This run took 128 seconds.
$ date
--- stdout ---
Fri Mar 27 10:26:47 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-WikibaseLexeme.git /src/repo --depth=1 -b REL1_45
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stderr ---
Submodule 'resources/special/new-lexeme' (https://phabricator.wikimedia.org/diffusion/NLSP/new-lexeme-special-page.git) registered for path 'resources/special/new-lexeme'
Cloning into '/src/repo/resources/special/new-lexeme'...
--- stdout ---
Submodule path 'resources/special/new-lexeme': checked out 'f1e59473e0cab6d03f9f5da82a7ba9b2a2cfbb9e'
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_45
--- stdout ---
d5f4f69acd5a971ec715ab0ad50d1615fd7f6de5 refs/heads/REL1_45
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@eslint/eslintrc": {
"name": "@eslint/eslintrc",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"eslint",
"eslint-plugin-unicorn"
],
"range": "0.0.1 || >=0.1.1",
"nodes": [
"node_modules/@eslint/eslintrc",
"node_modules/eslint-plugin-unicorn/node_modules/@eslint/eslintrc"
],
"fixAvailable": false
},
"@typescript-eslint/eslint-plugin": {
"name": "@typescript-eslint/eslint-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"eslint-plugin-jest",
"typescript-eslint"
],
"range": "<=8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/eslint-plugin",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/eslint-plugin"
],
"fixAvailable": false
},
"@typescript-eslint/parser": {
"name": "@typescript-eslint/parser",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"typescript-eslint"
],
"range": "1.1.1-alpha.0 - 8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/parser",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/parser"
],
"fixAvailable": false
},
"@typescript-eslint/type-utils": {
"name": "@typescript-eslint/type-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin"
],
"range": "5.62.1-alpha.0 - 8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/type-utils",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/type-utils"
],
"fixAvailable": false
},
"@typescript-eslint/typescript-estree": {
"name": "@typescript-eslint/typescript-estree",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils"
],
"range": "6.16.0 - 8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/typescript-estree"
],
"fixAvailable": false
},
"@typescript-eslint/utils": {
"name": "@typescript-eslint/utils",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"eslint"
],
"effects": [
"typescript-eslint"
],
"range": "<=8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/utils",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/utils"
],
"fixAvailable": true
},
"@wmde/eslint-config-wikimedia-typescript": {
"name": "@wmde/eslint-config-wikimedia-typescript",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint-config-wikimedia"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@wmde/eslint-config-wikimedia-typescript"
],
"fixAvailable": false
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115432,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<5.0.5"
}
],
"effects": [
"minimatch"
],
"range": "<5.0.5",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
"node_modules/brace-expansion",
"node_modules/eslint-plugin-n/node_modules/brace-expansion",
"node_modules/jasmine/node_modules/brace-expansion",
"node_modules/mocha/node_modules/brace-expansion",
"node_modules/typescript-eslint/node_modules/brace-expansion"
],
"fixAvailable": false
},
"cypress-parallel": {
"name": "cypress-parallel",
"severity": "moderate",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": "0.10.0 - 0.14.0",
"nodes": [
"node_modules/cypress-parallel"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"diff": {
"name": "diff",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1112705,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=5.0.0 <5.2.2"
},
{
"source": 1112706,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <8.0.3"
}
],
"effects": [
"sinon"
],
"range": "5.0.0 - 5.2.1 || 6.0.0 - 8.0.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/diff",
"node_modules/sinon/node_modules/diff"
],
"fixAvailable": {
"name": "sinon",
"version": "21.0.3",
"isSemVerMajor": true
}
},
"eslint": {
"name": "eslint",
"severity": "moderate",
"isDirect": false,
"via": [
"@eslint/eslintrc",
"file-entry-cache",
"minimatch"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils",
"eslint-config-wikimedia",
"eslint-plugin-jest",
"eslint-plugin-jsdoc",
"eslint-plugin-promise",
"eslint-plugin-vue",
"grunt-eslint",
"typescript-eslint"
],
"range": "0.12.0 - 2.0.0-rc.1 || 4.1.0 - 10.0.0-rc.2",
"nodes": [
"node_modules/eslint"
],
"fixAvailable": false
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint",
"eslint-plugin-jest",
"eslint-plugin-jsdoc",
"eslint-plugin-unicorn",
"eslint-plugin-vue"
],
"effects": [
"@wmde/eslint-config-wikimedia-typescript"
],
"range": ">=0.9.0",
"nodes": [
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": false
},
"eslint-plugin-jest": {
"name": "eslint-plugin-jest",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/eslint-plugin",
"eslint"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "25.0.1 - 29.12.2",
"nodes": [
"node_modules/eslint-plugin-jest"
],
"fixAvailable": false
},
"eslint-plugin-jsdoc": {
"name": "eslint-plugin-jsdoc",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "8.4.4 - 62.6.1",
"nodes": [
"node_modules/eslint-plugin-jsdoc"
],
"fixAvailable": false
},
"eslint-plugin-mediawiki": {
"name": "eslint-plugin-mediawiki",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint-plugin-vue"
],
"effects": [],
"range": "0.2.3 - 0.7.0",
"nodes": [
"node_modules/eslint-plugin-mediawiki"
],
"fixAvailable": true
},
"eslint-plugin-n": {
"name": "eslint-plugin-n",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [],
"range": "<=17.21.1",
"nodes": [
"node_modules/eslint-plugin-n"
],
"fixAvailable": true
},
"eslint-plugin-promise": {
"name": "eslint-plugin-promise",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint"
],
"effects": [],
"range": ">=5.0.0",
"nodes": [
"node_modules/eslint-plugin-promise"
],
"fixAvailable": {
"name": "eslint-plugin-promise",
"version": "4.3.1",
"isSemVerMajor": true
}
},
"eslint-plugin-unicorn": {
"name": "eslint-plugin-unicorn",
"severity": "moderate",
"isDirect": false,
"via": [
"@eslint/eslintrc"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "50.0.0 - 54.0.0",
"nodes": [
"node_modules/eslint-plugin-unicorn"
],
"fixAvailable": false
},
"eslint-plugin-vue": {
"name": "eslint-plugin-vue",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint"
],
"effects": [
"eslint-config-wikimedia",
"eslint-plugin-mediawiki"
],
"range": "5.0.0-beta.0 - 10.7.0",
"nodes": [
"node_modules/eslint-plugin-vue"
],
"fixAvailable": false
},
"file-entry-cache": {
"name": "file-entry-cache",
"severity": "moderate",
"isDirect": false,
"via": [
"flat-cache"
],
"effects": [
"eslint"
],
"range": "4.0.0 - 7.0.2",
"nodes": [
"node_modules/file-entry-cache"
],
"fixAvailable": false
},
"flat-cache": {
"name": "flat-cache",
"severity": "moderate",
"isDirect": false,
"via": [
"rimraf"
],
"effects": [
"file-entry-cache"
],
"range": "1.3.4 - 4.0.0",
"nodes": [
"node_modules/flat-cache"
],
"fixAvailable": false
},
"flatted": {
"name": "flatted",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114526,
"name": "flatted",
"dependency": "flatted",
"title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
"severity": "high",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.4.0"
},
{
"source": 1115357,
"name": "flatted",
"dependency": "flatted",
"title": "Prototype Pollution via parse() in NodeJS flatted",
"url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.1"
}
],
"effects": [],
"range": "<=3.4.1",
"nodes": [
"node_modules/flatted"
],
"fixAvailable": true
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": "<2.5.4",
"nodes": [
"node_modules/request/node_modules/form-data"
],
"fixAvailable": false
},
"glob": {
"name": "glob",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"grunt",
"grunt-jasmine-nodejs",
"jasmine",
"mocha",
"rimraf"
],
"range": "4.3.0 - 10.5.0",
"nodes": [
"node_modules/cypress-parallel/node_modules/glob",
"node_modules/glob",
"node_modules/jasmine/node_modules/glob",
"node_modules/mocha/node_modules/glob"
],
"fixAvailable": false
},
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"glob",
"minimatch"
],
"effects": [
"grunt-eslint",
"grunt-jasmine-nodejs"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"eslint",
"grunt"
],
"effects": [],
"range": "<=1.0.0 || 4.0.0 - 17.3.2 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-jasmine-nodejs": {
"name": "grunt-jasmine-nodejs",
"severity": "high",
"isDirect": true,
"via": [
"glob",
"grunt"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/grunt-jasmine-nodejs"
],
"fixAvailable": false
},
"jasmine": {
"name": "jasmine",
"severity": "moderate",
"isDirect": true,
"via": [
"glob"
],
"effects": [],
"range": "2.5.1 - 3.5.0 || 3.6.2 - 5.13.0",
"nodes": [
"node_modules/jasmine"
],
"fixAvailable": {
"name": "jasmine",
"version": "6.1.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1112715,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [
"mocha"
],
"range": "4.0.0 - 4.1.0",
"nodes": [
"node_modules/cypress-parallel/node_modules/js-yaml"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113460,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0 <4.2.4"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113539,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.2.5"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
},
{
"source": 1113547,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.2.5"
},
"brace-expansion"
],
"effects": [
"@eslint/eslintrc",
"@typescript-eslint/typescript-estree",
"eslint",
"eslint-plugin-n",
"glob",
"grunt",
"mocha"
],
"range": "<=10.0.2",
"nodes": [
"node_modules/@eslint/eslintrc/node_modules/minimatch",
"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch",
"node_modules/cypress-parallel/node_modules/mocha/node_modules/minimatch",
"node_modules/eslint-plugin-n/node_modules/minimatch",
"node_modules/eslint-plugin-unicorn/node_modules/minimatch",
"node_modules/eslint/node_modules/minimatch",
"node_modules/jasmine/node_modules/minimatch",
"node_modules/minimatch",
"node_modules/mocha/node_modules/minimatch",
"node_modules/typescript-eslint/node_modules/minimatch"
],
"fixAvailable": false
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"diff",
"glob",
"js-yaml",
"minimatch",
"minimatch",
"nanoid",
"serialize-javascript",
"serialize-javascript"
],
"effects": [
"cypress-parallel"
],
"range": ">=3.0.0-0",
"nodes": [
"node_modules/cypress-parallel/node_modules/mocha",
"node_modules/mocha"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109563,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
}
],
"effects": [
"mocha"
],
"range": "<3.3.8",
"nodes": [
"node_modules/cypress-parallel/node_modules/nanoid"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115382,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
},
{
"source": 1115394,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
"node_modules/picomatch"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"request"
],
"range": "<6.14.1",
"nodes": [
"node_modules/qs"
],
"fixAvailable": false
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": true,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"qs",
"tough-cookie"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"rimraf": {
"name": "rimraf",
"severity": "moderate",
"isDirect": false,
"via": [
"glob"
],
"effects": [
"flat-cache"
],
"range": "2.3.0 - 3.0.2 || 4.2.0 - 5.0.10",
"nodes": [
"node_modules/rimraf"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113197,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Cross-site Scripting (XSS) in serialize-javascript",
"url": "https://github.com/advisories/GHSA-76p7-773f-r4q5",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=6.0.0 <6.0.2"
},
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/serialize-javascript",
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"sinon": {
"name": "sinon",
"severity": "low",
"isDirect": true,
"via": [
"diff"
],
"effects": [],
"range": "19.0.0 - 21.0.0",
"nodes": [
"node_modules/sinon"
],
"fixAvailable": {
"name": "sinon",
"version": "21.0.3",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/request/node_modules/tough-cookie"
],
"fixAvailable": false
},
"typescript-eslint": {
"name": "typescript-eslint",
"severity": "moderate",
"isDirect": true,
"via": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/parser",
"@typescript-eslint/utils",
"eslint"
],
"effects": [],
"range": "<=8.56.1-alpha.2",
"nodes": [
"node_modules/typescript-eslint"
],
"fixAvailable": true
},
"yaml": {
"name": "yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115369,
"name": "yaml",
"dependency": "yaml",
"title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=2.0.0 <2.8.3"
}
],
"effects": [],
"range": "2.0.0 - 2.8.2",
"nodes": [
"node_modules/yaml"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 29,
"high": 8,
"critical": 2,
"total": 41
},
"dependencies": {
"prod": 1,
"dev": 845,
"optional": 5,
"peer": 18,
"peerOptional": 0,
"total": 845
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 44 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.9)
- Locking composer/xdebug-handler (3.0.5)
- Locking davidrjonas/composer-lock-diff (1.7.1)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.0)
- Locking doctrine/deprecations (1.1.6)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking giorgiosironi/eris (0.14.1)
- Locking hamcrest/hamcrest-php (v2.1.1)
- Locking mediawiki/mediawiki-codesniffer (v48.0.0)
- Locking mediawiki/mediawiki-phan-config (0.17.0)
- Locking mediawiki/minus-x (1.1.3)
- Locking mediawiki/phan-taint-check-plugin (7.0.0)
- Locking microsoft/tolerant-php-parser (v0.1.2)
- Locking netresearch/jsonmapper (v4.5.0)
- Locking phan/phan (5.5.1)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.4.0)
- Locking phpcsstandards/phpcsutils (1.1.1)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.6.7)
- Locking phpdocumentor/type-resolver (1.12.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (5.1.7)
- Locking serialization/serialization (4.1.0)
- Locking squizlabs/php_codesniffer (3.13.2)
- Locking symfony/console (v7.4.7)
- Locking symfony/deprecation-contracts (v3.6.0)
- Locking symfony/polyfill-ctype (v1.33.0)
- Locking symfony/polyfill-intl-grapheme (v1.33.0)
- Locking symfony/polyfill-intl-normalizer (v1.33.0)
- Locking symfony/polyfill-mbstring (v1.33.0)
- Locking symfony/polyfill-php80 (v1.33.0)
- Locking symfony/service-contracts (v3.6.1)
- Locking symfony/string (v8.0.6)
- Locking tysonandre/var_representation_polyfill (0.1.3)
- Locking webmozart/assert (2.1.6)
- Locking wikimedia/assert (v0.5.1)
- Locking wmde/php-vuejs-templating (2.1.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 44 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.2): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.0): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing davidrjonas/composer-lock-diff (1.7.1): Extracting archive
- Installing giorgiosironi/eris (0.14.1): Extracting archive
- Installing hamcrest/hamcrest-php (v2.1.1): Extracting archive
- Installing phpcsstandards/phpcsutils (1.1.1): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.33.0): Extracting archive
- Installing composer/spdx-licenses (1.5.9): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v48.0.0): Extracting archive
- Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
- Installing symfony/polyfill-php80 (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.33.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.33.0): Extracting archive
- Installing symfony/string (v8.0.6): Extracting archive
- Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.6.1): Extracting archive
- Installing symfony/console (v7.4.7): Extracting archive
- Installing sabre/event (5.1.7): Extracting archive
- Installing netresearch/jsonmapper (v4.5.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
- Installing webmozart/assert (2.1.6): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (1.12.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.6.7): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (5.5.1): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (7.0.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.17.0): Extracting archive
- Installing mediawiki/minus-x (1.1.3): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
- Installing serialization/serialization (4.1.0): Extracting archive
- Installing wikimedia/assert (v0.5.1): Extracting archive
- Installing wmde/php-vuejs-templating (2.1.0): Extracting archive
0/42 [>---------------------------] 0%
28/42 [==================>---------] 66%
41/42 [===========================>] 97%
42/42 [============================] 100%
4 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@eslint/eslintrc": {
"name": "@eslint/eslintrc",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"eslint",
"eslint-plugin-unicorn"
],
"range": "0.0.1 || >=0.1.1",
"nodes": [
"node_modules/@eslint/eslintrc",
"node_modules/eslint-plugin-unicorn/node_modules/@eslint/eslintrc"
],
"fixAvailable": false
},
"@typescript-eslint/eslint-plugin": {
"name": "@typescript-eslint/eslint-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"eslint-plugin-jest"
],
"range": "<=8.55.1-alpha.3",
"nodes": [
"node_modules/@typescript-eslint/eslint-plugin",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/eslint-plugin"
],
"fixAvailable": false
},
"@typescript-eslint/parser": {
"name": "@typescript-eslint/parser",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"typescript-eslint"
],
"range": "1.1.1-alpha.0 - 8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/parser",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/parser"
],
"fixAvailable": false
},
"@typescript-eslint/type-utils": {
"name": "@typescript-eslint/type-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin"
],
"range": "5.9.2-alpha.0 - 8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/type-utils",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/type-utils"
],
"fixAvailable": false
},
"@typescript-eslint/typescript-estree": {
"name": "@typescript-eslint/typescript-estree",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils"
],
"range": "6.16.0 - 8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/typescript-estree"
],
"fixAvailable": false
},
"@typescript-eslint/utils": {
"name": "@typescript-eslint/utils",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/type-utils",
"eslint-plugin-jest",
"typescript-eslint"
],
"range": "<=8.56.1-alpha.2",
"nodes": [
"node_modules/@typescript-eslint/utils",
"node_modules/typescript-eslint/node_modules/@typescript-eslint/utils"
],
"fixAvailable": false
},
"@wmde/eslint-config-wikimedia-typescript": {
"name": "@wmde/eslint-config-wikimedia-typescript",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint-config-wikimedia"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@wmde/eslint-config-wikimedia-typescript"
],
"fixAvailable": false
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115432,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<5.0.5"
}
],
"effects": [
"minimatch"
],
"range": "<5.0.5",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
"node_modules/brace-expansion",
"node_modules/eslint-plugin-n/node_modules/brace-expansion",
"node_modules/jasmine/node_modules/brace-expansion",
"node_modules/mocha/node_modules/brace-expansion",
"node_modules/typescript-eslint/node_modules/brace-expansion"
],
"fixAvailable": false
},
"cypress-parallel": {
"name": "cypress-parallel",
"severity": "moderate",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": "0.10.0 - 0.14.0",
"nodes": [
"node_modules/cypress-parallel"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"diff": {
"name": "diff",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1112705,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=5.0.0 <5.2.2"
},
{
"source": 1112706,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <8.0.3"
}
],
"effects": [
"sinon"
],
"range": "5.0.0 - 5.2.1 || 6.0.0 - 8.0.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/diff",
"node_modules/sinon/node_modules/diff"
],
"fixAvailable": {
"name": "sinon",
"version": "21.0.3",
"isSemVerMajor": true
}
},
"eslint": {
"name": "eslint",
"severity": "moderate",
"isDirect": false,
"via": [
"@eslint/eslintrc",
"file-entry-cache",
"minimatch"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils",
"eslint-config-wikimedia",
"eslint-plugin-jest",
"eslint-plugin-jsdoc",
"eslint-plugin-promise",
"eslint-plugin-vue",
"grunt-eslint",
"typescript-eslint"
],
"range": "0.12.0 - 2.0.0-rc.1 || 4.1.0 - 10.0.0-rc.2",
"nodes": [
"node_modules/eslint"
],
"fixAvailable": false
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint",
"eslint-plugin-jest",
"eslint-plugin-jsdoc",
"eslint-plugin-unicorn",
"eslint-plugin-vue"
],
"effects": [
"@wmde/eslint-config-wikimedia-typescript"
],
"range": ">=0.9.0",
"nodes": [
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": false
},
"eslint-plugin-jest": {
"name": "eslint-plugin-jest",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "25.0.1 - 29.12.2",
"nodes": [
"node_modules/eslint-plugin-jest"
],
"fixAvailable": false
},
"eslint-plugin-jsdoc": {
"name": "eslint-plugin-jsdoc",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "8.4.4 - 62.6.1",
"nodes": [
"node_modules/eslint-plugin-jsdoc"
],
"fixAvailable": false
},
"eslint-plugin-mediawiki": {
"name": "eslint-plugin-mediawiki",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint-plugin-vue"
],
"effects": [],
"range": "0.2.3 - 0.7.0",
"nodes": [
"node_modules/eslint-plugin-mediawiki"
],
"fixAvailable": true
},
"eslint-plugin-n": {
"name": "eslint-plugin-n",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [],
"range": "<=17.21.1",
"nodes": [
"node_modules/eslint-plugin-n"
],
"fixAvailable": true
},
"eslint-plugin-promise": {
"name": "eslint-plugin-promise",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint"
],
"effects": [],
"range": ">=5.0.0",
"nodes": [
"node_modules/eslint-plugin-promise"
],
"fixAvailable": {
"name": "eslint-plugin-promise",
"version": "4.3.1",
"isSemVerMajor": true
}
},
"eslint-plugin-unicorn": {
"name": "eslint-plugin-unicorn",
"severity": "moderate",
"isDirect": false,
"via": [
"@eslint/eslintrc"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "50.0.0 - 54.0.0",
"nodes": [
"node_modules/eslint-plugin-unicorn"
],
"fixAvailable": false
},
"eslint-plugin-vue": {
"name": "eslint-plugin-vue",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint"
],
"effects": [
"eslint-config-wikimedia",
"eslint-plugin-mediawiki"
],
"range": "5.0.0-beta.0 - 10.7.0",
"nodes": [
"node_modules/eslint-plugin-vue"
],
"fixAvailable": false
},
"file-entry-cache": {
"name": "file-entry-cache",
"severity": "moderate",
"isDirect": false,
"via": [
"flat-cache"
],
"effects": [
"eslint"
],
"range": "4.0.0 - 7.0.2",
"nodes": [
"node_modules/file-entry-cache"
],
"fixAvailable": false
},
"flat-cache": {
"name": "flat-cache",
"severity": "moderate",
"isDirect": false,
"via": [
"rimraf"
],
"effects": [
"file-entry-cache"
],
"range": "1.3.4 - 4.0.0",
"nodes": [
"node_modules/flat-cache"
],
"fixAvailable": false
},
"flatted": {
"name": "flatted",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114526,
"name": "flatted",
"dependency": "flatted",
"title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
"severity": "high",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.4.0"
},
{
"source": 1115357,
"name": "flatted",
"dependency": "flatted",
"title": "Prototype Pollution via parse() in NodeJS flatted",
"url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.1"
}
],
"effects": [],
"range": "<=3.4.1",
"nodes": [
"node_modules/flatted"
],
"fixAvailable": true
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": "<2.5.4",
"nodes": [
"node_modules/request/node_modules/form-data"
],
"fixAvailable": false
},
"glob": {
"name": "glob",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"grunt",
"grunt-jasmine-nodejs",
"jasmine",
"mocha",
"rimraf"
],
"range": "4.3.0 - 10.5.0",
"nodes": [
"node_modules/cypress-parallel/node_modules/glob",
"node_modules/glob",
"node_modules/jasmine/node_modules/glob",
"node_modules/mocha/node_modules/glob"
],
"fixAvailable": false
},
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"glob",
"minimatch"
],
"effects": [
"grunt-eslint",
"grunt-jasmine-nodejs"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"eslint",
"grunt"
],
"effects": [],
"range": "<=1.0.0 || 4.0.0 - 17.3.2 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-jasmine-nodejs": {
"name": "grunt-jasmine-nodejs",
"severity": "high",
"isDirect": true,
"via": [
"glob",
"grunt"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/grunt-jasmine-nodejs"
],
"fixAvailable": false
},
"jasmine": {
"name": "jasmine",
"severity": "moderate",
"isDirect": true,
"via": [
"glob"
],
"effects": [],
"range": "2.5.1 - 3.5.0 || 3.6.2 - 5.13.0",
"nodes": [
"node_modules/jasmine"
],
"fixAvailable": {
"name": "jasmine",
"version": "6.1.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1112715,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [
"mocha"
],
"range": "4.0.0 - 4.1.0",
"nodes": [
"node_modules/cypress-parallel/node_modules/js-yaml"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113460,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0 <4.2.4"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113539,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.2.5"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
},
{
"source": 1113547,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.2.5"
},
"brace-expansion"
],
"effects": [
"@eslint/eslintrc",
"@typescript-eslint/typescript-estree",
"eslint",
"eslint-plugin-n",
"glob",
"grunt",
"mocha"
],
"range": "<=10.0.2",
"nodes": [
"node_modules/@eslint/eslintrc/node_modules/minimatch",
"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch",
"node_modules/cypress-parallel/node_modules/mocha/node_modules/minimatch",
"node_modules/eslint-plugin-n/node_modules/minimatch",
"node_modules/eslint-plugin-unicorn/node_modules/minimatch",
"node_modules/eslint/node_modules/minimatch",
"node_modules/jasmine/node_modules/minimatch",
"node_modules/minimatch",
"node_modules/mocha/node_modules/minimatch",
"node_modules/typescript-eslint/node_modules/minimatch"
],
"fixAvailable": false
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"diff",
"glob",
"js-yaml",
"minimatch",
"minimatch",
"nanoid",
"serialize-javascript",
"serialize-javascript"
],
"effects": [
"cypress-parallel"
],
"range": ">=3.0.0-0",
"nodes": [
"node_modules/cypress-parallel/node_modules/mocha",
"node_modules/mocha"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109563,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
}
],
"effects": [
"mocha"
],
"range": "<3.3.8",
"nodes": [
"node_modules/cypress-parallel/node_modules/nanoid"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115382,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
},
{
"source": 1115394,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
"node_modules/picomatch"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"request"
],
"range": "<6.14.1",
"nodes": [
"node_modules/qs"
],
"fixAvailable": false
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": true,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"qs",
"tough-cookie"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"rimraf": {
"name": "rimraf",
"severity": "moderate",
"isDirect": false,
"via": [
"glob"
],
"effects": [
"flat-cache"
],
"range": "2.3.0 - 3.0.2 || 4.2.0 - 5.0.10",
"nodes": [
"node_modules/rimraf"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113197,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Cross-site Scripting (XSS) in serialize-javascript",
"url": "https://github.com/advisories/GHSA-76p7-773f-r4q5",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=6.0.0 <6.0.2"
},
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/serialize-javascript",
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"sinon": {
"name": "sinon",
"severity": "low",
"isDirect": true,
"via": [
"diff"
],
"effects": [],
"range": "19.0.0 - 21.0.0",
"nodes": [
"node_modules/sinon"
],
"fixAvailable": {
"name": "sinon",
"version": "21.0.3",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/request/node_modules/tough-cookie"
],
"fixAvailable": false
},
"typescript-eslint": {
"name": "typescript-eslint",
"severity": "moderate",
"isDirect": true,
"via": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/parser",
"@typescript-eslint/utils",
"eslint"
],
"effects": [],
"range": "<=8.55.1-alpha.3",
"nodes": [
"node_modules/typescript-eslint"
],
"fixAvailable": true
},
"yaml": {
"name": "yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115369,
"name": "yaml",
"dependency": "yaml",
"title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=2.0.0 <2.8.3"
}
],
"effects": [],
"range": "2.0.0 - 2.8.2",
"nodes": [
"node_modules/yaml"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 29,
"high": 8,
"critical": 2,
"total": 41
},
"dependencies": {
"prod": 1,
"dev": 845,
"optional": 5,
"peer": 18,
"peerOptional": 0,
"total": 845
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 848,
"removed": 0,
"changed": 0,
"audited": 849,
"funding": 190,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@eslint/eslintrc": {
"name": "@eslint/eslintrc",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"eslint",
"eslint-plugin-unicorn"
],
"range": "0.0.1 || >=0.1.1",
"nodes": [
"",
"node_modules/@eslint/eslintrc"
],
"fixAvailable": false
},
"@typescript-eslint/eslint-plugin": {
"name": "@typescript-eslint/eslint-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"eslint-plugin-jest"
],
"range": "<=8.55.1-alpha.3",
"nodes": [
"",
""
],
"fixAvailable": false
},
"@typescript-eslint/parser": {
"name": "@typescript-eslint/parser",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"typescript-eslint"
],
"range": "1.1.1-alpha.0 - 8.56.1-alpha.2",
"nodes": [
"",
""
],
"fixAvailable": false
},
"@typescript-eslint/type-utils": {
"name": "@typescript-eslint/type-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin"
],
"range": "5.9.2-alpha.0 - 8.56.1-alpha.2",
"nodes": [
"",
""
],
"fixAvailable": false
},
"@typescript-eslint/typescript-estree": {
"name": "@typescript-eslint/typescript-estree",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils"
],
"range": "6.16.0 - 8.56.1-alpha.2",
"nodes": [
"",
""
],
"fixAvailable": false
},
"@typescript-eslint/utils": {
"name": "@typescript-eslint/utils",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/typescript-estree",
"eslint"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/type-utils",
"eslint-plugin-jest",
"typescript-eslint"
],
"range": "<=8.56.1-alpha.2",
"nodes": [
"",
""
],
"fixAvailable": false
},
"@wmde/eslint-config-wikimedia-typescript": {
"name": "@wmde/eslint-config-wikimedia-typescript",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint-config-wikimedia"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@wmde/eslint-config-wikimedia-typescript"
],
"fixAvailable": false
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115432,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<5.0.5"
}
],
"effects": [
"minimatch"
],
"range": "<5.0.5",
"nodes": [
"",
"",
"",
"",
"",
""
],
"fixAvailable": false
},
"cypress-parallel": {
"name": "cypress-parallel",
"severity": "moderate",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": "0.10.0 - 0.14.0",
"nodes": [
"node_modules/cypress-parallel"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"diff": {
"name": "diff",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1112705,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=5.0.0 <5.2.2"
},
{
"source": 1112706,
"name": "diff",
"dependency": "diff",
"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx",
"severity": "low",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <8.0.3"
}
],
"effects": [
"sinon"
],
"range": "5.0.0 - 5.2.1 || 6.0.0 - 8.0.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/diff",
"node_modules/sinon/node_modules/diff"
],
"fixAvailable": {
"name": "sinon",
"version": "21.0.3",
"isSemVerMajor": true
}
},
"eslint": {
"name": "eslint",
"severity": "moderate",
"isDirect": false,
"via": [
"@eslint/eslintrc",
"file-entry-cache",
"minimatch"
],
"effects": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/parser",
"@typescript-eslint/type-utils",
"@typescript-eslint/utils",
"eslint-config-wikimedia",
"eslint-plugin-jest",
"eslint-plugin-jsdoc",
"eslint-plugin-promise",
"eslint-plugin-vue",
"grunt-eslint",
"typescript-eslint"
],
"range": "0.12.0 - 2.0.0-rc.1 || 4.1.0 - 10.0.0-rc.2",
"nodes": [
"",
"node_modules/eslint"
],
"fixAvailable": false
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint",
"eslint-plugin-jest",
"eslint-plugin-jsdoc",
"eslint-plugin-unicorn",
"eslint-plugin-vue"
],
"effects": [
"@wmde/eslint-config-wikimedia-typescript"
],
"range": ">=0.9.0",
"nodes": [
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": false
},
"eslint-plugin-jest": {
"name": "eslint-plugin-jest",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/utils",
"eslint"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "25.0.1 - 29.12.2",
"nodes": [
""
],
"fixAvailable": false
},
"eslint-plugin-jsdoc": {
"name": "eslint-plugin-jsdoc",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "8.4.4 - 62.6.1",
"nodes": [
"node_modules/eslint-plugin-jsdoc"
],
"fixAvailable": false
},
"eslint-plugin-mediawiki": {
"name": "eslint-plugin-mediawiki",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint-plugin-vue"
],
"effects": [],
"range": "0.2.3 - 0.7.0",
"nodes": [
""
],
"fixAvailable": true
},
"eslint-plugin-n": {
"name": "eslint-plugin-n",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [],
"range": "<=17.21.1",
"nodes": [
""
],
"fixAvailable": true
},
"eslint-plugin-promise": {
"name": "eslint-plugin-promise",
"severity": "moderate",
"isDirect": true,
"via": [
"eslint"
],
"effects": [],
"range": ">=5.0.0",
"nodes": [
"node_modules/eslint-plugin-promise"
],
"fixAvailable": {
"name": "eslint-plugin-promise",
"version": "4.3.1",
"isSemVerMajor": true
}
},
"eslint-plugin-unicorn": {
"name": "eslint-plugin-unicorn",
"severity": "moderate",
"isDirect": false,
"via": [
"@eslint/eslintrc"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "50.0.0 - 54.0.0",
"nodes": [
"node_modules/eslint-plugin-unicorn"
],
"fixAvailable": false
},
"eslint-plugin-vue": {
"name": "eslint-plugin-vue",
"severity": "moderate",
"isDirect": false,
"via": [
"eslint"
],
"effects": [
"eslint-config-wikimedia",
"eslint-plugin-mediawiki"
],
"range": "5.0.0-beta.0 - 10.7.0",
"nodes": [
""
],
"fixAvailable": false
},
"file-entry-cache": {
"name": "file-entry-cache",
"severity": "moderate",
"isDirect": false,
"via": [
"flat-cache"
],
"effects": [
"eslint"
],
"range": "4.0.0 - 7.0.2",
"nodes": [
"node_modules/file-entry-cache"
],
"fixAvailable": false
},
"flat-cache": {
"name": "flat-cache",
"severity": "moderate",
"isDirect": false,
"via": [
"rimraf"
],
"effects": [
"file-entry-cache"
],
"range": "1.3.4 - 4.0.0",
"nodes": [
"node_modules/flat-cache"
],
"fixAvailable": false
},
"flatted": {
"name": "flatted",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114526,
"name": "flatted",
"dependency": "flatted",
"title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
"severity": "high",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.4.0"
},
{
"source": 1115357,
"name": "flatted",
"dependency": "flatted",
"title": "Prototype Pollution via parse() in NodeJS flatted",
"url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.1"
}
],
"effects": [],
"range": "<=3.4.1",
"nodes": [
""
],
"fixAvailable": true
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109540,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.5.4"
}
],
"effects": [
"request"
],
"range": "<2.5.4",
"nodes": [
"node_modules/request/node_modules/form-data"
],
"fixAvailable": false
},
"glob": {
"name": "glob",
"severity": "moderate",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"grunt",
"grunt-jasmine-nodejs",
"jasmine",
"mocha",
"rimraf"
],
"range": "4.3.0 - 10.5.0",
"nodes": [
"",
"node_modules/cypress-parallel/node_modules/glob",
"node_modules/glob",
"node_modules/jasmine/node_modules/glob"
],
"fixAvailable": false
},
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"glob",
"minimatch"
],
"effects": [
"grunt-eslint",
"grunt-jasmine-nodejs"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"eslint",
"grunt"
],
"effects": [],
"range": "<=1.0.0 || 4.0.0 - 17.3.2 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-jasmine-nodejs": {
"name": "grunt-jasmine-nodejs",
"severity": "high",
"isDirect": true,
"via": [
"glob",
"grunt"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/grunt-jasmine-nodejs"
],
"fixAvailable": false
},
"jasmine": {
"name": "jasmine",
"severity": "moderate",
"isDirect": false,
"via": [
"glob"
],
"effects": [],
"range": "2.5.1 - 3.5.0 || 3.6.2 - 5.13.0",
"nodes": [
""
],
"fixAvailable": {
"name": "jasmine",
"version": "6.1.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1112715,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [
"mocha"
],
"range": "4.0.0 - 4.1.0",
"nodes": [
"node_modules/cypress-parallel/node_modules/js-yaml"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113460,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0 <4.2.4"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113539,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.2.5"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
},
{
"source": 1113547,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.2.5"
},
"brace-expansion"
],
"effects": [
"@eslint/eslintrc",
"@typescript-eslint/typescript-estree",
"eslint",
"eslint-plugin-n",
"glob",
"grunt",
"mocha"
],
"range": "<=10.0.2",
"nodes": [
"",
"",
"",
"",
"node_modules/@eslint/eslintrc/node_modules/minimatch",
"node_modules/cypress-parallel/node_modules/mocha/node_modules/minimatch",
"node_modules/eslint-plugin-unicorn/node_modules/minimatch",
"node_modules/eslint/node_modules/minimatch",
"node_modules/jasmine/node_modules/minimatch",
"node_modules/minimatch",
"node_modules/mocha/node_modules/minimatch"
],
"fixAvailable": false
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"diff",
"glob",
"js-yaml",
"minimatch",
"minimatch",
"nanoid",
"serialize-javascript",
"serialize-javascript"
],
"effects": [
"cypress-parallel"
],
"range": ">=3.0.0-0",
"nodes": [
"",
"node_modules/cypress-parallel/node_modules/mocha"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109563,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
}
],
"effects": [
"mocha"
],
"range": "<3.3.8",
"nodes": [
"node_modules/cypress-parallel/node_modules/nanoid"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115382,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
},
{
"source": 1115394,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
""
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"request"
],
"range": "<6.14.1",
"nodes": [
"node_modules/qs"
],
"fixAvailable": false
},
"request": {
"name": "request",
"severity": "critical",
"isDirect": true,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"form-data",
"qs",
"tough-cookie"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"rimraf": {
"name": "rimraf",
"severity": "moderate",
"isDirect": false,
"via": [
"glob"
],
"effects": [
"flat-cache"
],
"range": "2.3.0 - 3.0.2 || 4.2.0 - 5.0.10",
"nodes": [
"node_modules/rimraf"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113197,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Cross-site Scripting (XSS) in serialize-javascript",
"url": "https://github.com/advisories/GHSA-76p7-773f-r4q5",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=6.0.0 <6.0.2"
},
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/serialize-javascript",
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"sinon": {
"name": "sinon",
"severity": "low",
"isDirect": true,
"via": [
"diff"
],
"effects": [],
"range": "19.0.0 - 21.0.0",
"nodes": [
"node_modules/sinon"
],
"fixAvailable": {
"name": "sinon",
"version": "21.0.3",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/request/node_modules/tough-cookie"
],
"fixAvailable": false
},
"typescript-eslint": {
"name": "typescript-eslint",
"severity": "moderate",
"isDirect": false,
"via": [
"@typescript-eslint/eslint-plugin",
"@typescript-eslint/parser",
"@typescript-eslint/utils",
"eslint"
],
"effects": [],
"range": "<=8.55.1-alpha.3",
"nodes": [
""
],
"fixAvailable": true
},
"yaml": {
"name": "yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115369,
"name": "yaml",
"dependency": "yaml",
"title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=2.0.0 <2.8.3"
}
],
"effects": [],
"range": "2.0.0 - 2.8.2",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 29,
"high": 8,
"critical": 2,
"total": 41
},
"dependencies": {
"prod": 1,
"dev": 848,
"optional": 5,
"peer": 14,
"peerOptional": 0,
"total": 848
}
}
}
}
--- end ---
{"added": 848, "removed": 0, "changed": 0, "audited": 849, "funding": 190, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@eslint/eslintrc": {"name": "@eslint/eslintrc", "severity": "moderate", "isDirect": false, "via": ["minimatch"], "effects": ["eslint", "eslint-plugin-unicorn"], "range": "0.0.1 || >=0.1.1", "nodes": ["", "node_modules/@eslint/eslintrc"], "fixAvailable": false}, "@typescript-eslint/eslint-plugin": {"name": "@typescript-eslint/eslint-plugin", "severity": "moderate", "isDirect": false, "via": ["@typescript-eslint/parser", "@typescript-eslint/type-utils", "@typescript-eslint/utils", "eslint"], "effects": ["eslint-plugin-jest"], "range": "<=8.55.1-alpha.3", "nodes": ["", ""], "fixAvailable": false}, "@typescript-eslint/parser": {"name": "@typescript-eslint/parser", "severity": "moderate", "isDirect": false, "via": ["@typescript-eslint/typescript-estree", "eslint"], "effects": ["@typescript-eslint/eslint-plugin", "typescript-eslint"], "range": "1.1.1-alpha.0 - 8.56.1-alpha.2", "nodes": ["", ""], "fixAvailable": false}, "@typescript-eslint/type-utils": {"name": "@typescript-eslint/type-utils", "severity": "moderate", "isDirect": false, "via": ["@typescript-eslint/typescript-estree", "@typescript-eslint/utils", "eslint"], "effects": ["@typescript-eslint/eslint-plugin"], "range": "5.9.2-alpha.0 - 8.56.1-alpha.2", "nodes": ["", ""], "fixAvailable": false}, "@typescript-eslint/typescript-estree": {"name": "@typescript-eslint/typescript-estree", "severity": "moderate", "isDirect": false, "via": ["minimatch"], "effects": ["@typescript-eslint/parser", "@typescript-eslint/type-utils", "@typescript-eslint/utils"], "range": "6.16.0 - 8.56.1-alpha.2", "nodes": ["", ""], "fixAvailable": false}, "@typescript-eslint/utils": {"name": "@typescript-eslint/utils", "severity": "moderate", "isDirect": false, "via": ["@typescript-eslint/typescript-estree", "eslint"], "effects": ["@typescript-eslint/eslint-plugin", "@typescript-eslint/type-utils", "eslint-plugin-jest", "typescript-eslint"], "range": "<=8.56.1-alpha.2", "nodes": ["", ""], "fixAvailable": false}, "@wmde/eslint-config-wikimedia-typescript": {"name": "@wmde/eslint-config-wikimedia-typescript", "severity": "moderate", "isDirect": true, "via": ["eslint-config-wikimedia"], "effects": [], "range": "*", "nodes": ["node_modules/@wmde/eslint-config-wikimedia-typescript"], "fixAvailable": false}, "brace-expansion": {"name": "brace-expansion", "severity": "moderate", "isDirect": false, "via": [{"source": 1115432, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<5.0.5"}], "effects": ["minimatch"], "range": "<5.0.5", "nodes": ["", "", "", "", "", ""], "fixAvailable": false}, "cypress-parallel": {"name": "cypress-parallel", "severity": "moderate", "isDirect": true, "via": ["mocha"], "effects": [], "range": "0.10.0 - 0.14.0", "nodes": ["node_modules/cypress-parallel"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "diff": {"name": "diff", "severity": "low", "isDirect": false, "via": [{"source": 1112705, "name": "diff", "dependency": "diff", "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx", "severity": "low", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": ">=5.0.0 <5.2.2"}, {"source": 1112706, "name": "diff", "dependency": "diff", "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx", "severity": "low", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": ">=6.0.0 <8.0.3"}], "effects": ["sinon"], "range": "5.0.0 - 5.2.1 || 6.0.0 - 8.0.2", "nodes": ["node_modules/cypress-parallel/node_modules/diff", "node_modules/sinon/node_modules/diff"], "fixAvailable": {"name": "sinon", "version": "21.0.3", "isSemVerMajor": true}}, "eslint": {"name": "eslint", "severity": "moderate", "isDirect": false, "via": ["@eslint/eslintrc", "file-entry-cache", "minimatch"], "effects": ["@typescript-eslint/eslint-plugin", "@typescript-eslint/parser", "@typescript-eslint/type-utils", "@typescript-eslint/utils", "eslint-config-wikimedia", "eslint-plugin-jest", "eslint-plugin-jsdoc", "eslint-plugin-promise", "eslint-plugin-vue", "grunt-eslint", "typescript-eslint"], "range": "0.12.0 - 2.0.0-rc.1 || 4.1.0 - 10.0.0-rc.2", "nodes": ["", "node_modules/eslint"], "fixAvailable": false}, "eslint-config-wikimedia": {"name": "eslint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": ["eslint", "eslint-plugin-jest", "eslint-plugin-jsdoc", "eslint-plugin-unicorn", "eslint-plugin-vue"], "effects": ["@wmde/eslint-config-wikimedia-typescript"], "range": ">=0.9.0", "nodes": ["node_modules/eslint-config-wikimedia"], "fixAvailable": false}, "eslint-plugin-jest": {"name": "eslint-plugin-jest", "severity": "moderate", "isDirect": false, "via": ["@typescript-eslint/eslint-plugin", "@typescript-eslint/utils", "eslint"], "effects": ["eslint-config-wikimedia"], "range": "25.0.1 - 29.12.2", "nodes": [""], "fixAvailable": false}, "eslint-plugin-jsdoc": {"name": "eslint-plugin-jsdoc", "severity": "moderate", "isDirect": false, "via": ["eslint"], "effects": ["eslint-config-wikimedia"], "range": "8.4.4 - 62.6.1", "nodes": ["node_modules/eslint-plugin-jsdoc"], "fixAvailable": false}, "eslint-plugin-mediawiki": {"name": "eslint-plugin-mediawiki", "severity": "moderate", "isDirect": false, "via": ["eslint-plugin-vue"], "effects": [], "range": "0.2.3 - 0.7.0", "nodes": [""], "fixAvailable": true}, "eslint-plugin-n": {"name": "eslint-plugin-n", "severity": "moderate", "isDirect": false, "via": ["minimatch"], "effects": [], "range": "<=17.21.1", "nodes": [""], "fixAvailable": true}, "eslint-plugin-promise": {"name": "eslint-plugin-promise", "severity": "moderate", "isDirect": true, "via": ["eslint"], "effects": [], "range": ">=5.0.0", "nodes": ["node_modules/eslint-plugin-promise"], "fixAvailable": {"name": "eslint-plugin-promise", "version": "4.3.1", "isSemVerMajor": true}}, "eslint-plugin-unicorn": {"name": "eslint-plugin-unicorn", "severity": "moderate", "isDirect": false, "via": ["@eslint/eslintrc"], "effects": ["eslint-config-wikimedia"], "range": "50.0.0 - 54.0.0", "nodes": ["node_modules/eslint-plugin-unicorn"], "fixAvailable": false}, "eslint-plugin-vue": {"name": "eslint-plugin-vue", "severity": "moderate", "isDirect": false, "via": ["eslint"], "effects": ["eslint-config-wikimedia", "eslint-plugin-mediawiki"], "range": "5.0.0-beta.0 - 10.7.0", "nodes": [""], "fixAvailable": false}, "file-entry-cache": {"name": "file-entry-cache", "severity": "moderate", "isDirect": false, "via": ["flat-cache"], "effects": ["eslint"], "range": "4.0.0 - 7.0.2", "nodes": ["node_modules/file-entry-cache"], "fixAvailable": false}, "flat-cache": {"name": "flat-cache", "severity": "moderate", "isDirect": false, "via": ["rimraf"], "effects": ["file-entry-cache"], "range": "1.3.4 - 4.0.0", "nodes": ["node_modules/flat-cache"], "fixAvailable": false}, "flatted": {"name": "flatted", "severity": "high", "isDirect": false, "via": [{"source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": ["CWE-674"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.4.0"}, {"source": 1115357, "name": "flatted", "dependency": "flatted", "title": "Prototype Pollution via parse() in NodeJS flatted", "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.4.1"}], "effects": [], "range": "<=3.4.1", "nodes": [""], "fixAvailable": true}, "form-data": {"name": "form-data", "severity": "critical", "isDirect": false, "via": [{"source": 1109540, "name": "form-data", "dependency": "form-data", "title": "form-data uses unsafe random function in form-data for choosing boundary", "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4", "severity": "critical", "cwe": ["CWE-330"], "cvss": {"score": 0, "vectorString": null}, "range": "<2.5.4"}], "effects": ["request"], "range": "<2.5.4", "nodes": ["node_modules/request/node_modules/form-data"], "fixAvailable": false}, "glob": {"name": "glob", "severity": "moderate", "isDirect": false, "via": ["minimatch"], "effects": ["grunt", "grunt-jasmine-nodejs", "jasmine", "mocha", "rimraf"], "range": "4.3.0 - 10.5.0", "nodes": ["", "node_modules/cypress-parallel/node_modules/glob", "node_modules/glob", "node_modules/jasmine/node_modules/glob"], "fixAvailable": false}, "grunt": {"name": "grunt", "severity": "high", "isDirect": true, "via": ["glob", "minimatch"], "effects": ["grunt-eslint", "grunt-jasmine-nodejs"], "range": ">=0.4.0-a", "nodes": ["node_modules/grunt"], "fixAvailable": {"name": "grunt-eslint", "version": "18.0.0", "isSemVerMajor": true}}, "grunt-eslint": {"name": "grunt-eslint", "severity": "high", "isDirect": true, "via": ["eslint", "grunt"], "effects": [], "range": "<=1.0.0 || 4.0.0 - 17.3.2 || >=18.1.0", "nodes": ["node_modules/grunt-eslint"], "fixAvailable": {"name": "grunt-eslint", "version": "18.0.0", "isSemVerMajor": true}}, "grunt-jasmine-nodejs": {"name": "grunt-jasmine-nodejs", "severity": "high", "isDirect": true, "via": ["glob", "grunt"], "effects": [], "range": "*", "nodes": ["node_modules/grunt-jasmine-nodejs"], "fixAvailable": false}, "jasmine": {"name": "jasmine", "severity": "moderate", "isDirect": false, "via": ["glob"], "effects": [], "range": "2.5.1 - 3.5.0 || 3.6.2 - 5.13.0", "nodes": [""], "fixAvailable": {"name": "jasmine", "version": "6.1.0", "isSemVerMajor": true}}, "js-yaml": {"name": "js-yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1112715, "name": "js-yaml", "dependency": "js-yaml", "title": "js-yaml has prototype pollution in merge (<<)", "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": ">=4.0.0 <4.1.1"}], "effects": ["mocha"], "range": "4.0.0 - 4.1.0", "nodes": ["node_modules/cypress-parallel/node_modules/js-yaml"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, {"source": 1113460, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": ">=4.0.0 <4.2.4"}, {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, {"source": 1113539, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <4.2.5"}, {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}, {"source": 1113547, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <4.2.5"}, "brace-expansion"], "effects": ["@eslint/eslintrc", "@typescript-eslint/typescript-estree", "eslint", "eslint-plugin-n", "glob", "grunt", "mocha"], "range": "<=10.0.2", "nodes": ["", "", "", "", "node_modules/@eslint/eslintrc/node_modules/minimatch", "node_modules/cypress-parallel/node_modules/mocha/node_modules/minimatch", "node_modules/eslint-plugin-unicorn/node_modules/minimatch", "node_modules/eslint/node_modules/minimatch", "node_modules/jasmine/node_modules/minimatch", "node_modules/minimatch", "node_modules/mocha/node_modules/minimatch"], "fixAvailable": false}, "mocha": {"name": "mocha", "severity": "high", "isDirect": false, "via": ["diff", "glob", "js-yaml", "minimatch", "minimatch", "nanoid", "serialize-javascript", "serialize-javascript"], "effects": ["cypress-parallel"], "range": ">=3.0.0-0", "nodes": ["", "node_modules/cypress-parallel/node_modules/mocha"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "nanoid": {"name": "nanoid", "severity": "moderate", "isDirect": false, "via": [{"source": 1109563, "name": "nanoid", "dependency": "nanoid", "title": "Predictable results in nanoid generation when given non-integer values", "url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55", "severity": "moderate", "cwe": ["CWE-835"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}, "range": "<3.3.8"}], "effects": ["mocha"], "range": "<3.3.8", "nodes": ["node_modules/cypress-parallel/node_modules/nanoid"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "picomatch": {"name": "picomatch", "severity": "high", "isDirect": false, "via": [{"source": 1115382, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<2.3.2"}, {"source": 1115394, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<2.3.2"}], "effects": [], "range": "<=2.3.1", "nodes": [""], "fixAvailable": true}, "qs": {"name": "qs", "severity": "moderate", "isDirect": false, "via": [{"source": 1113719, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", "severity": "moderate", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<6.14.1"}], "effects": ["request"], "range": "<6.14.1", "nodes": ["node_modules/qs"], "fixAvailable": false}, "request": {"name": "request", "severity": "critical", "isDirect": true, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "form-data", "qs", "tough-cookie"], "effects": [], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": false}, "rimraf": {"name": "rimraf", "severity": "moderate", "isDirect": false, "via": ["glob"], "effects": ["flat-cache"], "range": "2.3.0 - 3.0.2 || 4.2.0 - 5.0.10", "nodes": ["node_modules/rimraf"], "fixAvailable": false}, "serialize-javascript": {"name": "serialize-javascript", "severity": "high", "isDirect": false, "via": [{"source": 1113197, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Cross-site Scripting (XSS) in serialize-javascript", "url": "https://github.com/advisories/GHSA-76p7-773f-r4q5", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}, "range": ">=6.0.0 <6.0.2"}, {"source": 1113686, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()", "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", "severity": "high", "cwe": ["CWE-96"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<=7.0.2"}], "effects": ["mocha"], "range": "<=7.0.2", "nodes": ["node_modules/cypress-parallel/node_modules/serialize-javascript", "node_modules/serialize-javascript"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "sinon": {"name": "sinon", "severity": "low", "isDirect": true, "via": ["diff"], "effects": [], "range": "19.0.0 - 21.0.0", "nodes": ["node_modules/sinon"], "fixAvailable": {"name": "sinon", "version": "21.0.3", "isSemVerMajor": true}}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["request"], "range": "<4.1.3", "nodes": ["node_modules/request/node_modules/tough-cookie"], "fixAvailable": false}, "typescript-eslint": {"name": "typescript-eslint", "severity": "moderate", "isDirect": false, "via": ["@typescript-eslint/eslint-plugin", "@typescript-eslint/parser", "@typescript-eslint/utils", "eslint"], "effects": [], "range": "<=8.55.1-alpha.3", "nodes": [""], "fixAvailable": true}, "yaml": {"name": "yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1115369, "name": "yaml", "dependency": "yaml", "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections", "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp", "severity": "moderate", "cwe": ["CWE-674"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=2.0.0 <2.8.3"}], "effects": [], "range": "2.0.0 - 2.8.2", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 29, "high": 8, "critical": 2, "total": 41}, "dependencies": {"prod": 1, "dev": 848, "optional": 5, "peer": 14, "peerOptional": 0, "total": 848}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated grunt-jasmine-nodejs@1.6.1: Deprecated in favor of npm scripts.
npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@6.1.0: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 847 packages, and audited 848 packages in 34s
190 packages are looking for funding
run `npm fund` for details
# npm audit report
brace-expansion <5.0.5
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
No fix available
node_modules/brace-expansion
node_modules/jasmine/node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion
minimatch <=10.0.2
Depends on vulnerable versions of brace-expansion
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/cypress-parallel/node_modules/mocha/node_modules/minimatch
node_modules/eslint-plugin-unicorn/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/jasmine/node_modules/minimatch
node_modules/minimatch
node_modules/mocha/node_modules/minimatch
@eslint/eslintrc 0.0.1 || >=0.1.1
Depends on vulnerable versions of minimatch
node_modules/@eslint/eslintrc
node_modules/eslint-plugin-unicorn/node_modules/@eslint/eslintrc
eslint 0.12.0 - 2.0.0-rc.1 || 4.1.0 - 10.0.0-rc.2
Depends on vulnerable versions of @eslint/eslintrc
Depends on vulnerable versions of file-entry-cache
Depends on vulnerable versions of minimatch
node_modules/eslint
eslint-config-wikimedia >=0.9.0
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-jest
Depends on vulnerable versions of eslint-plugin-jsdoc
Depends on vulnerable versions of eslint-plugin-unicorn
Depends on vulnerable versions of eslint-plugin-vue
node_modules/eslint-config-wikimedia
@wmde/eslint-config-wikimedia-typescript *
Depends on vulnerable versions of eslint-config-wikimedia
node_modules/@wmde/eslint-config-wikimedia-typescript
eslint-plugin-jest 25.0.1 - 29.12.2
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-jest
eslint-plugin-jsdoc 8.4.4 - 62.6.1
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-jsdoc
eslint-plugin-promise >=5.0.0
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-promise
eslint-plugin-vue 5.0.0-beta.0 - 10.7.0
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-vue
grunt-eslint <=1.0.0 || 4.0.0 - 17.3.2 || >=18.1.0
Depends on vulnerable versions of eslint
Depends on vulnerable versions of grunt
node_modules/grunt-eslint
eslint-plugin-unicorn 50.0.0 - 54.0.0
Depends on vulnerable versions of @eslint/eslintrc
node_modules/eslint-plugin-unicorn
glob 4.3.0 - 10.5.0
Depends on vulnerable versions of minimatch
node_modules/cypress-parallel/node_modules/glob
node_modules/glob
node_modules/jasmine/node_modules/glob
node_modules/mocha/node_modules/glob
grunt >=0.4.0-a
Depends on vulnerable versions of glob
Depends on vulnerable versions of minimatch
node_modules/grunt
grunt-jasmine-nodejs *
Depends on vulnerable versions of glob
Depends on vulnerable versions of grunt
node_modules/grunt-jasmine-nodejs
jasmine 2.5.1 - 3.5.0 || 3.6.2 - 5.13.0
Depends on vulnerable versions of glob
node_modules/jasmine
mocha >=3.0.0-0
Depends on vulnerable versions of diff
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of nanoid
Depends on vulnerable versions of serialize-javascript
Depends on vulnerable versions of serialize-javascript
node_modules/cypress-parallel/node_modules/mocha
node_modules/mocha
cypress-parallel 0.10.0 - 0.14.0
Depends on vulnerable versions of mocha
node_modules/cypress-parallel
rimraf 2.3.0 - 3.0.2 || 4.2.0 - 5.0.10
Depends on vulnerable versions of glob
node_modules/rimraf
flat-cache 1.3.4 - 4.0.0
Depends on vulnerable versions of rimraf
node_modules/flat-cache
file-entry-cache 4.0.0 - 7.0.2
Depends on vulnerable versions of flat-cache
node_modules/file-entry-cache
diff 5.0.0 - 5.2.1 || 6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install sinon@21.0.3, which is a breaking change
node_modules/cypress-parallel/node_modules/diff
node_modules/mocha/node_modules/diff
node_modules/sinon/node_modules/diff
sinon 19.0.0 - 21.0.0
Depends on vulnerable versions of diff
node_modules/sinon
form-data <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
No fix available
node_modules/request/node_modules/form-data
request *
Depends on vulnerable versions of form-data
Depends on vulnerable versions of qs
Depends on vulnerable versions of tough-cookie
node_modules/request
js-yaml 4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix --force`
Will install cypress-parallel@0.15.0, which is a breaking change
node_modules/cypress-parallel/node_modules/js-yaml
nanoid <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix --force`
Will install cypress-parallel@0.15.0, which is a breaking change
node_modules/cypress-parallel/node_modules/nanoid
qs <6.14.1
Severity: moderate
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
No fix available
node_modules/qs
serialize-javascript <=7.0.2
Severity: high
Cross-site Scripting (XSS) in serialize-javascript - https://github.com/advisories/GHSA-76p7-773f-r4q5
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install cypress-parallel@0.15.0, which is a breaking change
node_modules/cypress-parallel/node_modules/serialize-javascript
node_modules/serialize-javascript
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/request/node_modules/tough-cookie
30 vulnerabilities (2 low, 20 moderate, 6 high, 2 critical)
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated grunt-jasmine-nodejs@1.6.1: Deprecated in favor of npm scripts.
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@6.1.0: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 847 packages, and audited 848 packages in 26s
190 packages are looking for funding
run `npm fund` for details
30 vulnerabilities (2 low, 20 moderate, 6 high, 2 critical)
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stderr ---
ERROR: "test:grunt" exited with 3.
--- stdout ---
> test
> run-s test:*
> test:grunt
> grunt test
Running "eslint:all" (eslint) task
Warning: Cannot read properties of undefined (reading 'type')
Occurred while linting /src/repo/resources/datamodel/Form.js:27
Rule: "mediawiki/no-unlabeled-buttonwidget" Use --force to continue.
Aborted due to warnings.
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1268, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1208, in run
self.npm_audit_fix(new_npm_audit)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 239, in npm_audit_fix
self.npm_test()
~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 289, in npm_test
self.check_call(["npm", "test"])
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/shell2.py", line 66, in check_call
res.check_returncode()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/subprocess.py", line 508, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
self.stderr)
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 1.