefer-const
136:3 warning 'bounds' is never reassigned. Use 'const' instead prefer-const
141:3 warning 'rectangle' is never reassigned. Use 'const' instead prefer-const
149:15 warning 'mapOptions' is never reassigned. Use 'const' instead prefer-const
158:3 warning 'map' is never reassigned. Use 'const' instead prefer-const
222:4 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
/src/repo/services/Yandex/ext.yandex.js
36:1 warning This line has a length of 105. Maximum allowed is 100 max-len
48:8 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
49:19 warning ES2015 'Array.prototype.fill' method is forbidden es-x/no-array-prototype-fill
79:15 warning 'value' is never reassigned. Use 'const' instead prefer-const
81:1 warning This line has a length of 126. Maximum allowed is 100 max-len
81:3 warning 'marker' is never reassigned. Use 'const' instead prefer-const
86:20 warning 'latlngs' is never reassigned. Use 'const' instead prefer-const
86:34 warning 'value' is never reassigned. Use 'const' instead prefer-const
92:3 warning 'polyline' is never reassigned. Use 'const' instead prefer-const
97:19 warning 'latlngs' is never reassigned. Use 'const' instead prefer-const
97:33 warning 'value' is never reassigned. Use 'const' instead prefer-const
104:3 warning 'polygon' is never reassigned. Use 'const' instead prefer-const
109:15 warning 'value' is never reassigned. Use 'const' instead prefer-const
111:1 warning This line has a length of 151. Maximum allowed is 100 max-len
111:3 warning 'circle' is never reassigned. Use 'const' instead prefer-const
116:26 warning 'value' is never reassigned. Use 'const' instead prefer-const
118:1 warning This line has a length of 128. Maximum allowed is 100 max-len
118:3 warning 'bounds' is never reassigned. Use 'const' instead prefer-const
120:3 warning 'rectangle' is never reassigned. Use 'const' instead prefer-const
125:25 warning 'mapOptions' is never reassigned. Use 'const' instead prefer-const
132:3 warning 'mapState' is never reassigned. Use 'const' instead prefer-const
137:3 warning 'map' is never reassigned. Use 'const' instead prefer-const
197:4 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
✖ 77 problems (0 errors, 77 warnings)
Running "banana:all" (banana) task
>> 1 message directory checked.
Done.
--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
[DNM] there are no updates
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmp3dbq8lqi
--- stdout ---
On branch REL1_45
Your branch is up to date with 'origin/REL1_45'.
nothing to commit, working tree clean
--- end ---