This run took 109 seconds.
$ date
--- stdout ---
Mon Mar 16 10:40:28 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-services-wikifeeds.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
8cd8caed22940339175325ff92d101145cbbaa03 refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
}
],
"effects": [
"pre-commit"
],
"range": "<6.0.6",
"nodes": [
"node_modules/pre-commit/node_modules/cross-spawn"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": "<2.5.4",
"nodes": [
"node_modules/request/node_modules/form-data"
],
"fixAvailable": false
},
"limitation": {
"name": "limitation",
"severity": "moderate",
"isDirect": false,
"via": [
"wikimedia-kad-fork"
],
"effects": [
"service-runner"
],
"range": ">=0.2.3",
"nodes": [
"node_modules/limitation"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": true,
"via": [
"serialize-javascript"
],
"effects": [],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "mocha",
"version": "7.2.0",
"isSemVerMajor": true
}
},
"ms": {
"name": "ms",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109573,
"name": "ms",
"dependency": "ms",
"title": "Vercel ms Inefficient Regular Expression Complexity vulnerability",
"url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<2.0.0"
}
],
"effects": [
"wikimedia-kad-fork"
],
"range": "<2.0.0",
"nodes": [
"node_modules/wikimedia-kad-fork/node_modules/ms"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"pre-commit": {
"name": "pre-commit",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn"
],
"effects": [],
"range": ">=1.1.0",
"nodes": [
"node_modules/pre-commit"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"preq": {
"name": "preq",
"severity": "high",
"isDirect": true,
"via": [
"request",
"requestretry"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/preq"
],
"fixAvailable": false
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"request"
],
"range": "<6.14.1",
"nodes": [
"node_modules/request/node_modules/qs"
],
"fixAvailable": false
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"qs",
"tough-cookie"
],
"effects": [
"preq",
"requestretry"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"requestretry": {
"name": "requestretry",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090420,
"name": "requestretry",
"dependency": "requestretry",
"title": "Cookie exposure in requestretry",
"url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<7.0.0"
},
"request"
],
"effects": [
"preq"
],
"range": "<=7.1.0",
"nodes": [
"node_modules/requestretry"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.2",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "mocha",
"version": "7.2.0",
"isSemVerMajor": true
}
},
"service-runner": {
"name": "service-runner",
"severity": "high",
"isDirect": true,
"via": [
"limitation",
"tar"
],
"effects": [],
"range": ">=3.0.0",
"nodes": [
"node_modules/service-runner"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"tar": {
"name": "tar",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
},
{
"source": 1112329,
"name": "tar",
"dependency": "tar",
"title": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS",
"url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w",
"severity": "high",
"cwe": [
"CWE-176"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
},
"range": "<=7.5.3"
},
{
"source": 1112659,
"name": "tar",
"dependency": "tar",
"title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-59"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
},
"range": "<7.5.7"
},
{
"source": 1113300,
"name": "tar",
"dependency": "tar",
"title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization",
"url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.2"
},
{
"source": 1113375,
"name": "tar",
"dependency": "tar",
"title": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",
"url": "https://github.com/advisories/GHSA-83g3-92jg-28cx",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
},
"range": "<7.5.8"
},
{
"source": 1114200,
"name": "tar",
"dependency": "tar",
"title": "tar has Hardlink Path Traversal via Drive-Relative Linkpath",
"url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-59"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.9"
},
{
"source": 1114302,
"name": "tar",
"dependency": "tar",
"title": "node-tar Symlink Path Traversal via Drive-Relative Linkpath",
"url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.10"
}
],
"effects": [
"service-runner"
],
"range": "<=7.5.10",
"nodes": [
"node_modules/tar"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": false
},
"wikimedia-kad-fork": {
"name": "wikimedia-kad-fork",
"severity": "moderate",
"isDirect": false,
"via": [
"ms"
],
"effects": [
"limitation"
],
"range": "*",
"nodes": [
"node_modules/wikimedia-kad-fork"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 5,
"high": 8,
"critical": 2,
"total": 15
},
"dependencies": {
"prod": 223,
"dev": 435,
"optional": 13,
"peer": 1,
"peerOptional": 0,
"total": 669
}
}
}
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
}
],
"effects": [
"pre-commit"
],
"range": "<6.0.6",
"nodes": [
"node_modules/pre-commit/node_modules/cross-spawn"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": "<2.5.4",
"nodes": [
"node_modules/request/node_modules/form-data"
],
"fixAvailable": false
},
"limitation": {
"name": "limitation",
"severity": "moderate",
"isDirect": false,
"via": [
"wikimedia-kad-fork"
],
"effects": [
"service-runner"
],
"range": ">=0.2.3",
"nodes": [
"node_modules/limitation"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": true,
"via": [
"serialize-javascript"
],
"effects": [],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "mocha",
"version": "7.2.0",
"isSemVerMajor": true
}
},
"ms": {
"name": "ms",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109573,
"name": "ms",
"dependency": "ms",
"title": "Vercel ms Inefficient Regular Expression Complexity vulnerability",
"url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<2.0.0"
}
],
"effects": [
"wikimedia-kad-fork"
],
"range": "<2.0.0",
"nodes": [
"node_modules/wikimedia-kad-fork/node_modules/ms"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"pre-commit": {
"name": "pre-commit",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn"
],
"effects": [],
"range": ">=1.1.0",
"nodes": [
"node_modules/pre-commit"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"preq": {
"name": "preq",
"severity": "high",
"isDirect": true,
"via": [
"request",
"requestretry"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/preq"
],
"fixAvailable": false
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"request"
],
"range": "<6.14.1",
"nodes": [
"node_modules/request/node_modules/qs"
],
"fixAvailable": false
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"qs",
"tough-cookie"
],
"effects": [
"preq",
"requestretry"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"requestretry": {
"name": "requestretry",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090420,
"name": "requestretry",
"dependency": "requestretry",
"title": "Cookie exposure in requestretry",
"url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<7.0.0"
},
"request"
],
"effects": [
"preq"
],
"range": "<=7.1.0",
"nodes": [
"node_modules/requestretry"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.2",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "mocha",
"version": "7.2.0",
"isSemVerMajor": true
}
},
"service-runner": {
"name": "service-runner",
"severity": "high",
"isDirect": true,
"via": [
"limitation",
"tar"
],
"effects": [],
"range": ">=3.0.0",
"nodes": [
"node_modules/service-runner"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"tar": {
"name": "tar",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
},
{
"source": 1112329,
"name": "tar",
"dependency": "tar",
"title": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS",
"url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w",
"severity": "high",
"cwe": [
"CWE-176"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
},
"range": "<=7.5.3"
},
{
"source": 1112659,
"name": "tar",
"dependency": "tar",
"title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-59"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
},
"range": "<7.5.7"
},
{
"source": 1113300,
"name": "tar",
"dependency": "tar",
"title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization",
"url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.2"
},
{
"source": 1113375,
"name": "tar",
"dependency": "tar",
"title": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",
"url": "https://github.com/advisories/GHSA-83g3-92jg-28cx",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
},
"range": "<7.5.8"
},
{
"source": 1114200,
"name": "tar",
"dependency": "tar",
"title": "tar has Hardlink Path Traversal via Drive-Relative Linkpath",
"url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-59"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.9"
},
{
"source": 1114302,
"name": "tar",
"dependency": "tar",
"title": "node-tar Symlink Path Traversal via Drive-Relative Linkpath",
"url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.10"
}
],
"effects": [
"service-runner"
],
"range": "<=7.5.10",
"nodes": [
"node_modules/tar"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": false
},
"wikimedia-kad-fork": {
"name": "wikimedia-kad-fork",
"severity": "moderate",
"isDirect": false,
"via": [
"ms"
],
"effects": [
"limitation"
],
"range": "*",
"nodes": [
"node_modules/wikimedia-kad-fork"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 5,
"high": 8,
"critical": 2,
"total": 15
},
"dependencies": {
"prod": 223,
"dev": 435,
"optional": 13,
"peer": 1,
"peerOptional": 0,
"total": 669
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 669,
"removed": 0,
"changed": 0,
"audited": 670,
"funding": 114,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
}
],
"effects": [
"pre-commit"
],
"range": "<6.0.6",
"nodes": [
"node_modules/pre-commit/node_modules/cross-spawn"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": "<2.5.4",
"nodes": [
"node_modules/request/node_modules/form-data"
],
"fixAvailable": false
},
"limitation": {
"name": "limitation",
"severity": "moderate",
"isDirect": false,
"via": [
"wikimedia-kad-fork"
],
"effects": [
"service-runner"
],
"range": ">=0.2.3",
"nodes": [
"node_modules/limitation"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": true,
"via": [
"serialize-javascript"
],
"effects": [],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "mocha",
"version": "7.2.0",
"isSemVerMajor": true
}
},
"ms": {
"name": "ms",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109573,
"name": "ms",
"dependency": "ms",
"title": "Vercel ms Inefficient Regular Expression Complexity vulnerability",
"url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<2.0.0"
}
],
"effects": [
"wikimedia-kad-fork"
],
"range": "<2.0.0",
"nodes": [
"node_modules/wikimedia-kad-fork/node_modules/ms"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"pre-commit": {
"name": "pre-commit",
"severity": "high",
"isDirect": true,
"via": [
"cross-spawn"
],
"effects": [],
"range": ">=1.1.0",
"nodes": [
"node_modules/pre-commit"
],
"fixAvailable": {
"name": "pre-commit",
"version": "1.0.10",
"isSemVerMajor": true
}
},
"preq": {
"name": "preq",
"severity": "high",
"isDirect": true,
"via": [
"request",
"requestretry"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/preq"
],
"fixAvailable": false
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"request"
],
"range": "<6.14.1",
"nodes": [
"node_modules/request/node_modules/qs"
],
"fixAvailable": false
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"qs",
"tough-cookie"
],
"effects": [
"preq",
"requestretry"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"requestretry": {
"name": "requestretry",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090420,
"name": "requestretry",
"dependency": "requestretry",
"title": "Cookie exposure in requestretry",
"url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<7.0.0"
},
"request"
],
"effects": [
"preq"
],
"range": "<=7.1.0",
"nodes": [
"node_modules/requestretry"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.2",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "mocha",
"version": "7.2.0",
"isSemVerMajor": true
}
},
"service-runner": {
"name": "service-runner",
"severity": "high",
"isDirect": true,
"via": [
"limitation",
"tar"
],
"effects": [],
"range": ">=3.0.0",
"nodes": [
"node_modules/service-runner"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"tar": {
"name": "tar",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
},
{
"source": 1112329,
"name": "tar",
"dependency": "tar",
"title": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS",
"url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w",
"severity": "high",
"cwe": [
"CWE-176"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"
},
"range": "<=7.5.3"
},
{
"source": 1112659,
"name": "tar",
"dependency": "tar",
"title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-59"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
},
"range": "<7.5.7"
},
{
"source": 1113300,
"name": "tar",
"dependency": "tar",
"title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization",
"url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.2"
},
{
"source": 1113375,
"name": "tar",
"dependency": "tar",
"title": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",
"url": "https://github.com/advisories/GHSA-83g3-92jg-28cx",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
},
"range": "<7.5.8"
},
{
"source": 1114200,
"name": "tar",
"dependency": "tar",
"title": "tar has Hardlink Path Traversal via Drive-Relative Linkpath",
"url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-59"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.9"
},
{
"source": 1114302,
"name": "tar",
"dependency": "tar",
"title": "node-tar Symlink Path Traversal via Drive-Relative Linkpath",
"url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=7.5.10"
}
],
"effects": [
"service-runner"
],
"range": "<=7.5.10",
"nodes": [
"node_modules/tar"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": false
},
"wikimedia-kad-fork": {
"name": "wikimedia-kad-fork",
"severity": "moderate",
"isDirect": false,
"via": [
"ms"
],
"effects": [
"limitation"
],
"range": "*",
"nodes": [
"node_modules/wikimedia-kad-fork"
],
"fixAvailable": {
"name": "service-runner",
"version": "2.9.0",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 5,
"high": 8,
"critical": 2,
"total": 15
},
"dependencies": {
"prod": 223,
"dev": 435,
"optional": 13,
"peer": 1,
"peerOptional": 0,
"total": 669
}
}
}
}
--- end ---
{"added": 669, "removed": 0, "changed": 0, "audited": 670, "funding": 114, "audit": {"auditReportVersion": 2, "vulnerabilities": {"cross-spawn": {"name": "cross-spawn", "severity": "high", "isDirect": false, "via": [{"source": 1104663, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<6.0.6"}], "effects": ["pre-commit"], "range": "<6.0.6", "nodes": ["node_modules/pre-commit/node_modules/cross-spawn"], "fixAvailable": {"name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true}}, "form-data": {"name": "form-data", "severity": "critical", "isDirect": false, "via": [{"source": 1109540, "name": "form-data", "dependency": "form-data", "title": "form-data uses unsafe random function in form-data for choosing boundary", "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4", "severity": "critical", "cwe": ["CWE-330"], "cvss": {"score": 0, "vectorString": null}, "range": "<2.5.4"}], "effects": ["request"], "range": "<2.5.4", "nodes": ["node_modules/request/node_modules/form-data"], "fixAvailable": false}, "limitation": {"name": "limitation", "severity": "moderate", "isDirect": false, "via": ["wikimedia-kad-fork"], "effects": ["service-runner"], "range": ">=0.2.3", "nodes": ["node_modules/limitation"], "fixAvailable": {"name": "service-runner", "version": "2.9.0", "isSemVerMajor": true}}, "mocha": {"name": "mocha", "severity": "high", "isDirect": true, "via": ["serialize-javascript"], "effects": [], "range": "8.0.0 - 12.0.0-beta-2", "nodes": ["node_modules/mocha"], "fixAvailable": {"name": "mocha", "version": "7.2.0", "isSemVerMajor": true}}, "ms": {"name": "ms", "severity": "moderate", "isDirect": false, "via": [{"source": 1109573, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<2.0.0"}], "effects": ["wikimedia-kad-fork"], "range": "<2.0.0", "nodes": ["node_modules/wikimedia-kad-fork/node_modules/ms"], "fixAvailable": {"name": "service-runner", "version": "2.9.0", "isSemVerMajor": true}}, "pre-commit": {"name": "pre-commit", "severity": "high", "isDirect": true, "via": ["cross-spawn"], "effects": [], "range": ">=1.1.0", "nodes": ["node_modules/pre-commit"], "fixAvailable": {"name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true}}, "preq": {"name": "preq", "severity": "high", "isDirect": true, "via": ["request", "requestretry"], "effects": [], "range": "*", "nodes": ["node_modules/preq"], "fixAvailable": false}, "qs": {"name": "qs", "severity": "moderate", "isDirect": false, "via": [{"source": 1113719, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", "severity": "moderate", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<6.14.1"}], "effects": ["request"], "range": "<6.14.1", "nodes": ["node_modules/request/node_modules/qs"], "fixAvailable": false}, "request": {"name": "request", "severity": "critical", "isDirect": false, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "form-data", "qs", "tough-cookie"], "effects": ["preq", "requestretry"], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": false}, "requestretry": {"name": "requestretry", "severity": "high", "isDirect": false, "via": [{"source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": ["CWE-200"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "range": "<7.0.0"}, "request"], "effects": ["preq"], "range": "<=7.1.0", "nodes": ["node_modules/requestretry"], "fixAvailable": false}, "serialize-javascript": {"name": "serialize-javascript", "severity": "high", "isDirect": false, "via": [{"source": 1113686, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()", "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", "severity": "high", "cwe": ["CWE-96"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<=7.0.2"}], "effects": ["mocha"], "range": "<=7.0.2", "nodes": ["node_modules/serialize-javascript"], "fixAvailable": {"name": "mocha", "version": "7.2.0", "isSemVerMajor": true}}, "service-runner": {"name": "service-runner", "severity": "high", "isDirect": true, "via": ["limitation", "tar"], "effects": [], "range": ">=3.0.0", "nodes": ["node_modules/service-runner"], "fixAvailable": {"name": "service-runner", "version": "2.9.0", "isSemVerMajor": true}}, "tar": {"name": "tar", "severity": "high", "isDirect": false, "via": [{"source": 1097493, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<6.2.1"}, {"source": 1112329, "name": "tar", "dependency": "tar", "title": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS", "url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w", "severity": "high", "cwe": ["CWE-176"], "cvss": {"score": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L"}, "range": "<=7.5.3"}, {"source": 1112659, "name": "tar", "dependency": "tar", "title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal", "url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v", "severity": "high", "cwe": ["CWE-22", "CWE-59"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"}, "range": "<7.5.7"}, {"source": 1113300, "name": "tar", "dependency": "tar", "title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization", "url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 0, "vectorString": null}, "range": "<=7.5.2"}, {"source": 1113375, "name": "tar", "dependency": "tar", "title": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction", "url": "https://github.com/advisories/GHSA-83g3-92jg-28cx", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}, "range": "<7.5.8"}, {"source": 1114200, "name": "tar", "dependency": "tar", "title": "tar has Hardlink Path Traversal via Drive-Relative Linkpath", "url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96", "severity": "high", "cwe": ["CWE-22", "CWE-59"], "cvss": {"score": 0, "vectorString": null}, "range": "<=7.5.9"}, {"source": 1114302, "name": "tar", "dependency": "tar", "title": "node-tar Symlink Path Traversal via Drive-Relative Linkpath", "url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 0, "vectorString": null}, "range": "<=7.5.10"}], "effects": ["service-runner"], "range": "<=7.5.10", "nodes": ["node_modules/tar"], "fixAvailable": {"name": "service-runner", "version": "2.9.0", "isSemVerMajor": true}}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["request"], "range": "<4.1.3", "nodes": ["node_modules/tough-cookie"], "fixAvailable": false}, "wikimedia-kad-fork": {"name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": ["ms"], "effects": ["limitation"], "range": "*", "nodes": ["node_modules/wikimedia-kad-fork"], "fixAvailable": {"name": "service-runner", "version": "2.9.0", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 5, "high": 8, "critical": 2, "total": 15}, "dependencies": {"prod": 223, "dev": 435, "optional": 13, "peer": 1, "peerOptional": 0, "total": 669}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated lodash.get@4.4.2: This package is deprecated. Use the optional chaining (?.) operator instead.
npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained.
npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated lodash.clone@4.5.0: This package is deprecated. Use structuredClone instead.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained.
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
npm WARN deprecated preq@0.5.14: Deprecated as this is a wrapper around the deprecated request library. Preq can be replaced with fetch, which is available from Node 18 as an experimental feature.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated eslint@8.57.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 664 packages, and audited 665 packages in 10s
114 packages are looking for funding
run `npm fund` for details
# npm audit report
cross-spawn <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install pre-commit@1.0.10, which is a breaking change
node_modules/pre-commit/node_modules/cross-spawn
pre-commit >=1.1.0
Depends on vulnerable versions of cross-spawn
node_modules/pre-commit
form-data <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
No fix available
node_modules/request/node_modules/form-data
request *
Depends on vulnerable versions of form-data
Depends on vulnerable versions of qs
Depends on vulnerable versions of tough-cookie
node_modules/request
preq *
Depends on vulnerable versions of request
Depends on vulnerable versions of requestretry
node_modules/preq
requestretry <=7.1.0
Depends on vulnerable versions of request
node_modules/requestretry
ms <2.0.0
Severity: moderate
Vercel ms Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-w9mr-4mfr-499f
fix available via `npm audit fix --force`
Will install service-runner@2.9.0, which is a breaking change
node_modules/wikimedia-kad-fork/node_modules/ms
wikimedia-kad-fork *
Depends on vulnerable versions of ms
node_modules/wikimedia-kad-fork
limitation >=0.2.3
Depends on vulnerable versions of wikimedia-kad-fork
node_modules/limitation
service-runner >=3.0.0
Depends on vulnerable versions of limitation
Depends on vulnerable versions of tar
node_modules/service-runner
qs <6.14.1
Severity: moderate
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
No fix available
node_modules/request/node_modules/qs
serialize-javascript <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install mocha@7.2.0, which is a breaking change
node_modules/serialize-javascript
mocha 8.0.0 - 12.0.0-beta-2
Depends on vulnerable versions of serialize-javascript
node_modules/mocha
tar <=7.5.10
Severity: high
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
fix available via `npm audit fix --force`
Will install service-runner@2.9.0, which is a breaking change
node_modules/tar
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie
15 vulnerabilities (5 moderate, 8 high, 2 critical)
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated lodash.get@4.4.2: This package is deprecated. Use the optional chaining (?.) operator instead.
npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained.
npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated lodash.clone@4.5.0: This package is deprecated. Use structuredClone instead.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained.
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
npm WARN deprecated preq@0.5.14: Deprecated as this is a wrapper around the deprecated request library. Preq can be replaced with fetch, which is available from Node 18 as an experimental feature.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated eslint@8.57.0: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 664 packages, and audited 665 packages in 9s
114 packages are looking for funding
run `npm fund` for details
15 vulnerabilities (5 moderate, 8 high, 2 critical)
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stderr ---
[baseline-browser-mapping] The data in this module is over two months old. To ensure accurate Baseline data, please update: `npm i baseline-browser-mapping@latest -D`
strict mode: missing type "object" for keyword "required" at "#/definitions/problem#" (strictTypes)
strict mode: missing type "object" for keyword "properties" at "#/definitions/problem#" (strictTypes)
--- stdout ---
> @wikimedia/wikifeeds@1.0.0 test
> npm run lint && PREQ_CONNECT_TIMEOUT=15 mocha --recursive
> @wikimedia/wikifeeds@1.0.0 lint
> eslint .
/src/repo/.eslintrc.json
1:1 warning Use the global form of 'use strict' strict
/src/repo/app.js
20:1 warning The type 'bluebird' is undefined jsdoc/no-undefined-types
64:37 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
136:1 warning The type 'Application' is undefined jsdoc/no-undefined-types
138:1 warning The type 'bluebird' is undefined jsdoc/no-undefined-types
150:31 warning Found non-literal argument in require security/detect-non-literal-require
197:1 warning The type 'Application' is undefined jsdoc/no-undefined-types
198:1 warning The type 'bluebird' is undefined jsdoc/no-undefined-types
236:1 warning The type 'bluebird' is undefined jsdoc/no-undefined-types
/src/repo/etc/dyk-sites.js
19:5 warning Missing JSDoc @return declaration jsdoc/require-returns
/src/repo/etc/news-sites.js
4:1 warning At most one access-control tag may be present on a JSDoc block jsdoc/check-access
5:1 warning @private should not have a bracketed type in "jsdoc" mode jsdoc/valid-types
6:1 warning @private should not have a bracketed type in "jsdoc" mode jsdoc/valid-types
50:1 warning Syntax error in type: {Object.<string, NewsSite>} jsdoc/valid-types
/src/repo/lib/announcements.js
30:1 warning Expected this semicolon to be at the end of the previous line semi-style
34:1 warning This line has a length of 123. Maximum allowed is 100 max-len
51:1 warning This line has a length of 134. Maximum allowed is 100 max-len
84:1 warning This line has a length of 119. Maximum allowed is 100 max-len
86:1 warning This line has a length of 118. Maximum allowed is 100 max-len
135:1 warning This line has a length of 123. Maximum allowed is 100 max-len
/src/repo/lib/api-util.js
296:1 warning The type 'Application' is undefined jsdoc/no-undefined-types
/src/repo/lib/did-you-know.js
20:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
21:1 warning Missing JSDoc @param "lang" type jsdoc/require-param-type
41:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
42:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
82:12 warning 'si' is already declared in the upper scope on line 8 column 7 no-shadow
97:20 warning 'result' is already declared in the upper scope on line 88 column 19 no-shadow
/src/repo/lib/featured.js
136:12 warning 'si' is already declared in the upper scope on line 12 column 7 no-shadow
/src/repo/lib/imageinfo.js
30:1 warning The type 'Bool' is undefined jsdoc/no-undefined-types
85:1 warning JSDoc @return declaration present but return expression not available in function jsdoc/require-returns-check
132:1 warning JSDoc @return declaration present but return expression not available in function jsdoc/require-returns-check
203:43 warning Array.prototype.map() expects a return value from arrow function array-callback-return
280:1 warning Syntax error in type: [type] jsdoc/valid-types
282:1 warning Syntax error in type: [type] jsdoc/valid-types
/src/repo/lib/most-read.js
81:1 warning At most one access-control tag may be present on a JSDoc block jsdoc/check-access
82:1 warning @public should not have a bracketed type in "jsdoc" mode jsdoc/valid-types
83:1 warning @public should not have a bracketed type in "jsdoc" mode jsdoc/valid-types
100:1 warning This line has a length of 122. Maximum allowed is 100 max-len
115:28 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
116:1 warning This line has a length of 112. Maximum allowed is 100 max-len
145:19 warning 'pageviews' is already declared in the upper scope on line 10 column 7 no-shadow
161:25 warning Array.prototype.map() expects a return value from arrow function array-callback-return
202:1 warning This line has a length of 148. Maximum allowed is 100 max-len
212:1 warning This line has a length of 113. Maximum allowed is 100 max-len
/src/repo/lib/news.js
15:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
73:12 warning 'si' is already declared in the upper scope on line 8 column 7 no-shadow
96:20 warning 'result' is already declared in the upper scope on line 80 column 19 no-shadow
/src/repo/lib/on-this-day.js
34:1 warning The type 'Integer' is undefined jsdoc/no-undefined-types
122:1 warning The type 'AnchorElement' is undefined jsdoc/no-undefined-types
123:1 warning The type 'Integer' is undefined jsdoc/no-undefined-types
128:12 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
141:1 warning The type 'AnchorElement' is undefined jsdoc/no-undefined-types
151:1 warning The type 'AnchorElement' is undefined jsdoc/no-undefined-types
172:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
184:1 warning The type 'AnchorElement' is undefined jsdoc/no-undefined-types
207:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
253:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
270:1 warning The type 'Integer' is undefined jsdoc/no-undefined-types
309:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
320:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
321:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
342:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
360:1 warning The type 'ListElement' is undefined jsdoc/no-undefined-types
380:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
412:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
426:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
440:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
454:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
468:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
483:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
484:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
543:1 warning Missing JSDoc @param "sendResponse" type jsdoc/require-param-type
/src/repo/lib/on-this-day.languages.js
28:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
30:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
32:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
60:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
62:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
64:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
100:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
102:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
104:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
128:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
130:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
132:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
156:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
158:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
160:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
189:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
191:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
193:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
217:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
219:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
221:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
245:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
247:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
249:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
273:13 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
275:13 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
277:13 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
301:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
303:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
305:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
335:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
337:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
339:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
362:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
364:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
366:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
390:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
392:11 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
418:13 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
420:13 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
422:13 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
/src/repo/lib/pageviews.js
36:1 warning At most one access-control tag may be present on a JSDoc block jsdoc/check-access
37:1 warning @private should not have a bracketed type in "jsdoc" mode jsdoc/valid-types
38:1 warning @private should not have a bracketed type in "jsdoc" mode jsdoc/valid-types
39:1 warning @private should not have a bracketed type in "jsdoc" mode jsdoc/valid-types
53:1 warning The type 'Platform' is undefined jsdoc/no-undefined-types
54:1 warning The type 'Agent' is undefined jsdoc/no-undefined-types
56:1 warning The type 'Granularity' is undefined jsdoc/no-undefined-types
71:1 warning The type 'Platform' is undefined jsdoc/no-undefined-types
/src/repo/lib/random.js
38:9 warning 'score' is already declared in the upper scope on line 31 column 10 no-shadow
55:1 warning Missing JSDoc @param "scoredResults" type jsdoc/require-param-type
/src/repo/lib/siteinfo.js
3:1 warning Use the global form of 'use strict' strict
10:29 warning Unsafe Regular Expression security/detect-unsafe-regex
/src/repo/lib/util.js
104:1 warning The type 'Application' is undefined jsdoc/no-undefined-types
142:1 warning The type 'Application' is undefined jsdoc/no-undefined-types
222:1 warning The type 'Router' is undefined jsdoc/no-undefined-types
280:1 warning JSDoc @return declaration present but return expression not available in function jsdoc/require-returns-check
293:1 warning JSDoc @return declaration present but return expression not available in function jsdoc/require-returns-check
306:1 warning JSDoc @return declaration present but return expression not available in function jsdoc/require-returns-check
378:1 warning The type 'Application' is undefined jsdoc/no-undefined-types
450:34 warning Default parameters should be last default-param-last
/src/repo/package-lock.json
1:1 warning Use the global form of 'use strict' strict
/src/repo/package.json
1:1 warning Use the global form of 'use strict' strict
/src/repo/scripts/check-featured-feed.js
49:35 warning 'feature' is already declared in the upper scope on line 212 column 7 no-shadow
82:44 warning 'feature' is already declared in the upper scope on line 212 column 7 no-shadow
107:34 warning 'feature' is already declared in the upper scope on line 212 column 7 no-shadow
150:30 warning 'feature' is already declared in the upper scope on line 212 column 7 no-shadow
217:5 warning Don't use process.exit(); throw an error instead n/no-process-exit
/src/repo/spec.yaml
228:1 warning This line has a length of 154. Maximum allowed is 100 max-len
232:1 warning This line has a length of 141. Maximum allowed is 100 max-len
866:1 warning This line has a length of 117. Maximum allowed is 100 max-len
871:1 warning This line has a length of 116. Maximum allowed is 100 max-len
876:1 warning This line has a length of 116. Maximum allowed is 100 max-len
881:1 warning This line has a length of 116. Maximum allowed is 100 max-len
886:1 warning This line has a length of 116. Maximum allowed is 100 max-len
938:1 warning This line has a length of 108. Maximum allowed is 100 max-len
955:1 warning This line has a length of 126. Maximum allowed is 100 max-len
956:1 warning This line has a length of 107. Maximum allowed is 100 max-len
962:1 warning This line has a length of 132. Maximum allowed is 100 max-len
969:1 warning This line has a length of 127. Maximum allowed is 100 max-len
971:1 warning This line has a length of 108. Maximum allowed is 100 max-len
972:1 warning This line has a length of 113. Maximum allowed is 100 max-len
973:1 warning This line has a length of 121. Maximum allowed is 100 max-len
977:1 warning This line has a length of 121. Maximum allowed is 100 max-len
981:1 warning This line has a length of 113. Maximum allowed is 100 max-len
985:1 warning This line has a length of 111. Maximum allowed is 100 max-len
991:1 warning This line has a length of 124. Maximum allowed is 100 max-len
995:1 warning This line has a length of 281. Maximum allowed is 100 max-len
1082:1 warning This line has a length of 144. Maximum allowed is 100 max-len
✖ 161 problems (0 errors, 161 warnings)
aggregated featured
starting test server
✔ should return 200 for a valid request (2035ms)
✔ should return 404 for an invalid year
✔ should return 404 for an invalid month
✔ should return 404 for an invalid day
✔ should return only historic keys for past date (613ms)
✔ should return current keys for today (1576ms)
✔ should return future keys for tomorrow (1270ms)
aggregate onthisday
✔ should return 200 for a valid request (6556ms)
✔ should return 404 for an invalid month (188ms)
✔ should return 404 for an invalid day (125ms)
✔ should return objects with the expected keys (6848ms)
express app
✔ should get robots.txt
✔ should set CORS headers
✔ should set CSP headers
✔ should get static content gzipped
✔ should get static content uncompressed
Swagger spec
✔ get the spec
✔ spec validation
validate responses against schema
- random response should conform to schema
✔ featured article response should conform to schema (207ms)
✔ featured image response should conform to schema (176ms)
✔ most-read response should conform to schema (459ms)
✔ news response should conform to schema (82ms)
✔ announcements should conform to schema
✔ onthisday response should conform to schema (9861ms)
✔ featured article response should conform to schema (invalid lang, agg=true)
✔ featured image response should conform to schema (invalid date, agg=true)
✔ most-read response should conform to schema (invalid date, agg=true)
✔ news response (invalid language, agg=true) should be empty
✔ featured article request should fail for invalid language when !agg=true
✔ featured image request should fail for invalid date when !agg=true
✔ most-read request should fail for invalid date when !agg=true
✔ news request should fail for invalid language when !agg=true
validate spec examples
✔ spec from root
✔ retrieve service info
✔ Retrieve feed content availability from \'wikipedia.org\'
✔ Retrieve announcements
✔ retrieve selected events on January 15 (1056ms)
✔ retrieve title of the featured article for April 29, 2016 (285ms)
✔ retrieve featured article info for unsupported site (with aggregated=true)
✔ retrieve featured image data for April 29, 2016 (936ms)
✔ retrieve the most read articles for January 1, 2016 (579ms)
✔ retrieve the most-read articles for January 1, 2016 (with aggregated=true) (510ms)
✔ retrieve most-read articles for date with no data (with aggregated=true)
✔ get 'In the News' content (146ms)
✔ get "In the News" content for unsupported language (with aggregated=true)
✔ retrieve a random article title (66ms)
did-you-know
✔ ar: results list should have expected properties (238ms)
✔ de: results list should have expected properties (172ms)
✔ en: results list should have expected properties
✔ hi: results list should have expected properties (170ms)
✔ pt: results list should have expected properties (154ms)
✔ ru: results list should have expected properties (156ms)
✔ uk: results list should have expected properties (125ms)
featured
✔ incomplete date should return 404
✔ extra uri path parameter after date should return 404
✔ Missing TFA should return 204 (170ms)
✔ Missing TFA with aggregated=true should return 204 (155ms)
✔ featured article of an old date should return 404
featured-image-lang
✔ bg description (1755ms)
✔ bn description (278ms)
✔ bs description (278ms)
✔ cs description (304ms)
✔ de description (198ms)
✔ el description (262ms)
✔ en description (193ms)
✔ fa description (295ms)
✔ he description (316ms)
✔ hu description (256ms)
✔ it description (265ms)
✔ ja description (298ms)
✔ la description (242ms)
✔ no description (258ms)
✔ sco description (279ms)
✔ sd description (294ms)
✔ sv description (263ms)
✔ tr description (288ms)
✔ ur description (240ms)
✔ vi description (251ms)
✔ zh description (258ms)
featured-image
✔ incomplete date should return 404
✔ extra uri path parameter after date should return 404
service information
✔ should get the service name
✔ should get the service version
✔ should redirect to the service home page
✔ should get the service info
most-read articles
✔ Should provide pageviews from day prior when aggregated flag is set (1546ms)
✔ Should drop duplicate pageviews (592ms)
1) Should filter out missing summaries
✔ Should return 204 for fywiki requests
✔ main page filtering RegExp should handle all main page title chars
✔ Should filter out blocked titles from some languages, but not others
✔ Should filter out certain blocked titles from all wikis
most-read articles
✔ Should return 200 even if title has invalid utf8 encoding (673ms)
✔ Should filter-out invalid utf8 encoding (38ms)
news headline selectors
✔ test news headlines should be general not categorical
✔ test news headline topics should be nonnull
✔ bs news headlines should be general not categorical
✔ bs news headline topics should be nonnull
✔ da news headlines should be general not categorical
✔ da news headline topics should be nonnull
✔ de news headlines should be general not categorical
✔ de news headline topics should be nonnull
✔ el news headlines should be general not categorical
✔ el news headline topics should be nonnull
✔ en news headlines should be general not categorical
✔ en news headline topics should be nonnull
✔ es news headlines should be general not categorical
✔ es news headline topics should be nonnull
✔ fi news headlines should be general not categorical
✔ fi news headline topics should be nonnull
✔ fr news headlines should be general not categorical
✔ fr news headline topics should be nonnull
✔ he news headlines should be general not categorical
✔ he news headline topics should be nonnull
✔ ko news headlines should be general not categorical
✔ ko news headline topics should be nonnull
✔ no news headlines should be general not categorical
✔ no news headline topics should be nonnull
✔ pl news headlines should be general not categorical
✔ pl news headline topics should be nonnull
✔ pt news headlines should be general not categorical
✔ pt news headline topics should be nonnull
✔ ru news headlines should be general not categorical
✔ ru news headline topics should be nonnull
✔ sco news headlines should be general not categorical
✔ sco news headline topics should be nonnull
✔ sv news headlines should be general not categorical
✔ sv news headline topics should be nonnull
✔ vi news headlines should be general not categorical
✔ vi news headline topics should be nonnull
✔ news headline topic should be the first bold link
✔ news headline topic should be the first link when no link is bolded
news
✔ test: results list should have expected properties (375ms)
✔ bs: results list should have expected properties (651ms)
✔ da: results list should have expected properties (742ms)
✔ de: results list should have expected properties (200ms)
✔ el: results list should have expected properties (154ms)
✔ en: results list should have expected properties (163ms)
✔ es: results list should have expected properties (261ms)
✔ fi: results list should have expected properties (514ms)
✔ fr: results list should have expected properties (488ms)
✔ he: results list should have expected properties (324ms)
✔ ko: results list should have expected properties (328ms)
✔ no: results list should have expected properties (253ms)
✔ pl: results list should have expected properties (307ms)
✔ pt: results list should have expected properties (3178ms)
✔ ru: results list should have expected properties (263ms)
✔ sco: results list should have expected properties (161ms)
✔ sv: results list should have expected properties (704ms)
✔ vi: results list should have expected properties (607ms)
onthisday
✔ all: unsupported language throws 404
✔ selected: unsupported language throws 404
✔ selected: fetches some results (672ms)
✔ births: unsupported language throws 404
✔ births: fetches some results (5542ms)
✔ deaths: unsupported language throws 404
✔ deaths: fetches some results (1708ms)
✔ events: unsupported language throws 404
✔ events: fetches some results (2249ms)
✔ holidays: unsupported language throws 404
✔ holidays: fetches some results (631ms)
✔ "all" fetches some results for births, deaths, events, holidays and selected (2601ms)
✔ verify contents in events (2825ms)
random/title
✔ pickBestResult should select best-scored title from sample
✔ redirects to the right format with random title - html (72ms)
✔ redirects to the right format with random title - invalid format
✔ returns 404 for yue.wikipedia.org
stopping test server
lib:announcements
✔ should return no announcement for inactive wiki
✔ should return one or more announcements for active wiki
lib:announcements:etc
✔ should return no image_url
✔ should return correct type
✔ countries is an array of strings
✔ should not deliver HTML in certain legacy iOS announcements fields
✔ iOS legacy fundraising announcement should have the proper platform ID
✔ iOS fundraising announcement should have the proper platform ID
✔ should deliver HTML in certain V2 announcements fields
✔ caption_HTML on iOS should be inside a paragraph
✔ caption_HTML on Android should not be inside a paragraph
✔ should return no image_url
✔ should return correct type
✔ countries is an array of strings
✔ should not deliver HTML in certain legacy iOS announcements fields
✔ iOS legacy fundraising announcement should have the proper platform ID
✔ iOS fundraising announcement should have the proper platform ID
✔ should deliver HTML in certain V2 announcements fields
✔ caption_HTML on iOS should be inside a paragraph
✔ caption_HTML on Android should not be inside a paragraph
✔ should return no image_url
✔ should return correct type
✔ countries is an array of strings
✔ should not deliver HTML in certain legacy iOS announcements fields
✔ iOS legacy fundraising announcement should have the proper platform ID
✔ iOS fundraising announcement should have the proper platform ID
✔ should deliver HTML in certain V2 announcements fields
✔ caption_HTML on iOS should be inside a paragraph
✔ caption_HTML on Android should not be inside a paragraph
✔ should return no image_url
✔ should return correct type
✔ countries is an array of strings
✔ should not deliver HTML in certain legacy iOS announcements fields
✔ iOS legacy fundraising announcement should have the proper platform ID
✔ iOS fundraising announcement should have the proper platform ID
✔ should deliver HTML in certain V2 announcements fields
✔ caption_HTML on iOS should be inside a paragraph
✔ caption_HTML on Android should not be inside a paragraph
✔ buildId should not return lower case characters
✔ buildId should not return lower case characters
✔ buildId should not return lower case characters
✔ buildId should not return lower case characters
✔ buildId should not return lower case characters
✔ buildId should not return lower case characters
✔ buildId should not return lower case characters
.hasEnded
✔ invalid endTime
✔ endTime has passed
✔ endTime has not passed yet
announcements-unit-config
✔ all dates should be valid
MW core page HTML
✔ fetches the core page html output only with title in params
✔ fetches the core page html output with revision in params
featured-unit
✔ isSupported should return the correct boolean
✔ findPageTitle should find the first bold link: a inside b
✔ findPageTitle should find the first bold link: b inside a
✔ findPageTitle should return undefined if nothing found
featured-image-unit
✔ structureExtMetadataValue returns description for preferred lang if present
✔ structureExtMetadataValue falls back to en description if preferred lang not present
✔ structureExtMetadataValue returns lang undefined for type of value equals to string
✔ structureExtMetadataValue returns undefined for undefined input
news-unit
✔ news story constructed correctly (duplicate titles handled correctly)
✔ floating spans are removed
onthisday-unit
✔ eventsForYearListElements returns a WMFEvent for only year list elements
✔ Sort year list events in correct BC[E] aware manner
page title generation: titleForDayPageFromMonthDayNumberStrings
✔ 1 digit mm and 1 digit dd
✔ 0 padded mm and 1 digit dd
✔ 0 padded mm and 0 padded dd
day page URI generation: dayTitleForRequest
✔ returns expected title for 0 padded month and 2 digit day
✔ returns expected title for 2 digit month and 0 padded day
✔ returns expected title for 1 digit month and 1 digit day
selected page URI generation: selectedTitleForRequest
✔ returns expected title for 0 padded month and 2 digit day
✔ returns expected title for 2 digit month and 0 padded day
✔ returns expected title for 1 digit month and 1 digit day
anchor to WMFPage transforms: wmfPageFromAnchorElement
✔ WMFPage model object is correctly created from a topic anchor
✔ WMFPage model object is correctly created from a non-topic anchor
wmfEventFromListElement: WMFEvent model object is correctly created
✔ from a selected list element
✔ from a birth list element
✔ from an event list element
✔ from a death list element
✔ from a birth list element
✔ from a selected div element on zhwiki
✔ wmfEventFromListElement should return null for elements not describing events
wmfHolidayFromListElement: WMFHoliday model object is correctly created
✔ WMFHoliday model object is correctly created from a holiday list element
yearListElementRegEx
✔ rejects malformed BC strings
✔ accepts well formed BC strings
✔ accepts well formed BCE strings
✔ accepts well formed CE strings
✔ accepts well formed year strings (no BCE/AD/CE)
✔ accepts well formed AD strings
✔ extracts expected BC/BCE strings
✔ extracts expected BC/BCE strings in Chinese
✔ AD strings should not be negated
✔ rejects non year list strings
✔ rejects strings missing text
listElementsByHeadingID extracts expected number of births from
✔ DE fixture (55ms)
✔ EN fixture (47ms)
✔ AR fixture
✔ BS fixture
nested list element handling
✔ listElementsByHeadingID extracts expected number of holidays from EN fixture
✔ expected textContent for a list item NOT nested within another list item
✔ expected textContent for a list item nested within another list item
✔ expected textContent for list items nested within a year-dash list item
✔ expected textContent for list items nested within a year list item (no dash)
addPrefixFromAncestorListElementsToListElement
✔ expected extraction from ancestor year element
✔ expected extraction from multiline ancestor year element
✔ expected extraction from ancestor year element with dash
✔ expected extraction from ancestor year element with dash space
✔ expected extraction from multiline ancestor year element with dash
✔ expected extraction from multiline non-year ancestor
✔ expected extraction from double-nested list element
✔ expected extraction from triple-nested list element
✔ expected extraction from nested Russian list element with "год"
✔ Prefixed text content from ancestor element is escaped
isAnchorForYear
✔ correctly identifies anchor linking to year article
✔ correctly rejects anchor linking article starting with a year
✔ correctly rejects anchor linking article starting with a number
✔ correctly rejects anchor linking article not starting with a year
✔ correctly identifies anchor linking to year article with an era string
✔ correctly identifies anchor linking to year article with era string w/o space
non-article urls should be excluded
✔ exclude external url from WMFHoliday pages
✔ exclude external url from WMFEvent pages
✔ exclude redlinks from WMFEvent pages
style tags should be dropped
✔ exclude style tags
random
✔ pickBestResult should select best-scored title from sample
util
✔ promiseAwaitAll, ignoreRejected
✔ promiseAwaitAll, propagate rejected
removeDuplicateTitles
✔ deduplicates and applies update function
292 passing (1m)
1 pending
1 failing
1) most-read articles
Should filter out missing summaries:
HTTPError: The date(s) you used are valid, but we either do not have data for those date(s), or the project you asked for is not loaded yet. Please check documentation for more information
at request.then.query (node_modules/preq/index.js:228:23)
at tryCatcher (node_modules/bluebird/js/release/util.js:16:23)
at Promise._settlePromiseFromHandler (node_modules/bluebird/js/release/promise.js:547:31)
at Promise._settlePromise (node_modules/bluebird/js/release/promise.js:604:18)
at Promise._settlePromise0 (node_modules/bluebird/js/release/promise.js:649:10)
at Promise._settlePromises (node_modules/bluebird/js/release/promise.js:729:18)
at _drainQueueStep (node_modules/bluebird/js/release/async.js:93:12)
at _drainQueue (node_modules/bluebird/js/release/async.js:86:9)
at Async._drainQueues (node_modules/bluebird/js/release/async.js:102:5)
at Async.drainQueues [as _onImmediate] (node_modules/bluebird/js/release/async.js:15:14)
at process.processImmediate (node:internal/timers:483:21)
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1268, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1208, in run
self.npm_audit_fix(new_npm_audit)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 239, in npm_audit_fix
self.npm_test()
~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 289, in npm_test
self.check_call(["npm", "test"])
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/shell2.py", line 66, in check_call
res.check_returncode()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/subprocess.py", line 508, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
self.stderr)
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 1.