This run took 51 seconds.
$ date
--- stdout ---
Mon Apr 27 18:01:29 UTC 2026
--- end ---
$ git clone file:///srv/git/wikibase-new-lexeme-special-page.git /src/repo --depth=1 -b main
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/main
--- stdout ---
f1e59473e0cab6d03f9f5da82a7ba9b2a2cfbb9e refs/heads/main
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/helpers": {
"name": "@babel/helpers",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1104001,
"name": "@babel/helpers",
"dependency": "@babel/helpers",
"title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
"url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 6.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.26.10"
}
],
"effects": [],
"range": "<7.26.10",
"nodes": [
"node_modules/@babel/helpers"
],
"fixAvailable": true
},
"@cypress/request": {
"name": "@cypress/request",
"severity": "moderate",
"isDirect": false,
"via": [
"qs",
"uuid"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@cypress/request"
],
"fixAvailable": true
},
"@tootallnate/once": {
"name": "@tootallnate/once",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113977,
"name": "@tootallnate/once",
"dependency": "@tootallnate/once",
"title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6",
"severity": "low",
"cwe": [
"CWE-705"
],
"cvss": {
"score": 3.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<3.0.1"
}
],
"effects": [
"http-proxy-agent"
],
"range": "<3.0.1",
"nodes": [
"node_modules/@tootallnate/once"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.3.0",
"isSemVerMajor": true
}
},
"ajv": {
"name": "ajv",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113714,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<6.14.0"
},
{
"source": 1113715,
"name": "ajv",
"dependency": "ajv",
"title": "ajv has ReDoS when using `$data` option",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=7.0.0-alpha.0 <8.18.0"
}
],
"effects": [],
"range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0",
"nodes": [
"node_modules/ajv",
"node_modules/table/node_modules/ajv"
],
"fixAvailable": true
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1111035,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=1.0.0 <1.8.2"
},
{
"source": 1112195,
"name": "axios",
"dependency": "axios",
"title": "Axios is vulnerable to DoS attack through lack of data size check",
"url": "https://github.com/advisories/GHSA-4hjh-wcwx-xvwj",
"severity": "high",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.12.0"
},
{
"source": 1113275,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <=1.13.4"
},
{
"source": 1116673,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": ">=1.0.0 <1.15.0"
},
{
"source": 1116675,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": ">=1.0.0 <1.15.0"
}
],
"effects": [],
"range": "1.0.0 - 1.14.0",
"nodes": [
"node_modules/axios"
],
"fixAvailable": true
},
"brace-expansion": {
"name": "brace-expansion",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1105443,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=1.0.0 <=1.1.11"
},
{
"source": 1105444,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion Regular Expression Denial of Service vulnerability",
"url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=2.0.0 <=2.0.1"
},
{
"source": 1115540,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<1.1.13"
},
{
"source": 1115541,
"name": "brace-expansion",
"dependency": "brace-expansion",
"title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.3"
}
],
"effects": [],
"range": "<=1.1.12 || 2.0.0 - 2.0.2",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
"node_modules/@vue/language-core/node_modules/brace-expansion",
"node_modules/brace-expansion",
"node_modules/editorconfig/node_modules/brace-expansion",
"node_modules/eslint-plugin-n/node_modules/brace-expansion",
"node_modules/filelist/node_modules/brace-expansion",
"node_modules/js-beautify/node_modules/brace-expansion"
],
"fixAvailable": true
},
"cross-spawn": {
"name": "cross-spawn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1104663,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.0.6"
},
{
"source": 1104664,
"name": "cross-spawn",
"dependency": "cross-spawn",
"title": "Regular Expression Denial of Service (ReDoS) in cross-spawn",
"url": "https://github.com/advisories/GHSA-3xgq-45jj-v275",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.0.5"
}
],
"effects": [],
"range": "<6.0.6 || >=7.0.0 <7.0.5",
"nodes": [
"node_modules/cross-spawn",
"node_modules/npm-run-all/node_modules/cross-spawn"
],
"fixAvailable": true
},
"editorconfig": {
"name": "editorconfig",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [],
"range": "1.0.3 - 1.0.4 || 2.0.0",
"nodes": [
"node_modules/editorconfig"
],
"fixAvailable": true
},
"esbuild": {
"name": "esbuild",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102341,
"name": "esbuild",
"dependency": "esbuild",
"title": "esbuild enables any website to send any requests to the development server and read the response",
"url": "https://github.com/advisories/GHSA-67mh-4wv8-2f99",
"severity": "moderate",
"cwe": [
"CWE-346"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": "<=0.24.2"
}
],
"effects": [
"vite"
],
"range": "<=0.24.2",
"nodes": [
"node_modules/esbuild"
],
"fixAvailable": true
},
"flatted": {
"name": "flatted",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1114526,
"name": "flatted",
"dependency": "flatted",
"title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
"severity": "high",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.4.0"
},
{
"source": 1115357,
"name": "flatted",
"dependency": "flatted",
"title": "Prototype Pollution via parse() in NodeJS flatted",
"url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.1"
}
],
"effects": [],
"range": "<=3.4.1",
"nodes": [
"node_modules/flatted"
],
"fixAvailable": true
},
"follow-redirects": {
"name": "follow-redirects",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1116560,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"url": "https://github.com/advisories/GHSA-r4q5-vmmm-2653",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=1.15.11"
}
],
"effects": [],
"range": "<=1.15.11",
"nodes": [
"node_modules/follow-redirects"
],
"fixAvailable": true
},
"form-data": {
"name": "form-data",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109538,
"name": "form-data",
"dependency": "form-data",
"title": "form-data uses unsafe random function in form-data for choosing boundary",
"url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
"severity": "critical",
"cwe": [
"CWE-330"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0 <4.0.4"
}
],
"effects": [],
"range": "4.0.0 - 4.0.3",
"nodes": [
"node_modules/form-data"
],
"fixAvailable": true
},
"glob": {
"name": "glob",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1109842,
"name": "glob",
"dependency": "glob",
"title": "glob CLI: Command injection via -c/--cmd executes matches with shell:true",
"url": "https://github.com/advisories/GHSA-5j98-mcp5-4vw2",
"severity": "high",
"cwe": [
"CWE-78"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=10.2.0 <10.5.0"
}
],
"effects": [],
"range": "10.2.0 - 10.4.5",
"nodes": [
"node_modules/js-beautify/node_modules/glob"
],
"fixAvailable": true
},
"http-proxy-agent": {
"name": "http-proxy-agent",
"severity": "low",
"isDirect": false,
"via": [
"@tootallnate/once"
],
"effects": [
"jsdom"
],
"range": "4.0.1 - 5.0.0",
"nodes": [
"node_modules/http-proxy-agent"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.3.0",
"isSemVerMajor": true
}
},
"immutable": {
"name": "immutable",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117068,
"name": "immutable",
"dependency": "immutable",
"title": "Immutable is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=5.0.0 <5.1.5"
}
],
"effects": [],
"range": "5.0.0 - 5.1.4",
"nodes": [
"node_modules/immutable"
],
"fixAvailable": true
},
"jest-environment-jsdom": {
"name": "jest-environment-jsdom",
"severity": "low",
"isDirect": true,
"via": [
"jsdom"
],
"effects": [],
"range": "27.0.1 - 30.0.0-rc.1",
"nodes": [
"node_modules/jest-environment-jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.3.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1112714,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.14.2"
},
{
"source": 1112715,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "js-yaml has prototype pollution in merge (<<)",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [],
"range": "<3.14.2 || >=4.0.0 <4.1.1",
"nodes": [
"node_modules/@eslint/eslintrc/node_modules/js-yaml",
"node_modules/cosmiconfig/node_modules/js-yaml",
"node_modules/eslint-plugin-unicorn/node_modules/js-yaml",
"node_modules/eslint/node_modules/js-yaml",
"node_modules/js-yaml"
],
"fixAvailable": true
},
"jsdom": {
"name": "jsdom",
"severity": "low",
"isDirect": false,
"via": [
"http-proxy-agent"
],
"effects": [
"jest-environment-jsdom"
],
"range": "16.6.0 - 22.1.0",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.3.0",
"isSemVerMajor": true
}
},
"lint-staged": {
"name": "lint-staged",
"severity": "moderate",
"isDirect": true,
"via": [
"yaml"
],
"effects": [],
"range": "13.3.0 - 15.4.1 || 16.2.0",
"nodes": [
"node_modules/lint-staged"
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1112455,
"name": "lodash",
"dependency": "lodash",
"title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": ">=4.0.0 <=4.17.22"
},
{
"source": 1115806,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Code Injection via `_.template` imports key names",
"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=4.0.0 <=4.17.23"
},
{
"source": 1115810,
"name": "lodash",
"dependency": "lodash",
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
},
"range": "<=4.17.23"
}
],
"effects": [],
"range": "<=4.17.23",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113461,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=5.0.0 <5.1.7"
},
{
"source": 1113465,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=9.0.0 <9.0.6"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113540,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.0.0 <5.1.8"
},
{
"source": 1113544,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=9.0.0 <9.0.7"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
},
{
"source": 1113548,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.0.0 <5.1.8"
},
{
"source": 1113552,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=9.0.0 <9.0.7"
}
],
"effects": [
"editorconfig"
],
"range": "<=3.1.3 || 5.0.0 - 5.1.7 || 9.0.0 - 9.0.6",
"nodes": [
"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch",
"node_modules/@vue/language-core/node_modules/minimatch",
"node_modules/editorconfig/node_modules/minimatch",
"node_modules/eslint-plugin-n/node_modules/minimatch",
"node_modules/filelist/node_modules/minimatch",
"node_modules/js-beautify/node_modules/minimatch",
"node_modules/minimatch"
],
"fixAvailable": true
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1109563,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
}
],
"effects": [],
"range": "<3.3.8",
"nodes": [
"node_modules/nanoid"
],
"fixAvailable": true
},
"picomatch": {
"name": "picomatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1115549,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<2.3.2"
},
{
"source": 1115552,
"name": "picomatch",
"dependency": "picomatch",
"title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
"url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<2.3.2"
}
],
"effects": [],
"range": "<=2.3.1",
"nodes": [
"node_modules/picomatch"
],
"fixAvailable": true
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1117015,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"url": "https://github.com/advisories/GHSA-qx2v-qp2m-jg93",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<8.5.10"
}
],
"effects": [],
"range": "<8.5.10",
"nodes": [
"node_modules/postcss"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1113161,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in comma parsing allows denial of service",
"url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.7.0 <=6.14.1"
},
{
"source": 1113719,
"name": "qs",
"dependency": "qs",
"title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
"severity": "moderate",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<6.14.1"
}
],
"effects": [
"@cypress/request"
],
"range": "<=6.14.1",
"nodes": [
"node_modules/qs"
],
"fixAvailable": true
},
"rollup": {
"name": "rollup",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113515,
"name": "rollup",
"dependency": "rollup",
"title": "Rollup 4 has Arbitrary File Write via Path Traversal",
"url": "https://github.com/advisories/GHSA-mw96-cpmx-2vgc",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=4.0.0 <4.59.0"
}
],
"effects": [],
"range": "4.0.0 - 4.58.0",
"nodes": [
"node_modules/rollup"
],
"fixAvailable": true
},
"tmp": {
"name": "tmp",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1109537,
"name": "tmp",
"dependency": "tmp",
"title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
"url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
"severity": "low",
"cwe": [
"CWE-59"
],
"cvss": {
"score": 2.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.2.3"
}
],
"effects": [],
"range": "<=0.2.3",
"nodes": [
"node_modules/tmp"
],
"fixAvailable": true
},
"uuid": {
"name": "uuid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1116970,
"name": "uuid",
"dependency": "uuid",
"title": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"url": "https://github.com/advisories/GHSA-w5hq-g745-h8pq",
"severity": "moderate",
"cwe": [
"CWE-787",
"CWE-1285"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<14.0.0"
}
],
"effects": [
"@cypress/request"
],
"range": "<14.0.0",
"nodes": [
"node_modules/uuid"
],
"fixAvailable": true
},
"vite": {
"name": "vite",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1102438,
"name": "vite",
"dependency": "vite",
"title": "Websites were able to send any requests to the development server and read the response in vite",
"url": "https://github.com/advisories/GHSA-vg6x-rcgg-rjx6",
"severity": "moderate",
"cwe": [
"CWE-346",
"CWE-350",
"CWE-1385"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=6.0.0 <=6.0.8"
},
{
"source": 1103518,
"name": "vite",
"dependency": "vite",
"title": "Vite bypasses server.fs.deny when using ?raw??",
"url": "https://github.com/advisories/GHSA-x574-m823-4x7w",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-284"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=6.0.0 <6.0.12"
},
{
"source": 1103885,
"name": "vite",
"dependency": "vite",
"title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"url": "https://github.com/advisories/GHSA-356w-63v5-8wf4",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <6.0.15"
},
{
"source": 1104174,
"name": "vite",
"dependency": "vite",
"title": "Vite's server.fs.deny bypassed with /. for files under project root",
"url": "https://github.com/advisories/GHSA-859w-5945-r5v3",
"severity": "moderate",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <=6.1.5"
},
{
"source": 1104203,
"name": "vite",
"dependency": "vite",
"title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
"url": "https://github.com/advisories/GHSA-xcj6-pq6g-qj4x",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-284"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=6.0.0 <6.0.14"
},
{
"source": 1107324,
"name": "vite",
"dependency": "vite",
"title": "Vite middleware may serve files starting with the same name with the public directory",
"url": "https://github.com/advisories/GHSA-g4jq-h2w9-997c",
"severity": "low",
"cwe": [
"CWE-22",
"CWE-200",
"CWE-284"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <=6.3.5"
},
{
"source": 1107328,
"name": "vite",
"dependency": "vite",
"title": "Vite's `server.fs` settings were not applied to HTML files",
"url": "https://github.com/advisories/GHSA-jqfw-vq24-v9c3",
"severity": "low",
"cwe": [
"CWE-23",
"CWE-200",
"CWE-284"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <=6.3.5"
},
{
"source": 1109135,
"name": "vite",
"dependency": "vite",
"title": "vite allows server.fs.deny bypass via backslash on Windows",
"url": "https://github.com/advisories/GHSA-93m4-6634-74q7",
"severity": "moderate",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <=6.4.0"
},
{
"source": 1112512,
"name": "vite",
"dependency": "vite",
"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
"url": "https://github.com/advisories/GHSA-4r4m-qw57-chr8",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-284"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=6.0.0 <6.0.13"
},
{
"source": 1116229,
"name": "vite",
"dependency": "vite",
"title": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"url": "https://github.com/advisories/GHSA-4w7w-66w2-5vf9",
"severity": "moderate",
"cwe": [
"CWE-22",
"CWE-200"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=6.4.1"
},
{
"source": 1116234,
"name": "vite",
"dependency": "vite",
"title": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket",
"url": "https://github.com/advisories/GHSA-p9ff-h696-f583",
"severity": "high",
"cwe": [
"CWE-200",
"CWE-306"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": ">=6.0.0 <=6.4.1"
},
"esbuild"
],
"effects": [],
"range": "<=6.4.1",
"nodes": [
"node_modules/vite"
],
"fixAvailable": true
},
"yaml": {
"name": "yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1115556,
"name": "yaml",
"dependency": "yaml",
"title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=2.0.0 <2.8.3"
}
],
"effects": [
"lint-staged"
],
"range": "2.0.0 - 2.8.2",
"nodes": [
"node_modules/yaml"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 5,
"moderate": 13,
"high": 11,
"critical": 1,
"total": 30
},
"dependencies": {
"prod": 161,
"dev": 1051,
"optional": 61,
"peer": 0,
"peerOptional": 0,
"total": 1212
}
}
}
--- end ---
Upgrading n:@wmde/eslint-config-wikimedia-typescript from ^0.2.12 -> 0.2.14
Upgrading n:eslint-config-wikimedia from ^0.28.2 -> 0.32.3
$ /usr/bin/npm install
--- stderr ---
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-plugin-wdio@9.27.0
npm WARN Found: eslint@8.57.1
npm WARN node_modules/eslint
npm WARN dev eslint@"^8.57.0" from the root project
npm WARN 33 more (@typescript-eslint/eslint-plugin, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN
npm WARN Conflicting peer dependency: eslint@9.39.4
npm WARN node_modules/eslint
npm WARN peer eslint@"^9.39.2" from eslint-plugin-wdio@9.27.0
npm WARN node_modules/eslint-config-wikimedia/node_modules/eslint-plugin-wdio
npm WARN eslint-plugin-wdio@"^9.16.2" from eslint-config-wikimedia@0.32.3
npm WARN node_modules/eslint-config-wikimedia
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@1.20.0',
npm WARN EBADENGINE required: { node: '>=20', npm: '>=10.8.1' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-design-tokens@1.20.0',
npm WARN EBADENGINE required: { node: '>=20', npm: '>=10.8.1' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@1.20.0',
npm WARN EBADENGINE required: { node: '>=20', npm: '>=10.8.1' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
> new-lexeme-special-page@0.0.1 prepare
> husky
added 1229 packages, and audited 1230 packages in 30s
245 packages are looking for funding
run `npm fund` for details
30 vulnerabilities (5 low, 13 moderate, 11 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
$ ./node_modules/.bin/eslint . --fix
--- stderr ---
Oops! Something went wrong! :(
ESLint: 8.57.1
ESLint couldn't find the config "wikimedia/client-common" to extend from. Please check that the name of the config is correct.
The config "wikimedia/client-common" was referenced from the config file in "/src/repo/.eslintrc.js".
If you still have problems, please stop by https://eslint.org/chat/help to chat with the team.
--- stdout ---
--- end ---
$ ./node_modules/.bin/eslint . -f json
--- stderr ---
Oops! Something went wrong! :(
ESLint: 8.57.1
ESLint couldn't find the config "wikimedia/client-common" to extend from. Please check that the name of the config is correct.
The config "wikimedia/client-common" was referenced from the config file in "/src/repo/.eslintrc.js".
If you still have problems, please stop by https://eslint.org/chat/help to chat with the team.
--- stdout ---
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1268, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1202, in run
self.npm_upgrade(plan)
~~~~~~~~~~~~~~~~^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1061, in npm_upgrade
hook(update)
~~~~^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1076, in _handle_eslint
ESLintHandler(self.ctx).handle(update)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/handlers/eslint.py", line 312, in handle
self.do_handle()
~~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/handlers/eslint.py", line 251, in do_handle
errors = json.loads(
self.check_call(
eslint_binary + files + ["-f", "json"], ignore_returncode=True
)
)
File "/usr/lib/python3.13/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
~~~~~~~~~~~~~~~~~~~~~~~^^^
File "/usr/lib/python3.13/json/decoder.py", line 345, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/json/decoder.py", line 363, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)