This run took 41 seconds.
From 15a4d28c3d779040a8ebed6416d2a9cd065c00f7 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 21 May 2026 03:40:51 +0000
Subject: [PATCH] build: Updating fast-uri to 3.1.2
* https://github.com/advisories/GHSA-q3j6-qgpj-74h6
* https://github.com/advisories/GHSA-v39h-62p7-jpjc
Change-Id: I4ce6e1cd996d526bcc399cce952bc8116ba664bb
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index b5e9bdd..3861837 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3451,9 +3451,9 @@
"dev": true
},
"node_modules/fast-uri": {
- "version": "3.0.5",
- "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.5.tgz",
- "integrity": "sha512-5JnBCWpFlMo0a3ciDy/JckMzzv1U9coZrIhedq+HXxxUfDTAiS0LA8OKVao4G9BxmCVck/jtA5r3KAtRWEyD8Q==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+ "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
"dev": true,
"funding": [
{
--
2.47.3
$ date
--- stdout ---
Thu May 21 03:40:14 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-Chart.git /src/repo --depth=1 -b REL1_46
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_46
--- stdout ---
54fe4297f68ffd54e98ad33b1637190bcf60243c refs/heads/REL1_46
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
"node_modules/fast-uri"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 548,
"optional": 1,
"peer": 1,
"peerOptional": 0,
"total": 548
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 37 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.5.10)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
- Locking doctrine/deprecations (1.1.6)
- Locking mediawiki/mediawiki-codesniffer (v50.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.4.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (6.1.0)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v8.0.11)
- Locking symfony/deprecation-contracts (v3.7.0)
- Locking symfony/polyfill-ctype (v1.37.0)
- Locking symfony/polyfill-intl-grapheme (v1.37.0)
- Locking symfony/polyfill-intl-normalizer (v1.37.0)
- Locking symfony/polyfill-mbstring (v1.37.0)
- Locking symfony/service-contracts (v3.7.0)
- Locking symfony/string (v8.0.11)
- Locking webmozart/assert (2.4.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 37 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.37.0): Extracting archive
- Installing composer/spdx-licenses (1.5.10): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v50.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.37.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.37.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.37.0): Extracting archive
- Installing symfony/string (v8.0.11): Extracting archive
- Installing symfony/deprecation-contracts (v3.7.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.7.0): Extracting archive
- Installing symfony/console (v8.0.11): Extracting archive
- Installing sabre/event (6.1.0): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.4.0): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/35 [>---------------------------] 0%
29/35 [=======================>----] 82%
35/35 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
16 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
"node_modules/fast-uri"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 548,
"optional": 1,
"peer": 1,
"peerOptional": 0,
"total": 548
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 548,
"removed": 0,
"changed": 0,
"audited": 549,
"funding": 119,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 548,
"optional": 1,
"peer": 1,
"peerOptional": 0,
"total": 548
}
}
}
}
--- end ---
{"added": 548, "removed": 0, "changed": 0, "audited": 549, "funding": 119, "audit": {"auditReportVersion": 2, "vulnerabilities": {"fast-uri": {"name": "fast-uri", "severity": "high", "isDirect": false, "via": [{"source": 1117870, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to path traversal via percent-encoded dot segments", "url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.0"}, {"source": 1117884, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters", "url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc", "severity": "high", "cwe": ["CWE-436"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.1"}], "effects": [], "range": "<=3.1.1", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0, "total": 1}, "dependencies": {"prod": 1, "dev": 548, "optional": 1, "peer": 1, "peerOptional": 0, "total": 548}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 547 packages, and audited 548 packages in 5s
119 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 547 packages, and audited 548 packages in 6s
119 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
$ /usr/bin/npm test
--- stderr ---
PASS tests/jest/render.test.js
numberFormatter
✓ formats numbers to minimum of 2 decimal places (21 ms)
✓ formats 1000 as 1K
✓ formats to four figures between 100 and 1000 as expected
✓ formats large numbers on axis to nearest integers
getFormatter
✓ formats integers correctly with formatMode none (7 ms)
✓ formats floats correctly with formatMode none (1 ms)
✓ formats integers correctly with formatMode none and no comma separator (1 ms)
✓ formats integers correctly with formatMode auto
✓ formats floats correctly with formatMode auto
✓ formats integers correctly with formatMode auto and comma separator
Failed to collect coverage from /src/repo/resources/ext.chart.visualEditMode/ChartVisualEditor.vue
ERROR: /src/repo/resources/ext.chart.visualEditMode/ChartVisualEditor.vue: Support for the experimental syntax 'jsx' isn't currently enabled (1:1):
> 1 | <template>
| ^
2 | <div>Chart Visual Editor Form</div>
3 | </template>
4 |
Add @babel/preset-react (https://github.com/babel/babel/tree/main/packages/babel-preset-react) to the 'presets' section of your Babel config to enable transformation.
If you want to leave it as-is, add @babel/plugin-syntax-jsx (https://github.com/babel/babel/tree/main/packages/babel-plugin-syntax-jsx) to the 'plugins' section to enable parsing.
If you already added the plugin for this syntax to your config, it's possible that your config isn't being loaded.
You can re-run Babel with the BABEL_SHOW_CONFIG_FOR environment variable to show the loaded configuration:
npx cross-env BABEL_SHOW_CONFIG_FOR=/src/repo/resources/ext.chart.visualEditMode/ChartVisualEditor.vue <your build command>
See https://babeljs.io/docs/configuration#print-effective-configs for more info.
STACK: SyntaxError: /src/repo/resources/ext.chart.visualEditMode/ChartVisualEditor.vue: Support for the experimental syntax 'jsx' isn't currently enabled (1:1):
> 1 | <template>
| ^
2 | <div>Chart Visual Editor Form</div>
3 | </template>
4 |
Add @babel/preset-react (https://github.com/babel/babel/tree/main/packages/babel-preset-react) to the 'presets' section of your Babel config to enable transformation.
If you want to leave it as-is, add @babel/plugin-syntax-jsx (https://github.com/babel/babel/tree/main/packages/babel-plugin-syntax-jsx) to the 'plugins' section to enable parsing.
If you already added the plugin for this syntax to your config, it's possible that your config isn't being loaded.
You can re-run Babel with the BABEL_SHOW_CONFIG_FOR environment variable to show the loaded configuration:
npx cross-env BABEL_SHOW_CONFIG_FOR=/src/repo/resources/ext.chart.visualEditMode/ChartVisualEditor.vue <your build command>
See https://babeljs.io/docs/configuration#print-effective-configs for more info.
at constructor (/src/repo/node_modules/@babel/parser/lib/index.js:360:19)
at Parser.raise (/src/repo/node_modules/@babel/parser/lib/index.js:3327:19)
at Parser.expectOnePlugin (/src/repo/node_modules/@babel/parser/lib/index.js:3361:18)
at Parser.parseExprAtom (/src/repo/node_modules/@babel/parser/lib/index.js:11085:18)
at Parser.parseExprSubscripts (/src/repo/node_modules/@babel/parser/lib/index.js:10759:23)
at Parser.parseUpdate (/src/repo/node_modules/@babel/parser/lib/index.js:10744:21)
at Parser.parseMaybeUnary (/src/repo/node_modules/@babel/parser/lib/index.js:10724:23)
at Parser.parseMaybeUnaryOrPrivate (/src/repo/node_modules/@babel/parser/lib/index.js:10577:61)
at Parser.parseExprOps (/src/repo/node_modules/@babel/parser/lib/index.js:10582:23)
at Parser.parseMaybeConditional (/src/repo/node_modules/@babel/parser/lib/index.js:10559:23)
at Parser.parseMaybeAssign (/src/repo/node_modules/@babel/parser/lib/index.js:10522:21)
at Parser.parseExpressionBase (/src/repo/node_modules/@babel/parser/lib/index.js:10477:23)
at /src/repo/node_modules/@babel/parser/lib/index.js:10473:39
at Parser.allowInAnd (/src/repo/node_modules/@babel/parser/lib/index.js:12096:16)
at Parser.parseExpression (/src/repo/node_modules/@babel/parser/lib/index.js:10473:17)
at Parser.parseStatementContent (/src/repo/node_modules/@babel/parser/lib/index.js:12534:23)
at Parser.parseStatementLike (/src/repo/node_modules/@babel/parser/lib/index.js:12407:17)
at Parser.parseModuleItem (/src/repo/node_modules/@babel/parser/lib/index.js:12384:17)
at Parser.parseBlockOrModuleBlockBody (/src/repo/node_modules/@babel/parser/lib/index.js:12955:36)
at Parser.parseBlockBody (/src/repo/node_modules/@babel/parser/lib/index.js:12948:10)
at Parser.parseProgram (/src/repo/node_modules/@babel/parser/lib/index.js:12281:10)
at Parser.parseTopLevel (/src/repo/node_modules/@babel/parser/lib/index.js:12271:25)
at Parser.parse (/src/repo/node_modules/@babel/parser/lib/index.js:14123:10)
at parse (/src/repo/node_modules/@babel/parser/lib/index.js:14157:38)
at parser (/src/repo/node_modules/@babel/core/lib/parser/index.js:41:34)
at parser.next (<anonymous>)
at normalizeFile (/src/repo/node_modules/@babel/core/lib/transformation/normalize-file.js:64:37)
at normalizeFile.next (<anonymous>)
at run (/src/repo/node_modules/@babel/core/lib/transformation/index.js:22:50)
at run.next (<anonymous>)
at transform (/src/repo/node_modules/@babel/core/lib/transform.js:22:33)
at transform.next (<anonymous>)
at evaluateSync (/src/repo/node_modules/gensync/index.js:251:28)
at sync (/src/repo/node_modules/gensync/index.js:89:14)
at stopHiding - secret - don't use this - v1 (/src/repo/node_modules/@babel/core/lib/errors/rewrite-stack-trace.js:47:12)
at transformSync (/src/repo/node_modules/@babel/core/lib/transform.js:42:76)
at ScriptTransformer._instrumentFile (/src/repo/node_modules/@jest/transform/build/ScriptTransformer.js:389:46)
at ScriptTransformer._buildTransformResult (/src/repo/node_modules/@jest/transform/build/ScriptTransformer.js:491:33)
at ScriptTransformer.transformSourceAsync (/src/repo/node_modules/@jest/transform/build/ScriptTransformer.js:608:17)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async generateEmptyCoverage (/src/repo/node_modules/@jest/reporters/build/generateEmptyCoverage.js:127:20)
Test Suites: 1 passed, 1 total
Tests: 10 passed, 10 total
Snapshots: 0 total
Time: 5.979 s
Ran all test suites.
--- stdout ---
> chart@0.0.0 test
> npm run lint && npm run test:unit
> chart@0.0.0 lint
> npm -s run lint:js && npm -s run lint:styles && npm -s run lint:i18n
Checked 1 message directory.
> chart@0.0.0 test:unit
> jest
------------------------------|---------|----------|---------|---------|-----------------------------------------------------------------
File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
------------------------------|---------|----------|---------|---------|-----------------------------------------------------------------
All files | 10.72 | 11.4 | 10.81 | 10.38 |
ext.chart | 19.23 | 13.54 | 19.04 | 18.75 |
bootstrap.js | 0 | 0 | 0 | 0 | 3-59
render.js | 25 | 16.25 | 25 | 24.48 | 5-8,20,40-76,91,115-124,142-145,148-151,160-162,175-200,223-281
ext.chart.visualEditMode | 0 | 0 | 100 | 0 |
init.js | 0 | 0 | 100 | 0 | 3-8
ext.chart.visualEditor | 0 | 0 | 0 | 0 |
ve.ce.MWChartNode.js | 0 | 100 | 0 | 0 | 18-52
ve.dm.MWChartNode.js | 0 | 0 | 0 | 0 | 17-58
ve.ui.MWChartContextItem.js | 0 | 100 | 0 | 0 | 17-55
ve.ui.MWChartDialog.js | 0 | 0 | 0 | 0 | 17-145
ve.ui.MWChartDialogTool.js | 0 | 100 | 0 | 0 | 18-43
------------------------------|---------|----------|---------|---------|-----------------------------------------------------------------
--- end ---
{"1117870": {"source": 1117870, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to path traversal via percent-encoded dot segments", "url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.0"}, "1117884": {"source": 1117884, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters", "url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc", "severity": "high", "cwe": ["CWE-436"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.1"}}
Upgrading n:fast-uri from 3.0.5 -> 3.1.2
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating fast-uri to 3.1.2
* https://github.com/advisories/GHSA-q3j6-qgpj-74h6
* https://github.com/advisories/GHSA-v39h-62p7-jpjc
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmpnxj_q9r2
--- stdout ---
[REL1_46 15a4d28] build: Updating fast-uri to 3.1.2
1 file changed, 3 insertions(+), 3 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 15a4d28c3d779040a8ebed6416d2a9cd065c00f7 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 21 May 2026 03:40:51 +0000
Subject: [PATCH] build: Updating fast-uri to 3.1.2
* https://github.com/advisories/GHSA-q3j6-qgpj-74h6
* https://github.com/advisories/GHSA-v39h-62p7-jpjc
Change-Id: I4ce6e1cd996d526bcc399cce952bc8116ba664bb
---
package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index b5e9bdd..3861837 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3451,9 +3451,9 @@
"dev": true
},
"node_modules/fast-uri": {
- "version": "3.0.5",
- "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.5.tgz",
- "integrity": "sha512-5JnBCWpFlMo0a3ciDy/JckMzzv1U9coZrIhedq+HXxxUfDTAiS0LA8OKVao4G9BxmCVck/jtA5r3KAtRWEyD8Q==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+ "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
"dev": true,
"funding": [
{
--
2.47.3
--- end ---