This run took 81 seconds.
From 9d58360e83ce1c5079b16bd7a33f91fc4f52b1d6 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 9 Apr 2026 01:40:56 +0000
Subject: [PATCH] build: Updating basic-ftp to 5.2.1
* https://github.com/advisories/GHSA-chqc-8p9q-pq6q
Change-Id: I2bc79062fec09e301e5842bb5a8e1c89b8821d86
---
package-lock.json | 31 ++++++++++++++-----------------
1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 2325019..7ed5400 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3152,11 +3152,10 @@
}
},
"node_modules/basic-ftp": {
- "version": "5.2.0",
- "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
- "integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+ "version": "5.2.1",
+ "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.1.tgz",
+ "integrity": "sha512-0yaL8JdxTknKDILitVpfYfV2Ob6yb3udX/hK97M7I3jOeznBNxQPtVvTUtnhUkyHlxFWyr5Lvknmgzoc7jf+1Q==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=10.0.0"
}
@@ -6632,13 +6631,12 @@
}
},
"node_modules/grunt-legacy-log-utils": {
- "version": "2.1.0",
- "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.0.tgz",
- "integrity": "sha512-lwquaPXJtKQk0rUM1IQAop5noEpwFqOXasVoedLeNzaibf/OPWjKYvvdqnEHNmU+0T0CaReAXIbGo747ZD+Aaw==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.3.tgz",
+ "integrity": "sha512-sgG+QvKmdb44wZyzJP+ejDsy3jYxG2wzohpol+JTMlXqMUBDoZb01JPQ5jKAedtZBFwhmABAc88T9hEBLy3U+Q==",
"dev": true,
"dependencies": {
- "chalk": "~4.1.0",
- "lodash": "~4.17.19"
+ "chalk": "^4.1.0"
},
"engines": {
"node": ">=10"
@@ -13156,9 +13154,9 @@
"dev": true
},
"basic-ftp": {
- "version": "5.2.0",
- "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
- "integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+ "version": "5.2.1",
+ "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.1.tgz",
+ "integrity": "sha512-0yaL8JdxTknKDILitVpfYfV2Ob6yb3udX/hK97M7I3jOeznBNxQPtVvTUtnhUkyHlxFWyr5Lvknmgzoc7jf+1Q==",
"dev": true
},
"binary-extensions": {
@@ -15574,13 +15572,12 @@
}
},
"grunt-legacy-log-utils": {
- "version": "2.1.0",
- "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.0.tgz",
- "integrity": "sha512-lwquaPXJtKQk0rUM1IQAop5noEpwFqOXasVoedLeNzaibf/OPWjKYvvdqnEHNmU+0T0CaReAXIbGo747ZD+Aaw==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.3.tgz",
+ "integrity": "sha512-sgG+QvKmdb44wZyzJP+ejDsy3jYxG2wzohpol+JTMlXqMUBDoZb01JPQ5jKAedtZBFwhmABAc88T9hEBLy3U+Q==",
"dev": true,
"requires": {
- "chalk": "~4.1.0",
- "lodash": "~4.17.19"
+ "chalk": "^4.1.0"
}
},
"grunt-legacy-util": {
--
2.47.3
$ date
--- stdout ---
Thu Apr 9 01:39:58 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-AdvancedSearch.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
6fd60ac377da21ffd3913229269992e205f842cb refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@wdio/mocha-framework": {
"name": "@wdio/mocha-framework",
"severity": "high",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": ">=6.1.19",
"nodes": [
"node_modules/@wdio/mocha-framework"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"basic-ftp": {
"name": "basic-ftp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1116289,
"name": "basic-ftp",
"dependency": "basic-ftp",
"title": "basic-ftp has FTP Command Injection via CRLF",
"url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q",
"severity": "high",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "=5.2.0"
}
],
"effects": [],
"range": "5.2.0",
"nodes": [
"node_modules/basic-ftp"
],
"fixAvailable": true
},
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"grunt-legacy-log",
"grunt-legacy-util",
"minimatch"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-legacy-log": {
"name": "grunt-legacy-log",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [
"grunt"
],
"range": ">=1.0.1",
"nodes": [
"node_modules/grunt-legacy-log"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-legacy-log-utils": {
"name": "grunt-legacy-log-utils",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0 - 2.1.0",
"nodes": [
"node_modules/grunt-legacy-log-utils"
],
"fixAvailable": true
},
"grunt-legacy-util": {
"name": "grunt-legacy-util",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [
"grunt"
],
"range": ">=1.0.0-rc1",
"nodes": [
"node_modules/grunt-legacy-util"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [
"grunt-legacy-log",
"grunt-legacy-log-utils",
"grunt-legacy-util"
],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"grunt"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@wdio/mocha-framework"
],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115723,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 11,
"critical": 0,
"total": 11
},
"dependencies": {
"prod": 1,
"dev": 852,
"optional": 33,
"peer": 1,
"peerOptional": 0,
"total": 852
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 37 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.10)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.0)
- Locking doctrine/deprecations (1.1.6)
- Locking mediawiki/mediawiki-codesniffer (v50.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.4.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (6.0.1)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v8.0.8)
- Locking symfony/deprecation-contracts (v3.6.0)
- Locking symfony/polyfill-ctype (v1.33.0)
- Locking symfony/polyfill-intl-grapheme (v1.33.0)
- Locking symfony/polyfill-intl-normalizer (v1.33.0)
- Locking symfony/polyfill-mbstring (v1.33.0)
- Locking symfony/service-contracts (v3.6.1)
- Locking symfony/string (v8.0.8)
- Locking webmozart/assert (2.1.6)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 37 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.0): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.33.0): Extracting archive
- Installing composer/spdx-licenses (1.5.10): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v50.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.33.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.33.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.33.0): Extracting archive
- Installing symfony/string (v8.0.8): Extracting archive
- Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.6.1): Extracting archive
- Installing symfony/console (v8.0.8): Extracting archive
- Installing sabre/event (6.0.1): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.1.6): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/35 [>---------------------------] 0%
28/35 [======================>-----] 80%
35/35 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
16 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@wdio/mocha-framework": {
"name": "@wdio/mocha-framework",
"severity": "high",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": ">=6.1.19",
"nodes": [
"node_modules/@wdio/mocha-framework"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"basic-ftp": {
"name": "basic-ftp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1116289,
"name": "basic-ftp",
"dependency": "basic-ftp",
"title": "basic-ftp has FTP Command Injection via CRLF",
"url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q",
"severity": "high",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "=5.2.0"
}
],
"effects": [],
"range": "5.2.0",
"nodes": [
"node_modules/basic-ftp"
],
"fixAvailable": true
},
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"grunt-legacy-log",
"grunt-legacy-util",
"minimatch"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-legacy-log": {
"name": "grunt-legacy-log",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [
"grunt"
],
"range": ">=1.0.1",
"nodes": [
"node_modules/grunt-legacy-log"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-legacy-log-utils": {
"name": "grunt-legacy-log-utils",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0 - 2.1.0",
"nodes": [
"node_modules/grunt-legacy-log-utils"
],
"fixAvailable": true
},
"grunt-legacy-util": {
"name": "grunt-legacy-util",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [
"grunt"
],
"range": ">=1.0.0-rc1",
"nodes": [
"node_modules/grunt-legacy-util"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [
"grunt-legacy-log",
"grunt-legacy-log-utils",
"grunt-legacy-util"
],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"grunt"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@wdio/mocha-framework"
],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115723,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 11,
"critical": 0,
"total": 11
},
"dependencies": {
"prod": 1,
"dev": 852,
"optional": 33,
"peer": 1,
"peerOptional": 0,
"total": 852
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 852,
"removed": 0,
"changed": 0,
"audited": 853,
"funding": 186,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@wdio/mocha-framework": {
"name": "@wdio/mocha-framework",
"severity": "high",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": ">=6.1.19",
"nodes": [
"node_modules/@wdio/mocha-framework"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"basic-ftp": {
"name": "basic-ftp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1116289,
"name": "basic-ftp",
"dependency": "basic-ftp",
"title": "basic-ftp has FTP Command Injection via CRLF",
"url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q",
"severity": "high",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 8.6,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "=5.2.0"
}
],
"effects": [],
"range": "5.2.0",
"nodes": [
""
],
"fixAvailable": true
},
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"grunt-legacy-log",
"grunt-legacy-util",
"minimatch"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "high",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"grunt-legacy-log": {
"name": "grunt-legacy-log",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [
"grunt"
],
"range": ">=1.0.1",
"nodes": [
"node_modules/grunt-legacy-log"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-legacy-log-utils": {
"name": "grunt-legacy-log-utils",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0 - 2.1.0",
"nodes": [
""
],
"fixAvailable": true
},
"grunt-legacy-util": {
"name": "grunt-legacy-util",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [
"grunt"
],
"range": ">=1.0.0-rc1",
"nodes": [
"node_modules/grunt-legacy-util"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [
"grunt-legacy-log",
"grunt-legacy-log-utils",
"grunt-legacy-util"
],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"grunt"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@wdio/mocha-framework"
],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115723,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 11,
"critical": 0,
"total": 11
},
"dependencies": {
"prod": 1,
"dev": 852,
"optional": 33,
"peer": 1,
"peerOptional": 0,
"total": 852
}
}
}
}
--- end ---
{"added": 852, "removed": 0, "changed": 0, "audited": 853, "funding": 186, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@wdio/mocha-framework": {"name": "@wdio/mocha-framework", "severity": "high", "isDirect": true, "via": ["mocha"], "effects": [], "range": ">=6.1.19", "nodes": ["node_modules/@wdio/mocha-framework"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "basic-ftp": {"name": "basic-ftp", "severity": "high", "isDirect": false, "via": [{"source": 1116289, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp has FTP Command Injection via CRLF", "url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q", "severity": "high", "cwe": ["CWE-93"], "cvss": {"score": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "range": "=5.2.0"}], "effects": [], "range": "5.2.0", "nodes": [""], "fixAvailable": true}, "grunt": {"name": "grunt", "severity": "high", "isDirect": true, "via": ["grunt-legacy-log", "grunt-legacy-util", "minimatch"], "effects": ["grunt-eslint"], "range": ">=0.4.0-a", "nodes": ["node_modules/grunt"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "grunt-eslint": {"name": "grunt-eslint", "severity": "high", "isDirect": true, "via": ["grunt"], "effects": [], "range": "<=1.0.0 || >=18.1.0", "nodes": ["node_modules/grunt-eslint"], "fixAvailable": {"name": "grunt-eslint", "version": "18.0.0", "isSemVerMajor": true}}, "grunt-legacy-log": {"name": "grunt-legacy-log", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": ["grunt"], "range": ">=1.0.1", "nodes": ["node_modules/grunt-legacy-log"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "grunt-legacy-log-utils": {"name": "grunt-legacy-log-utils", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": [], "range": "1.0.0 - 2.1.0", "nodes": [""], "fixAvailable": true}, "grunt-legacy-util": {"name": "grunt-legacy-util", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": ["grunt"], "range": ">=1.0.0-rc1", "nodes": ["node_modules/grunt-legacy-util"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "lodash": {"name": "lodash", "severity": "high", "isDirect": false, "via": [{"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}], "effects": ["grunt-legacy-log", "grunt-legacy-log-utils", "grunt-legacy-util"], "range": "<=4.17.23", "nodes": ["node_modules/lodash"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}], "effects": ["grunt"], "range": "<=3.1.3", "nodes": ["node_modules/minimatch"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "mocha": {"name": "mocha", "severity": "high", "isDirect": false, "via": ["serialize-javascript"], "effects": ["@wdio/mocha-framework"], "range": "8.0.0 - 12.0.0-beta-2", "nodes": ["node_modules/mocha"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "serialize-javascript": {"name": "serialize-javascript", "severity": "high", "isDirect": false, "via": [{"source": 1113686, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()", "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", "severity": "high", "cwe": ["CWE-96"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<=7.0.2"}, {"source": 1115723, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects", "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v", "severity": "moderate", "cwe": ["CWE-400", "CWE-834"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<7.0.5"}], "effects": ["mocha"], "range": "<=7.0.4", "nodes": ["node_modules/serialize-javascript"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 11, "critical": 0, "total": 11}, "dependencies": {"prod": 1, "dev": 852, "optional": 33, "peer": 1, "peerOptional": 0, "total": 852}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated whatwg-encoding@3.1.1: Use @exodus/bytes instead for a more spec-conformant and faster implementation
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 826 packages, and audited 827 packages in 14s
186 packages are looking for funding
run `npm fund` for details
# npm audit report
lodash <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix --force`
Will install grunt@0.3.17, which is a breaking change
node_modules/lodash
grunt-legacy-log >=1.0.1
Depends on vulnerable versions of lodash
node_modules/grunt-legacy-log
grunt >=0.4.0-a
Depends on vulnerable versions of grunt-legacy-log
Depends on vulnerable versions of grunt-legacy-util
Depends on vulnerable versions of minimatch
node_modules/grunt
grunt-eslint <=1.0.0 || >=18.1.0
Depends on vulnerable versions of grunt
node_modules/grunt-eslint
grunt-legacy-util >=1.0.0-rc1
Depends on vulnerable versions of lodash
node_modules/grunt-legacy-util
minimatch <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install grunt@0.3.17, which is a breaking change
node_modules/minimatch
serialize-javascript <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install @wdio/mocha-framework@6.1.17, which is a breaking change
node_modules/serialize-javascript
mocha 8.0.0 - 12.0.0-beta-2
Depends on vulnerable versions of serialize-javascript
node_modules/mocha
@wdio/mocha-framework >=6.1.19
Depends on vulnerable versions of mocha
node_modules/@wdio/mocha-framework
9 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated whatwg-encoding@3.1.1: Use @exodus/bytes instead for a more spec-conformant and faster implementation
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 826 packages, and audited 827 packages in 17s
186 packages are looking for funding
run `npm fund` for details
9 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> grunt test
Running "eslint:all" (eslint) task
/src/repo/modules/dm/ext.advancedSearch.MultiselectLookup.js
44:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
125:2 warning Prefer .then to .done no-jquery/no-done-fail
125:2 warning Prefer .then to .fail no-jquery/no-done-fail
161:2 warning Prefer .then to .done no-jquery/no-done-fail
161:2 warning Prefer .then to .fail no-jquery/no-done-fail
/src/repo/modules/ext.advancedSearch.FieldCollection.js
5:1 warning The type 'SearchField' is undefined jsdoc/no-undefined-types
18:1 warning The type 'SearchField' is undefined jsdoc/no-undefined-types
/src/repo/modules/ext.advancedSearch.FieldElementBuilder.js
7:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
15:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
37:1 warning The type 'SearchField' is undefined jsdoc/no-undefined-types
57:1 warning The type 'FieldCollection' is undefined jsdoc/no-undefined-types
/src/repo/modules/ext.advancedSearch.QueryCompiler.js
5:1 warning The type 'SearchField' is undefined jsdoc/no-undefined-types
8:1 warning The type 'SearchField' is undefined jsdoc/no-undefined-types
16:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
35:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
44:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ext.advancedSearch.SearchField.js
11:1 warning Invalid JSDoc inline tag name "see" jsdoc/check-tag-names
14:1 warning Invalid JSDoc inline tag name "see" jsdoc/check-tag-names
30:1 warning Invalid JSDoc inline tag name "see" jsdoc/check-tag-names
33:1 warning Invalid JSDoc inline tag name "see" jsdoc/check-tag-names
/src/repo/modules/ext.advancedSearch.defaultFields.js
112:11 warning All possible message keys should be documented. See https://w.wiki/4r9a for details mediawiki/msg-doc
122:5 warning All possible message keys should be documented. See https://w.wiki/4r9a for details mediawiki/msg-doc
133:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
142:11 warning All possible message keys should be documented. See https://w.wiki/4r9a for details mediawiki/msg-doc
152:1 warning The type 'FieldCollection' is undefined jsdoc/no-undefined-types
/src/repo/modules/ext.advancedSearch.init.js
109:1 warning Invalid JSDoc inline tag name "see" jsdoc/check-tag-names
199:1 warning The type 'SearchField' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.ArbitraryWordInput.js
8:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.FileTypeSelection.js
7:1 warning The type 'FileTypeOptionProvider' is undefined jsdoc/no-undefined-types
21:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
22:1 warning The type 'FileTypeOptionProvider' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.FormState.js
8:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.ImageDimensionInput.js
12:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.ImageDimensionLayout.js
10:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.LanguageSelection.js
7:1 warning The type 'LanguageOptionProvider' is undefined jsdoc/no-undefined-types
20:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
21:1 warning The type 'LanguageOptionProvider' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.NamespaceFilters.js
10:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.NamespacePresets.js
6:1 warning The type 'NamespacePresetProviders' is undefined jsdoc/no-undefined-types
27:1 warning The type 'NamespacePresetProviders' is undefined jsdoc/no-undefined-types
89:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
90:1 warning The type 'NamespacePresetProviders' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.NamespacesPreview.js
8:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.SearchPreview.js
58:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.SortPreference.js
32:23 warning All possible message keys should be documented. See https://w.wiki/4r9a for details mediawiki/msg-doc
44:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.StoreListener.js
8:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/modules/ui/ext.advancedSearch.TextInput.js
8:1 warning The type 'SearchModel' is undefined jsdoc/no-undefined-types
/src/repo/tests/qunit/dm/MultiselectLookup.test.js
180:3 warning Prefer .then to .done no-jquery/no-done-fail
198:3 warning Prefer .then to .fail no-jquery/no-done-fail
✖ 50 problems (0 errors, 50 warnings)
Running "stylelint:all" (stylelint) task
>> Linted 5 files without errors
Running "banana:AdvancedSearch" (banana) task
>> 1 message directory checked.
Done.
--- end ---
{"1116289": {"source": 1116289, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp has FTP Command Injection via CRLF", "url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q", "severity": "high", "cwe": ["CWE-93"], "cvss": {"score": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "range": "=5.2.0"}}
Upgrading n:basic-ftp from 5.2.0 -> 5.2.1
{}
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating basic-ftp to 5.2.1
* https://github.com/advisories/GHSA-chqc-8p9q-pq6q
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmp9plq5hfk
--- stdout ---
[master 9d58360] build: Updating basic-ftp to 5.2.1
1 file changed, 14 insertions(+), 17 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 9d58360e83ce1c5079b16bd7a33f91fc4f52b1d6 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 9 Apr 2026 01:40:56 +0000
Subject: [PATCH] build: Updating basic-ftp to 5.2.1
* https://github.com/advisories/GHSA-chqc-8p9q-pq6q
Change-Id: I2bc79062fec09e301e5842bb5a8e1c89b8821d86
---
package-lock.json | 31 ++++++++++++++-----------------
1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 2325019..7ed5400 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3152,11 +3152,10 @@
}
},
"node_modules/basic-ftp": {
- "version": "5.2.0",
- "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
- "integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+ "version": "5.2.1",
+ "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.1.tgz",
+ "integrity": "sha512-0yaL8JdxTknKDILitVpfYfV2Ob6yb3udX/hK97M7I3jOeznBNxQPtVvTUtnhUkyHlxFWyr5Lvknmgzoc7jf+1Q==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=10.0.0"
}
@@ -6632,13 +6631,12 @@
}
},
"node_modules/grunt-legacy-log-utils": {
- "version": "2.1.0",
- "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.0.tgz",
- "integrity": "sha512-lwquaPXJtKQk0rUM1IQAop5noEpwFqOXasVoedLeNzaibf/OPWjKYvvdqnEHNmU+0T0CaReAXIbGo747ZD+Aaw==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.3.tgz",
+ "integrity": "sha512-sgG+QvKmdb44wZyzJP+ejDsy3jYxG2wzohpol+JTMlXqMUBDoZb01JPQ5jKAedtZBFwhmABAc88T9hEBLy3U+Q==",
"dev": true,
"dependencies": {
- "chalk": "~4.1.0",
- "lodash": "~4.17.19"
+ "chalk": "^4.1.0"
},
"engines": {
"node": ">=10"
@@ -13156,9 +13154,9 @@
"dev": true
},
"basic-ftp": {
- "version": "5.2.0",
- "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
- "integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+ "version": "5.2.1",
+ "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.1.tgz",
+ "integrity": "sha512-0yaL8JdxTknKDILitVpfYfV2Ob6yb3udX/hK97M7I3jOeznBNxQPtVvTUtnhUkyHlxFWyr5Lvknmgzoc7jf+1Q==",
"dev": true
},
"binary-extensions": {
@@ -15574,13 +15572,12 @@
}
},
"grunt-legacy-log-utils": {
- "version": "2.1.0",
- "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.0.tgz",
- "integrity": "sha512-lwquaPXJtKQk0rUM1IQAop5noEpwFqOXasVoedLeNzaibf/OPWjKYvvdqnEHNmU+0T0CaReAXIbGo747ZD+Aaw==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.3.tgz",
+ "integrity": "sha512-sgG+QvKmdb44wZyzJP+ejDsy3jYxG2wzohpol+JTMlXqMUBDoZb01JPQ5jKAedtZBFwhmABAc88T9hEBLy3U+Q==",
"dev": true,
"requires": {
- "chalk": "~4.1.0",
- "lodash": "~4.17.19"
+ "chalk": "^4.1.0"
}
},
"grunt-legacy-util": {
--
2.47.3
--- end ---