This run took 72 seconds.
From 51a50f8d59a0da41567281760f0c9ca8ad42da11 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Fri, 22 May 2026 14:05:37 +0000
Subject: [PATCH] build: Updating js-cookie to 3.0.7
* https://github.com/advisories/GHSA-qjx8-664m-686j
Change-Id: I84f94295a4c1a5077621facfd8743b1923d8eaee
---
package-lock.json | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index b5862df..950ac7a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -8011,13 +8011,12 @@
}
},
"node_modules/js-cookie": {
- "version": "3.0.5",
- "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz",
- "integrity": "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==",
+ "version": "3.0.7",
+ "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.7.tgz",
+ "integrity": "sha512-z/wZZgDrkNV1eA0ULjM/F9/50Ya8fbzgKneSpoPsXSGd0KnpdtHfOZWK+GcwLk+EZbS4F9RBhU+K2RgzuDaItw==",
"dev": true,
- "license": "MIT",
"engines": {
- "node": ">=14"
+ "node": ">=20"
}
},
"node_modules/js-tokens": {
--
2.47.3
$ date
--- stdout ---
Fri May 22 14:04:43 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-ReadingLists.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
4cb8abfe9ff5bc532fbf3c13bbf0b587774b048b refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"js-cookie": {
"name": "js-cookie",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119459,
"name": "js-cookie",
"dependency": "js-cookie",
"title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection",
"url": "https://github.com/advisories/GHSA-qjx8-664m-686j",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.0.5"
}
],
"effects": [],
"range": "<=3.0.5",
"nodes": [
"node_modules/js-cookie"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 830,
"optional": 3,
"peer": 29,
"peerOptional": 0,
"total": 830
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 38 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.6.0)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
- Locking doctrine/deprecations (1.1.6)
- Locking mediawiki/mediawiki-codesniffer (v51.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.5.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking pleonasm/bloom-filter (1.0.4)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (6.1.0)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v8.0.11)
- Locking symfony/deprecation-contracts (v3.7.0)
- Locking symfony/polyfill-ctype (v1.37.0)
- Locking symfony/polyfill-intl-grapheme (v1.37.0)
- Locking symfony/polyfill-intl-normalizer (v1.37.0)
- Locking symfony/polyfill-mbstring (v1.37.0)
- Locking symfony/service-contracts (v3.7.0)
- Locking symfony/string (v8.0.11)
- Locking webmozart/assert (2.4.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 38 installs, 0 updates, 0 removals
- Downloading pleonasm/bloom-filter (1.0.4)
0/1 [>---------------------------] 0%
1/1 [============================] 100%
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.5.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.37.0): Extracting archive
- Installing composer/spdx-licenses (1.6.0): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v51.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.37.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.37.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.37.0): Extracting archive
- Installing symfony/string (v8.0.11): Extracting archive
- Installing symfony/deprecation-contracts (v3.7.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.7.0): Extracting archive
- Installing symfony/console (v8.0.11): Extracting archive
- Installing sabre/event (6.1.0): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.4.0): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
- Installing pleonasm/bloom-filter (1.0.4): Extracting archive
0/36 [>---------------------------] 0%
27/36 [=====================>------] 75%
36/36 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
16 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"js-cookie": {
"name": "js-cookie",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119459,
"name": "js-cookie",
"dependency": "js-cookie",
"title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection",
"url": "https://github.com/advisories/GHSA-qjx8-664m-686j",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.0.5"
}
],
"effects": [],
"range": "<=3.0.5",
"nodes": [
"node_modules/js-cookie"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 830,
"optional": 3,
"peer": 29,
"peerOptional": 0,
"total": 830
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.4.0',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.4.0',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---
{
"added": 830,
"removed": 0,
"changed": 0,
"audited": 831,
"funding": 164,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"js-cookie": {
"name": "js-cookie",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119459,
"name": "js-cookie",
"dependency": "js-cookie",
"title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection",
"url": "https://github.com/advisories/GHSA-qjx8-664m-686j",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.0.5"
}
],
"effects": [],
"range": "<=3.0.5",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 830,
"optional": 3,
"peer": 29,
"peerOptional": 0,
"total": 830
}
}
}
}
--- end ---
{"added": 830, "removed": 0, "changed": 0, "audited": 831, "funding": 164, "audit": {"auditReportVersion": 2, "vulnerabilities": {"js-cookie": {"name": "js-cookie", "severity": "high", "isDirect": false, "via": [{"source": 1119459, "name": "js-cookie", "dependency": "js-cookie", "title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection", "url": "https://github.com/advisories/GHSA-qjx8-664m-686j", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.0.5"}], "effects": [], "range": "<=3.0.5", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0, "total": 1}, "dependencies": {"prod": 1, "dev": 830, "optional": 3, "peer": 29, "peerOptional": 0, "total": 830}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.4.0',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.4.0',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 829 packages, and audited 830 packages in 8s
164 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex@2.4.0',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-icons@2.4.0',
npm WARN EBADENGINE required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 829 packages, and audited 830 packages in 11s
164 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
$ /usr/bin/npm test
--- stderr ---
14 sources checked
/src/repo/resources/ext.readingLists.bookmark.anonymous/CtaDialog.vue
/src/repo/resources/ext.readingLists.bookmark.anonymous/pulsatingDot.less
/src/repo/resources/ext.readingLists.bookmark.confirmPopover/ConfirmUnsavePopover.vue
/src/repo/resources/ext.readingLists.onboarding.desktop/OnboardingPopover.vue
/src/repo/resources/ext.readingLists.onboarding.mobile/MobileOnboardingPopover.vue
/src/repo/resources/ext.readingLists.special/styles.less
/src/repo/resources/ext.readingLists.special/components/DisplayButton.vue
/src/repo/resources/ext.readingLists.special/components/EmptyList.vue
/src/repo/resources/ext.readingLists.special/components/EntryItem.vue
/src/repo/resources/ext.readingLists.special/components/ImportDialog.vue
/src/repo/resources/ext.readingLists.special/components/ListItem.vue
/src/repo/resources/ext.readingLists.special/components/Survey.vue
/src/repo/resources/ext.readingLists.special/pages/Entries.vue
/src/repo/resources/ext.readingLists.special/pages/Lists.vue
0 problems found
PASS tests/jest/ext.readingLists.api/index.test.js
setup
✓ returns inserted list (8 ms)
getLists
✓ returns array of multiple lists (2 ms)
✓ paginates with continue token (1 ms)
✓ sets up default list if missing (2 ms)
✓ throws on unhandled error (1 ms)
getList
✓ returns metadata of one list (1 ms)
✓ translates default list name/description (1 ms)
✓ sets up default list if missing (1 ms)
✓ throws on unhandled error (1 ms)
getEntries
✓ returns array of list entries (2 ms)
✓ paginates with continue token (1 ms)
✓ sets up default list if missing (2 ms)
✓ throws on unhandled error (1 ms)
getPagesFromManifest
✓ returns array of page metadata (1 ms)
✓ transforms language code to url (1 ms)
✓ resolves page ids to titles (2 ms)
✓ matches entries by title when API response has no normalized or redirects data (1 ms)
✓ resolves entry title through normalization and redirect (1 ms)
✓ returns fallback on error (1 ms)
createEntry
✓ returns inserted entry (1 ms)
deleteEntry
✓ returns success message (1 ms)
deleteEntryByPageTitle
✓ returns success message (1 ms)
fromBase64
✓ returns entries with resolved pages (2 ms)
✓ returns error message (2 ms)
✓ preserves name when already present in encoded data (2 ms)
toBase64
✓ returns a base64 string that decodes to the original values (1 ms)
✓ throws on characters outside Latin-1 range in name (1 ms)
✓ produces output that fromBase64 can parse back (2 ms)
PASS tests/jest/ext.readingLists.onboarding.desktop/OnboardingPopover.test.js
OnboardingPopover
rendering behavior
✓ matches the snapshot (121 ms)
✓ renders with custom title, body message keys, and banner image (24 ms)
✓ renders close button with aria-label (12 ms)
popover dismiss behavior
✓ closes popover and calls onDismiss when close button is clicked (15 ms)
✓ calls onDismiss when popover is closed externally (23 ms)
PASS tests/jest/ext.readingLists.bookmark.confirmPopover/ConfirmUnsavePopover.test.js
ConfirmUnsavePopover
ConfirmUnsavePopover rendering
✓ matches the snapshot (126 ms)
ConfirmUnsavePopover props
✓ primaryAction has a destructive action type (6 ms)
✓ placement is bottom-start when isMinerva is true (4 ms)
ConfirmUnsavePopover actions
✓ calls onConfirm when the primary action is clicked (17 ms)
✓ calls onCancel when the default action is clicked (14 ms)
✓ calls onCancel when the popover is closed externally (9 ms)
✓ does not call onCancel when the popover emits open (4 ms)
PASS tests/jest/ext.readingLists.special/Survey.test.js
Survey
✓ matches the snapshot (22 ms)
when the positive button is clicked
✓ opens the dialog and renders dialog content (81 ms)
when the negative button is clicked
✓ opens the dialog (28 ms)
when the dialog is closed
via the primary action button
✓ closes the dialog and shows the thank you message (42 ms)
via the close button
✓ closes the dialog and shows the thank you message (31 ms)
when the survey is completed
✓ contains the correct (20 ms)
PASS tests/jest/ext.readingLists.onboarding.mobile/MobileOnboardingPopover.test.js
MobileOnboardingPopover
rendering behavior
✓ matches the snapshot (27 ms)
✓ renders popover content when the popover is open (20 ms)
popover dismiss behavior
✓ closes popover and calls onDismiss when user clicks the primary action (5 ms)
✓ calls onDismiss when user clicks outside the popover (3 ms)
PASS tests/jest/ext.readingLists.bookmark/bookmark.test.js
initBookmark
initialization
Vector skin initBookmark
✓ sets outline icon and add bookmark label for unsaved page (666 ms)
✓ sets solid icon and remove bookmark label for saved page (7 ms)
Minerva skin initBookmark
✓ uses Minerva icon classes (5 ms)
✓ sets solid icon and remove bookmark label for saved page (5 ms)
click bookmark button to save page
Vector skin bookmark click to save
✓ calls createEntry, updates icon, fires hook (18 ms)
✓ triggers onboarding popover on first save when not yet seen (994 ms)
✓ shows notify success when onboarding already seen (6 ms)
Minerva skin bookmark button click to save
✓ calls createEntry, updates icon, fires hook (5 ms)
✓ triggers onboarding popover on first save when not yet seen (102 ms)
✓ shows notify success when onboarding already seen (9 ms)
click bookmark button to unsave page
✓ calls deleteEntryByPageTitle, updates icon, fires hook on Vector skin (6 ms)
✓ calls deleteEntryByPageTitle, updates icon, fires hook on Minerva skin (5 ms)
✓ loads confirm popover before removing page from a custom list (6 ms)
✓ does not remove page when custom list confirmation is cancelled (4 ms)
ReadingLists list setup flow
✓ calls api.setup() first when no listId, then calls createEntry on Vector skin (7 ms)
error handling
✓ shows error notification when createEntry rejects on Vector skin (4 ms)
✓ shows error notification when deleteEntryByPageTitle rejects with unexpected error on Vector skin (5 ms)
initOnboardingPopover
✓ returns early if anchor element not found in DOM (4 ms)
✓ returns early if storage key already set (5 ms)
✓ loads onboarding popover module after timer and idle callback (28 ms)
✓ defers loading onboarding popover if the homepage tour hasn't been seen yet (7 ms)
PASS tests/jest/ext.readingLists.onboarding/mountApp.test.js
mountApp
onboarding popover mounting
✓ mounts the popover with correct component and props and sets local storage key (5 ms)
✓ bannerImagePath is passed as prop when provided (19 ms)
popover not in viewport
✓ does not mount when target is above the viewport (1 ms)
PASS tests/jest/ext.readingLists.bookmark.confirmPopover/index.test.js
confirmUnsaveFromCustomList
✓ mounts the app with the anchor element and isMinerva prop (3 ms)
✓ resolves with true and unmounts when onConfirm is called (2 ms)
✓ resolves with false and unmounts when onCancel is called
PASS tests/jest/ext.readingLists.bookmark.anonymous/index.test.js
Anonymous bookmark button
✓ throws error when bookmark element is not found (359 ms)
✓ mounts CtaDialog when bookmark is clicked (9 ms)
PASS tests/jest/ext.readingLists.bookmark.anonymous/CtaDialog.test.js
CtaDialog
✓ matches the snapshot (77 ms)
PASS tests/jest/ext.readingLists.special/Lists.test.js
Lists
✓ renders with toolbar disabled (389 ms)
✓ renders with toolbar enabled (162 ms)
PASS tests/jest/ext.readingLists.special/Entries.test.js
Entries
✓ renders with toolbar disabled (582 ms)
✓ renders with toolbar enabled (114 ms)
✓ renders all items from all lists on special page (76 ms)
Test Suites: 12 passed, 12 total
Tests: 85 passed, 85 total
Snapshots: 10 passed, 10 total
Time: 4.929 s
Ran all test suites.
--- stdout ---
> test
> npm run lint && npm run test:unit
> lint
> npm run lint:i18n && npm run lint:scripts && npm run lint:scripts:tests && npm run lint:styles
> lint:i18n
> banana-checker i18n/ i18n/api/
Checked 2 message directories.
> lint:scripts
> eslint --cache --ignore-pattern tests/api-testing .
> lint:scripts:tests
> eslint --cache --no-ignore --config tests/api-testing/.eslintrc.json tests/api-testing
> lint:styles
> stylelint --cache -f verbose "resources/**/*.{css,less,vue}"
> test:unit
> jest --verbose
------------------------------------------|---------|----------|---------|---------|--------------------------------------------------------------
File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
------------------------------------------|---------|----------|---------|---------|--------------------------------------------------------------
All files | 82.1 | 67.6 | 76.43 | 81.8 |
ext.readingLists.api | 100 | 93.5 | 100 | 100 |
index.js | 100 | 93.5 | 100 | 100 | 107,246-258
ext.readingLists.bookmark | 91.5 | 85 | 100 | 91.42 |
bookmark.js | 91.5 | 85 | 100 | 91.42 | 13-17,83,159,240,265-270,369
ext.readingLists.bookmark.anonymous | 77.27 | 51.72 | 58.06 | 75 |
CtaDialog.vue | 81.25 | 38.88 | 65 | 77.5 | 54-55,66-76,115,128-134
index.js | 85.71 | 75 | 60 | 85.71 | 23,28-29
pulsatingDot.js | 57.89 | 71.42 | 33.33 | 57.89 | 11,21-24,38-43
ext.readingLists.bookmark.confirmPopover | 100 | 100 | 100 | 100 |
ConfirmUnsavePopover.vue | 100 | 100 | 100 | 100 |
index.js | 100 | 100 | 100 | 100 |
ext.readingLists.onboarding | 64.28 | 66.66 | 42.85 | 64.28 |
index.js | 100 | 100 | 100 | 100 |
mountApp.js | 63.63 | 66.66 | 42.85 | 63.63 | 15,23,45,49,53,57,61,65,69,73,104-105,112-126
ext.readingLists.onboarding.desktop | 97.29 | 75 | 90.9 | 97.14 |
OnboardingPopover.vue | 96.96 | 75 | 90 | 96.77 | 93
index.js | 100 | 100 | 100 | 100 |
ext.readingLists.onboarding.mobile | 96.66 | 75 | 90 | 96.29 |
MobileOnboardingPopover.vue | 96.15 | 75 | 88.88 | 95.65 | 68
index.js | 100 | 100 | 100 | 100 |
ext.readingLists.special/components | 75.73 | 45.65 | 64.1 | 76.86 |
DisplayButton.vue | 51.51 | 25 | 62.5 | 54.83 | 73-89,110
EmptyList.vue | 81.81 | 100 | 0 | 81.81 | 4,27
EntryItem.vue | 91.66 | 100 | 75 | 91.66 | 13
ImportDialog.vue | 45.83 | 0 | 0 | 45.83 | 19-41,56-77
ListItem.vue | 100 | 66.66 | 100 | 100 | 34,36-58,70
Survey.vue | 97.5 | 87.5 | 92.3 | 97.5 | 68
ext.readingLists.special/pages | 69.14 | 52.89 | 62.5 | 69.54 |
Entries.vue | 63.24 | 54.02 | 61.9 | 63.79 | 74-86,95,105,119-127,136,143-144,155-158,170-180,191-207,259
Lists.vue | 81.03 | 50 | 63.63 | 81.03 | 42-46,72,78,88-89,98-99,130
------------------------------------------|---------|----------|---------|---------|--------------------------------------------------------------
--- end ---
{"1119459": {"source": 1119459, "name": "js-cookie", "dependency": "js-cookie", "title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection", "url": "https://github.com/advisories/GHSA-qjx8-664m-686j", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.0.5"}}
Upgrading n:js-cookie from 3.0.5 -> 3.0.7
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating js-cookie to 3.0.7
* https://github.com/advisories/GHSA-qjx8-664m-686j
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmp1braiuwk
--- stdout ---
[master 51a50f8] build: Updating js-cookie to 3.0.7
1 file changed, 4 insertions(+), 5 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 51a50f8d59a0da41567281760f0c9ca8ad42da11 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Fri, 22 May 2026 14:05:37 +0000
Subject: [PATCH] build: Updating js-cookie to 3.0.7
* https://github.com/advisories/GHSA-qjx8-664m-686j
Change-Id: I84f94295a4c1a5077621facfd8743b1923d8eaee
---
package-lock.json | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index b5862df..950ac7a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -8011,13 +8011,12 @@
}
},
"node_modules/js-cookie": {
- "version": "3.0.5",
- "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz",
- "integrity": "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==",
+ "version": "3.0.7",
+ "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.7.tgz",
+ "integrity": "sha512-z/wZZgDrkNV1eA0ULjM/F9/50Ya8fbzgKneSpoPsXSGd0KnpdtHfOZWK+GcwLk+EZbS4F9RBhU+K2RgzuDaItw==",
"dev": true,
- "license": "MIT",
"engines": {
- "node": ">=14"
+ "node": ">=20"
}
},
"node_modules/js-tokens": {
--
2.47.3
--- end ---