This run took 430 seconds.
From 8e1f3b46d0ee68749806eb5e58d758bf03123b3e Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 21 May 2026 00:52:14 +0000
Subject: [PATCH] build: Updating npm dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* @babel/plugin-transform-modules-systemjs: 7.27.1 → 7.29.4
* https://github.com/advisories/GHSA-fv7c-fp4j-7gwp
* basic-ftp: 5.3.0 → 5.3.1
* https://github.com/advisories/GHSA-rpmf-866q-6p89
* engine.io: 6.6.4 → 6.6.8
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
* fast-uri: 3.1.0 → 3.1.2
* https://github.com/advisories/GHSA-q3j6-qgpj-74h6
* https://github.com/advisories/GHSA-v39h-62p7-jpjc
* fast-xml-builder: 1.1.5 → 1.2.0
* https://github.com/advisories/GHSA-45c6-75p6-83cc
* https://github.com/advisories/GHSA-5wm8-gmm8-39j9
* ip-address: 10.1.0 → 10.2.0
* https://github.com/advisories/GHSA-v2v4-37r5-5v8g
* socket.io-adapter: 2.5.5 → 2.5.7
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
* ws: 8.17.1 → 8.20.1
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
Change-Id: Ie6f4dce4f5aa89b9078d88131b2e9a88661e3503
---
package-lock.json | 252 +++++++++++++++++++---------------------------
1 file changed, 106 insertions(+), 146 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 52690d5..14bbe4a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -103,13 +103,12 @@
}
},
"node_modules/@babel/code-frame": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz",
- "integrity": "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==",
+ "version": "7.29.0",
+ "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+ "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/helper-validator-identifier": "^7.27.1",
+ "@babel/helper-validator-identifier": "^7.28.5",
"js-tokens": "^4.0.0",
"picocolors": "^1.1.1"
},
@@ -159,14 +158,13 @@
}
},
"node_modules/@babel/generator": {
- "version": "7.28.3",
- "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.28.3.tgz",
- "integrity": "sha512-3lSpxGgvnmZznmBkCRnVREPUFJv2wrv9iAoFDvADJc0ypmdOxdUtcLeBgBJ6zE0PMeTKnxeQzyk0xTBq4Ep7zw==",
+ "version": "7.29.1",
+ "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+ "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/parser": "^7.28.3",
- "@babel/types": "^7.28.2",
+ "@babel/parser": "^7.29.0",
+ "@babel/types": "^7.29.0",
"@jridgewell/gen-mapping": "^0.3.12",
"@jridgewell/trace-mapping": "^0.3.28",
"jsesc": "^3.0.2"
@@ -287,29 +285,27 @@
}
},
"node_modules/@babel/helper-module-imports": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.27.1.tgz",
- "integrity": "sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
+ "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/traverse": "^7.27.1",
- "@babel/types": "^7.27.1"
+ "@babel/traverse": "^7.28.6",
+ "@babel/types": "^7.28.6"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-module-transforms": {
- "version": "7.28.3",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.3.tgz",
- "integrity": "sha512-gytXUbs8k2sXS9PnQptz5o0QnpLL51SwASIORY6XaBKF88nsOT0Zw9szLqlSGQDP/4TljBAD5y98p2U1fqkdsw==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
+ "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/helper-module-imports": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.27.1",
- "@babel/traverse": "^7.28.3"
+ "@babel/helper-module-imports": "^7.28.6",
+ "@babel/helper-validator-identifier": "^7.28.5",
+ "@babel/traverse": "^7.28.6"
},
"engines": {
"node": ">=6.9.0"
@@ -332,11 +328,10 @@
}
},
"node_modules/@babel/helper-plugin-utils": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.27.1.tgz",
- "integrity": "sha512-1gn1Up5YXka3YYAHGKpbideQ5Yjf1tDa9qYcgysz+cNCXukyLl6DjPXhD3VRwSb8c0J9tA4b2+rHEZtc6R0tlw==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.28.6.tgz",
+ "integrity": "sha512-S9gzZ/bz83GRysI7gAD4wPT/AI3uCnY+9xn+Mx/KPs2JwHJIz1W8PZkg2cqyt3RNOBM8ejcXhV6y8Og7ly/Dug==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=6.9.0"
}
@@ -402,11 +397,10 @@
}
},
"node_modules/@babel/helper-validator-identifier": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.27.1.tgz",
- "integrity": "sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==",
+ "version": "7.28.5",
+ "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+ "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=6.9.0"
}
@@ -451,13 +445,12 @@
}
},
"node_modules/@babel/parser": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.4.tgz",
- "integrity": "sha512-yZbBqeM6TkpP9du/I2pUZnJsRMGGvOuIrhjzC1AwHwW+6he4mni6Bp/m8ijn0iOuZuPI2BfkCoSRunpyjnrQKg==",
+ "version": "7.29.3",
+ "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
+ "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/types": "^7.28.4"
+ "@babel/types": "^7.29.0"
},
"bin": {
"parser": "bin/babel-parser.js"
@@ -1266,16 +1259,15 @@
}
},
"node_modules/@babel/plugin-transform-modules-systemjs": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.27.1.tgz",
- "integrity": "sha512-w5N1XzsRbc0PQStASMksmUeqECuzKuTJer7kFagK8AXgpCMkeDMO5S+aaFb7A51ZYDF7XI34qsTX+fkHiIm5yA==",
+ "version": "7.29.4",
+ "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.29.4.tgz",
+ "integrity": "sha512-N7QmZ0xRZfjHOfZeQLJjwgX2zS9pdGHSVl/cjSGlo4dXMqvurfxXDMKY4RqEKzPozV78VMcd0lxyG13mlbKc4w==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/helper-module-transforms": "^7.27.1",
- "@babel/helper-plugin-utils": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.27.1",
- "@babel/traverse": "^7.27.1"
+ "@babel/helper-module-transforms": "^7.28.6",
+ "@babel/helper-plugin-utils": "^7.28.6",
+ "@babel/helper-validator-identifier": "^7.28.5",
+ "@babel/traverse": "^7.29.0"
},
"engines": {
"node": ">=6.9.0"
@@ -1797,33 +1789,31 @@
}
},
"node_modules/@babel/template": {
- "version": "7.27.2",
- "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.2.tgz",
- "integrity": "sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+ "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/code-frame": "^7.27.1",
- "@babel/parser": "^7.27.2",
- "@babel/types": "^7.27.1"
+ "@babel/code-frame": "^7.28.6",
+ "@babel/parser": "^7.28.6",
+ "@babel/types": "^7.28.6"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/traverse": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.4.tgz",
- "integrity": "sha512-YEzuboP2qvQavAcjgQNVgsvHIDv6ZpwXvcvjmyySP2DIMuByS/6ioU5G9pYrWHM6T2YDfc7xga9iNzYOs12CFQ==",
+ "version": "7.29.0",
+ "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+ "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/code-frame": "^7.27.1",
- "@babel/generator": "^7.28.3",
+ "@babel/code-frame": "^7.29.0",
+ "@babel/generator": "^7.29.0",
"@babel/helper-globals": "^7.28.0",
- "@babel/parser": "^7.28.4",
- "@babel/template": "^7.27.2",
- "@babel/types": "^7.28.4",
+ "@babel/parser": "^7.29.0",
+ "@babel/template": "^7.28.6",
+ "@babel/types": "^7.29.0",
"debug": "^4.3.1"
},
"engines": {
@@ -1831,14 +1821,13 @@
}
},
"node_modules/@babel/types": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.4.tgz",
- "integrity": "sha512-bkFqkLhh3pMBUQQkpVgWDWq/lqzc2678eUyDlTBhRqhCHFguYYGM0Efga7tYk4TogG/3x0EEl66/OQ+WGbWB/Q==",
+ "version": "7.29.0",
+ "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+ "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
"dev": true,
- "license": "MIT",
"dependencies": {
"@babel/helper-string-parser": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.27.1"
+ "@babel/helper-validator-identifier": "^7.28.5"
},
"engines": {
"node": ">=6.9.0"
@@ -4787,11 +4776,10 @@
}
},
"node_modules/@tootallnate/once": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.0.tgz",
- "integrity": "sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==",
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.1.tgz",
+ "integrity": "sha512-HqmEUIGRJ5fSXchkVgR5F7qn48bDBzv0kWj/Kfu5e6uci4UlEeng4331LnBkWffb++Ei3FOVLxo8JJWMFBDMeQ==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">= 10"
}
@@ -6898,11 +6886,10 @@
}
},
"node_modules/basic-ftp": {
- "version": "5.3.0",
- "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
- "integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
+ "version": "5.3.1",
+ "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.1.tgz",
+ "integrity": "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=10.0.0"
}
@@ -9061,21 +9048,21 @@
}
},
"node_modules/engine.io": {
- "version": "6.6.4",
- "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.6.4.tgz",
- "integrity": "sha512-ZCkIjSYNDyGn0R6ewHDtXgns/Zre/NT6Agvq1/WobF7JXgFff4SeDroKiCO3fNJreU9YG429Sc81o4w5ok/W5g==",
+ "version": "6.6.8",
+ "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.6.8.tgz",
+ "integrity": "sha512-2agL3ueZhqxoVrfmntO8yuVj+uNSlIOnhykYHk3Cq0ShYPdUjjUiSJrQvXjq01I9jAuI0Zl2YO8Evv5Mqytm5g==",
"dev": true,
- "license": "MIT",
"dependencies": {
"@types/cors": "^2.8.12",
"@types/node": ">=10.0.0",
+ "@types/ws": "^8.5.12",
"accepts": "~1.3.4",
"base64id": "2.0.0",
"cookie": "~0.7.2",
"cors": "~2.8.5",
- "debug": "~4.3.1",
+ "debug": "~4.4.1",
"engine.io-parser": "~5.2.1",
- "ws": "~8.17.1"
+ "ws": "~8.20.1"
},
"engines": {
"node": ">=10.2.0"
@@ -9091,24 +9078,6 @@
"node": ">=10.0.0"
}
},
- "node_modules/engine.io/node_modules/debug": {
- "version": "4.3.7",
- "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz",
- "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "ms": "^2.1.3"
- },
- "engines": {
- "node": ">=6.0"
- },
- "peerDependenciesMeta": {
- "supports-color": {
- "optional": true
- }
- }
- },
"node_modules/enhanced-resolve": {
"version": "5.18.3",
"resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.3.tgz",
@@ -10984,9 +10953,9 @@
"license": "MIT"
},
"node_modules/fast-uri": {
- "version": "3.1.0",
- "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
- "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+ "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
"dev": true,
"funding": [
{
@@ -10997,13 +10966,12 @@
"type": "opencollective",
"url": "https://opencollective.com/fastify"
}
- ],
- "license": "BSD-3-Clause"
+ ]
},
"node_modules/fast-xml-builder": {
- "version": "1.1.5",
- "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz",
- "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==",
+ "version": "1.2.0",
+ "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
+ "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
"dev": true,
"funding": [
{
@@ -11011,9 +10979,9 @@
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
- "license": "MIT",
"dependencies": {
- "path-expression-matcher": "^1.1.3"
+ "path-expression-matcher": "^1.5.0",
+ "xml-naming": "^0.1.0"
}
},
"node_modules/fast-xml-parser": {
@@ -12919,9 +12887,9 @@
"license": "MIT"
},
"node_modules/ip-address": {
- "version": "10.1.0",
- "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
- "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
+ "version": "10.2.0",
+ "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz",
+ "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==",
"dev": true,
"engines": {
"node": ">= 12"
@@ -20247,32 +20215,13 @@
}
},
"node_modules/socket.io-adapter": {
- "version": "2.5.5",
- "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.5.5.tgz",
- "integrity": "sha512-eLDQas5dzPgOWCk9GuuJC2lBqItuhKI4uxGgo9aIV7MYbk2h9Q6uULEh8WBzThoI7l+qU9Ast9fVUmkqPP9wYg==",
+ "version": "2.5.7",
+ "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.5.7.tgz",
+ "integrity": "sha512-e0LyK91f3cUxTmv95/KzoLg47+zF+s/sbxRGDNsyG4dmIP8ZSX8ax6byOxfJXeNNtS/8AZlfD+uP7gBeR7DLlg==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "debug": "~4.3.4",
- "ws": "~8.17.1"
- }
- },
- "node_modules/socket.io-adapter/node_modules/debug": {
- "version": "4.3.7",
- "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz",
- "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "ms": "^2.1.3"
- },
- "engines": {
- "node": ">=6.0"
- },
- "peerDependenciesMeta": {
- "supports-color": {
- "optional": true
- }
+ "debug": "~4.4.1",
+ "ws": "~8.20.1"
}
},
"node_modules/socket.io-parser": {
@@ -22303,8 +22252,10 @@
}
},
"node_modules/wdio-mediawiki": {
- "resolved": "tests/selenium/wdio-mediawiki",
- "link": true
+ "version": "6.5.1",
+ "resolved": "file:tests/selenium/wdio-mediawiki",
+ "dev": true,
+ "license": "MIT"
},
"node_modules/webdriver": {
"version": "9.23.2",
@@ -22675,11 +22626,10 @@
"license": "ISC"
},
"node_modules/ws": {
- "version": "8.17.1",
- "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz",
- "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==",
+ "version": "8.20.1",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
+ "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=10.0.0"
},
@@ -22706,6 +22656,21 @@
"node": ">=12"
}
},
+ "node_modules/xml-naming": {
+ "version": "0.1.0",
+ "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
+ "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
+ "dev": true,
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/NaturalIntelligence"
+ }
+ ],
+ "engines": {
+ "node": ">=16.0.0"
+ }
+ },
"node_modules/xml2js": {
"version": "0.6.2",
"resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.2.tgz",
@@ -23036,11 +23001,6 @@
"dependencies": {
"safe-buffer": "~5.2.0"
}
- },
- "tests/selenium/wdio-mediawiki": {
- "version": "6.5.1",
- "dev": true,
- "license": "MIT"
}
}
}
--
2.47.3
$ date
--- stdout ---
Thu May 21 00:47:03 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-core.git /src/repo --depth=1 -b REL1_46
--- stderr ---
Cloning into '/src/repo'...
Updating files: 57% (7282/12609)
Updating files: 58% (7314/12609)
Updating files: 59% (7440/12609)
Updating files: 60% (7566/12609)
Updating files: 61% (7692/12609)
Updating files: 62% (7818/12609)
Updating files: 63% (7944/12609)
Updating files: 64% (8070/12609)
Updating files: 65% (8196/12609)
Updating files: 66% (8322/12609)
Updating files: 67% (8449/12609)
Updating files: 68% (8575/12609)
Updating files: 69% (8701/12609)
Updating files: 70% (8827/12609)
Updating files: 71% (8953/12609)
Updating files: 72% (9079/12609)
Updating files: 73% (9205/12609)
Updating files: 74% (9331/12609)
Updating files: 75% (9457/12609)
Updating files: 76% (9583/12609)
Updating files: 77% (9709/12609)
Updating files: 78% (9836/12609)
Updating files: 79% (9962/12609)
Updating files: 80% (10088/12609)
Updating files: 81% (10214/12609)
Updating files: 82% (10340/12609)
Updating files: 83% (10466/12609)
Updating files: 84% (10592/12609)
Updating files: 85% (10718/12609)
Updating files: 86% (10844/12609)
Updating files: 87% (10970/12609)
Updating files: 88% (11096/12609)
Updating files: 89% (11223/12609)
Updating files: 90% (11349/12609)
Updating files: 91% (11475/12609)
Updating files: 92% (11601/12609)
Updating files: 93% (11727/12609)
Updating files: 94% (11853/12609)
Updating files: 95% (11979/12609)
Updating files: 96% (12105/12609)
Updating files: 97% (12231/12609)
Updating files: 98% (12357/12609)
Updating files: 99% (12483/12609)
Updating files: 100% (12609/12609)
Updating files: 100% (12609/12609), done.
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stderr ---
Submodule 'extensions/AbuseFilter' (https://gerrit.wikimedia.org/r/mediawiki/extensions/AbuseFilter) registered for path 'extensions/AbuseFilter'
Submodule 'extensions/CategoryTree' (https://gerrit.wikimedia.org/r/mediawiki/extensions/CategoryTree) registered for path 'extensions/CategoryTree'
Submodule 'extensions/CheckUser' (https://gerrit.wikimedia.org/r/mediawiki/extensions/CheckUser) registered for path 'extensions/CheckUser'
Submodule 'extensions/Cite' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Cite) registered for path 'extensions/Cite'
Submodule 'extensions/CiteThisPage' (https://gerrit.wikimedia.org/r/mediawiki/extensions/CiteThisPage) registered for path 'extensions/CiteThisPage'
Submodule 'extensions/CodeEditor' (https://gerrit.wikimedia.org/r/mediawiki/extensions/CodeEditor) registered for path 'extensions/CodeEditor'
Submodule 'extensions/ConfirmEdit' (https://gerrit.wikimedia.org/r/mediawiki/extensions/ConfirmEdit) registered for path 'extensions/ConfirmEdit'
Submodule 'extensions/DiscussionTools' (https://gerrit.wikimedia.org/r/mediawiki/extensions/DiscussionTools) registered for path 'extensions/DiscussionTools'
Submodule 'extensions/Echo' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Echo) registered for path 'extensions/Echo'
Submodule 'extensions/Gadgets' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Gadgets) registered for path 'extensions/Gadgets'
Submodule 'extensions/ImageMap' (https://gerrit.wikimedia.org/r/mediawiki/extensions/ImageMap) registered for path 'extensions/ImageMap'
Submodule 'extensions/InputBox' (https://gerrit.wikimedia.org/r/mediawiki/extensions/InputBox) registered for path 'extensions/InputBox'
Submodule 'extensions/Linter' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Linter) registered for path 'extensions/Linter'
Submodule 'extensions/LoginNotify' (https://gerrit.wikimedia.org/r/mediawiki/extensions/LoginNotify) registered for path 'extensions/LoginNotify'
Submodule 'extensions/Math' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Math) registered for path 'extensions/Math'
Submodule 'extensions/MultimediaViewer' (https://gerrit.wikimedia.org/r/mediawiki/extensions/MultimediaViewer) registered for path 'extensions/MultimediaViewer'
Submodule 'extensions/Nuke' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Nuke) registered for path 'extensions/Nuke'
Submodule 'extensions/OATHAuth' (https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth) registered for path 'extensions/OATHAuth'
Submodule 'extensions/PageImages' (https://gerrit.wikimedia.org/r/mediawiki/extensions/PageImages) registered for path 'extensions/PageImages'
Submodule 'extensions/ParserFunctions' (https://gerrit.wikimedia.org/r/mediawiki/extensions/ParserFunctions) registered for path 'extensions/ParserFunctions'
Submodule 'extensions/PdfHandler' (https://gerrit.wikimedia.org/r/mediawiki/extensions/PdfHandler) registered for path 'extensions/PdfHandler'
Submodule 'extensions/Poem' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Poem) registered for path 'extensions/Poem'
Submodule 'extensions/ReplaceText' (https://gerrit.wikimedia.org/r/mediawiki/extensions/ReplaceText) registered for path 'extensions/ReplaceText'
Submodule 'extensions/Scribunto' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Scribunto) registered for path 'extensions/Scribunto'
Submodule 'extensions/SecureLinkFixer' (https://gerrit.wikimedia.org/r/mediawiki/extensions/SecureLinkFixer) registered for path 'extensions/SecureLinkFixer'
Submodule 'extensions/SpamBlacklist' (https://gerrit.wikimedia.org/r/mediawiki/extensions/SpamBlacklist) registered for path 'extensions/SpamBlacklist'
Submodule 'extensions/SyntaxHighlight_GeSHi' (https://gerrit.wikimedia.org/r/mediawiki/extensions/SyntaxHighlight_GeSHi) registered for path 'extensions/SyntaxHighlight_GeSHi'
Submodule 'extensions/TemplateData' (https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateData) registered for path 'extensions/TemplateData'
Submodule 'extensions/TemplateStyles' (https://gerrit.wikimedia.org/r/mediawiki/extensions/TemplateStyles) registered for path 'extensions/TemplateStyles'
Submodule 'extensions/TextExtracts' (https://gerrit.wikimedia.org/r/mediawiki/extensions/TextExtracts) registered for path 'extensions/TextExtracts'
Submodule 'extensions/Thanks' (https://gerrit.wikimedia.org/r/mediawiki/extensions/Thanks) registered for path 'extensions/Thanks'
Submodule 'extensions/TitleBlacklist' (https://gerrit.wikimedia.org/r/mediawiki/extensions/TitleBlacklist) registered for path 'extensions/TitleBlacklist'
Submodule 'extensions/VisualEditor' (https://gerrit.wikimedia.org/r/mediawiki/extensions/VisualEditor) registered for path 'extensions/VisualEditor'
Submodule 'extensions/WikiEditor' (https://gerrit.wikimedia.org/r/mediawiki/extensions/WikiEditor) registered for path 'extensions/WikiEditor'
Submodule 'skins/MinervaNeue' (https://gerrit.wikimedia.org/r/mediawiki/skins/MinervaNeue) registered for path 'skins/MinervaNeue'
Submodule 'skins/MonoBook' (https://gerrit.wikimedia.org/r/mediawiki/skins/MonoBook) registered for path 'skins/MonoBook'
Submodule 'skins/Timeless' (https://gerrit.wikimedia.org/r/mediawiki/skins/Timeless) registered for path 'skins/Timeless'
Submodule 'skins/Vector' (https://gerrit.wikimedia.org/r/mediawiki/skins/Vector) registered for path 'skins/Vector'
Submodule 'vendor' (https://gerrit.wikimedia.org/r/mediawiki/vendor) registered for path 'vendor'
Cloning into '/src/repo/extensions/AbuseFilter'...
Cloning into '/src/repo/extensions/CategoryTree'...
Cloning into '/src/repo/extensions/CheckUser'...
Cloning into '/src/repo/extensions/Cite'...
Cloning into '/src/repo/extensions/CiteThisPage'...
Cloning into '/src/repo/extensions/CodeEditor'...
Cloning into '/src/repo/extensions/ConfirmEdit'...
Cloning into '/src/repo/extensions/DiscussionTools'...
Cloning into '/src/repo/extensions/Echo'...
Cloning into '/src/repo/extensions/Gadgets'...
Cloning into '/src/repo/extensions/ImageMap'...
Cloning into '/src/repo/extensions/InputBox'...
Cloning into '/src/repo/extensions/Linter'...
Cloning into '/src/repo/extensions/LoginNotify'...
Cloning into '/src/repo/extensions/Math'...
Cloning into '/src/repo/extensions/MultimediaViewer'...
Cloning into '/src/repo/extensions/Nuke'...
Cloning into '/src/repo/extensions/OATHAuth'...
Cloning into '/src/repo/extensions/PageImages'...
Cloning into '/src/repo/extensions/ParserFunctions'...
Cloning into '/src/repo/extensions/PdfHandler'...
Cloning into '/src/repo/extensions/Poem'...
Cloning into '/src/repo/extensions/ReplaceText'...
Cloning into '/src/repo/extensions/Scribunto'...
Cloning into '/src/repo/extensions/SecureLinkFixer'...
Cloning into '/src/repo/extensions/SpamBlacklist'...
Cloning into '/src/repo/extensions/SyntaxHighlight_GeSHi'...
Cloning into '/src/repo/extensions/TemplateData'...
Cloning into '/src/repo/extensions/TemplateStyles'...
Cloning into '/src/repo/extensions/TextExtracts'...
Cloning into '/src/repo/extensions/Thanks'...
Cloning into '/src/repo/extensions/TitleBlacklist'...
Cloning into '/src/repo/extensions/VisualEditor'...
Cloning into '/src/repo/extensions/WikiEditor'...
Cloning into '/src/repo/skins/MinervaNeue'...
Cloning into '/src/repo/skins/MonoBook'...
Cloning into '/src/repo/skins/Timeless'...
Cloning into '/src/repo/skins/Vector'...
Cloning into '/src/repo/vendor'...
--- stdout ---
Submodule path 'extensions/AbuseFilter': checked out '225823345ef6956685372dcc7842267000b5583a'
Submodule path 'extensions/CategoryTree': checked out '3dc17c0e2bd4cb34715334ec9cb2ac01d6343083'
Submodule path 'extensions/CheckUser': checked out 'dfaa316825292c2d073bd01c56e5554327c652fd'
Submodule path 'extensions/Cite': checked out '041677a7bea56c9aba035443cc7374f1136f4c3b'
Submodule path 'extensions/CiteThisPage': checked out 'ba967ad92a5b766ad8a1268111ceadc9aedde4da'
Submodule path 'extensions/CodeEditor': checked out '52fdf72af91e5ddb84b1ccdfe58e0aebfae53f3f'
Submodule path 'extensions/ConfirmEdit': checked out 'a430e745f4bd9afecb400de90564cdfcd1dfa998'
Submodule path 'extensions/DiscussionTools': checked out '035a45eec13fb619f9f1bfc7baafbc3aa04cc6a1'
Submodule path 'extensions/Echo': checked out '4667e8b0727c33ea7f20ec2ee37da5dfa81c6445'
Submodule path 'extensions/Gadgets': checked out 'f21005b35448d42a80c402b2204c1ee3e37697cd'
Submodule path 'extensions/ImageMap': checked out 'b28a292ee7758b3b6a4c9724e5d4850b5f6e2b26'
Submodule path 'extensions/InputBox': checked out '5fffbe455f6d5a42c3d041f7cd5c7d0578cd33a6'
Submodule path 'extensions/Linter': checked out 'a41d8009185e2b93a4487f2fcf6e1419cd2c6cd3'
Submodule path 'extensions/LoginNotify': checked out 'c791322cf3cd0f12d0d2151148423c5a45a3ecd0'
Submodule path 'extensions/Math': checked out '5ac2f8a7dbecf8e9d4b4c751338d3ea651841d36'
Submodule path 'extensions/MultimediaViewer': checked out 'e38e229e27b307ab0d927b31ab8fbde093b1b0bd'
Submodule path 'extensions/Nuke': checked out '1be4b3cafb1cc299e4fd5553ac32c6ffb55a8faa'
Submodule path 'extensions/OATHAuth': checked out 'b5ef19cd41795bb66bc8ba53047d2718c5877083'
Submodule path 'extensions/PageImages': checked out '28f55d361fedd555d9ac294b93d3fc7366fe8ed6'
Submodule path 'extensions/ParserFunctions': checked out '8b89c494893f866d7f38d2782774a1fda7c4ab42'
Submodule path 'extensions/PdfHandler': checked out 'd0beedd10662e85090d27592c96b6d53840affe9'
Submodule path 'extensions/Poem': checked out '682ccbaf82d51bc150815ba895806c7d4ee11a15'
Submodule path 'extensions/ReplaceText': checked out '3074cca3a8b20791882ac56c0609c6f1dddcdf36'
Submodule path 'extensions/Scribunto': checked out 'dc6653b67709192f36e44808593ce56679b76b8e'
Submodule path 'extensions/SecureLinkFixer': checked out '1af6687b91f6c7fef2e86ad1ac6c70943ca92018'
Submodule path 'extensions/SpamBlacklist': checked out '228d463927d334286b22f66391fd14c995217c7b'
Submodule path 'extensions/SyntaxHighlight_GeSHi': checked out 'fc56b288411ded7de42eced3fe34bf0bb6d2e7d3'
Submodule path 'extensions/TemplateData': checked out '203fdffe3543df6e1308759c7c627983feecf7ef'
Submodule path 'extensions/TemplateStyles': checked out '617740ec9b43af5869ddd62a0dde4054e41e9a73'
Submodule path 'extensions/TextExtracts': checked out '2b989169490a309916898fab54fab88b0a17302e'
Submodule path 'extensions/Thanks': checked out '74ffc4776e75b2e7dd76099edef855fe6d38c235'
Submodule path 'extensions/TitleBlacklist': checked out 'd548b277a3cf00203c0664eec10faa05c2dc5a0f'
Submodule path 'extensions/VisualEditor': checked out '8be6d9fe6131572a7f10b6612820ddcadcced27e'
Submodule path 'extensions/WikiEditor': checked out '6594bf2532a4ae4ecc8f3e7b990ccdc926b3ddd0'
Submodule path 'skins/MinervaNeue': checked out 'e024a10ecd36fc7b86a6feb1f697e6c0e378b418'
Submodule path 'skins/MonoBook': checked out 'b2d07f358515b75f561e1900cadf20c263b5537f'
Submodule path 'skins/Timeless': checked out '55f0834453178dd9eba3d2c2176088b9aa4560bd'
Submodule path 'skins/Vector': checked out '2f84c23ba9cc01bc284c02ff16b2d7d9736e16c0'
Submodule path 'vendor': checked out '3244fa3bb079014e5855cd7387aff9ea84a96390'
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_46
--- stdout ---
e769d8a91f0935b0486087ca1a48b29d779ec7a1 refs/heads/REL1_46
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/plugin-transform-modules-systemjs": {
"name": "@babel/plugin-transform-modules-systemjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117908,
"name": "@babel/plugin-transform-modules-systemjs",
"dependency": "@babel/plugin-transform-modules-systemjs",
"title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input",
"url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
},
"range": ">=7.12.0 <=7.29.3"
}
],
"effects": [],
"range": "7.12.0 - 7.29.0",
"nodes": [
"node_modules/@babel/plugin-transform-modules-systemjs"
],
"fixAvailable": true
},
"@tootallnate/once": {
"name": "@tootallnate/once",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113977,
"name": "@tootallnate/once",
"dependency": "@tootallnate/once",
"title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6",
"severity": "low",
"cwe": [
"CWE-705"
],
"cvss": {
"score": 3.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<3.0.1"
}
],
"effects": [
"http-proxy-agent"
],
"range": "<3.0.1",
"nodes": [
"node_modules/@tootallnate/once"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"@wdio/mocha-framework": {
"name": "@wdio/mocha-framework",
"severity": "high",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": ">=6.1.19",
"nodes": [
"node_modules/@wdio/mocha-framework"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
},
{
"source": 1116672,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1117573,
"name": "axios",
"dependency": "axios",
"title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy",
"url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117575,
"name": "axios",
"dependency": "axios",
"title": "Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0",
"url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7",
"severity": "high",
"cwe": [
"CWE-183",
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117579,
"name": "axios",
"dependency": "axios",
"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams",
"url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw",
"severity": "low",
"cwe": [
"CWE-116",
"CWE-626"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117582,
"name": "axios",
"dependency": "axios",
"title": "Axios: no_proxy bypass via IP alias allows SSRF",
"url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117584,
"name": "axios",
"dependency": "axios",
"title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data",
"url": "https://github.com/advisories/GHSA-62hf-57xw-28j9",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.0"
},
{
"source": 1117586,
"name": "axios",
"dependency": "axios",
"title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0",
"url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117588,
"name": "axios",
"dependency": "axios",
"title": "Axios: HTTP adapter streamed responses bypass maxContentLength",
"url": "https://github.com/advisories/GHSA-vf2m-468p-8v99",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117590,
"name": "axios",
"dependency": "axios",
"title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking",
"url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117592,
"name": "axios",
"dependency": "axios",
"title": "Axios: Header Injection via Prototype Pollution",
"url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9",
"severity": "high",
"cwe": [
"CWE-113",
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117594,
"name": "axios",
"dependency": "axios",
"title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion",
"url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c",
"severity": "moderate",
"cwe": [
"CWE-183",
"CWE-201"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117857,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.30.2"
},
{
"source": 1119403,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
}
],
"effects": [
"openapi-validator"
],
"range": "<=0.31.0",
"nodes": [
"node_modules/axios"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"basic-ftp": {
"name": "basic-ftp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1118825,
"name": "basic-ftp",
"dependency": "basic-ftp",
"title": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering",
"url": "https://github.com/advisories/GHSA-rpmf-866q-6p89",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=5.3.0"
}
],
"effects": [],
"range": "<=5.3.0",
"nodes": [
"node_modules/basic-ftp"
],
"fixAvailable": true
},
"chai-openapi-response-validator": {
"name": "chai-openapi-response-validator",
"severity": "high",
"isDirect": true,
"via": [
"openapi-validator"
],
"effects": [],
"range": "0.11.2 || >=0.14.2-alpha.0",
"nodes": [
"node_modules/chai-openapi-response-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"engine.io": {
"name": "engine.io",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "0.7.8 - 0.7.9 || 6.0.0 - 6.6.7",
"nodes": [
"node_modules/engine.io"
],
"fixAvailable": true
},
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
"node_modules/fast-uri"
],
"fixAvailable": true
},
"fast-xml-builder": {
"name": "fast-xml-builder",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1118965,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes",
"url": "https://github.com/advisories/GHSA-5wm8-gmm8-39j9",
"severity": "high",
"cwe": [
"CWE-91",
"CWE-611"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=1.1.6"
},
{
"source": 1118966,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder Comment Value regex can be bypassed",
"url": "https://github.com/advisories/GHSA-45c6-75p6-83cc",
"severity": "moderate",
"cwe": [
"CWE-91"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "=1.1.5"
}
],
"effects": [],
"range": "<=1.1.6",
"nodes": [
"node_modules/fast-xml-builder"
],
"fixAvailable": true
},
"gaze": {
"name": "gaze",
"severity": "high",
"isDirect": false,
"via": [
"globule"
],
"effects": [
"grunt-contrib-watch"
],
"range": ">=0.4.0",
"nodes": [
"node_modules/gaze"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"globule": {
"name": "globule",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"gaze"
],
"range": "*",
"nodes": [
"node_modules/globule"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"grunt-contrib-watch": {
"name": "grunt-contrib-watch",
"severity": "high",
"isDirect": true,
"via": [
"gaze"
],
"effects": [],
"range": ">=0.5.0",
"nodes": [
"node_modules/grunt-contrib-watch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"http-proxy-agent": {
"name": "http-proxy-agent",
"severity": "low",
"isDirect": false,
"via": [
"@tootallnate/once"
],
"effects": [
"jsdom"
],
"range": "4.0.1 - 5.0.0",
"nodes": [
"node_modules/jsdom/node_modules/http-proxy-agent"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"ip-address": {
"name": "ip-address",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1118827,
"name": "ip-address",
"dependency": "ip-address",
"title": "ip-address has XSS in Address6 HTML-emitting methods",
"url": "https://github.com/advisories/GHSA-v2v4-37r5-5v8g",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.1.0"
}
],
"effects": [],
"range": "<=10.1.0",
"nodes": [
"node_modules/ip-address"
],
"fixAvailable": true
},
"jest-environment-jsdom": {
"name": "jest-environment-jsdom",
"severity": "low",
"isDirect": true,
"via": [
"jsdom"
],
"effects": [],
"range": "27.0.1 - 30.0.0-rc.1",
"nodes": [
"node_modules/jest-environment-jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"jsdom": {
"name": "jsdom",
"severity": "low",
"isDirect": false,
"via": [
"http-proxy-agent"
],
"effects": [
"jest-environment-jsdom"
],
"range": "16.6.0 - 22.1.0",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"globule"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/globule/node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@wdio/mocha-framework"
],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"openapi-validator": {
"name": "openapi-validator",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [
"chai-openapi-response-validator"
],
"range": ">=0.14.2-alpha.0",
"nodes": [
"node_modules/openapi-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115723,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"socket.io-adapter": {
"name": "socket.io-adapter",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "2.5.2 - 2.5.6",
"nodes": [
"node_modules/socket.io-adapter"
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119108,
"name": "ws",
"dependency": "ws",
"title": "ws: Uninitialized memory disclosure",
"url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx",
"severity": "moderate",
"cwe": [
"CWE-908"
],
"cvss": {
"score": 4.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=8.0.0 <8.20.1"
}
],
"effects": [
"engine.io",
"socket.io-adapter"
],
"range": "8.0.0 - 8.20.0",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 4,
"moderate": 4,
"high": 14,
"critical": 0,
"total": 22
},
"dependencies": {
"prod": 1,
"dev": 1718,
"optional": 38,
"peer": 1,
"peerOptional": 0,
"total": 1718
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
> MediaWiki\Composer\VersionChecker::onEvent
Loading composer repositories with package information
Updating dependencies
Lock file operations: 139 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.9)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
- Locking doctrine/dbal (3.10.5)
- Locking doctrine/deprecations (1.1.6)
- Locking doctrine/event-manager (2.1.1)
- Locking doctrine/instantiator (2.1.0)
- Locking doctrine/sql-formatter (1.5.4)
- Locking ergebnis/phpunit-slow-test-detector (2.24.0)
- Locking giorgiosironi/eris (0.14.1)
- Locking guzzlehttp/guzzle (7.10.0)
- Locking guzzlehttp/promises (2.4.1)
- Locking guzzlehttp/psr7 (2.10.1)
- Locking hamcrest/hamcrest-php (v2.1.1)
- Locking justinrainbow/json-schema (5.3.4)
- Locking lcobucci/jwt (5.6.0)
- Locking liuggio/statsd-php-client (v1.0.18)
- Locking mck89/peast (v1.17.5)
- Locking mediawiki/mediawiki-codesniffer (v50.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking monolog/monolog (2.11.0)
- Locking myclabs/deep-copy (1.13.4)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking nikic/php-parser (v5.7.0)
- Locking okvpn/clock-lts (1.0.0)
- Locking oojs/oojs-ui (v0.53.2)
- Locking pear/console_getopt (v1.4.3)
- Locking pear/mail (v2.0.0)
- Locking pear/mail_mime (1.10.12)
- Locking pear/net_smtp (1.12.2)
- Locking pear/net_socket (v1.2.2)
- Locking pear/net_url2 (v2.2.3)
- Locking pear/pear-core-minimal (v1.10.18)
- Locking pear/pear_exception (v1.0.2)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking phar-io/manifest (2.0.4)
- Locking phar-io/version (3.2.1)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.4.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking phpunit/php-code-coverage (9.2.32)
- Locking phpunit/php-file-iterator (3.0.6)
- Locking phpunit/php-invoker (3.1.1)
- Locking phpunit/php-text-template (2.0.4)
- Locking phpunit/php-timer (5.0.3)
- Locking phpunit/phpunit (9.6.34)
- Locking psr/cache (3.0.0)
- Locking psr/clock (1.0.0)
- Locking psr/container (2.0.2)
- Locking psr/http-client (1.0.3)
- Locking psr/http-factory (1.1.0)
- Locking psr/http-message (2.0)
- Locking psr/log (1.1.4)
- Locking psy/psysh (v0.12.22)
- Locking ralouphie/getallheaders (3.0.3)
- Locking sabre/event (6.1.0)
- Locking sebastian/cli-parser (1.0.2)
- Locking sebastian/code-unit (1.0.8)
- Locking sebastian/code-unit-reverse-lookup (2.0.3)
- Locking sebastian/comparator (4.0.10)
- Locking sebastian/complexity (2.0.3)
- Locking sebastian/diff (4.0.6)
- Locking sebastian/environment (5.1.5)
- Locking sebastian/exporter (4.0.8)
- Locking sebastian/global-state (5.0.8)
- Locking sebastian/lines-of-code (1.0.4)
- Locking sebastian/object-enumerator (4.0.4)
- Locking sebastian/object-reflector (2.0.4)
- Locking sebastian/recursion-context (4.0.6)
- Locking sebastian/resource-operations (3.0.4)
- Locking sebastian/type (3.2.1)
- Locking sebastian/version (3.0.2)
- Locking seld/jsonlint (1.11.0)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v7.4.11)
- Locking symfony/deprecation-contracts (v3.7.0)
- Locking symfony/polyfill-php84 (v1.37.0)
- Locking symfony/polyfill-php85 (v1.37.0)
- Locking symfony/service-contracts (v3.7.0)
- Locking symfony/string (v7.3.8)
- Locking symfony/var-dumper (v8.0.8)
- Locking symfony/yaml (v7.4.12)
- Locking theseer/tokenizer (1.3.1)
- Locking webmozart/assert (2.4.0)
- Locking wikimedia/alea (1.0.1)
- Locking wikimedia/assert (v0.5.1)
- Locking wikimedia/at-ease (v3.0.0)
- Locking wikimedia/base-convert (v2.0.2)
- Locking wikimedia/bcp-47-code (v2.0.3)
- Locking wikimedia/cdb (3.0.0)
- Locking wikimedia/cldr-plural-rule-parser (v3.0.0)
- Locking wikimedia/codex (v0.7.1)
- Locking wikimedia/common-passwords (v0.5.1)
- Locking wikimedia/composer-merge-plugin (v2.1.0)
- Locking wikimedia/css-sanitizer (v6.2.1)
- Locking wikimedia/cssjanus (v2.3.0)
- Locking wikimedia/html-formatter (4.1.0)
- Locking wikimedia/idle-dom (v2.1.1)
- Locking wikimedia/ip-utils (6.0.1)
- Locking wikimedia/json-codec (v4.0.0)
- Locking wikimedia/langconv (0.5.0)
- Locking wikimedia/language-data (1.1.13)
- Locking wikimedia/less.php (v5.5.1)
- Locking wikimedia/minify (2.10.0)
- Locking wikimedia/normalized-exception (v2.1.1)
- Locking wikimedia/object-factory (v6.0.0)
- Locking wikimedia/parsoid (v0.23.0)
- Locking wikimedia/php-session-serializer (v3.0.2)
- Locking wikimedia/purtle (v2.0.0)
- Locking wikimedia/relpath (4.1.1)
- Locking wikimedia/remex-html (6.0.0)
- Locking wikimedia/request-timeout (v3.0.0)
- Locking wikimedia/running-stat (v2.2.0)
- Locking wikimedia/scoped-callback (v5.0.0)
- Locking wikimedia/services (4.0.0)
- Locking wikimedia/shellbox (4.4.0)
- Locking wikimedia/testing-access-wrapper (4.0.0)
- Locking wikimedia/timestamp (v5.1.0)
- Locking wikimedia/utfnormal (4.0.0)
- Locking wikimedia/wait-condition-loop (v2.0.2)
- Locking wikimedia/wikipeg (6.1.2)
- Locking wikimedia/wrappedstring (v4.1.0)
- Locking wikimedia/xmp-reader (0.10.3)
- Locking wikimedia/zest-css (4.1.1)
- Locking wmde/hamcrest-html-matchers (v1.1.0)
- Locking zordius/lightncandy (v1.2.6)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 70 installs, 5 updates, 20 removals
- Downloading doctrine/dbal (3.10.5)
- Downloading doctrine/sql-formatter (1.5.4)
- Downloading ergebnis/phpunit-slow-test-detector (2.24.0)
0/3 [>---------------------------] 0%
3/3 [============================] 100%
- Removing wikimedia/equivset (1.7.1)
- Removing web-auth/webauthn-lib (5.2.4)
- Removing web-auth/cose-lib (4.5.0)
- Removing symfony/uid (v7.4.9)
- Removing symfony/type-info (v7.4.9)
- Removing symfony/serializer (v7.4.10)
- Removing symfony/property-info (v7.4.8)
- Removing symfony/property-access (v7.4.8)
- Removing symfony/clock (v7.4.8)
- Removing spomky-labs/pki-framework (1.4.1)
- Removing spomky-labs/cbor-php (3.2.2)
- Removing psr/event-dispatcher (1.0.0)
- Removing paragonie/constant_time_encoding (v3.1.3)
- Removing jakobo/hotp-php (v2.0.0)
- Removing firebase/php-jwt (v7.0.3)
- Removing endroid/qr-code (6.0.9)
- Removing dasprid/enum (1.0.7)
- Removing christian-riesen/base32 (1.6.0)
- Removing brick/math (0.14.8)
- Removing bacon/bacon-qr-code (v3.0.4)
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
0/11 [>---------------------------] 0%
10/11 [=========================>--] 90%
11/11 [============================] 100%
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing psr/cache (3.0.0): Extracting archive
- Installing doctrine/event-manager (2.1.1): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing doctrine/dbal (3.10.5): Extracting archive
- Installing doctrine/sql-formatter (1.5.4): Extracting archive
- Installing sebastian/version (3.0.2): Extracting archive
- Installing sebastian/type (3.2.1): Extracting archive
- Installing sebastian/resource-operations (3.0.4): Extracting archive
- Installing sebastian/recursion-context (4.0.6): Extracting archive
- Installing sebastian/object-reflector (2.0.4): Extracting archive
- Installing sebastian/object-enumerator (4.0.4): Extracting archive
- Installing sebastian/global-state (5.0.8): Extracting archive
- Installing sebastian/exporter (4.0.8): Extracting archive
- Installing sebastian/environment (5.1.5): Extracting archive
- Installing sebastian/diff (4.0.6): Extracting archive
- Installing sebastian/comparator (4.0.10): Extracting archive
- Installing sebastian/code-unit (1.0.8): Extracting archive
- Installing sebastian/cli-parser (1.0.2): Extracting archive
- Installing phpunit/php-timer (5.0.3): Extracting archive
- Installing phpunit/php-text-template (2.0.4): Extracting archive
- Installing phpunit/php-invoker (3.1.1): Extracting archive
- Installing phpunit/php-file-iterator (3.0.6): Extracting archive
- Installing theseer/tokenizer (1.3.1): Extracting archive
- Installing nikic/php-parser (v5.7.0): Extracting archive
- Installing sebastian/lines-of-code (1.0.4): Extracting archive
- Installing sebastian/complexity (2.0.3): Extracting archive
- Installing sebastian/code-unit-reverse-lookup (2.0.3): Extracting archive
- Installing phpunit/php-code-coverage (9.2.32): Extracting archive
- Installing phar-io/version (3.2.1): Extracting archive
- Installing phar-io/manifest (2.0.4): Extracting archive
- Installing myclabs/deep-copy (1.13.4): Extracting archive
- Installing doctrine/instantiator (2.1.0): Extracting archive
- Installing phpunit/phpunit (9.6.34): Extracting archive
- Installing ergebnis/phpunit-slow-test-detector (2.24.0): Extracting archive
- Installing giorgiosironi/eris (0.14.1): Extracting archive
- Upgrading guzzlehttp/promises (2.3.0 => 2.4.1): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing composer/spdx-licenses (1.5.9): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v50.0.0): Extracting archive
- Downgrading symfony/string (v7.4.11 => v7.3.8): Extracting archive
- Upgrading symfony/deprecation-contracts (v3.6.0 => v3.7.0): Extracting archive
- Installing symfony/service-contracts (v3.7.0): Extracting archive
- Installing symfony/console (v7.4.11): Extracting archive
- Installing sabre/event (6.1.0): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.4.0): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
- Installing symfony/var-dumper (v8.0.8): Extracting archive
- Installing psy/psysh (v0.12.22): Extracting archive
- Installing seld/jsonlint (1.11.0): Extracting archive
- Installing wikimedia/alea (1.0.1): Extracting archive
- Upgrading guzzlehttp/psr7 (2.9.0 => 2.10.1): Extracting archive
- Installing wikimedia/langconv (0.5.0): Extracting archive
- Upgrading wikimedia/wikipeg (6.1.1 => 6.1.2): Extracting archive
- Installing wikimedia/testing-access-wrapper (4.0.0): Extracting archive
- Installing hamcrest/hamcrest-php (v2.1.1): Extracting archive
- Installing wmde/hamcrest-html-matchers (v1.1.0): Extracting archive
0/73 [>---------------------------] 0%
9/73 [===>------------------------] 12%
19/73 [=======>--------------------] 26%
30/73 [===========>----------------] 41%
40/73 [===============>------------] 54%
49/73 [==================>---------] 67%
60/73 [=======================>----] 82%
72/73 [===========================>] 98%
73/73 [============================] 100%
21 package suggestions were added by new dependencies, use `composer suggest` to see details.
Package pear/net_socket is abandoned, you should avoid using it. No replacement was suggested.
Generating optimized autoload files
50 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
> MediaWiki\Composer\ComposerVendorHtaccessCreator::onEvent
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/plugin-transform-modules-systemjs": {
"name": "@babel/plugin-transform-modules-systemjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117908,
"name": "@babel/plugin-transform-modules-systemjs",
"dependency": "@babel/plugin-transform-modules-systemjs",
"title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input",
"url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
},
"range": ">=7.12.0 <=7.29.3"
}
],
"effects": [],
"range": "7.12.0 - 7.29.0",
"nodes": [
"node_modules/@babel/plugin-transform-modules-systemjs"
],
"fixAvailable": true
},
"@tootallnate/once": {
"name": "@tootallnate/once",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113977,
"name": "@tootallnate/once",
"dependency": "@tootallnate/once",
"title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6",
"severity": "low",
"cwe": [
"CWE-705"
],
"cvss": {
"score": 3.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<3.0.1"
}
],
"effects": [
"http-proxy-agent"
],
"range": "<3.0.1",
"nodes": [
"node_modules/@tootallnate/once"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"@wdio/mocha-framework": {
"name": "@wdio/mocha-framework",
"severity": "high",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": ">=6.1.19",
"nodes": [
"node_modules/@wdio/mocha-framework"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
},
{
"source": 1116672,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1117573,
"name": "axios",
"dependency": "axios",
"title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy",
"url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117575,
"name": "axios",
"dependency": "axios",
"title": "Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0",
"url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7",
"severity": "high",
"cwe": [
"CWE-183",
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117579,
"name": "axios",
"dependency": "axios",
"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams",
"url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw",
"severity": "low",
"cwe": [
"CWE-116",
"CWE-626"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117582,
"name": "axios",
"dependency": "axios",
"title": "Axios: no_proxy bypass via IP alias allows SSRF",
"url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117584,
"name": "axios",
"dependency": "axios",
"title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data",
"url": "https://github.com/advisories/GHSA-62hf-57xw-28j9",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.0"
},
{
"source": 1117586,
"name": "axios",
"dependency": "axios",
"title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0",
"url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117588,
"name": "axios",
"dependency": "axios",
"title": "Axios: HTTP adapter streamed responses bypass maxContentLength",
"url": "https://github.com/advisories/GHSA-vf2m-468p-8v99",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117590,
"name": "axios",
"dependency": "axios",
"title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking",
"url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117592,
"name": "axios",
"dependency": "axios",
"title": "Axios: Header Injection via Prototype Pollution",
"url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9",
"severity": "high",
"cwe": [
"CWE-113",
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117594,
"name": "axios",
"dependency": "axios",
"title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion",
"url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c",
"severity": "moderate",
"cwe": [
"CWE-183",
"CWE-201"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117857,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.30.2"
},
{
"source": 1119403,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
}
],
"effects": [
"openapi-validator"
],
"range": "<=0.31.0",
"nodes": [
"node_modules/axios"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"basic-ftp": {
"name": "basic-ftp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1118825,
"name": "basic-ftp",
"dependency": "basic-ftp",
"title": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering",
"url": "https://github.com/advisories/GHSA-rpmf-866q-6p89",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=5.3.0"
}
],
"effects": [],
"range": "<=5.3.0",
"nodes": [
"node_modules/basic-ftp"
],
"fixAvailable": true
},
"chai-openapi-response-validator": {
"name": "chai-openapi-response-validator",
"severity": "high",
"isDirect": true,
"via": [
"openapi-validator"
],
"effects": [],
"range": "0.11.2 || >=0.14.2-alpha.0",
"nodes": [
"node_modules/chai-openapi-response-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"engine.io": {
"name": "engine.io",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "0.7.8 - 0.7.9 || 6.0.0 - 6.6.7",
"nodes": [
"node_modules/engine.io"
],
"fixAvailable": true
},
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
"node_modules/fast-uri"
],
"fixAvailable": true
},
"fast-xml-builder": {
"name": "fast-xml-builder",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1118965,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes",
"url": "https://github.com/advisories/GHSA-5wm8-gmm8-39j9",
"severity": "high",
"cwe": [
"CWE-91",
"CWE-611"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=1.1.6"
},
{
"source": 1118966,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder Comment Value regex can be bypassed",
"url": "https://github.com/advisories/GHSA-45c6-75p6-83cc",
"severity": "moderate",
"cwe": [
"CWE-91"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "=1.1.5"
}
],
"effects": [],
"range": "<=1.1.6",
"nodes": [
"node_modules/fast-xml-builder"
],
"fixAvailable": true
},
"gaze": {
"name": "gaze",
"severity": "high",
"isDirect": false,
"via": [
"globule"
],
"effects": [
"grunt-contrib-watch"
],
"range": ">=0.4.0",
"nodes": [
"node_modules/gaze"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"globule": {
"name": "globule",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"gaze"
],
"range": "*",
"nodes": [
"node_modules/globule"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"grunt-contrib-watch": {
"name": "grunt-contrib-watch",
"severity": "high",
"isDirect": true,
"via": [
"gaze"
],
"effects": [],
"range": ">=0.5.0",
"nodes": [
"node_modules/grunt-contrib-watch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"http-proxy-agent": {
"name": "http-proxy-agent",
"severity": "low",
"isDirect": false,
"via": [
"@tootallnate/once"
],
"effects": [
"jsdom"
],
"range": "4.0.1 - 5.0.0",
"nodes": [
"node_modules/jsdom/node_modules/http-proxy-agent"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"ip-address": {
"name": "ip-address",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1118827,
"name": "ip-address",
"dependency": "ip-address",
"title": "ip-address has XSS in Address6 HTML-emitting methods",
"url": "https://github.com/advisories/GHSA-v2v4-37r5-5v8g",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.1.0"
}
],
"effects": [],
"range": "<=10.1.0",
"nodes": [
"node_modules/ip-address"
],
"fixAvailable": true
},
"jest-environment-jsdom": {
"name": "jest-environment-jsdom",
"severity": "low",
"isDirect": true,
"via": [
"jsdom"
],
"effects": [],
"range": "27.0.1 - 30.0.0-rc.1",
"nodes": [
"node_modules/jest-environment-jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"jsdom": {
"name": "jsdom",
"severity": "low",
"isDirect": false,
"via": [
"http-proxy-agent"
],
"effects": [
"jest-environment-jsdom"
],
"range": "16.6.0 - 22.1.0",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"globule"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/globule/node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@wdio/mocha-framework"
],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"openapi-validator": {
"name": "openapi-validator",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [
"chai-openapi-response-validator"
],
"range": ">=0.14.2-alpha.0",
"nodes": [
"node_modules/openapi-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115723,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"socket.io-adapter": {
"name": "socket.io-adapter",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "2.5.2 - 2.5.6",
"nodes": [
"node_modules/socket.io-adapter"
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119108,
"name": "ws",
"dependency": "ws",
"title": "ws: Uninitialized memory disclosure",
"url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx",
"severity": "moderate",
"cwe": [
"CWE-908"
],
"cvss": {
"score": 4.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=8.0.0 <8.20.1"
}
],
"effects": [
"engine.io",
"socket.io-adapter"
],
"range": "8.0.0 - 8.20.0",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 4,
"moderate": 4,
"high": 14,
"critical": 0,
"total": 22
},
"dependencies": {
"prod": 1,
"dev": 1718,
"optional": 38,
"peer": 1,
"peerOptional": 0,
"total": 1718
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---
{
"added": 1716,
"removed": 0,
"changed": 0,
"audited": 1717,
"funding": 234,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/plugin-transform-modules-systemjs": {
"name": "@babel/plugin-transform-modules-systemjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117908,
"name": "@babel/plugin-transform-modules-systemjs",
"dependency": "@babel/plugin-transform-modules-systemjs",
"title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input",
"url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
},
"range": ">=7.12.0 <=7.29.3"
}
],
"effects": [],
"range": "7.12.0 - 7.29.0",
"nodes": [
""
],
"fixAvailable": true
},
"@tootallnate/once": {
"name": "@tootallnate/once",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1113977,
"name": "@tootallnate/once",
"dependency": "@tootallnate/once",
"title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6",
"severity": "low",
"cwe": [
"CWE-705"
],
"cvss": {
"score": 3.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<3.0.1"
}
],
"effects": [
"http-proxy-agent"
],
"range": "<3.0.1",
"nodes": [
""
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"@wdio/mocha-framework": {
"name": "@wdio/mocha-framework",
"severity": "high",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": ">=6.1.19",
"nodes": [
"node_modules/@wdio/mocha-framework"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
},
{
"source": 1111034,
"name": "axios",
"dependency": "axios",
"title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
"url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.30.0"
},
{
"source": 1116672,
"name": "axios",
"dependency": "axios",
"title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5",
"severity": "moderate",
"cwe": [
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
},
{
"source": 1117573,
"name": "axios",
"dependency": "axios",
"title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy",
"url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63",
"severity": "moderate",
"cwe": [
"CWE-287",
"CWE-1321"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117575,
"name": "axios",
"dependency": "axios",
"title": "Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0",
"url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7",
"severity": "high",
"cwe": [
"CWE-183",
"CWE-441",
"CWE-918"
],
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117579,
"name": "axios",
"dependency": "axios",
"title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams",
"url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw",
"severity": "low",
"cwe": [
"CWE-116",
"CWE-626"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117582,
"name": "axios",
"dependency": "axios",
"title": "Axios: no_proxy bypass via IP alias allows SSRF",
"url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117584,
"name": "axios",
"dependency": "axios",
"title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data",
"url": "https://github.com/advisories/GHSA-62hf-57xw-28j9",
"severity": "moderate",
"cwe": [
"CWE-674"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.31.0"
},
{
"source": 1117586,
"name": "axios",
"dependency": "axios",
"title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0",
"url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117588,
"name": "axios",
"dependency": "axios",
"title": "Axios: HTTP adapter streamed responses bypass maxContentLength",
"url": "https://github.com/advisories/GHSA-vf2m-468p-8v99",
"severity": "moderate",
"cwe": [
"CWE-770"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=0.31.0"
},
{
"source": 1117590,
"name": "axios",
"dependency": "axios",
"title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking",
"url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117592,
"name": "axios",
"dependency": "axios",
"title": "Axios: Header Injection via Prototype Pollution",
"url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9",
"severity": "high",
"cwe": [
"CWE-113",
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117594,
"name": "axios",
"dependency": "axios",
"title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion",
"url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c",
"severity": "moderate",
"cwe": [
"CWE-183",
"CWE-201"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<=0.31.0"
},
{
"source": 1117857,
"name": "axios",
"dependency": "axios",
"title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"url": "https://github.com/advisories/GHSA-43fc-jf86-j433",
"severity": "high",
"cwe": [
"CWE-754",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=0.30.2"
},
{
"source": 1119403,
"name": "axios",
"dependency": "axios",
"title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
"url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx",
"severity": "moderate",
"cwe": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"cvss": {
"score": 4.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<0.31.0"
}
],
"effects": [
"openapi-validator"
],
"range": "<=0.31.0",
"nodes": [
"node_modules/axios"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"basic-ftp": {
"name": "basic-ftp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1118825,
"name": "basic-ftp",
"dependency": "basic-ftp",
"title": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering",
"url": "https://github.com/advisories/GHSA-rpmf-866q-6p89",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=5.3.0"
}
],
"effects": [],
"range": "<=5.3.0",
"nodes": [
""
],
"fixAvailable": true
},
"chai-openapi-response-validator": {
"name": "chai-openapi-response-validator",
"severity": "high",
"isDirect": true,
"via": [
"openapi-validator"
],
"effects": [],
"range": "0.11.2 || >=0.14.2-alpha.0",
"nodes": [
"node_modules/chai-openapi-response-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"engine.io": {
"name": "engine.io",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "0.7.8 - 0.7.9 || 6.0.0 - 6.6.7",
"nodes": [
""
],
"fixAvailable": true
},
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
""
],
"fixAvailable": true
},
"fast-xml-builder": {
"name": "fast-xml-builder",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1118965,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes",
"url": "https://github.com/advisories/GHSA-5wm8-gmm8-39j9",
"severity": "high",
"cwe": [
"CWE-91",
"CWE-611"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=1.1.6"
},
{
"source": 1118966,
"name": "fast-xml-builder",
"dependency": "fast-xml-builder",
"title": "fast-xml-builder Comment Value regex can be bypassed",
"url": "https://github.com/advisories/GHSA-45c6-75p6-83cc",
"severity": "moderate",
"cwe": [
"CWE-91"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "=1.1.5"
}
],
"effects": [],
"range": "<=1.1.6",
"nodes": [
""
],
"fixAvailable": true
},
"gaze": {
"name": "gaze",
"severity": "high",
"isDirect": false,
"via": [
"globule"
],
"effects": [
"grunt-contrib-watch"
],
"range": ">=0.4.0",
"nodes": [
"node_modules/gaze"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"globule": {
"name": "globule",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"gaze"
],
"range": "*",
"nodes": [
"node_modules/globule"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"grunt-contrib-watch": {
"name": "grunt-contrib-watch",
"severity": "high",
"isDirect": true,
"via": [
"gaze"
],
"effects": [],
"range": ">=0.5.0",
"nodes": [
"node_modules/grunt-contrib-watch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"http-proxy-agent": {
"name": "http-proxy-agent",
"severity": "low",
"isDirect": false,
"via": [
"@tootallnate/once"
],
"effects": [
"jsdom"
],
"range": "4.0.1 - 5.0.0",
"nodes": [
"node_modules/jsdom/node_modules/http-proxy-agent"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"ip-address": {
"name": "ip-address",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1118827,
"name": "ip-address",
"dependency": "ip-address",
"title": "ip-address has XSS in Address6 HTML-emitting methods",
"url": "https://github.com/advisories/GHSA-v2v4-37r5-5v8g",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.1.0"
}
],
"effects": [],
"range": "<=10.1.0",
"nodes": [
""
],
"fixAvailable": true
},
"jest-environment-jsdom": {
"name": "jest-environment-jsdom",
"severity": "low",
"isDirect": true,
"via": [
"jsdom"
],
"effects": [],
"range": "27.0.1 - 30.0.0-rc.1",
"nodes": [
"node_modules/jest-environment-jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"jsdom": {
"name": "jsdom",
"severity": "low",
"isDirect": false,
"via": [
"http-proxy-agent"
],
"effects": [
"jest-environment-jsdom"
],
"range": "16.6.0 - 22.1.0",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jest-environment-jsdom",
"version": "30.4.1",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"globule"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/globule/node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "high",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@wdio/mocha-framework"
],
"range": "8.0.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"openapi-validator": {
"name": "openapi-validator",
"severity": "high",
"isDirect": false,
"via": [
"axios"
],
"effects": [
"chai-openapi-response-validator"
],
"range": ">=0.14.2-alpha.0",
"nodes": [
"node_modules/openapi-validator"
],
"fixAvailable": {
"name": "chai-openapi-response-validator",
"version": "0.14.1",
"isSemVerMajor": true
}
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1115723,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<7.0.5"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "6.1.17",
"isSemVerMajor": true
}
},
"socket.io-adapter": {
"name": "socket.io-adapter",
"severity": "moderate",
"isDirect": false,
"via": [
"ws"
],
"effects": [],
"range": "2.5.2 - 2.5.6",
"nodes": [
""
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1119108,
"name": "ws",
"dependency": "ws",
"title": "ws: Uninitialized memory disclosure",
"url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx",
"severity": "moderate",
"cwe": [
"CWE-908"
],
"cvss": {
"score": 4.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=8.0.0 <8.20.1"
}
],
"effects": [
"engine.io",
"socket.io-adapter"
],
"range": "8.0.0 - 8.20.0",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 4,
"moderate": 4,
"high": 14,
"critical": 0,
"total": 22
},
"dependencies": {
"prod": 1,
"dev": 1716,
"optional": 38,
"peer": 1,
"peerOptional": 0,
"total": 1716
}
}
}
}
--- end ---
{"added": 1716, "removed": 0, "changed": 0, "audited": 1717, "funding": 234, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@babel/plugin-transform-modules-systemjs": {"name": "@babel/plugin-transform-modules-systemjs", "severity": "high", "isDirect": false, "via": [{"source": 1117908, "name": "@babel/plugin-transform-modules-systemjs", "dependency": "@babel/plugin-transform-modules-systemjs", "title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input", "url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp", "severity": "high", "cwe": ["CWE-94", "CWE-843"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}, "range": ">=7.12.0 <=7.29.3"}], "effects": [], "range": "7.12.0 - 7.29.0", "nodes": [""], "fixAvailable": true}, "@tootallnate/once": {"name": "@tootallnate/once", "severity": "low", "isDirect": false, "via": [{"source": 1113977, "name": "@tootallnate/once", "dependency": "@tootallnate/once", "title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping", "url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6", "severity": "low", "cwe": ["CWE-705"], "cvss": {"score": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": "<3.0.1"}], "effects": ["http-proxy-agent"], "range": "<3.0.1", "nodes": [""], "fixAvailable": {"name": "jest-environment-jsdom", "version": "30.4.1", "isSemVerMajor": true}}, "@wdio/mocha-framework": {"name": "@wdio/mocha-framework", "severity": "high", "isDirect": true, "via": ["mocha"], "effects": [], "range": ">=6.1.19", "nodes": ["node_modules/@wdio/mocha-framework"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "axios": {"name": "axios", "severity": "high", "isDirect": false, "via": [{"source": 1097679, "name": "axios", "dependency": "axios", "title": "Axios Cross-Site Request Forgery Vulnerability", "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", "severity": "moderate", "cwe": ["CWE-352"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "range": ">=0.8.1 <0.28.0"}, {"source": 1111034, "name": "axios", "dependency": "axios", "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL", "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6", "severity": "high", "cwe": ["CWE-918"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.30.0"}, {"source": 1116672, "name": "axios", "dependency": "axios", "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF", "url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5", "severity": "moderate", "cwe": ["CWE-441", "CWE-918"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<0.31.0"}, {"source": 1117573, "name": "axios", "dependency": "axios", "title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy", "url": "https://github.com/advisories/GHSA-w9j2-pvgh-6h63", "severity": "moderate", "cwe": ["CWE-287", "CWE-1321"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117575, "name": "axios", "dependency": "axios", "title": "Axios: Incomplete Fix for CVE-2025-62718 \u2014 NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0", "url": "https://github.com/advisories/GHSA-pmwg-cvhr-8vh7", "severity": "high", "cwe": ["CWE-183", "CWE-441", "CWE-918"], "cvss": {"score": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117579, "name": "axios", "dependency": "axios", "title": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams", "url": "https://github.com/advisories/GHSA-xhjh-pmcv-23jw", "severity": "low", "cwe": ["CWE-116", "CWE-626"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117582, "name": "axios", "dependency": "axios", "title": "Axios: no_proxy bypass via IP alias allows SSRF", "url": "https://github.com/advisories/GHSA-m7pr-hjqh-92cm", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}, "range": "<=0.31.0"}, {"source": 1117584, "name": "axios", "dependency": "axios", "title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data", "url": "https://github.com/advisories/GHSA-62hf-57xw-28j9", "severity": "moderate", "cwe": ["CWE-674"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=0.31.0"}, {"source": 1117586, "name": "axios", "dependency": "axios", "title": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0", "url": "https://github.com/advisories/GHSA-5c9x-8gcm-mpgx", "severity": "moderate", "cwe": ["CWE-770"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<=0.31.0"}, {"source": 1117588, "name": "axios", "dependency": "axios", "title": "Axios: HTTP adapter streamed responses bypass maxContentLength", "url": "https://github.com/advisories/GHSA-vf2m-468p-8v99", "severity": "moderate", "cwe": ["CWE-770"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<=0.31.0"}, {"source": 1117590, "name": "axios", "dependency": "axios", "title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking", "url": "https://github.com/advisories/GHSA-pf86-5x62-jrwf", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "range": "<=0.31.0"}, {"source": 1117592, "name": "axios", "dependency": "axios", "title": "Axios: Header Injection via Prototype Pollution", "url": "https://github.com/advisories/GHSA-6chq-wfr3-2hj9", "severity": "high", "cwe": ["CWE-113", "CWE-1321"], "cvss": {"score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "range": "<=0.31.0"}, {"source": 1117594, "name": "axios", "dependency": "axios", "title": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion", "url": "https://github.com/advisories/GHSA-xx6v-rp6x-q39c", "severity": "moderate", "cwe": ["CWE-183", "CWE-201"], "cvss": {"score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "range": "<=0.31.0"}, {"source": 1117857, "name": "axios", "dependency": "axios", "title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig", "url": "https://github.com/advisories/GHSA-43fc-jf86-j433", "severity": "high", "cwe": ["CWE-754", "CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=0.30.2"}, {"source": 1119403, "name": "axios", "dependency": "axios", "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain", "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx", "severity": "moderate", "cwe": ["CWE-113", "CWE-444", "CWE-918"], "cvss": {"score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<0.31.0"}], "effects": ["openapi-validator"], "range": "<=0.31.0", "nodes": ["node_modules/axios"], "fixAvailable": {"name": "chai-openapi-response-validator", "version": "0.14.1", "isSemVerMajor": true}}, "basic-ftp": {"name": "basic-ftp", "severity": "high", "isDirect": false, "via": [{"source": 1118825, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering", "url": "https://github.com/advisories/GHSA-rpmf-866q-6p89", "severity": "high", "cwe": ["CWE-400", "CWE-770"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=5.3.0"}], "effects": [], "range": "<=5.3.0", "nodes": [""], "fixAvailable": true}, "chai-openapi-response-validator": {"name": "chai-openapi-response-validator", "severity": "high", "isDirect": true, "via": ["openapi-validator"], "effects": [], "range": "0.11.2 || >=0.14.2-alpha.0", "nodes": ["node_modules/chai-openapi-response-validator"], "fixAvailable": {"name": "chai-openapi-response-validator", "version": "0.14.1", "isSemVerMajor": true}}, "engine.io": {"name": "engine.io", "severity": "moderate", "isDirect": false, "via": ["ws"], "effects": [], "range": "0.7.8 - 0.7.9 || 6.0.0 - 6.6.7", "nodes": [""], "fixAvailable": true}, "fast-uri": {"name": "fast-uri", "severity": "high", "isDirect": false, "via": [{"source": 1117870, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to path traversal via percent-encoded dot segments", "url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.0"}, {"source": 1117884, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters", "url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc", "severity": "high", "cwe": ["CWE-436"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.1"}], "effects": [], "range": "<=3.1.1", "nodes": [""], "fixAvailable": true}, "fast-xml-builder": {"name": "fast-xml-builder", "severity": "high", "isDirect": false, "via": [{"source": 1118965, "name": "fast-xml-builder", "dependency": "fast-xml-builder", "title": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes", "url": "https://github.com/advisories/GHSA-5wm8-gmm8-39j9", "severity": "high", "cwe": ["CWE-91", "CWE-611"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=1.1.6"}, {"source": 1118966, "name": "fast-xml-builder", "dependency": "fast-xml-builder", "title": "fast-xml-builder Comment Value regex can be bypassed", "url": "https://github.com/advisories/GHSA-45c6-75p6-83cc", "severity": "moderate", "cwe": ["CWE-91"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "=1.1.5"}], "effects": [], "range": "<=1.1.6", "nodes": [""], "fixAvailable": true}, "gaze": {"name": "gaze", "severity": "high", "isDirect": false, "via": ["globule"], "effects": ["grunt-contrib-watch"], "range": ">=0.4.0", "nodes": ["node_modules/gaze"], "fixAvailable": {"name": "grunt-contrib-watch", "version": "0.4.4", "isSemVerMajor": true}}, "globule": {"name": "globule", "severity": "high", "isDirect": false, "via": ["minimatch"], "effects": ["gaze"], "range": "*", "nodes": ["node_modules/globule"], "fixAvailable": {"name": "grunt-contrib-watch", "version": "0.4.4", "isSemVerMajor": true}}, "grunt-contrib-watch": {"name": "grunt-contrib-watch", "severity": "high", "isDirect": true, "via": ["gaze"], "effects": [], "range": ">=0.5.0", "nodes": ["node_modules/grunt-contrib-watch"], "fixAvailable": {"name": "grunt-contrib-watch", "version": "0.4.4", "isSemVerMajor": true}}, "http-proxy-agent": {"name": "http-proxy-agent", "severity": "low", "isDirect": false, "via": ["@tootallnate/once"], "effects": ["jsdom"], "range": "4.0.1 - 5.0.0", "nodes": ["node_modules/jsdom/node_modules/http-proxy-agent"], "fixAvailable": {"name": "jest-environment-jsdom", "version": "30.4.1", "isSemVerMajor": true}}, "ip-address": {"name": "ip-address", "severity": "moderate", "isDirect": false, "via": [{"source": 1118827, "name": "ip-address", "dependency": "ip-address", "title": "ip-address has XSS in Address6 HTML-emitting methods", "url": "https://github.com/advisories/GHSA-v2v4-37r5-5v8g", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 0, "vectorString": null}, "range": "<=10.1.0"}], "effects": [], "range": "<=10.1.0", "nodes": [""], "fixAvailable": true}, "jest-environment-jsdom": {"name": "jest-environment-jsdom", "severity": "low", "isDirect": true, "via": ["jsdom"], "effects": [], "range": "27.0.1 - 30.0.0-rc.1", "nodes": ["node_modules/jest-environment-jsdom"], "fixAvailable": {"name": "jest-environment-jsdom", "version": "30.4.1", "isSemVerMajor": true}}, "jsdom": {"name": "jsdom", "severity": "low", "isDirect": false, "via": ["http-proxy-agent"], "effects": ["jest-environment-jsdom"], "range": "16.6.0 - 22.1.0", "nodes": ["node_modules/jsdom"], "fixAvailable": {"name": "jest-environment-jsdom", "version": "30.4.1", "isSemVerMajor": true}}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}], "effects": ["globule"], "range": "<=3.1.3", "nodes": ["node_modules/globule/node_modules/minimatch"], "fixAvailable": {"name": "grunt-contrib-watch", "version": "0.4.4", "isSemVerMajor": true}}, "mocha": {"name": "mocha", "severity": "high", "isDirect": false, "via": ["serialize-javascript"], "effects": ["@wdio/mocha-framework"], "range": "8.0.0 - 12.0.0-beta-2", "nodes": ["node_modules/mocha"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "openapi-validator": {"name": "openapi-validator", "severity": "high", "isDirect": false, "via": ["axios"], "effects": ["chai-openapi-response-validator"], "range": ">=0.14.2-alpha.0", "nodes": ["node_modules/openapi-validator"], "fixAvailable": {"name": "chai-openapi-response-validator", "version": "0.14.1", "isSemVerMajor": true}}, "serialize-javascript": {"name": "serialize-javascript", "severity": "high", "isDirect": false, "via": [{"source": 1113686, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()", "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", "severity": "high", "cwe": ["CWE-96"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<=7.0.2"}, {"source": 1115723, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects", "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v", "severity": "moderate", "cwe": ["CWE-400", "CWE-834"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<7.0.5"}], "effects": ["mocha"], "range": "<=7.0.4", "nodes": ["node_modules/serialize-javascript"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "socket.io-adapter": {"name": "socket.io-adapter", "severity": "moderate", "isDirect": false, "via": ["ws"], "effects": [], "range": "2.5.2 - 2.5.6", "nodes": [""], "fixAvailable": true}, "ws": {"name": "ws", "severity": "moderate", "isDirect": false, "via": [{"source": 1119108, "name": "ws", "dependency": "ws", "title": "ws: Uninitialized memory disclosure", "url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx", "severity": "moderate", "cwe": ["CWE-908"], "cvss": {"score": 4.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"}, "range": ">=8.0.0 <8.20.1"}], "effects": ["engine.io", "socket.io-adapter"], "range": "8.0.0 - 8.20.0", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 4, "moderate": 4, "high": 14, "critical": 0, "total": 22}, "dependencies": {"prod": 1, "dev": 1716, "optional": 38, "peer": 1, "peerOptional": 0, "total": 1716}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated osenv@0.1.5: This package is no longer supported.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated whatwg-encoding@3.1.1: Use @exodus/bytes instead for a more spec-conformant and faster implementation
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated supertest@7.1.0: Please upgrade to supertest v7.1.3+, see release notes at https://github.com/forwardemail/supertest/releases/tag/v7.1.3 - maintenance is supported by Forward Email @ https://forwardemail.net
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated superagent@9.0.2: Please upgrade to superagent v10.2.2+, see release notes at https://github.com/forwardemail/superagent/releases/tag/v10.2.2 - maintenance is supported by Forward Email @ https://forwardemail.net
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 1690 packages, and audited 1691 packages in 27s
234 packages are looking for funding
run `npm fund` for details
# npm audit report
@tootallnate/once <3.0.1
@tootallnate/once vulnerable to Incorrect Control Flow Scoping - https://github.com/advisories/GHSA-vpq2-c234-7xj6
fix available via `npm audit fix --force`
Will install jest-environment-jsdom@30.4.1, which is a breaking change
node_modules/@tootallnate/once
http-proxy-agent 4.0.1 - 5.0.0
Depends on vulnerable versions of @tootallnate/once
node_modules/jsdom/node_modules/http-proxy-agent
jsdom 16.6.0 - 22.1.0
Depends on vulnerable versions of http-proxy-agent
node_modules/jsdom
jest-environment-jsdom 27.0.1 - 30.0.0-rc.1
Depends on vulnerable versions of jsdom
node_modules/jest-environment-jsdom
axios <=0.31.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - https://github.com/advisories/GHSA-w9j2-pvgh-6h63
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 - https://github.com/advisories/GHSA-pmwg-cvhr-8vh7
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams - https://github.com/advisories/GHSA-xhjh-pmcv-23jw
Axios: no_proxy bypass via IP alias allows SSRF - https://github.com/advisories/GHSA-m7pr-hjqh-92cm
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data - https://github.com/advisories/GHSA-62hf-57xw-28j9
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 - https://github.com/advisories/GHSA-5c9x-8gcm-mpgx
Axios: HTTP adapter streamed responses bypass maxContentLength - https://github.com/advisories/GHSA-vf2m-468p-8v99
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - https://github.com/advisories/GHSA-pf86-5x62-jrwf
Axios: Header Injection via Prototype Pollution - https://github.com/advisories/GHSA-6chq-wfr3-2hj9
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - https://github.com/advisories/GHSA-xx6v-rp6x-q39c
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - https://github.com/advisories/GHSA-43fc-jf86-j433
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
fix available via `npm audit fix --force`
Will install chai-openapi-response-validator@0.14.1, which is a breaking change
node_modules/axios
openapi-validator >=0.14.2-alpha.0
Depends on vulnerable versions of axios
node_modules/openapi-validator
chai-openapi-response-validator 0.11.2 || >=0.14.2-alpha.0
Depends on vulnerable versions of openapi-validator
node_modules/chai-openapi-response-validator
minimatch <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install grunt-contrib-watch@0.4.4, which is a breaking change
node_modules/globule/node_modules/minimatch
globule *
Depends on vulnerable versions of minimatch
node_modules/globule
gaze >=0.4.0
Depends on vulnerable versions of globule
node_modules/gaze
grunt-contrib-watch >=0.5.0
Depends on vulnerable versions of gaze
node_modules/grunt-contrib-watch
serialize-javascript <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install @wdio/mocha-framework@6.1.17, which is a breaking change
node_modules/serialize-javascript
mocha 8.0.0 - 12.0.0-beta-2
Depends on vulnerable versions of serialize-javascript
node_modules/mocha
@wdio/mocha-framework >=6.1.19
Depends on vulnerable versions of mocha
node_modules/@wdio/mocha-framework
14 vulnerabilities (4 low, 10 high)
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated osenv@0.1.5: This package is no longer supported.
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated whatwg-encoding@3.1.1: Use @exodus/bytes instead for a more spec-conformant and faster implementation
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated supertest@7.1.0: Please upgrade to supertest v7.1.3+, see release notes at https://github.com/forwardemail/supertest/releases/tag/v7.1.3 - maintenance is supported by Forward Email @ https://forwardemail.net
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated superagent@9.0.2: Please upgrade to superagent v10.2.2+, see release notes at https://github.com/forwardemail/superagent/releases/tag/v10.2.2 - maintenance is supported by Forward Email @ https://forwardemail.net
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 1690 packages, and audited 1691 packages in 41s
234 packages are looking for funding
run `npm fund` for details
14 vulnerabilities (4 low, 10 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stderr ---
PASS tests/jest/mediawiki.special.block/stores/block.test.js
PASS tests/jest/mediawiki.special.block/BlockLog.test.js
PASS tests/jest/mediawiki.languageselector/MultiselectLookupLanguageSelector.test.js
PASS tests/jest/mediawiki.languageselector/useLanguageSelector.test.js
PASS tests/jest/mediawiki.skinning.typeaheadSearch/restSearchClient.test.js
PASS tests/jest/mediawiki.special.block/UserLookup.test.js
PASS tests/jest/mediawiki.languageselector/LookupLanguageSelector.test.js
PASS tests/jest/mediawiki.languageselector/factory.test.js
PASS tests/jest/mediawiki.special.block/ExpiryField.test.js
PASS tests/jest/mediawiki.special.block/util.test.js
PASS tests/jest/mediawiki.skinning.typeaheadSearch/fetch.test.js
PASS tests/jest/mediawiki.special.block/NamespacesField.test.js
PASS tests/jest/mediawiki.skinning.typeaheadSearch/App.test.js
PASS tests/jest/mediawiki.skinning.typeaheadSearch/instrumentation.test.js
PASS tests/jest/mediawiki.page.ready/updateThumbnailsToPreferredSize.test.js
PASS tests/jest/mediawiki.languageselector/languageSearch.test.js
PASS tests/jest/mediawiki.special.block/BlockDetailsField.test.js
PASS tests/jest/mediawiki.special.block/ReasonField.test.js
PASS tests/jest/mediawiki.special.block/init.test.js
PASS tests/jest/mediawiki.special.block/AdditionalDetailsField.test.js
PASS tests/jest/mediawiki.skinning.typeaheadSearch/urlGenerator.test.js
PASS tests/jest/mediawiki.special.block/SpecialBlock.test.js (15.827 s)
Test Suites: 22 passed, 22 total
Tests: 143 passed, 143 total
Snapshots: 3 passed, 3 total
Time: 25.145 s
Ran all test suites.
--- stdout ---
> test
> grunt lint && npm run doc && npm run jest
Running "eslint:all" (eslint) task
/src/repo/resources/src/jquery.lengthLimit.js
41:1 warning Syntax error in namepath: '$.fn.trimByteLength' jsdoc/valid-types
/src/repo/resources/src/jquery/jquery.makeCollapsible.js
441:1 warning Syntax error in namepath: ~'wikipage.collapsibleContent' jsdoc/valid-types
/src/repo/resources/src/mediawiki.action.edit/edit.js
12:1 warning Syntax error in namepath: ~'wikipage.editform' jsdoc/valid-types
/src/repo/resources/src/mediawiki.action/mediawiki.action.view.postEdit.js
21:1 warning Syntax error in namepath: ~'postEdit' jsdoc/valid-types
36:1 warning Syntax error in namepath: ~'postEdit.afterRemoval' jsdoc/valid-types
/src/repo/resources/src/mediawiki.api/index.js
213:1 warning The type 'JSON.parse' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.authenticationPopup/AuthPopup.js
181:1 warning The type 'AuthPopup.CheckLoggedIn' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.base/errorLogger.js
8:1 warning Syntax error in namepath: ~'global.error' jsdoc/valid-types
22:1 warning Syntax error in namepath: ~'error.caught' jsdoc/valid-types
/src/repo/resources/src/mediawiki.base/log.js
14:1 warning Found more than one @return declaration jsdoc/require-returns
14:1 warning Found more than one @return declaration jsdoc/require-returns-check
/src/repo/resources/src/mediawiki.base/mediawiki.base.js
248:1 warning The type 'mediawiki.inspect.runReports' is undefined jsdoc/no-undefined-types
274:1 warning The type 'mediawiki.inspect.js.html' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.diff/inlineFormatToggle.js
150:1 warning Syntax error in namepath: ~'wikipage.diff.wikitextDiffBody' jsdoc/valid-types
162:1 warning Syntax error in namepath: ~'wikipage.diff.diffTypeSwitch' jsdoc/valid-types
/src/repo/resources/src/mediawiki.editRecovery/edit.js
184:1 warning Syntax error in namepath: ~'editRecovery.loadEnd' jsdoc/valid-types
/src/repo/resources/src/mediawiki.htmlform/cond-state.js
48:1 warning Found more than one @return declaration jsdoc/require-returns-check
/src/repo/resources/src/mediawiki.htmlform/htmlform.js
5:1 warning Syntax error in namepath: ~'htmlform.enhance' jsdoc/valid-types
/src/repo/resources/src/mediawiki.inspect.js
112:2 warning Found more than one @return declaration jsdoc/require-returns
112:2 warning Found more than one @return declaration jsdoc/require-returns-check
309:18 warning Avoid direct access to localStorage. Use mw.storage instead mediawiki/no-storage
/src/repo/resources/src/mediawiki.jqueryMsg/mediawiki.jqueryMsg.js
148:1 warning Found more than one @return declaration jsdoc/require-returns
148:1 warning Found more than one @return declaration jsdoc/require-returns-check
/src/repo/resources/src/mediawiki.notification.convertmessagebox.js
13:1 warning Syntax error in namepath: (require("mediawiki.notification.convertmessagebox")) jsdoc/valid-types
/src/repo/resources/src/mediawiki.page.gallery.slideshow.js
138:22 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
143:22 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.page.preview.js
404:1 warning Syntax error in namepath: ~'wikipage.tableOfContents' jsdoc/valid-types
685:1 warning The type 'Hooks.wikipage.categories' is undefined jsdoc/no-undefined-types
686:1 warning The type 'Hooks.wikipage.content' is undefined jsdoc/no-undefined-types
687:1 warning The type 'Hooks.wikipage.diff' is undefined jsdoc/no-undefined-types
688:1 warning The type 'Hooks.wikipage.indicators' is undefined jsdoc/no-undefined-types
689:1 warning The type 'Hooks.wikipage.tableOfContents' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.page.ready/ready.js
73:1 warning Syntax error in namepath: ~'wikipage.indicators' jsdoc/valid-types
93:1 warning Syntax error in namepath: ~'wikipage.content' jsdoc/valid-types
114:1 warning Syntax error in namepath: ~'wikipage.categories' jsdoc/valid-types
127:1 warning The type 'Hooks.wikipage.content' is undefined jsdoc/no-undefined-types
130:1 warning Syntax error in namepath: ~'wikipage.diff' jsdoc/valid-types
161:1 warning Syntax error in namepath: ~'skin.logout' jsdoc/valid-types
306:7 warning Avoid direct access to sessionStorage. Use mw.storage.session instead mediawiki/no-storage
/src/repo/resources/src/mediawiki.page.watch.ajax/watch-ajax.js
131:1 warning Syntax error in namepath: ~'wikipage.watchlistChange' jsdoc/valid-types
155:1 warning The type 'Hooks.wikipage.watchlistChange' is undefined jsdoc/no-undefined-types
181:1 warning The type 'Hooks.wikipage.watchlistChange' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.rcfilters/Controller.js
330:1 warning Found more than one @return declaration jsdoc/require-returns
330:1 warning Found more than one @return declaration jsdoc/require-returns-check
550:1 warning Syntax error in namepath: ~'RcFilters.highlight.enable' jsdoc/valid-types
/src/repo/resources/src/mediawiki.rcfilters/dm/FilterItem.js
81:1 warning Found more than one @return declaration jsdoc/require-returns
81:1 warning Found more than one @return declaration jsdoc/require-returns-check
335:1 warning The type 'update' is undefined jsdoc/no-undefined-types
351:1 warning The type 'update' is undefined jsdoc/no-undefined-types
366:1 warning The type 'update' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.rcfilters/dm/FiltersViewModel.js
1200:1 warning The type 'searchChange' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.rcfilters/mw.rcfilters.js
204:1 warning Syntax error in namepath: ~'structuredChangeFilters.ui.initialized' jsdoc/valid-types
/src/repo/resources/src/mediawiki.rcfilters/ui/FilterTagMultiselectWidget.js
107:21 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
112:24 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
428:1 warning Syntax error in namepath: ~'RcFilters.popup.open' jsdoc/valid-types
/src/repo/resources/src/mediawiki.rcfilters/ui/FilterWrapperWidget.js
69:28 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.rcfilters/ui/HighlightColorPickerWidget.js
36:17 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.rcfilters/ui/SavedLinksListItemWidget.js
27:20 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
59:20 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.router/router.js
211:3 warning Unused eslint-disable directive (no problems were reported from 'prefer-const')
/src/repo/resources/src/mediawiki.skinning.typeaheadSearch/App.vue
76:3 warning Prop 'router' requires default value to be set vue/require-default-prop
225:1 warning The type 'AbortableSearchFetch' is undefined jsdoc/no-undefined-types
310:1 warning The type 'SearchSubmitEvent' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.skinning.typeaheadSearch/fetch.js
21:1 warning The type 'RequestInit' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.skinning.typeaheadSearch/instrumentation.js
2:1 warning The type 'FetchEndEvent' is undefined jsdoc/no-undefined-types
16:1 warning The type 'SuggestionClickEvent' is undefined jsdoc/no-undefined-types
16:1 warning The type 'SearchSubmitEvent' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.skinning.typeaheadSearch/restSearchClient.js
4:1 warning Syntax error in type: import('./urlGenerator.js').UrlGenerator jsdoc/valid-types
17:1 warning The type 'RestResult' is undefined jsdoc/no-undefined-types
24:1 warning The type 'SearchResult' is undefined jsdoc/no-undefined-types
108:1 warning The type 'fetchRecommendationByTitle' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.skinning.typeaheadSearch/urlGenerator.js
2:1 warning The type 'Record' is undefined jsdoc/no-undefined-types
9:1 warning The type 'RestResult' is undefined jsdoc/no-undefined-types
9:1 warning The type 'SearchResult' is undefined jsdoc/no-undefined-types
30:1 warning The type 'RestResult' is undefined jsdoc/no-undefined-types
30:1 warning The type 'SearchResult' is undefined jsdoc/no-undefined-types
/src/repo/resources/src/mediawiki.special.apisandbox/ApiSandbox.js
501:9 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.special.apisandbox/ApiSandboxLayout.js
44:1 warning Found more than one @return declaration jsdoc/require-returns
44:1 warning Found more than one @return declaration jsdoc/require-returns-check
403:19 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
604:7 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.special.block/init.js
26:1 warning Syntax error in namepath: ~'SpecialBlock.block' jsdoc/valid-types
36:1 warning Syntax error in namepath: ~'SpecialBlock.form' jsdoc/valid-types
/src/repo/resources/src/mediawiki.util/util.js
590:1 warning The type 'Hooks.util.addPortlet' is undefined jsdoc/no-undefined-types
629:1 warning Syntax error in namepath: ~'util.addPortlet' jsdoc/valid-types
703:1 warning The type 'Hooks.util.addPortletLink' is undefined jsdoc/no-undefined-types
798:1 warning Syntax error in namepath: ~'util.addPortletLink' jsdoc/valid-types
/src/repo/resources/src/mediawiki.watchstar.widgets/WatchlistPopup.vue
201:3 warning Missing JSDoc @param "e" declaration jsdoc/require-param
/src/repo/resources/src/mediawiki.widgets.datetime/CalendarWidget.js
114:5 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
120:5 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.widgets.datetime/DateTimeInputWidget.js
449:23 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/mediawiki.widgets/mw.widgets.CalendarWidget.js
355:22 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
363:19 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
369:21 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
375:21 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/resources/src/startup/mediawiki.loader.js
61:1 warning Syntax error in namepath: ~'resourceloader.exception' jsdoc/valid-types
/src/repo/tests/selenium/wdio-mediawiki/PrometheusFileReporter.js
227:1 warning This line has a length of 105. Maximum allowed is 100 max-len
✖ 97 problems (0 errors, 97 warnings)
0 errors and 2 warnings potentially fixable with the `--fix` option.
Running "banana:core" (banana) task
>> 1 message directory checked.
Running "banana:botpasswords" (banana) task
>> 1 message directory checked.
Running "banana:codex" (banana) task
>> 1 message directory checked.
Running "banana:datetime" (banana) task
>> 1 message directory checked.
Running "banana:exif" (banana) task
>> 1 message directory checked.
Running "banana:nontranslatable" (banana) task
>> 1 message directory checked.
Running "banana:interwiki" (banana) task
>> 1 message directory checked.
Running "banana:preferences" (banana) task
>> 1 message directory checked.
Running "banana:userrights" (banana) task
>> 1 message directory checked.
Running "banana:languageconverter" (banana) task
>> 1 message directory checked.
Running "banana:api" (banana) task
>> 1 message directory checked.
Running "banana:rest" (banana) task
>> 1 message directory checked.
Running "banana:installer" (banana) task
>> 1 message directory checked.
Running "banana:paramvalidator" (banana) task
>> 1 message directory checked.
Running "stylelint:resources" (stylelint) task
>> resources/src/mediawiki.special.apisandbox/apisandbox.less
>> 123:3 ⚠ Unexpected browser feature "css-resize" is not supported by Safari on iOS 10.0-10.2,10.3,11.0-11.2,11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4,14.5-14.8,15.0-15.1,15.2-15.3,15.4,15.5,15.6-15.8,16.0,16.1,16.2,16.3,16.4,16.5,16.6-16.7,17.0,17.1,17.2,17.3,17.4,17.5,17.6-17.7,18.0,18.1,18.2,18.3,18.4,18.5-18.7,26.0,26.1,26.2,26.3,26.4 plugin/no-unsupported-browser-features
>>
>> resources/src/mediawiki.special.watchlistlabels/labelmanager.less
>> 8:1 ⚠ Unexpected browser feature "flexbox-gap" is not supported by Edge 79,80,81,83, Firefox 49,50,51,52,53,54,55,56,57,58,59,60,61,62, Chrome 49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,83, Safari 10,11,12,13,14,10.1,11.1,12.1,13.1, Safari on iOS 10.0-10.2,10.3,11.0-11.2,11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4 plugin/no-unsupported-browser-features
>>
>> resources/src/mediawiki.special.watchlistlabels/LabelOnboarding.vue
>> 160:1 ⚠ Unexpected browser feature "flexbox-gap" is not supported by Edge 79,80,81,83, Firefox 49,50,51,52,53,54,55,56,57,58,59,60,61,62, Chrome 49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,83, Safari 10,11,12,13,14,10.1,11.1,12.1,13.1, Safari on iOS 10.0-10.2,10.3,11.0-11.2,11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4 plugin/no-unsupported-browser-features
>>
>> resources/src/mediawiki.special/userrights.less
>> 28:4 ⚠ Unexpected browser feature "css-has" is not supported by Edge 79,80,81,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104, Firefox 49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120, Chrome 49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104, Safari 10,11,12,13,14,15,10.1,11.1,12.1,13.1,14.1,15.1,15.2-15.3, Safari on iOS 10.0-10.2,10.3,11.0-11.2,11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4,14.5-14.8,15.0-15.1,15.2-15.3 plugin/no-unsupported-browser-features
>>
>> ⚠ 4 problems (0 errors, 4 warnings)
⚠ 4 warnings
>> Linted 218 files without errors
Running "stylelint:config" (stylelint) task
>> Linted 1 files without errors
Done.
> doc
> jsdoc -c jsdoc.json
> jest
> jest --config tests/jest/jest.config.js
------------------------------------|---------|----------|---------|---------|---------------------------------------------------------------------------------------------------------------------
File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
------------------------------------|---------|----------|---------|---------|---------------------------------------------------------------------------------------------------------------------
All files | 92.95 | 89.37 | 77.22 | 92.95 |
mediawiki.skinning.typeaheadSearch | 86.57 | 82.45 | 56.25 | 86.57 |
App.vue | 76.21 | 69.23 | 16.66 | 76.21 | 176,211-213,218-221,229-253,257-264,273-283,293-306,313-314,318-322,326,330-333,338-341,345-349,354,359-360,366-368
TypeaheadSearchWrapper.vue | 94.24 | 66.66 | 100 | 94.24 | 54-61
fetch.js | 100 | 88.88 | 75 | 100 | 31
instrumentation.js | 82.82 | 100 | 60 | 82.82 | 4-13,18-24
restSearchClient.js | 97.53 | 77.77 | 85.71 | 97.53 | 121-123,142
urlGenerator.js | 100 | 100 | 100 | 100 |
mediawiki.special.block | 92.43 | 91.66 | 82.35 | 92.43 |
SpecialBlock.vue | 91.54 | 91.11 | 72.72 | 91.54 | 271-280,323-328,334-348,455-472,487-488,499-501
init.js | 100 | 100 | 100 | 100 |
util.js | 94.64 | 91.3 | 100 | 94.64 | 82-84,86-88
mediawiki.special.block/components | 95.13 | 91.79 | 88.09 | 95.13 |
AdditionalDetailsField.vue | 100 | 80 | 100 | 100 | 67
BlockDetailsField.vue | 100 | 100 | 100 | 100 |
BlockLog.vue | 98.94 | 100 | 83.33 | 98.94 | 337-340,401
BlockTypeField.vue | 95.04 | 50 | 100 | 95.04 | 73-77
ConfirmationDialog.vue | 96.34 | 100 | 50 | 96.34 | 70-72
ExpiryField.vue | 95.16 | 90 | 100 | 95.16 | 153-154,156-157,185-194,251-252
NamespacesField.vue | 90.42 | 88.88 | 66.66 | 90.42 | 60-68
PagesField.vue | 70.06 | 50 | 50 | 70.06 | 46-47,56-57,72-79,88-90,97-118,127-133
ReasonField.vue | 96.89 | 91.3 | 100 | 96.89 | 64,114-117
UserLookup.vue | 97.75 | 95.23 | 100 | 97.75 | 146-148,197-199,232-233
ValidatingTextInput.js | 100 | 100 | 100 | 100 |
mediawiki.special.block/stores | 95.85 | 86.66 | 90 | 95.85 |
block.js | 95.85 | 86.66 | 90 | 95.85 | 341-342,455-456,458-459,479-480,483-484,487-488,506-521
------------------------------------|---------|----------|---------|---------|---------------------------------------------------------------------------------------------------------------------
--- end ---
{"1117908": {"source": 1117908, "name": "@babel/plugin-transform-modules-systemjs", "dependency": "@babel/plugin-transform-modules-systemjs", "title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input", "url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp", "severity": "high", "cwe": ["CWE-94", "CWE-843"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}, "range": ">=7.12.0 <=7.29.3"}}
Upgrading n:@babel/plugin-transform-modules-systemjs from 7.27.1 -> 7.29.4
{"1118825": {"source": 1118825, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering", "url": "https://github.com/advisories/GHSA-rpmf-866q-6p89", "severity": "high", "cwe": ["CWE-400", "CWE-770"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=5.3.0"}}
Upgrading n:basic-ftp from 5.3.0 -> 5.3.1
{"1119108": {"source": 1119108, "name": "ws", "dependency": "ws", "title": "ws: Uninitialized memory disclosure", "url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx", "severity": "moderate", "cwe": ["CWE-908"], "cvss": {"score": 4.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"}, "range": ">=8.0.0 <8.20.1"}}
Upgrading n:engine.io from 6.6.4 -> 6.6.8
{"1117870": {"source": 1117870, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to path traversal via percent-encoded dot segments", "url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.0"}, "1117884": {"source": 1117884, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters", "url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc", "severity": "high", "cwe": ["CWE-436"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.1"}}
Upgrading n:fast-uri from 3.1.0 -> 3.1.2
{"1118965": {"source": 1118965, "name": "fast-xml-builder", "dependency": "fast-xml-builder", "title": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes", "url": "https://github.com/advisories/GHSA-5wm8-gmm8-39j9", "severity": "high", "cwe": ["CWE-91", "CWE-611"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=1.1.6"}, "1118966": {"source": 1118966, "name": "fast-xml-builder", "dependency": "fast-xml-builder", "title": "fast-xml-builder Comment Value regex can be bypassed", "url": "https://github.com/advisories/GHSA-45c6-75p6-83cc", "severity": "moderate", "cwe": ["CWE-91"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "=1.1.5"}}
Upgrading n:fast-xml-builder from 1.1.5 -> 1.2.0
{"1118827": {"source": 1118827, "name": "ip-address", "dependency": "ip-address", "title": "ip-address has XSS in Address6 HTML-emitting methods", "url": "https://github.com/advisories/GHSA-v2v4-37r5-5v8g", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 0, "vectorString": null}, "range": "<=10.1.0"}}
Upgrading n:ip-address from 10.1.0 -> 10.2.0
{"1119108": {"source": 1119108, "name": "ws", "dependency": "ws", "title": "ws: Uninitialized memory disclosure", "url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx", "severity": "moderate", "cwe": ["CWE-908"], "cvss": {"score": 4.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"}, "range": ">=8.0.0 <8.20.1"}}
Upgrading n:socket.io-adapter from 2.5.5 -> 2.5.7
{"1119108": {"source": 1119108, "name": "ws", "dependency": "ws", "title": "ws: Uninitialized memory disclosure", "url": "https://github.com/advisories/GHSA-58qx-3vcg-4xpx", "severity": "moderate", "cwe": ["CWE-908"], "cvss": {"score": 4.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"}, "range": ">=8.0.0 <8.20.1"}}
Upgrading n:ws from 8.17.1 -> 8.20.1
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating npm dependencies
* @babel/plugin-transform-modules-systemjs: 7.27.1 → 7.29.4
* https://github.com/advisories/GHSA-fv7c-fp4j-7gwp
* basic-ftp: 5.3.0 → 5.3.1
* https://github.com/advisories/GHSA-rpmf-866q-6p89
* engine.io: 6.6.4 → 6.6.8
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
* fast-uri: 3.1.0 → 3.1.2
* https://github.com/advisories/GHSA-q3j6-qgpj-74h6
* https://github.com/advisories/GHSA-v39h-62p7-jpjc
* fast-xml-builder: 1.1.5 → 1.2.0
* https://github.com/advisories/GHSA-45c6-75p6-83cc
* https://github.com/advisories/GHSA-5wm8-gmm8-39j9
* ip-address: 10.1.0 → 10.2.0
* https://github.com/advisories/GHSA-v2v4-37r5-5v8g
* socket.io-adapter: 2.5.5 → 2.5.7
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
* ws: 8.17.1 → 8.20.1
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmp47tfw9md
--- stdout ---
[REL1_46 8e1f3b4] build: Updating npm dependencies
1 file changed, 106 insertions(+), 146 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 8e1f3b46d0ee68749806eb5e58d758bf03123b3e Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 21 May 2026 00:52:14 +0000
Subject: [PATCH] build: Updating npm dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* @babel/plugin-transform-modules-systemjs: 7.27.1 → 7.29.4
* https://github.com/advisories/GHSA-fv7c-fp4j-7gwp
* basic-ftp: 5.3.0 → 5.3.1
* https://github.com/advisories/GHSA-rpmf-866q-6p89
* engine.io: 6.6.4 → 6.6.8
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
* fast-uri: 3.1.0 → 3.1.2
* https://github.com/advisories/GHSA-q3j6-qgpj-74h6
* https://github.com/advisories/GHSA-v39h-62p7-jpjc
* fast-xml-builder: 1.1.5 → 1.2.0
* https://github.com/advisories/GHSA-45c6-75p6-83cc
* https://github.com/advisories/GHSA-5wm8-gmm8-39j9
* ip-address: 10.1.0 → 10.2.0
* https://github.com/advisories/GHSA-v2v4-37r5-5v8g
* socket.io-adapter: 2.5.5 → 2.5.7
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
* ws: 8.17.1 → 8.20.1
* https://github.com/advisories/GHSA-58qx-3vcg-4xpx
Change-Id: Ie6f4dce4f5aa89b9078d88131b2e9a88661e3503
---
package-lock.json | 252 +++++++++++++++++++---------------------------
1 file changed, 106 insertions(+), 146 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 52690d5..14bbe4a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -103,13 +103,12 @@
}
},
"node_modules/@babel/code-frame": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz",
- "integrity": "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==",
+ "version": "7.29.0",
+ "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+ "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/helper-validator-identifier": "^7.27.1",
+ "@babel/helper-validator-identifier": "^7.28.5",
"js-tokens": "^4.0.0",
"picocolors": "^1.1.1"
},
@@ -159,14 +158,13 @@
}
},
"node_modules/@babel/generator": {
- "version": "7.28.3",
- "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.28.3.tgz",
- "integrity": "sha512-3lSpxGgvnmZznmBkCRnVREPUFJv2wrv9iAoFDvADJc0ypmdOxdUtcLeBgBJ6zE0PMeTKnxeQzyk0xTBq4Ep7zw==",
+ "version": "7.29.1",
+ "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+ "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/parser": "^7.28.3",
- "@babel/types": "^7.28.2",
+ "@babel/parser": "^7.29.0",
+ "@babel/types": "^7.29.0",
"@jridgewell/gen-mapping": "^0.3.12",
"@jridgewell/trace-mapping": "^0.3.28",
"jsesc": "^3.0.2"
@@ -287,29 +285,27 @@
}
},
"node_modules/@babel/helper-module-imports": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.27.1.tgz",
- "integrity": "sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
+ "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/traverse": "^7.27.1",
- "@babel/types": "^7.27.1"
+ "@babel/traverse": "^7.28.6",
+ "@babel/types": "^7.28.6"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-module-transforms": {
- "version": "7.28.3",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.3.tgz",
- "integrity": "sha512-gytXUbs8k2sXS9PnQptz5o0QnpLL51SwASIORY6XaBKF88nsOT0Zw9szLqlSGQDP/4TljBAD5y98p2U1fqkdsw==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
+ "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/helper-module-imports": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.27.1",
- "@babel/traverse": "^7.28.3"
+ "@babel/helper-module-imports": "^7.28.6",
+ "@babel/helper-validator-identifier": "^7.28.5",
+ "@babel/traverse": "^7.28.6"
},
"engines": {
"node": ">=6.9.0"
@@ -332,11 +328,10 @@
}
},
"node_modules/@babel/helper-plugin-utils": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.27.1.tgz",
- "integrity": "sha512-1gn1Up5YXka3YYAHGKpbideQ5Yjf1tDa9qYcgysz+cNCXukyLl6DjPXhD3VRwSb8c0J9tA4b2+rHEZtc6R0tlw==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.28.6.tgz",
+ "integrity": "sha512-S9gzZ/bz83GRysI7gAD4wPT/AI3uCnY+9xn+Mx/KPs2JwHJIz1W8PZkg2cqyt3RNOBM8ejcXhV6y8Og7ly/Dug==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=6.9.0"
}
@@ -402,11 +397,10 @@
}
},
"node_modules/@babel/helper-validator-identifier": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.27.1.tgz",
- "integrity": "sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==",
+ "version": "7.28.5",
+ "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+ "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=6.9.0"
}
@@ -451,13 +445,12 @@
}
},
"node_modules/@babel/parser": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.4.tgz",
- "integrity": "sha512-yZbBqeM6TkpP9du/I2pUZnJsRMGGvOuIrhjzC1AwHwW+6he4mni6Bp/m8ijn0iOuZuPI2BfkCoSRunpyjnrQKg==",
+ "version": "7.29.3",
+ "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
+ "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/types": "^7.28.4"
+ "@babel/types": "^7.29.0"
},
"bin": {
"parser": "bin/babel-parser.js"
@@ -1266,16 +1259,15 @@
}
},
"node_modules/@babel/plugin-transform-modules-systemjs": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.27.1.tgz",
- "integrity": "sha512-w5N1XzsRbc0PQStASMksmUeqECuzKuTJer7kFagK8AXgpCMkeDMO5S+aaFb7A51ZYDF7XI34qsTX+fkHiIm5yA==",
+ "version": "7.29.4",
+ "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.29.4.tgz",
+ "integrity": "sha512-N7QmZ0xRZfjHOfZeQLJjwgX2zS9pdGHSVl/cjSGlo4dXMqvurfxXDMKY4RqEKzPozV78VMcd0lxyG13mlbKc4w==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/helper-module-transforms": "^7.27.1",
- "@babel/helper-plugin-utils": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.27.1",
- "@babel/traverse": "^7.27.1"
+ "@babel/helper-module-transforms": "^7.28.6",
+ "@babel/helper-plugin-utils": "^7.28.6",
+ "@babel/helper-validator-identifier": "^7.28.5",
+ "@babel/traverse": "^7.29.0"
},
"engines": {
"node": ">=6.9.0"
@@ -1797,33 +1789,31 @@
}
},
"node_modules/@babel/template": {
- "version": "7.27.2",
- "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.2.tgz",
- "integrity": "sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==",
+ "version": "7.28.6",
+ "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+ "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/code-frame": "^7.27.1",
- "@babel/parser": "^7.27.2",
- "@babel/types": "^7.27.1"
+ "@babel/code-frame": "^7.28.6",
+ "@babel/parser": "^7.28.6",
+ "@babel/types": "^7.28.6"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/traverse": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.4.tgz",
- "integrity": "sha512-YEzuboP2qvQavAcjgQNVgsvHIDv6ZpwXvcvjmyySP2DIMuByS/6ioU5G9pYrWHM6T2YDfc7xga9iNzYOs12CFQ==",
+ "version": "7.29.0",
+ "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+ "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "@babel/code-frame": "^7.27.1",
- "@babel/generator": "^7.28.3",
+ "@babel/code-frame": "^7.29.0",
+ "@babel/generator": "^7.29.0",
"@babel/helper-globals": "^7.28.0",
- "@babel/parser": "^7.28.4",
- "@babel/template": "^7.27.2",
- "@babel/types": "^7.28.4",
+ "@babel/parser": "^7.29.0",
+ "@babel/template": "^7.28.6",
+ "@babel/types": "^7.29.0",
"debug": "^4.3.1"
},
"engines": {
@@ -1831,14 +1821,13 @@
}
},
"node_modules/@babel/types": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.4.tgz",
- "integrity": "sha512-bkFqkLhh3pMBUQQkpVgWDWq/lqzc2678eUyDlTBhRqhCHFguYYGM0Efga7tYk4TogG/3x0EEl66/OQ+WGbWB/Q==",
+ "version": "7.29.0",
+ "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+ "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
"dev": true,
- "license": "MIT",
"dependencies": {
"@babel/helper-string-parser": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.27.1"
+ "@babel/helper-validator-identifier": "^7.28.5"
},
"engines": {
"node": ">=6.9.0"
@@ -4787,11 +4776,10 @@
}
},
"node_modules/@tootallnate/once": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.0.tgz",
- "integrity": "sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==",
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.1.tgz",
+ "integrity": "sha512-HqmEUIGRJ5fSXchkVgR5F7qn48bDBzv0kWj/Kfu5e6uci4UlEeng4331LnBkWffb++Ei3FOVLxo8JJWMFBDMeQ==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">= 10"
}
@@ -6898,11 +6886,10 @@
}
},
"node_modules/basic-ftp": {
- "version": "5.3.0",
- "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
- "integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
+ "version": "5.3.1",
+ "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.1.tgz",
+ "integrity": "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=10.0.0"
}
@@ -9061,21 +9048,21 @@
}
},
"node_modules/engine.io": {
- "version": "6.6.4",
- "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.6.4.tgz",
- "integrity": "sha512-ZCkIjSYNDyGn0R6ewHDtXgns/Zre/NT6Agvq1/WobF7JXgFff4SeDroKiCO3fNJreU9YG429Sc81o4w5ok/W5g==",
+ "version": "6.6.8",
+ "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.6.8.tgz",
+ "integrity": "sha512-2agL3ueZhqxoVrfmntO8yuVj+uNSlIOnhykYHk3Cq0ShYPdUjjUiSJrQvXjq01I9jAuI0Zl2YO8Evv5Mqytm5g==",
"dev": true,
- "license": "MIT",
"dependencies": {
"@types/cors": "^2.8.12",
"@types/node": ">=10.0.0",
+ "@types/ws": "^8.5.12",
"accepts": "~1.3.4",
"base64id": "2.0.0",
"cookie": "~0.7.2",
"cors": "~2.8.5",
- "debug": "~4.3.1",
+ "debug": "~4.4.1",
"engine.io-parser": "~5.2.1",
- "ws": "~8.17.1"
+ "ws": "~8.20.1"
},
"engines": {
"node": ">=10.2.0"
@@ -9091,24 +9078,6 @@
"node": ">=10.0.0"
}
},
- "node_modules/engine.io/node_modules/debug": {
- "version": "4.3.7",
- "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz",
- "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "ms": "^2.1.3"
- },
- "engines": {
- "node": ">=6.0"
- },
- "peerDependenciesMeta": {
- "supports-color": {
- "optional": true
- }
- }
- },
"node_modules/enhanced-resolve": {
"version": "5.18.3",
"resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.3.tgz",
@@ -10984,9 +10953,9 @@
"license": "MIT"
},
"node_modules/fast-uri": {
- "version": "3.1.0",
- "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
- "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+ "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
"dev": true,
"funding": [
{
@@ -10997,13 +10966,12 @@
"type": "opencollective",
"url": "https://opencollective.com/fastify"
}
- ],
- "license": "BSD-3-Clause"
+ ]
},
"node_modules/fast-xml-builder": {
- "version": "1.1.5",
- "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz",
- "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==",
+ "version": "1.2.0",
+ "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
+ "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
"dev": true,
"funding": [
{
@@ -11011,9 +10979,9 @@
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
- "license": "MIT",
"dependencies": {
- "path-expression-matcher": "^1.1.3"
+ "path-expression-matcher": "^1.5.0",
+ "xml-naming": "^0.1.0"
}
},
"node_modules/fast-xml-parser": {
@@ -12919,9 +12887,9 @@
"license": "MIT"
},
"node_modules/ip-address": {
- "version": "10.1.0",
- "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
- "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
+ "version": "10.2.0",
+ "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz",
+ "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==",
"dev": true,
"engines": {
"node": ">= 12"
@@ -20247,32 +20215,13 @@
}
},
"node_modules/socket.io-adapter": {
- "version": "2.5.5",
- "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.5.5.tgz",
- "integrity": "sha512-eLDQas5dzPgOWCk9GuuJC2lBqItuhKI4uxGgo9aIV7MYbk2h9Q6uULEh8WBzThoI7l+qU9Ast9fVUmkqPP9wYg==",
+ "version": "2.5.7",
+ "resolved": "https://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-2.5.7.tgz",
+ "integrity": "sha512-e0LyK91f3cUxTmv95/KzoLg47+zF+s/sbxRGDNsyG4dmIP8ZSX8ax6byOxfJXeNNtS/8AZlfD+uP7gBeR7DLlg==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "debug": "~4.3.4",
- "ws": "~8.17.1"
- }
- },
- "node_modules/socket.io-adapter/node_modules/debug": {
- "version": "4.3.7",
- "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz",
- "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "ms": "^2.1.3"
- },
- "engines": {
- "node": ">=6.0"
- },
- "peerDependenciesMeta": {
- "supports-color": {
- "optional": true
- }
+ "debug": "~4.4.1",
+ "ws": "~8.20.1"
}
},
"node_modules/socket.io-parser": {
@@ -22303,8 +22252,10 @@
}
},
"node_modules/wdio-mediawiki": {
- "resolved": "tests/selenium/wdio-mediawiki",
- "link": true
+ "version": "6.5.1",
+ "resolved": "file:tests/selenium/wdio-mediawiki",
+ "dev": true,
+ "license": "MIT"
},
"node_modules/webdriver": {
"version": "9.23.2",
@@ -22675,11 +22626,10 @@
"license": "ISC"
},
"node_modules/ws": {
- "version": "8.17.1",
- "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz",
- "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==",
+ "version": "8.20.1",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
+ "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
"dev": true,
- "license": "MIT",
"engines": {
"node": ">=10.0.0"
},
@@ -22706,6 +22656,21 @@
"node": ">=12"
}
},
+ "node_modules/xml-naming": {
+ "version": "0.1.0",
+ "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
+ "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
+ "dev": true,
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/NaturalIntelligence"
+ }
+ ],
+ "engines": {
+ "node": ">=16.0.0"
+ }
+ },
"node_modules/xml2js": {
"version": "0.6.2",
"resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.2.tgz",
@@ -23036,11 +23001,6 @@
"dependencies": {
"safe-buffer": "~5.2.0"
}
- },
- "tests/selenium/wdio-mediawiki": {
- "version": "6.5.1",
- "dev": true,
- "license": "MIT"
}
}
}
--
2.47.3
--- end ---