This run took 121 seconds.
$ date
--- stdout ---
Mon Mar 30 22:56:38 UTC 2026
--- end ---
$ git clone file:///srv/git/labs-xtools.git /src/repo --depth=1 -b main
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/main
--- stdout ---
f47a0f8d539e044b96f0d82b0bac59d19143659f refs/heads/main
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@symfony/webpack-encore": {
"name": "@symfony/webpack-encore",
"severity": "high",
"isDirect": true,
"via": [
"css-minimizer-webpack-plugin",
"webpack-dev-server"
],
"effects": [],
"range": "<=5.3.1",
"nodes": [
"node_modules/@symfony/webpack-encore"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"ajv": {
"name": "ajv",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113714,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<6.14.0"
},
{
"source": 1113715,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=7.0.0-alpha.0 <8.18.0"
}
],
"effects": [],
"range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0",
"nodes": [
"node_modules/ajv",
"node_modules/ajv-formats/node_modules/ajv",
"node_modules/css-minimizer-webpack-plugin/node_modules/ajv",
"node_modules/mini-css-extract-plugin/node_modules/ajv",
"node_modules/webpack-dev-middleware/node_modules/ajv",
"node_modules/webpack-dev-server/node_modules/ajv"
],
"fixAvailable": true
},
"body-parser": {
"name": "body-parser",
"severity": "low",
"isDirect": false,
"via": [
"qs"
],
"effects": [],
"range": "1.19.0 - 1.20.3 || 2.0.0-beta.1 - 2.0.2",
"nodes": [
"node_modules/body-parser"
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1105443,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <=1.1.11"
},
{
"source": 1115540,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<1.1.13"
},
{
"source": 1115541,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1115543,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <5.0.5"
}
],
"effects": [],
"range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
"node_modules/@typescript-eslint/utils/node_modules/brace-expansion",
"node_modules/brace-expansion"
],
"fixAvailable": true
},
"css-minimizer-webpack-plugin": {
"name": "css-minimizer-webpack-plugin",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@symfony/webpack-encore"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/css-minimizer-webpack-plugin"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"immutable": {
"name": "immutable",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114159,
"name": "immutable",
"dependency": "immutable",
"title": "Immutable is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0-rc.1 <4.3.8"
}
],
"effects": [],
"range": "4.0.0-rc.1 - 4.3.7",
"nodes": [
"node_modules/immutable"
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1112455,
"name": "lodash",
"dependency": "lodash",
"title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": ">=4.0.0 <=4.17.22"
}
],
"effects": [],
"range": "4.0.0 - 4.17.21",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"node-forge": {
"name": "node-forge",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115545,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)",
"url": "https://github.com/advisories/GHSA-2328-f5f3-gj25",
"severity": "high",
"cwe": [
"CWE-295"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=1.3.3"
},
{
"source": 1115546,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has signature forgery in Ed25519 due to missing S > L check",
"url": "https://github.com/advisories/GHSA-q67f-28xg-22rw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<1.4.0"
},
{
"source": 1115548,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input",
"url": "https://github.com/advisories/GHSA-5m6q-g25r-mvwx",
"severity": "high",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.4.0"
},
{
"source": 1115612,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field ",
"url": "https://github.com/advisories/GHSA-ppp5-5v6c-4jwp",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<1.4.0"
}
],
"effects": [],
"range": "<=1.3.3",
"nodes": [
"node_modules/node-forge"
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115527,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"url": "https://github.com/advisories/GHSA-37ch-88jc-xwx2",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.13"
}
],
"effects": [],
"range": "<0.1.13",
"nodes": [
"node_modules/path-to-regexp"
],
"fixAvailable": true
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
"node_modules/picomatch"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113161,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in comma parsing allows denial of service",
"url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.7.0 <=6.14.1"
},
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"body-parser"
],
"range": "<=6.14.1",
"nodes": [
"node_modules/express/node_modules/qs",
"node_modules/qs"
],
"fixAvailable": true
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115519,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"css-minimizer-webpack-plugin",
"terser-webpack-plugin"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"svgo": {
"name": "svgo",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114152,
"name": "svgo",
"dependency": "svgo",
"title": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)",
"url": "https://github.com/advisories/GHSA-xpqw-6gx7-v673",
"severity": "high",
"cwe": [
"CWE-776"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.1.0 <2.8.1"
}
],
"effects": [],
"range": "2.1.0 - 2.8.0",
"nodes": [
"node_modules/svgo"
],
"fixAvailable": true
},
"terser-webpack-plugin": {
"name": "terser-webpack-plugin",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [],
"range": "<=5.3.16",
"nodes": [
"node_modules/terser-webpack-plugin"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113041,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior",
"url": "https://github.com/advisories/GHSA-8fgc-7cc6-rx7x",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <=5.104.0"
},
{
"source": 1113042,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence",
"url": "https://github.com/advisories/GHSA-38r7-794h-5758",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <5.104.0"
}
],
"effects": [],
"range": "5.49.0 - 5.104.0",
"nodes": [
"node_modules/webpack"
],
"fixAvailable": true
},
"webpack-dev-server": {
"name": "webpack-dev-server",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1108429,
"name": "webpack-dev-server",
"dependency": "webpack-dev-server",
"title": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser",
"url": "https://github.com/advisories/GHSA-9jgg-88mc-972h",
"severity": "moderate",
"cwe": [
"CWE-346"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=5.2.0"
},
{
"source": 1108430,
"name": "webpack-dev-server",
"dependency": "webpack-dev-server",
"title": "webpack-dev-server users' source code may be stolen when they access a malicious web site",
"url": "https://github.com/advisories/GHSA-4v9v-hfq4-rm2v",
"severity": "moderate",
"cwe": [
"CWE-749"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=5.2.0"
}
],
"effects": [
"@symfony/webpack-encore"
],
"range": "<=5.2.0",
"nodes": [
"node_modules/webpack-dev-server"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"yaml": {
"name": "yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115555,
"name": "yaml",
"dependency": "yaml",
"title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <1.10.3"
}
],
"effects": [],
"range": "1.0.0 - 1.10.2",
"nodes": [
"node_modules/yaml"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 6,
"high": 10,
"critical": 0,
"total": 18
},
"dependencies": {
"prod": 1,
"dev": 869,
"optional": 1,
"peer": 170,
"peerOptional": 0,
"total": 869
}
}
}
--- end ---
Upgrading n:grunt-banana-checker from ^0.10.0 -> 0.13.0
$ /usr/bin/npm install
--- stderr ---
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-plugin-wdio@9.27.0
npm WARN Found: eslint@8.57.1
npm WARN node_modules/eslint
npm WARN peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/eslint-utils@4.9.1
npm WARN node_modules/@eslint-community/eslint-utils
npm WARN @eslint-community/eslint-utils@"^4.7.0" from @typescript-eslint/utils@8.46.0
npm WARN node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils
npm WARN 9 more (@typescript-eslint/utils, @typescript-eslint/utils, ...)
npm WARN 27 more (@stylistic/eslint-plugin, @symfony/webpack-encore, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN
npm WARN Conflicting peer dependency: eslint@9.39.4
npm WARN node_modules/eslint
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN tarball tarball data for growly@https://registry.npmjs.org/growly/-/growly-1.3.0.tgz (sha512-+xGQY0YyAWCnqy7Cd++hc2JqMYzlm0dG30Jd0beaA64sROr8C4nt8Yc9V5Ro3avlSUDTN0ulqP/VBKi1/lLygw==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for sync-rpc@https://registry.npmjs.org/sync-rpc/-/sync-rpc-1.3.6.tgz (sha512-J8jTXuZzRlvU7HemDgHi3pGnh/rkoqR/OZSjhTyyZrEkkYQbk7Z33AXp37mkPfPpfdOuj7Ex3H/TJM1z48uPQw==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for get-port@https://registry.npmjs.org/get-port/-/get-port-3.2.0.tgz (sha512-x5UJKlgeUiNT8nyo/AcnwLnZuZNcSjSw0kogRB+Whd1fjjFq4B1hySFxSFWWSn4mIBzg3sRNUDFYc4g5gjPoLg==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for @types/mime@https://registry.npmjs.org/@types/mime/-/mime-3.0.1.tgz (sha512-Y4XFY5VJAuw0FgAqPNd6NNoV44jbq9Bz2L7Rh/J6jLTiHBSBJa9fxqQIvkIld4GsoDOcCbvzOUAbLPsSKKg+uA==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for @babel/generator@https://registry.npmjs.org/@babel/generator/-/generator-7.25.9.tgz (sha512-omlUGkr5EaoIJrhLf9CJ0TvjBRpd9+AXRG//0GEQ9THSo8wPiTlbpy1/Ow8ZTrbXpjd9FHXfbFQx32I04ht0FA==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for @babel/core@https://registry.npmjs.org/@babel/core/-/core-7.25.9.tgz (sha512-WYvQviPw+Qyib0v92AwNIrdLISTp7RfDkM7bPqBvpbnhY4wq8HvHBZREVdYDXk98C8BkOIVnHAY3yvj7AVISxQ==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for @babel/compat-data@https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.25.9.tgz (sha512-yD+hEuJ/+wAJ4Ox2/rpNv5HIuPG82x3ZlQvYVn8iYCprdxzE7P1udpGF1jyjQVBU4dgznN+k2h103vxZ7NdPyw==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for @babel/helper-module-transforms@https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.25.9.tgz (sha512-TvLZY/F3+GvdRYFZFyxMvnsKi+4oJdgZzU3BoGN9Uc2d9C6zfNwJcKKhjqLAhK8i46mv93jsO74fDh3ih6rpHA==) seems to be corrupted. Trying again.
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 874 packages, and audited 875 packages in 10s
143 packages are looking for funding
run `npm fund` for details
18 vulnerabilities (2 low, 6 moderate, 10 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
$ /usr/bin/npm ci
--- stderr ---
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-plugin-wdio@9.27.0
npm WARN Found: eslint@8.57.1
npm WARN node_modules/eslint
npm WARN peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/eslint-utils@4.9.1
npm WARN node_modules/@eslint-community/eslint-utils
npm WARN @eslint-community/eslint-utils@"^4.7.0" from @typescript-eslint/utils@8.46.0
npm WARN node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils
npm WARN 9 more (@typescript-eslint/utils, @typescript-eslint/utils, ...)
npm WARN 27 more (@stylistic/eslint-plugin, @symfony/webpack-encore, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN
npm WARN Conflicting peer dependency: eslint@9.39.4
npm WARN node_modules/eslint
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 874 packages, and audited 875 packages in 15s
143 packages are looking for funding
run `npm fund` for details
18 vulnerabilities (2 low, 6 moderate, 10 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> banana-checker i18n/
Checked 1 message directory.
--- end ---
Upgrading c:mediawiki/mediawiki-codesniffer from ^48.0.0 -> 50.0.0
Upgrading c:mediawiki/minus-x from ^1.0.0 -> 2.0.1
Upgrading c:phpunit/phpunit from ^10.0 -> 10.5.63
$ /usr/bin/composer update
--- stderr ---
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 6 updates, 0 removals
- Upgrading mediawiki/mediawiki-codesniffer (v48.0.0 => v50.0.0)
- Upgrading mediawiki/minus-x (1.1.3 => 2.0.1)
- Upgrading phpcsstandards/phpcsutils (1.1.1 => 1.2.2)
- Upgrading squizlabs/php_codesniffer (3.13.2 => 3.13.5)
- Upgrading symfony/console (v6.4.35 => v7.4.7)
- Downgrading symfony/framework-bundle (v6.4.35 => v6.4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 132 installs, 0 updates, 0 removals
- Downloading symfony/flex (v1.22.0)
- Downloading symfony/runtime (v7.4.1)
- Downloading dms/phpunit-arraysubset-asserts (v0.5.0)
- Downloading doctrine/persistence (4.1.1)
- Downloading doctrine/common (3.5.0)
- Downloading symfony/routing (v6.4.34)
- Downloading symfony/http-foundation (v7.4.7)
- Downloading symfony/event-dispatcher (v7.4.4)
- Downloading symfony/error-handler (v7.4.4)
- Downloading symfony/http-kernel (v6.4.35)
- Downloading symfony/var-exporter (v7.4.0)
- Downloading symfony/dependency-injection (v6.4.35)
- Downloading symfony/config (v6.4.34)
- Downloading symfony/cache-contracts (v3.6.0)
- Downloading symfony/cache (v6.4.35)
- Downloading symfony/framework-bundle (v6.4.1)
- Downloading symfony/stopwatch (v7.4.0)
- Downloading doctrine/dbal (4.4.3)
- Downloading doctrine/migrations (3.9.6)
- Downloading symfony/doctrine-bridge (v7.4.7)
- Downloading doctrine/doctrine-bundle (2.18.2)
- Downloading doctrine/doctrine-migrations-bundle (3.7.0)
- Downloading doctrine/instantiator (2.0.0)
- Downloading symfony/expression-language (v7.4.4)
- Downloading eightpoints/guzzle-bundle (v8.6.0)
- Downloading phpstan/phpdoc-parser (1.33.0)
- Downloading jms/metadata (2.9.0)
- Downloading jms/serializer (3.32.7)
- Downloading jms/serializer-bundle (5.5.2)
- Downloading mediawiki/oauthclient (2.0.0)
- Downloading zircote/swagger-php (5.4.2)
- Downloading symfony/property-info (v6.4.34)
- Downloading symfony/options-resolver (v7.4.0)
- Downloading nelmio/api-doc-bundle (v4.38.7)
- Downloading nelmio/cors-bundle (2.6.1)
- Downloading symfony/dom-crawler (v6.4.34)
- Downloading symfony/browser-kit (v6.4.32)
- Downloading symfony/css-selector (v6.4.34)
- Downloading symfony/dotenv (v6.4.35)
- Downloading symfony/mime (v7.4.7)
- Downloading symfony/mailer (v6.4.34)
- Downloading symfony/monolog-bridge (v6.4.34)
- Downloading symfony/monolog-bundle (v3.11.1)
- Downloading symfony/password-hasher (v7.4.6)
- Downloading symfony/phpunit-bridge (v6.4.35)
- Downloading symfony/property-access (v6.4.32)
- Downloading symfony/security-core (v7.4.4)
- Downloading symfony/security-csrf (v6.4.31)
- Downloading symfony/serializer (v6.4.35)
- Downloading symfony/translation-contracts (v3.6.1)
- Downloading symfony/twig-bridge (v6.4.35)
- Downloading symfony/twig-bundle (v6.4.32)
- Downloading symfony/web-profiler-bundle (v6.4.35)
- Downloading symfony/asset (v6.4.34)
- Downloading symfony/webpack-encore-bundle (v1.17.2)
- Downloading wikimedia/ip-utils (5.0.0)
0/56 [>---------------------------] 0%
15/56 [=======>--------------------] 26%
20/56 [==========>-----------------] 35%
31/56 [===============>------------] 55%
47/56 [=======================>----] 83%
55/56 [===========================>] 98%
56/56 [============================] 100%
- Installing symfony/flex (v1.22.0): Extracting archive
- Installing symfony/runtime (v7.4.1): Extracting archive
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.0): Extracting archive
- Installing sebastian/version (4.0.1): Extracting archive
- Installing sebastian/type (4.0.0): Extracting archive
- Installing sebastian/recursion-context (5.0.1): Extracting archive
- Installing sebastian/object-reflector (3.0.0): Extracting archive
- Installing sebastian/object-enumerator (5.0.0): Extracting archive
- Installing sebastian/global-state (6.0.2): Extracting archive
- Installing symfony/polyfill-mbstring (v1.33.0): Extracting archive
- Installing sebastian/exporter (5.1.4): Extracting archive
- Installing sebastian/environment (6.1.0): Extracting archive
- Installing sebastian/diff (5.1.1): Extracting archive
- Installing sebastian/comparator (5.0.5): Extracting archive
- Installing sebastian/code-unit (2.0.0): Extracting archive
- Installing sebastian/cli-parser (2.0.1): Extracting archive
- Installing phpunit/php-timer (6.0.0): Extracting archive
- Installing phpunit/php-text-template (3.0.1): Extracting archive
- Installing phpunit/php-invoker (4.0.0): Extracting archive
- Installing phpunit/php-file-iterator (4.1.0): Extracting archive
- Installing theseer/tokenizer (1.3.1): Extracting archive
- Installing symfony/polyfill-ctype (v1.33.0): Extracting archive
- Installing nikic/php-parser (v5.7.0): Extracting archive
- Installing sebastian/lines-of-code (2.0.2): Extracting archive
- Installing sebastian/complexity (3.2.0): Extracting archive
- Installing sebastian/code-unit-reverse-lookup (3.0.0): Extracting archive
- Installing phpunit/php-code-coverage (10.1.16): Extracting archive
- Installing phar-io/version (3.2.1): Extracting archive
- Installing phar-io/manifest (2.0.4): Extracting archive
- Installing myclabs/deep-copy (1.13.4): Extracting archive
- Installing phpunit/phpunit (10.5.63): Extracting archive
- Installing dms/phpunit-arraysubset-asserts (v0.5.0): Extracting archive
- Installing psr/cache (3.0.0): Extracting archive
- Installing doctrine/event-manager (2.1.1): Extracting archive
- Installing doctrine/persistence (4.1.1): Extracting archive
- Installing doctrine/common (3.5.0): Extracting archive
- Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
- Installing symfony/routing (v6.4.34): Extracting archive
- Installing symfony/http-foundation (v7.4.7): Extracting archive
- Installing psr/event-dispatcher (1.0.0): Extracting archive
- Installing symfony/event-dispatcher-contracts (v3.6.0): Extracting archive
- Installing symfony/event-dispatcher (v7.4.4): Extracting archive
- Installing symfony/var-dumper (v7.4.6): Extracting archive
- Installing symfony/polyfill-php85 (v1.33.0): Extracting archive
- Installing psr/log (1.1.4): Extracting archive
- Installing symfony/error-handler (v7.4.4): Extracting archive
- Installing symfony/http-kernel (v6.4.35): Extracting archive
- Installing symfony/finder (v7.4.6): Extracting archive
- Installing symfony/filesystem (v7.4.6): Extracting archive
- Installing symfony/var-exporter (v7.4.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.6.1): Extracting archive
- Installing symfony/dependency-injection (v6.4.35): Extracting archive
- Installing symfony/config (v6.4.34): Extracting archive
- Installing symfony/cache-contracts (v3.6.0): Extracting archive
- Installing symfony/cache (v6.4.35): Extracting archive
- Installing symfony/framework-bundle (v6.4.1): Extracting archive
- Installing symfony/stopwatch (v7.4.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.33.0): Extracting archive
- Installing symfony/string (v7.4.6): Extracting archive
- Installing symfony/console (v7.4.7): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing doctrine/dbal (4.4.3): Extracting archive
- Installing doctrine/migrations (3.9.6): Extracting archive
- Installing symfony/doctrine-bridge (v7.4.7): Extracting archive
- Installing doctrine/sql-formatter (1.5.4): Extracting archive
- Installing doctrine/doctrine-bundle (2.18.2): Extracting archive
- Installing doctrine/doctrine-migrations-bundle (3.7.0): Extracting archive
- Installing doctrine/instantiator (2.0.0): Extracting archive
- Installing doctrine/lexer (3.0.1): Extracting archive
- Installing symfony/expression-language (v7.4.4): Extracting archive
- Installing ralouphie/getallheaders (3.0.3): Extracting archive
- Installing psr/http-message (2.0): Extracting archive
- Installing psr/http-factory (1.1.0): Extracting archive
- Installing guzzlehttp/psr7 (2.9.0): Extracting archive
- Installing guzzlehttp/promises (2.3.0): Extracting archive
- Installing psr/http-client (1.0.3): Extracting archive
- Installing guzzlehttp/guzzle (7.10.0): Extracting archive
- Installing eightpoints/guzzle-bundle (v8.6.0): Extracting archive
- Installing phpstan/phpdoc-parser (1.33.0): Extracting archive
- Installing jms/metadata (2.9.0): Extracting archive
- Installing jms/serializer (3.32.7): Extracting archive
- Installing jms/serializer-bundle (5.5.2): Extracting archive
- Installing krinkle/intuition (v2.3.6): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing composer/spdx-licenses (1.5.9): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v50.0.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing mediawiki/oauthclient (2.0.0): Extracting archive
- Installing symfony/yaml (v6.4.34): Extracting archive
- Installing zircote/swagger-php (5.4.2): Extracting archive
- Installing symfony/property-info (v6.4.34): Extracting archive
- Installing symfony/options-resolver (v7.4.0): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing phpdocumentor/type-resolver (1.12.0): Extracting archive
- Installing webmozart/assert (2.1.6): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.6.7): Extracting archive
- Installing nelmio/api-doc-bundle (v4.38.7): Extracting archive
- Installing nelmio/cors-bundle (2.6.1): Extracting archive
- Installing masterminds/html5 (2.10.0): Extracting archive
- Installing symfony/dom-crawler (v6.4.34): Extracting archive
- Installing symfony/browser-kit (v6.4.32): Extracting archive
- Installing symfony/css-selector (v6.4.34): Extracting archive
- Installing symfony/dotenv (v6.4.35): Extracting archive
- Installing symfony/polyfill-intl-idn (v1.33.0): Extracting archive
- Installing symfony/mime (v7.4.7): Extracting archive
- Installing egulias/email-validator (4.0.4): Extracting archive
- Installing symfony/mailer (v6.4.34): Extracting archive
- Installing symfony/polyfill-php84 (v1.33.0): Extracting archive
- Installing monolog/monolog (2.11.0): Extracting archive
- Installing symfony/monolog-bridge (v6.4.34): Extracting archive
- Installing symfony/monolog-bundle (v3.11.1): Extracting archive
- Installing symfony/password-hasher (v7.4.6): Extracting archive
- Installing symfony/phpunit-bridge (v6.4.35): Extracting archive
- Installing symfony/property-access (v6.4.32): Extracting archive
- Installing symfony/security-core (v7.4.4): Extracting archive
- Installing symfony/security-csrf (v6.4.31): Extracting archive
- Installing symfony/serializer (v6.4.35): Extracting archive
- Installing twig/twig (v3.24.0): Extracting archive
- Installing symfony/translation-contracts (v3.6.1): Extracting archive
- Installing symfony/twig-bridge (v6.4.35): Extracting archive
- Installing symfony/twig-bundle (v6.4.32): Extracting archive
- Installing symfony/web-profiler-bundle (v6.4.35): Extracting archive
- Installing symfony/polyfill-php80 (v1.33.0): Extracting archive
- Installing symfony/asset (v6.4.34): Extracting archive
- Installing symfony/webpack-encore-bundle (v1.17.2): Extracting archive
- Installing wikimedia/base-convert (v2.0.2): Extracting archive
- Installing wikimedia/ip-utils (5.0.0): Extracting archive
0/128 [>---------------------------] 0%
10/128 [==>-------------------------] 7%
19/128 [====>-----------------------] 14%
27/128 [=====>----------------------] 21%
46/128 [==========>-----------------] 35%
56/128 [============>---------------] 43%
66/128 [==============>-------------] 51%
80/128 [=================>----------] 62%
90/128 [===================>--------] 70%
105/128 [======================>-----] 82%
117/128 [=========================>--] 91%
128/128 [============================] 100%
Generating autoload files
103 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Run composer recipes at any time to see the status of your Symfony recipes.
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Writing lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Generating autoload files
103 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Run composer recipes at any time to see the status of your Symfony recipes.
No security vulnerability advisories found.
No security vulnerability advisories found.
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ vendor/bin/phpcs --report=json
--- stdout ---
{"totals":{"errors":0,"warnings":0,"fixable":0},"files":{"\/src\/repo\/public\/index.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Kernel.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Monolog\/WebProcessorMonolog.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Exception\/BadGatewayException.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Exception\/XtoolsHttpException.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/BlameRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/PageAssessmentsRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/EditRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/LargestPagesController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/SimpleEditCounterController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/EditSummaryRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/GlobalContribsController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/EditSummaryController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/migrations\/Version20190302022255.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/migrations\/Version20230412051210.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/migrations\/Version20230419221648.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/AuthorshipControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/EventSubscriber\/ExceptionListener.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/SimpleEditCounterControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/migrations\/Version20170623205224.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/AdminStatsRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/migrations\/Version20171208040821.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/AdminScoreController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/CategoryEdits.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/PagesControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/CategoryEditsController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/EventSubscriber\/DisabledToolSubscriber.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/CategoryEditsControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/EditSummaryControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/GlobalContribs.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/QuoteController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/CategoryEditsRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/MetaControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/GlobalContribsControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/UserRightsRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/EventSubscriber\/RateLimitSubscriber.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/ControllerTestAdapter.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Exception\/BadGatewayExceptionTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/AdminStatsControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/LargestPagesTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/EditSummary.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/SimpleEditCounter.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/PageAssessments.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/LargestPages.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/TopEditsController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/PageInfoControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Repository\/RepositoryTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/BlameController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/Authorship.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/config\/preload.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/AdminStats.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/config\/bundles.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/BlameTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/DefaultControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/EditCounterControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/AdminScore.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/SessionHelper.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/ProjectRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Helper\/AutomatedEditsHelper.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/AutomatedEditsControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Twig\/TopNavExtensionTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/migrations\/Version20170623203059.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/Blame.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/DefaultController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/UserRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/GlobalContribsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/EditSummaryTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/PageAssessmentsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/PageInfoRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/AuthorshipTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/TestAdapter.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Twig\/TopNavExtension.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/MetaController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Helper\/AutomatedEditsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/Repository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/OverridableXtoolsController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/AdminStatsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/AdminStatsController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/AdminScoreRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/Page.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/TopEdits.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/EditCounterRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/PageRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Helper\/I18nHelperTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/AuthorshipRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/PagesRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/GlobalContribsRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/UserRights.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/PagesController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/Project.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/Model.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/CategoryEditsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/SimpleEditCounterRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/TopEditsRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/User.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/XtoolsControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/AutoEditsRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/AutoEditsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Controller\/TopEditsControllerTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/PageInfoController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/Pages.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Repository\/LargestPagesRepository.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/UserTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/EditCounterController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/AutoEdits.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Twig\/AppExtension.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/AuthorshipController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/PageTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/EditCounter.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/TopEditsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/PagesTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Twig\/AppExtensionTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/ModelTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/AutomatedEditsController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/UserRightsTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/PageInfo.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Helper\/I18nHelper.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/EditCounterTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/Edit.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/PageInfoTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Controller\/XtoolsController.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/EditTest.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/src\/Model\/PageInfoApi.php":{"errors":0,"warnings":0,"messages":[]},"\/src\/repo\/tests\/Model\/ProjectTest.php":{"errors":0,"warnings":0,"messages":[]}}}
--- end ---
$ /usr/bin/composer install
--- stderr ---
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Nothing to install, update or remove
Generating autoload files
103 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Run composer recipes at any time to see the status of your Symfony recipes.
--- stdout ---
--- end ---
$ /usr/bin/composer test
--- stderr ---
> phpunit
> phpcs -p -s
> minus-x check .
--- stdout ---
PHPUnit 10.5.63 by Sebastian Bergmann and contributors.
Runtime: PHP 8.4.18
Configuration: /src/repo/phpunit.xml.dist
D.............................................................. 63 / 278 ( 22%)
............................................................... 126 / 278 ( 45%)
.................................................S............. 189 / 278 ( 67%)
.........S..................................................... 252 / 278 ( 90%)
.......................... 278 / 278 (100%)
Time: 00:05.284, Memory: 64.50 MB
OK, but there were issues!
Tests: 278, Assertions: 952, PHPUnit Deprecations: 24, Skipped: 2.
Remaining self deprecation notices (1)
Remaining direct deprecation notices (776)
Remaining indirect deprecation notices (2153)
............................................................ 60 / 62 (97%)
.. 62 / 62 (100%)
Time: 2.59 secs; Memory: 8MB
MinusX
======
Processing /src/repo...
.............................................................
.............................................................
.............................................................
.............................................................
.............................................................
.............................................................
.............................................................
.......................................
All good!
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@symfony/webpack-encore": {
"name": "@symfony/webpack-encore",
"severity": "high",
"isDirect": true,
"via": [
"css-minimizer-webpack-plugin",
"webpack-dev-server"
],
"effects": [],
"range": "<=5.3.1",
"nodes": [
"node_modules/@symfony/webpack-encore"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"ajv": {
"name": "ajv",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113714,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<6.14.0"
},
{
"source": 1113715,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=7.0.0-alpha.0 <8.18.0"
}
],
"effects": [],
"range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0",
"nodes": [
"node_modules/ajv",
"node_modules/ajv-formats/node_modules/ajv",
"node_modules/css-minimizer-webpack-plugin/node_modules/ajv",
"node_modules/mini-css-extract-plugin/node_modules/ajv",
"node_modules/webpack-dev-middleware/node_modules/ajv",
"node_modules/webpack-dev-server/node_modules/ajv"
],
"fixAvailable": true
},
"body-parser": {
"name": "body-parser",
"severity": "low",
"isDirect": false,
"via": [
"qs"
],
"effects": [],
"range": "1.19.0 - 1.20.3 || 2.0.0-beta.1 - 2.0.2",
"nodes": [
"node_modules/body-parser"
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1105443,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <=1.1.11"
},
{
"source": 1115540,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<1.1.13"
},
{
"source": 1115541,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1115543,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <5.0.5"
}
],
"effects": [],
"range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
"node_modules/@typescript-eslint/utils/node_modules/brace-expansion",
"node_modules/brace-expansion"
],
"fixAvailable": true
},
"css-minimizer-webpack-plugin": {
"name": "css-minimizer-webpack-plugin",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@symfony/webpack-encore"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/css-minimizer-webpack-plugin"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"immutable": {
"name": "immutable",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114159,
"name": "immutable",
"dependency": "immutable",
"title": "Immutable is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0-rc.1 <4.3.8"
}
],
"effects": [],
"range": "4.0.0-rc.1 - 4.3.7",
"nodes": [
"node_modules/immutable"
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1112455,
"name": "lodash",
"dependency": "lodash",
"title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": ">=4.0.0 <=4.17.22"
}
],
"effects": [],
"range": "4.0.0 - 4.17.21",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"node-forge": {
"name": "node-forge",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115545,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)",
"url": "https://github.com/advisories/GHSA-2328-f5f3-gj25",
"severity": "high",
"cwe": [
"CWE-295"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=1.3.3"
},
{
"source": 1115546,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has signature forgery in Ed25519 due to missing S > L check",
"url": "https://github.com/advisories/GHSA-q67f-28xg-22rw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<1.4.0"
},
{
"source": 1115548,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input",
"url": "https://github.com/advisories/GHSA-5m6q-g25r-mvwx",
"severity": "high",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.4.0"
},
{
"source": 1115612,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field ",
"url": "https://github.com/advisories/GHSA-ppp5-5v6c-4jwp",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<1.4.0"
}
],
"effects": [],
"range": "<=1.3.3",
"nodes": [
"node_modules/node-forge"
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115527,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"url": "https://github.com/advisories/GHSA-37ch-88jc-xwx2",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.13"
}
],
"effects": [],
"range": "<0.1.13",
"nodes": [
"node_modules/path-to-regexp"
],
"fixAvailable": true
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
"node_modules/picomatch"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113161,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in comma parsing allows denial of service",
"url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.7.0 <=6.14.1"
},
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"body-parser"
],
"range": "<=6.14.1",
"nodes": [
"node_modules/express/node_modules/qs",
"node_modules/qs"
],
"fixAvailable": true
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115519,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"css-minimizer-webpack-plugin",
"terser-webpack-plugin"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"svgo": {
"name": "svgo",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114152,
"name": "svgo",
"dependency": "svgo",
"title": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)",
"url": "https://github.com/advisories/GHSA-xpqw-6gx7-v673",
"severity": "high",
"cwe": [
"CWE-776"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.1.0 <2.8.1"
}
],
"effects": [],
"range": "2.1.0 - 2.8.0",
"nodes": [
"node_modules/svgo"
],
"fixAvailable": true
},
"terser-webpack-plugin": {
"name": "terser-webpack-plugin",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [],
"range": "<=5.3.16",
"nodes": [
"node_modules/terser-webpack-plugin"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113041,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior",
"url": "https://github.com/advisories/GHSA-8fgc-7cc6-rx7x",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <=5.104.0"
},
{
"source": 1113042,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence",
"url": "https://github.com/advisories/GHSA-38r7-794h-5758",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <5.104.0"
}
],
"effects": [],
"range": "5.49.0 - 5.104.0",
"nodes": [
"node_modules/webpack"
],
"fixAvailable": true
},
"webpack-dev-server": {
"name": "webpack-dev-server",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1108429,
"name": "webpack-dev-server",
"dependency": "webpack-dev-server",
"title": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser",
"url": "https://github.com/advisories/GHSA-9jgg-88mc-972h",
"severity": "moderate",
"cwe": [
"CWE-346"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=5.2.0"
},
{
"source": 1108430,
"name": "webpack-dev-server",
"dependency": "webpack-dev-server",
"title": "webpack-dev-server users' source code may be stolen when they access a malicious web site",
"url": "https://github.com/advisories/GHSA-4v9v-hfq4-rm2v",
"severity": "moderate",
"cwe": [
"CWE-749"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=5.2.0"
}
],
"effects": [
"@symfony/webpack-encore"
],
"range": "<=5.2.0",
"nodes": [
"node_modules/webpack-dev-server"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"yaml": {
"name": "yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115555,
"name": "yaml",
"dependency": "yaml",
"title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <1.10.3"
}
],
"effects": [],
"range": "1.0.0 - 1.10.2",
"nodes": [
"node_modules/yaml"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 6,
"high": 10,
"critical": 0,
"total": 18
},
"dependencies": {
"prod": 1,
"dev": 875,
"optional": 1,
"peer": 170,
"peerOptional": 0,
"total": 875
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-plugin-wdio@9.27.0
npm WARN Found: eslint@8.57.1
npm WARN node_modules/eslint
npm WARN peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/eslint-utils@4.9.1
npm WARN node_modules/@eslint-community/eslint-utils
npm WARN @eslint-community/eslint-utils@"^4.7.0" from @typescript-eslint/utils@8.46.0
npm WARN node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils
npm WARN 9 more (@typescript-eslint/utils, @typescript-eslint/utils, ...)
npm WARN 27 more (@stylistic/eslint-plugin, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN
npm WARN Conflicting peer dependency: eslint@9.39.4
npm WARN node_modules/eslint
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
--- stdout ---
{
"added": 28,
"removed": 32,
"changed": 93,
"audited": 871,
"funding": 155,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@symfony/webpack-encore": {
"name": "@symfony/webpack-encore",
"severity": "high",
"isDirect": false,
"via": [
"css-minimizer-webpack-plugin",
"webpack-dev-server"
],
"effects": [],
"range": "<=5.3.1",
"nodes": [
""
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"ajv": {
"name": "ajv",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113714,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<6.14.0"
},
{
"source": 1113715,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=7.0.0-alpha.0 <8.18.0"
}
],
"effects": [],
"range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0",
"nodes": [
"",
"",
"",
"",
"",
""
],
"fixAvailable": true
},
"body-parser": {
"name": "body-parser",
"severity": "low",
"isDirect": false,
"via": [
"qs"
],
"effects": [],
"range": "1.19.0 - 1.20.3 || 2.0.0-beta.1 - 2.0.2",
"nodes": [
""
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1105443,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <=1.1.11"
},
{
"source": 1115540,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<1.1.13"
},
{
"source": 1115541,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1115543,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <5.0.5"
}
],
"effects": [],
"range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4",
"nodes": [
"",
"",
""
],
"fixAvailable": true
},
"css-minimizer-webpack-plugin": {
"name": "css-minimizer-webpack-plugin",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@symfony/webpack-encore"
],
"range": "<=7.0.4",
"nodes": [
""
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"immutable": {
"name": "immutable",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114159,
"name": "immutable",
"dependency": "immutable",
"title": "Immutable is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0-rc.1 <4.3.8"
}
],
"effects": [],
"range": "4.0.0-rc.1 - 4.3.7",
"nodes": [
""
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1112455,
"name": "lodash",
"dependency": "lodash",
"title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": ">=4.0.0 <=4.17.22"
}
],
"effects": [],
"range": "4.0.0 - 4.17.21",
"nodes": [
""
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [],
"range": "<=3.1.3",
"nodes": [
""
],
"fixAvailable": true
},
"node-forge": {
"name": "node-forge",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115545,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)",
"url": "https://github.com/advisories/GHSA-2328-f5f3-gj25",
"severity": "high",
"cwe": [
"CWE-295"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=1.3.3"
},
{
"source": 1115546,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has signature forgery in Ed25519 due to missing S > L check",
"url": "https://github.com/advisories/GHSA-q67f-28xg-22rw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<1.4.0"
},
{
"source": 1115548,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input",
"url": "https://github.com/advisories/GHSA-5m6q-g25r-mvwx",
"severity": "high",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.4.0"
},
{
"source": 1115612,
"name": "node-forge",
"dependency": "node-forge",
"title": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field ",
"url": "https://github.com/advisories/GHSA-ppp5-5v6c-4jwp",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<1.4.0"
}
],
"effects": [],
"range": "<=1.3.3",
"nodes": [
""
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115527,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"url": "https://github.com/advisories/GHSA-37ch-88jc-xwx2",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.13"
}
],
"effects": [],
"range": "<0.1.13",
"nodes": [
""
],
"fixAvailable": true
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
""
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113161,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in comma parsing allows denial of service",
"url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.7.0 <=6.14.1"
},
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"body-parser"
],
"range": "<=6.14.1",
"nodes": [
"",
""
],
"fixAvailable": true
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115519,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"css-minimizer-webpack-plugin",
"terser-webpack-plugin"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"svgo": {
"name": "svgo",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114152,
"name": "svgo",
"dependency": "svgo",
"title": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)",
"url": "https://github.com/advisories/GHSA-xpqw-6gx7-v673",
"severity": "high",
"cwe": [
"CWE-776"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.1.0 <2.8.1"
}
],
"effects": [],
"range": "2.1.0 - 2.8.0",
"nodes": [
""
],
"fixAvailable": true
},
"terser-webpack-plugin": {
"name": "terser-webpack-plugin",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [],
"range": "<=5.3.16",
"nodes": [
""
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113041,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior",
"url": "https://github.com/advisories/GHSA-8fgc-7cc6-rx7x",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <=5.104.0"
},
{
"source": 1113042,
"name": "webpack",
"dependency": "webpack",
"title": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence",
"url": "https://github.com/advisories/GHSA-38r7-794h-5758",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
"range": ">=5.49.0 <5.104.0"
}
],
"effects": [],
"range": "5.49.0 - 5.104.0",
"nodes": [
""
],
"fixAvailable": true
},
"webpack-dev-server": {
"name": "webpack-dev-server",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1108429,
"name": "webpack-dev-server",
"dependency": "webpack-dev-server",
"title": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser",
"url": "https://github.com/advisories/GHSA-9jgg-88mc-972h",
"severity": "moderate",
"cwe": [
"CWE-346"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=5.2.0"
},
{
"source": 1108430,
"name": "webpack-dev-server",
"dependency": "webpack-dev-server",
"title": "webpack-dev-server users' source code may be stolen when they access a malicious web site",
"url": "https://github.com/advisories/GHSA-4v9v-hfq4-rm2v",
"severity": "moderate",
"cwe": [
"CWE-749"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=5.2.0"
}
],
"effects": [
"@symfony/webpack-encore"
],
"range": "<=5.2.0",
"nodes": [
""
],
"fixAvailable": {
"name": "@symfony/webpack-encore",
"version": "6.0.0",
"isSemVerMajor": true
}
},
"yaml": {
"name": "yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115555,
"name": "yaml",
"dependency": "yaml",
"title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <1.10.3"
}
],
"effects": [],
"range": "1.0.0 - 1.10.2",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 6,
"high": 10,
"critical": 0,
"total": 18
},
"dependencies": {
"prod": 1,
"dev": 870,
"optional": 1,
"peer": 173,
"peerOptional": 0,
"total": 870
}
}
}
}
--- end ---
{"added": 28, "removed": 32, "changed": 93, "audited": 871, "funding": 155, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@symfony/webpack-encore": {"name": "@symfony/webpack-encore", "severity": "high", "isDirect": false, "via": ["css-minimizer-webpack-plugin", "webpack-dev-server"], "effects": [], "range": "<=5.3.1", "nodes": [""], "fixAvailable": {"name": "@symfony/webpack-encore", "version": "6.0.0", "isSemVerMajor": true}}, "ajv": {"name": "ajv", "severity": "moderate", "isDirect": false, "via": [{"source": 1113714, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<6.14.0"}, {"source": 1113715, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": ">=7.0.0-alpha.0 <8.18.0"}], "effects": [], "range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0", "nodes": ["", "", "", "", "", ""], "fixAvailable": true}, "body-parser": {"name": "body-parser", "severity": "low", "isDirect": false, "via": ["qs"], "effects": [], "range": "1.19.0 - 1.20.3 || 2.0.0-beta.1 - 2.0.2", "nodes": [""], "fixAvailable": true}, "brace-expansion": {"name": "brace-expansion", "severity": "moderate", "isDirect": false, "via": [{"source": 1105443, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion Regular Expression Denial of Service vulnerability", "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", "severity": "low", "cwe": ["CWE-400"], "cvss": {"score": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=1.0.0 <=1.1.11"}, {"source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<1.1.13"}, {"source": 1115541, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=2.0.0 <2.0.3"}, {"source": 1115543, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <5.0.5"}], "effects": [], "range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4", "nodes": ["", "", ""], "fixAvailable": true}, "css-minimizer-webpack-plugin": {"name": "css-minimizer-webpack-plugin", "severity": "high", "isDirect": false, "via": ["serialize-javascript"], "effects": ["@symfony/webpack-encore"], "range": "<=7.0.4", "nodes": [""], "fixAvailable": {"name": "@symfony/webpack-encore", "version": "6.0.0", "isSemVerMajor": true}}, "immutable": {"name": "immutable", "severity": "high", "isDirect": false, "via": [{"source": 1114159, "name": "immutable", "dependency": "immutable", "title": "Immutable is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 0, "vectorString": null}, "range": ">=4.0.0-rc.1 <4.3.8"}], "effects": [], "range": "4.0.0-rc.1 - 4.3.7", "nodes": [""], "fixAvailable": true}, "lodash": {"name": "lodash", "severity": "moderate", "isDirect": false, "via": [{"source": 1112455, "name": "lodash", "dependency": "lodash", "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": ">=4.0.0 <=4.17.22"}], "effects": [], "range": "4.0.0 - 4.17.21", "nodes": [""], "fixAvailable": true}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}], "effects": [], "range": "<=3.1.3", "nodes": [""], "fixAvailable": true}, "node-forge": {"name": "node-forge", "severity": "high", "isDirect": false, "via": [{"source": 1115545, "name": "node-forge", "dependency": "node-forge", "title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)", "url": "https://github.com/advisories/GHSA-2328-f5f3-gj25", "severity": "high", "cwe": ["CWE-295"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "range": "<=1.3.3"}, {"source": 1115546, "name": "node-forge", "dependency": "node-forge", "title": "Forge has signature forgery in Ed25519 due to missing S > L check", "url": "https://github.com/advisories/GHSA-q67f-28xg-22rw", "severity": "high", "cwe": ["CWE-347"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<1.4.0"}, {"source": 1115548, "name": "node-forge", "dependency": "node-forge", "title": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input", "url": "https://github.com/advisories/GHSA-5m6q-g25r-mvwx", "severity": "high", "cwe": ["CWE-835"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<1.4.0"}, {"source": 1115612, "name": "node-forge", "dependency": "node-forge", "title": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field ", "url": "https://github.com/advisories/GHSA-ppp5-5v6c-4jwp", "severity": "high", "cwe": ["CWE-20", "CWE-347"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<1.4.0"}], "effects": [], "range": "<=1.3.3", "nodes": [""], "fixAvailable": true}, "path-to-regexp": {"name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [{"source": 1115527, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters", "url": "https://github.com/advisories/GHSA-37ch-88jc-xwx2", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.1.13"}], "effects": [], "range": "<0.1.13", "nodes": [""], "fixAvailable": true}, "picomatch": {"name": "picomatch", "severity": "high", "isDirect": false, "via": [{"source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<2.3.2"}, {"source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<2.3.2"}], "effects": [], "range": "<=2.3.1", "nodes": [""], "fixAvailable": true}, "qs": {"name": "qs", "severity": "moderate", "isDirect": false, "via": [{"source": 1113161, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in comma parsing allows denial of service", "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", "severity": "low", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=6.7.0 <=6.14.1"}, {"source": 1113719, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", "severity": "moderate", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<6.14.1"}], "effects": ["body-parser"], "range": "<=6.14.1", "nodes": ["", ""], "fixAvailable": true}, "serialize-javascript": {"name": "serialize-javascript", "severity": "high", "isDirect": false, "via": [{"source": 1113686, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()", "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", "severity": "high", "cwe": ["CWE-96"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<=7.0.2"}, {"source": 1115519, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects", "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v", "severity": "moderate", "cwe": ["CWE-400", "CWE-834"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<7.0.5"}], "effects": ["css-minimizer-webpack-plugin", "terser-webpack-plugin"], "range": "<=7.0.4", "nodes": ["node_modules/serialize-javascript"], "fixAvailable": {"name": "@symfony/webpack-encore", "version": "6.0.0", "isSemVerMajor": true}}, "svgo": {"name": "svgo", "severity": "high", "isDirect": false, "via": [{"source": 1114152, "name": "svgo", "dependency": "svgo", "title": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)", "url": "https://github.com/advisories/GHSA-xpqw-6gx7-v673", "severity": "high", "cwe": ["CWE-776"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=2.1.0 <2.8.1"}], "effects": [], "range": "2.1.0 - 2.8.0", "nodes": [""], "fixAvailable": true}, "terser-webpack-plugin": {"name": "terser-webpack-plugin", "severity": "high", "isDirect": false, "via": ["serialize-javascript"], "effects": [], "range": "<=5.3.16", "nodes": [""], "fixAvailable": true}, "webpack": {"name": "webpack", "severity": "low", "isDirect": false, "via": [{"source": 1113041, "name": "webpack", "dependency": "webpack", "title": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior", "url": "https://github.com/advisories/GHSA-8fgc-7cc6-rx7x", "severity": "low", "cwe": ["CWE-918"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": ">=5.49.0 <=5.104.0"}, {"source": 1113042, "name": "webpack", "dependency": "webpack", "title": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence", "url": "https://github.com/advisories/GHSA-38r7-794h-5758", "severity": "low", "cwe": ["CWE-918"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": ">=5.49.0 <5.104.0"}], "effects": [], "range": "5.49.0 - 5.104.0", "nodes": [""], "fixAvailable": true}, "webpack-dev-server": {"name": "webpack-dev-server", "severity": "moderate", "isDirect": false, "via": [{"source": 1108429, "name": "webpack-dev-server", "dependency": "webpack-dev-server", "title": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser", "url": "https://github.com/advisories/GHSA-9jgg-88mc-972h", "severity": "moderate", "cwe": ["CWE-346"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "range": "<=5.2.0"}, {"source": 1108430, "name": "webpack-dev-server", "dependency": "webpack-dev-server", "title": "webpack-dev-server users' source code may be stolen when they access a malicious web site", "url": "https://github.com/advisories/GHSA-4v9v-hfq4-rm2v", "severity": "moderate", "cwe": ["CWE-749"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "range": "<=5.2.0"}], "effects": ["@symfony/webpack-encore"], "range": "<=5.2.0", "nodes": [""], "fixAvailable": {"name": "@symfony/webpack-encore", "version": "6.0.0", "isSemVerMajor": true}}, "yaml": {"name": "yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1115555, "name": "yaml", "dependency": "yaml", "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections", "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp", "severity": "moderate", "cwe": ["CWE-674"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=1.0.0 <1.10.3"}], "effects": [], "range": "1.0.0 - 1.10.2", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 6, "high": 10, "critical": 0, "total": 18}, "dependencies": {"prod": 1, "dev": 870, "optional": 1, "peer": 173, "peerOptional": 0, "total": 870}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-plugin-wdio@9.27.0
npm WARN Found: eslint@8.57.1
npm WARN node_modules/eslint
npm WARN peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/eslint-utils@4.9.1
npm WARN node_modules/@eslint-community/eslint-utils
npm WARN @eslint-community/eslint-utils@"^4.7.0" from @typescript-eslint/utils@8.46.0
npm WARN node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils
npm WARN 9 more (@typescript-eslint/utils, @typescript-eslint/utils, ...)
npm WARN 27 more (@stylistic/eslint-plugin, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN
npm WARN Conflicting peer dependency: eslint@9.39.4
npm WARN node_modules/eslint
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
--- stdout ---
added 27 packages, removed 32 packages, changed 93 packages, and audited 870 packages in 8s
155 packages are looking for funding
run `npm fund` for details
# npm audit report
serialize-javascript <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install @symfony/webpack-encore@6.0.0, which is a breaking change
node_modules/serialize-javascript
css-minimizer-webpack-plugin <=7.0.4
Depends on vulnerable versions of serialize-javascript
node_modules/css-minimizer-webpack-plugin
@symfony/webpack-encore <=5.3.1
Depends on vulnerable versions of css-minimizer-webpack-plugin
Depends on vulnerable versions of webpack-dev-server
node_modules/@symfony/webpack-encore
webpack-dev-server <=5.2.0
Severity: moderate
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser - https://github.com/advisories/GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site - https://github.com/advisories/GHSA-4v9v-hfq4-rm2v
fix available via `npm audit fix --force`
Will install @symfony/webpack-encore@6.0.0, which is a breaking change
node_modules/webpack-dev-server
4 vulnerabilities (1 moderate, 3 high)
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-plugin-wdio@9.27.0
npm WARN Found: eslint@8.57.1
npm WARN node_modules/eslint
npm WARN peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/eslint-utils@4.9.1
npm WARN node_modules/@eslint-community/eslint-utils
npm WARN @eslint-community/eslint-utils@"^4.7.0" from @typescript-eslint/utils@8.46.0
npm WARN node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils
npm WARN 9 more (@typescript-eslint/utils, @typescript-eslint/utils, ...)
npm WARN 27 more (@stylistic/eslint-plugin, @symfony/webpack-encore, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN
npm WARN Conflicting peer dependency: eslint@9.39.4
npm WARN node_modules/eslint
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 869 packages, and audited 870 packages in 12s
155 packages are looking for funding
run `npm fund` for details
4 vulnerabilities (1 moderate, 3 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> banana-checker i18n/
Checked 1 message directory.
--- end ---
{"1113714": {"source": 1113714, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<6.14.0"}, "1113715": {"source": 1113715, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": ">=7.0.0-alpha.0 <8.18.0"}}
Upgrading n:ajv from 6.12.6, 8.12.0 -> 6.14.0, 8.18.0
{"1113161": {"source": 1113161, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in comma parsing allows denial of service", "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", "severity": "low", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=6.7.0 <=6.14.1"}, "1113719": {"source": 1113719, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", "severity": "moderate", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<6.14.1"}}
Upgrading n:body-parser from 1.20.3 -> 1.20.4
{"1105443": {"source": 1105443, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion Regular Expression Denial of Service vulnerability", "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", "severity": "low", "cwe": ["CWE-400"], "cvss": {"score": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=1.0.0 <=1.1.11"}, "1115540": {"source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<1.1.13"}, "1115541": {"source": 1115541, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=2.0.0 <2.0.3"}, "1115543": {"source": 1115543, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <5.0.5"}}
Upgrading n:brace-expansion from 1.1.11, 2.0.2, 5.0.4 -> 1.1.13, 2.0.3, 5.0.5
{"1114159": {"source": 1114159, "name": "immutable", "dependency": "immutable", "title": "Immutable is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 0, "vectorString": null}, "range": ">=4.0.0-rc.1 <4.3.8"}}
Upgrading n:immutable from 4.3.0 -> 4.3.8
{"1112455": {"source": 1112455, "name": "lodash", "dependency": "lodash", "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": ">=4.0.0 <=4.17.22"}}
Upgrading n:lodash from 4.17.21 -> 4.17.23
{"1113459": {"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, "1113538": {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, "1113546": {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}}
Upgrading n:minimatch from 10.2.4, 3.1.2, 9.0.9 -> 10.2.4, 3.1.5, 9.0.9
{"1115545": {"source": 1115545, "name": "node-forge", "dependency": "node-forge", "title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)", "url": "https://github.com/advisories/GHSA-2328-f5f3-gj25", "severity": "high", "cwe": ["CWE-295"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "range": "<=1.3.3"}, "1115546": {"source": 1115546, "name": "node-forge", "dependency": "node-forge", "title": "Forge has signature forgery in Ed25519 due to missing S > L check", "url": "https://github.com/advisories/GHSA-q67f-28xg-22rw", "severity": "high", "cwe": ["CWE-347"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<1.4.0"}, "1115548": {"source": 1115548, "name": "node-forge", "dependency": "node-forge", "title": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input", "url": "https://github.com/advisories/GHSA-5m6q-g25r-mvwx", "severity": "high", "cwe": ["CWE-835"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<1.4.0"}, "1115612": {"source": 1115612, "name": "node-forge", "dependency": "node-forge", "title": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field ", "url": "https://github.com/advisories/GHSA-ppp5-5v6c-4jwp", "severity": "high", "cwe": ["CWE-20", "CWE-347"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<1.4.0"}}
Upgrading n:node-forge from 1.3.3 -> 1.4.0
{"1115527": {"source": 1115527, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters", "url": "https://github.com/advisories/GHSA-37ch-88jc-xwx2", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.1.13"}}
Upgrading n:path-to-regexp from 0.1.12 -> 0.1.13
{"1115549": {"source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<2.3.2"}, "1115552": {"source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<2.3.2"}}
Upgrading n:picomatch from 2.3.1, 4.0.4 -> 2.3.2, 4.0.4
{"1113161": {"source": 1113161, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in comma parsing allows denial of service", "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", "severity": "low", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=6.7.0 <=6.14.1"}, "1113719": {"source": 1113719, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", "severity": "moderate", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<6.14.1"}}
Upgrading n:qs from 6.13.0, 6.14.1 -> 6.14.2
{"1114152": {"source": 1114152, "name": "svgo", "dependency": "svgo", "title": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)", "url": "https://github.com/advisories/GHSA-xpqw-6gx7-v673", "severity": "high", "cwe": ["CWE-776"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=2.1.0 <2.8.1"}}
Upgrading n:svgo from 2.8.0 -> 3.3.3
{}
{"1113041": {"source": 1113041, "name": "webpack", "dependency": "webpack", "title": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior", "url": "https://github.com/advisories/GHSA-8fgc-7cc6-rx7x", "severity": "low", "cwe": ["CWE-918"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": ">=5.49.0 <=5.104.0"}, "1113042": {"source": 1113042, "name": "webpack", "dependency": "webpack", "title": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence", "url": "https://github.com/advisories/GHSA-38r7-794h-5758", "severity": "low", "cwe": ["CWE-918"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": ">=5.49.0 <5.104.0"}}
Upgrading n:webpack from 5.95.0 -> 5.105.4
{"1115555": {"source": 1115555, "name": "yaml", "dependency": "yaml", "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections", "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp", "severity": "moderate", "cwe": ["CWE-674"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=1.0.0 <1.10.3"}}
Upgrading n:yaml from 1.10.2, 2.8.3 -> 2.8.3
$ git mv phpcs.xml .phpcs.xml
--- stdout ---
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1268, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1223, in run
self.fix_root_eslintrc()
~~~~~~~~~~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 488, in fix_root_eslintrc
source, data = eslint.get_eslint_config()
~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/handlers/eslint.py", line 70, in get_eslint_config
return ".eslintrc.json", load_ordered_json(".eslintrc.json")
~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/files.py", line 35, in load_ordered_json
return json.load(f, object_pairs_hook=OrderedDict) # type: ignore
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/json/__init__.py", line 293, in load
return loads(fp.read(),
cls=cls, object_hook=object_hook,
parse_float=parse_float, parse_int=parse_int,
parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
File "/usr/lib/python3.13/json/__init__.py", line 359, in loads
return cls(**kw).decode(s)
~~~~~~~~~~~~~~~~^^^
File "/usr/lib/python3.13/json/decoder.py", line 345, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/json/decoder.py", line 361, in raw_decode
obj, end = self.scan_once(s, idx)
~~~~~~~~~~~~~~^^^^^^^^
json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 8 column 3 (char 92)