This run took 52 seconds.
$ date
--- stdout ---
Sun Apr 19 15:14:14 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-WikimediaMessages.git /src/repo --depth=1 -b REL1_43
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_43
--- stdout ---
46f78ba5be912d728b299a206f2fc9e4d2586ed6 refs/heads/REL1_43
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"minimatch"
],
"effects": [],
"range": "0.4.0-a - 1.6.1",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "1.6.2",
"isSemVerMajor": false
}
},
"grunt-legacy-log": {
"name": "grunt-legacy-log",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.1 - 3.0.0",
"nodes": [
"node_modules/grunt-legacy-log"
],
"fixAvailable": true
},
"grunt-legacy-log-utils": {
"name": "grunt-legacy-log-utils",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0 - 2.1.0",
"nodes": [
"node_modules/grunt-legacy-log-utils"
],
"fixAvailable": true
},
"grunt-legacy-util": {
"name": "grunt-legacy-util",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0-rc1 - 2.0.1",
"nodes": [
"node_modules/grunt-legacy-util"
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [
"grunt-legacy-log",
"grunt-legacy-log-utils",
"grunt-legacy-util"
],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"grunt"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "1.6.2",
"isSemVerMajor": false
}
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
"node_modules/picomatch"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 7,
"critical": 0,
"total": 7
},
"dependencies": {
"prod": 1,
"dev": 442,
"optional": 0,
"peer": 1,
"peerOptional": 0,
"total": 442
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 38 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.3)
- Locking composer/spdx-licenses (1.5.10)
- Locking composer/xdebug-handler (3.0.5)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.0)
- Locking doctrine/deprecations (1.1.6)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking mediawiki/mediawiki-codesniffer (v45.0.0)
- Locking mediawiki/mediawiki-phan-config (0.14.0)
- Locking mediawiki/minus-x (1.1.3)
- Locking mediawiki/phan-taint-check-plugin (6.0.0)
- Locking microsoft/tolerant-php-parser (v0.1.2)
- Locking netresearch/jsonmapper (v4.5.0)
- Locking phan/phan (5.4.3)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.2.1)
- Locking phpcsstandards/phpcsutils (1.0.12)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.6.7)
- Locking phpdocumentor/type-resolver (1.12.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (5.1.7)
- Locking squizlabs/php_codesniffer (3.10.3)
- Locking symfony/console (v7.4.8)
- Locking symfony/deprecation-contracts (v3.6.0)
- Locking symfony/polyfill-ctype (v1.36.0)
- Locking symfony/polyfill-intl-grapheme (v1.36.0)
- Locking symfony/polyfill-intl-normalizer (v1.36.0)
- Locking symfony/polyfill-mbstring (v1.36.0)
- Locking symfony/polyfill-php80 (v1.36.0)
- Locking symfony/service-contracts (v3.6.1)
- Locking symfony/string (v8.0.8)
- Locking tysonandre/var_representation_polyfill (0.1.3)
- Locking webmozart/assert (2.3.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 38 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.10.3): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.0): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing symfony/polyfill-php80 (v1.36.0): Extracting archive
- Installing phpcsstandards/phpcsutils (1.0.12): Extracting archive
- Installing phpcsstandards/phpcsextra (1.2.1): Extracting archive
- Installing symfony/polyfill-mbstring (v1.36.0): Extracting archive
- Installing composer/spdx-licenses (1.5.10): Extracting archive
- Installing composer/semver (3.4.3): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v45.0.0): Extracting archive
- Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.36.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.36.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.36.0): Extracting archive
- Installing symfony/string (v8.0.8): Extracting archive
- Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.6.1): Extracting archive
- Installing symfony/console (v7.4.8): Extracting archive
- Installing sabre/event (5.1.7): Extracting archive
- Installing netresearch/jsonmapper (v4.5.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
- Installing webmozart/assert (2.3.0): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (1.12.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.6.7): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (5.4.3): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (6.0.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.14.0): Extracting archive
- Installing mediawiki/minus-x (1.1.3): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/36 [>---------------------------] 0%
28/36 [=====================>------] 77%
35/36 [===========================>] 97%
36/36 [============================] 100%
Generating autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"minimatch"
],
"effects": [],
"range": "0.4.0-a - 1.6.1",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "1.6.2",
"isSemVerMajor": false
}
},
"grunt-legacy-log": {
"name": "grunt-legacy-log",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.1 - 3.0.0",
"nodes": [
"node_modules/grunt-legacy-log"
],
"fixAvailable": true
},
"grunt-legacy-log-utils": {
"name": "grunt-legacy-log-utils",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0 - 2.1.0",
"nodes": [
"node_modules/grunt-legacy-log-utils"
],
"fixAvailable": true
},
"grunt-legacy-util": {
"name": "grunt-legacy-util",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0-rc1 - 2.0.1",
"nodes": [
"node_modules/grunt-legacy-util"
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [
"grunt-legacy-log",
"grunt-legacy-log-utils",
"grunt-legacy-util"
],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"grunt"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "1.6.2",
"isSemVerMajor": false
}
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
"node_modules/picomatch"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 7,
"critical": 0,
"total": 7
},
"dependencies": {
"prod": 1,
"dev": 442,
"optional": 0,
"peer": 1,
"peerOptional": 0,
"total": 442
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 443,
"removed": 0,
"changed": 0,
"audited": 444,
"funding": 101,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"grunt": {
"name": "grunt",
"severity": "high",
"isDirect": true,
"via": [
"minimatch"
],
"effects": [],
"range": "0.4.0-a - 1.6.1",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "1.6.2",
"isSemVerMajor": false
}
},
"grunt-legacy-log": {
"name": "grunt-legacy-log",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.1 - 3.0.0",
"nodes": [
""
],
"fixAvailable": true
},
"grunt-legacy-log-utils": {
"name": "grunt-legacy-log-utils",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0 - 2.1.0",
"nodes": [
""
],
"fixAvailable": true
},
"grunt-legacy-util": {
"name": "grunt-legacy-util",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [],
"range": "1.0.0-rc1 - 2.0.1",
"nodes": [
""
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [
"grunt-legacy-log",
"grunt-legacy-log-utils",
"grunt-legacy-util"
],
"range": "<=4.17.23",
"nodes": [
""
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"grunt"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt",
"version": "1.6.2",
"isSemVerMajor": false
}
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 7,
"critical": 0,
"total": 7
},
"dependencies": {
"prod": 1,
"dev": 443,
"optional": 0,
"peer": 1,
"peerOptional": 0,
"total": 443
}
}
}
}
--- end ---
{"added": 443, "removed": 0, "changed": 0, "audited": 444, "funding": 101, "audit": {"auditReportVersion": 2, "vulnerabilities": {"grunt": {"name": "grunt", "severity": "high", "isDirect": true, "via": ["minimatch"], "effects": [], "range": "0.4.0-a - 1.6.1", "nodes": ["node_modules/grunt"], "fixAvailable": {"name": "grunt", "version": "1.6.2", "isSemVerMajor": false}}, "grunt-legacy-log": {"name": "grunt-legacy-log", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": [], "range": "1.0.1 - 3.0.0", "nodes": [""], "fixAvailable": true}, "grunt-legacy-log-utils": {"name": "grunt-legacy-log-utils", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": [], "range": "1.0.0 - 2.1.0", "nodes": [""], "fixAvailable": true}, "grunt-legacy-util": {"name": "grunt-legacy-util", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": [], "range": "1.0.0-rc1 - 2.0.1", "nodes": [""], "fixAvailable": true}, "lodash": {"name": "lodash", "severity": "high", "isDirect": false, "via": [{"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}], "effects": ["grunt-legacy-log", "grunt-legacy-log-utils", "grunt-legacy-util"], "range": "<=4.17.23", "nodes": [""], "fixAvailable": true}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}], "effects": ["grunt"], "range": "<=3.1.3", "nodes": ["node_modules/minimatch"], "fixAvailable": {"name": "grunt", "version": "1.6.2", "isSemVerMajor": false}}, "picomatch": {"name": "picomatch", "severity": "high", "isDirect": false, "via": [{"source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<2.3.2"}, {"source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<2.3.2"}], "effects": [], "range": "<=2.3.1", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 7, "critical": 0, "total": 7}, "dependencies": {"prod": 1, "dev": 443, "optional": 0, "peer": 1, "peerOptional": 0, "total": 443}}}}
{}
Upgrading n:grunt from 1.6.1 -> 1.6.2
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 440 packages, and audited 441 packages in 5s
101 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 440 packages, and audited 441 packages in 5s
101 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> grunt test
Running "eslint:all" (eslint) task
Running "banana:WikimediaMessages" (banana) task
>> The "arc" translation has 1 blank translation:
>> * wm-codeofconduct
Warning: Task "banana:WikimediaMessages" failed. Use --force to continue.
Aborted due to warnings.
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1268, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1208, in run
self.npm_audit_fix(new_npm_audit)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 239, in npm_audit_fix
self.npm_test()
~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 289, in npm_test
self.check_call(["npm", "test"])
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/shell2.py", line 66, in check_call
res.check_returncode()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/subprocess.py", line 508, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
self.stderr)
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 3.