This run took 49 seconds.
From 62e0f537fccc40079eed8ed4f954c68a99072f3f Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Sat, 4 Apr 2026 05:40:20 +0000
Subject: [PATCH] build: Updating lodash to 4.18.1
* https://github.com/advisories/GHSA-f23m-r3pf-42rh
* https://github.com/advisories/GHSA-r5fr-rjxr-66jc
Change-Id: I3b8f6308cbbf8c42ecacd7c0c3d3b6bff9cd8746
---
package-lock.json | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 0e74a75..e4d6aa6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5161,11 +5161,10 @@
}
},
"node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
- "dev": true,
- "license": "MIT"
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+ "dev": true
},
"node_modules/lodash.memoize": {
"version": "4.1.2",
--
2.47.3
$ date
--- stdout ---
Sat Apr 4 05:39:34 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-PersonalDashboard.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
9682b5951d786cdf59c20e035f27d7be3d02f5a6 refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 566,
"optional": 65,
"peer": 182,
"peerOptional": 0,
"total": 566
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 37 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.9)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.0)
- Locking doctrine/deprecations (1.1.6)
- Locking mediawiki/mediawiki-codesniffer (v50.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.4.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (6.0.1)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v8.0.8)
- Locking symfony/deprecation-contracts (v3.6.0)
- Locking symfony/polyfill-ctype (v1.33.0)
- Locking symfony/polyfill-intl-grapheme (v1.33.0)
- Locking symfony/polyfill-intl-normalizer (v1.33.0)
- Locking symfony/polyfill-mbstring (v1.33.0)
- Locking symfony/service-contracts (v3.6.1)
- Locking symfony/string (v8.0.8)
- Locking webmozart/assert (2.1.6)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 37 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.0): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.33.0): Extracting archive
- Installing composer/spdx-licenses (1.5.9): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v50.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.33.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.33.0): Extracting archive
- Installing symfony/string (v8.0.8): Extracting archive
- Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.6.1): Extracting archive
- Installing symfony/console (v8.0.8): Extracting archive
- Installing sabre/event (6.0.1): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.1.6): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/35 [>---------------------------] 0%
28/35 [======================>-----] 80%
35/35 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
16 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 566,
"optional": 65,
"peer": 182,
"peerOptional": 0,
"total": 566
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.3.4',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.3.4',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---
{
"added": 566,
"removed": 0,
"changed": 0,
"audited": 567,
"funding": 137,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [],
"range": "<=4.17.23",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 566,
"optional": 65,
"peer": 182,
"peerOptional": 0,
"total": 566
}
}
}
}
--- end ---
{"added": 566, "removed": 0, "changed": 0, "audited": 567, "funding": 137, "audit": {"auditReportVersion": 2, "vulnerabilities": {"lodash": {"name": "lodash", "severity": "high", "isDirect": false, "via": [{"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}], "effects": [], "range": "<=4.17.23", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0, "total": 1}, "dependencies": {"prod": 1, "dev": 566, "optional": 65, "peer": 182, "peerOptional": 0, "total": 566}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.3.4',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.3.4',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 517 packages, and audited 518 packages in 7s
137 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.3.4',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.3.4',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 517 packages, and audited 518 packages in 9s
137 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
$ /usr/bin/npm test
--- stderr ---
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/composables/useFetchActiveDiscussionsResult.test.mjs > fetchActiveDiscussions with key missing
No valid active discussions found
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/composables/useFetchActiveDiscussionsResult.test.mjs > fetchActiveDiscussions with all keys missing
No valid active discussions found
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/composables/useFetchActiveDiscussionsResult.test.mjs > fetchActiveDiscussions with error
An error
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with error
An error
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with revertrisklanguageagnostic model enabled
unable to randomly sample array: only 2 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with damaging model enabled
unable to randomly sample array: only 2 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with no model enabled
unable to randomly sample array: only 2 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with watchlist enabled
unable to randomly sample array: only 2 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with watchlist enabled
unable to randomly sample array: only 1 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with watchlist enabled and two edits from same page
unable to randomly sample array: only 2 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with watchlist enabled and two edits from same page
unable to randomly sample array: only 2 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with watchlist enabled and more than limit
unable to randomly sample array: only 3 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs > fetchRecentActivity with watchlist enabled and more than limit
unable to randomly sample array: only 4 found
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > mount component
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows progress bar when loading
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows error message when there is one
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows up to 5 recent changes with information
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows up to 5 recent changes with information
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows up to 10 recent changes with information when on mobile view
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows up to 10 recent changes with information when on mobile view
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard ref_for=true title="Article Title" type="" ... >
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows header message by default on mobile and updates preference when closed
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows header message by default on mobile and updates preference when closed
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows header message by default on non-mobile
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > shows header message by default on non-mobile
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > does not show header message by default on mobile summary rendermode
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > does not show header message by default on mobile summary rendermode
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > does not show header message if preference is off
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs > does not show header message if preference is off
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
[Vue warn]: Failed to resolve directive: i18n-html
at <App ref="VTU_COMPONENT" >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/components/ListCard.test.mjs > mount component
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard title="TestTitle" type="TestType" ns=0 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/components/ListCard.test.mjs > renders appropriate message when edit is made today
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard title="TestTitle" type="TestType" ns=0 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/components/ListCard.test.mjs > renders timestamp without hours when edit is not made today
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard title="TestTitle" type="TestType" ns=0 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.riskyArticleEdits/components/ListCard.test.mjs > strips all html formatting from parsedcomment
[Vue warn]: Missing required prop: "feedorigin"
at <ListCard title="TestTitle" type="TestType" ns=0 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCardMobile.test.mjs > mount component
[Vue warn]: Missing required prop: "latestReplyId"
at <ListCard discussionTitle="Test Title" discussionPage="Wikipedia:Village Pump" commentCount=12 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCardMobile.test.mjs > renders appropriate message when edit is made today
[Vue warn]: Missing required prop: "latestReplyId"
at <ListCard discussionTitle="Test Title" discussionPage="Wikipedia:Village Pump" commentCount=12 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCardMobile.test.mjs > renders timestamp without hours when edit is not made today
[Vue warn]: Missing required prop: "latestReplyId"
at <ListCard discussionTitle="Test Title" discussionPage="Wikipedia:Village Pump" commentCount=12 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCard.test.mjs > mount component
[Vue warn]: Missing required prop: "latestReplyId"
at <ListCard discussionTitle="Test Title" discussionPage="Wikipedia:Village Pump" commentCount=12 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCard.test.mjs > renders appropriate message when edit is made today
[Vue warn]: Missing required prop: "latestReplyId"
at <ListCard discussionTitle="Test Title" discussionPage="Wikipedia:Village Pump" commentCount=12 ... >
at <VTUROOT>
stderr | tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCard.test.mjs > renders timestamp without hours when edit is not made today
[Vue warn]: Missing required prop: "latestReplyId"
at <ListCard discussionTitle="Test Title" discussionPage="Wikipedia:Village Pump" commentCount=12 ... >
at <VTUROOT>
--- stdout ---
> test
> npm -s run lint && npm -s run test:unit
/src/repo/resources/ext.personalDashboard.activeDiscussions/components/ListCard.vue
23:1 warning This line has a length of 106. Maximum allowed is 100 max-len
24:1 warning This line has a length of 102. Maximum allowed is 100 max-len
/src/repo/resources/ext.personalDashboard.activeDiscussions/composables/useFetchActiveDiscussionsResult.js
27:1 warning This line has a length of 104. Maximum allowed is 100 max-len
35:1 warning This line has a length of 107. Maximum allowed is 100 max-len
/src/repo/resources/ext.personalDashboard.riskyArticleEdits/App.vue
47:1 warning This line has a length of 102. Maximum allowed is 100 max-len
54:1 warning This line has a length of 116. Maximum allowed is 100 max-len
59:1 warning This line has a length of 102. Maximum allowed is 100 max-len
/src/repo/resources/ext.personalDashboard.riskyArticleEdits/components/HeaderMessage.vue
27:1 warning This line has a length of 114. Maximum allowed is 100 max-len
/src/repo/resources/ext.personalDashboard.riskyArticleEdits/components/ListCard.vue
110:1 warning This line has a length of 134. Maximum allowed is 100 max-len
✖ 9 problems (0 errors, 9 warnings)
Checked 8 message directories.
RUN v4.0.18 /src/repo
✓ tests/vitest/ext.personalDashboard.activeDiscussions/composables/useFetchActiveDiscussionsResult.test.mjs (6 tests) 26ms
✓ tests/vitest/ext.personalDashboard.riskyArticleEdits/composables/useFetchActivityResult.test.mjs (10 tests) 43ms
✓ tests/vitest/ext.personalDashboard.riskyArticleEdits/App.test.mjs (9 tests) 282ms
✓ tests/vitest/ext.personalDashboard.riskyArticleEdits/components/HeaderMessage.test.mjs (6 tests) 164ms
✓ tests/vitest/ext.personalDashboard.riskyArticleEdits/components/ListCard.test.mjs (4 tests) 92ms
✓ tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCardMobile.test.mjs (3 tests) 57ms
✓ tests/vitest/ext.personalDashboard.activeDiscussions/components/ListCard.test.mjs (3 tests) 71ms
✓ tests/vitest/ext.personalDashboard.riskyArticleEdits/components/ChangeNumber.test.mjs (4 tests) 76ms
✓ tests/vitest/ext.personalDashboard.riskyArticleEdits/components/CreatorByline.test.mjs (3 tests) 33ms
✓ tests/vitest/ext.personalDashboard.activeDiscussions/App.test.mjs (1 test) 38ms
✓ tests/vitest/ext.personalDashboard.common/utils.test.mjs (1 test) 7ms
✓ tests/vitest/ext.personalDashboard.policiesGuidelines/App.test.mjs (1 test) 89ms
✓ tests/vitest/ext.personalDashboard.impact/App.test.mjs (2 tests) 104ms
✓ tests/vitest/ext.personalDashboard.onboarding/App.test.mjs (1 test) 63ms
Test Files 14 passed (14)
Tests 54 passed (54)
Start at 05:40:14
Duration 6.42s (transform 1.30s, setup 1.99s, import 2.38s, tests 1.15s, environment 7.81s)
--- end ---
{"1115806": {"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, "1115810": {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}}
Upgrading n:lodash from 4.17.23 -> 4.18.1
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating lodash to 4.18.1
* https://github.com/advisories/GHSA-f23m-r3pf-42rh
* https://github.com/advisories/GHSA-r5fr-rjxr-66jc
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmp68w62sk_
--- stdout ---
[master 62e0f53] build: Updating lodash to 4.18.1
1 file changed, 4 insertions(+), 5 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 62e0f537fccc40079eed8ed4f954c68a99072f3f Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Sat, 4 Apr 2026 05:40:20 +0000
Subject: [PATCH] build: Updating lodash to 4.18.1
* https://github.com/advisories/GHSA-f23m-r3pf-42rh
* https://github.com/advisories/GHSA-r5fr-rjxr-66jc
Change-Id: I3b8f6308cbbf8c42ecacd7c0c3d3b6bff9cd8746
---
package-lock.json | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 0e74a75..e4d6aa6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5161,11 +5161,10 @@
}
},
"node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
- "dev": true,
- "license": "MIT"
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+ "dev": true
},
"node_modules/lodash.memoize": {
"version": "4.1.2",
--
2.47.3
--- end ---