This run took 62 seconds.
From a23efb9d35a005a1d59ff3067004b0399b919c05 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Tue, 16 Jun 2026 11:39:11 +0000
Subject: [PATCH] build: Updating @babel/core to 7.29.7, ^7.12.10
* https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
Change-Id: Iee14be770bdf78523cdc0e1301388f44119990d4
---
package-lock.json | 209 ++++++++++++++++++++++++----------------------
1 file changed, 108 insertions(+), 101 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index cd58f46..efa6072 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -33,19 +33,6 @@
"node": ">=0.10.0"
}
},
- "node_modules/@ampproject/remapping": {
- "version": "2.3.0",
- "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
- "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
- "dev": true,
- "dependencies": {
- "@jridgewell/gen-mapping": "^0.3.5",
- "@jridgewell/trace-mapping": "^0.3.24"
- },
- "engines": {
- "node": ">=6.0.0"
- }
- },
"node_modules/@babel/cli": {
"version": "7.24.1",
"resolved": "https://registry.npmjs.org/@babel/cli/-/cli-7.24.1.tgz",
@@ -76,12 +63,12 @@
}
},
"node_modules/@babel/code-frame": {
- "version": "7.29.0",
- "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
- "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz",
+ "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
"dev": true,
"dependencies": {
- "@babel/helper-validator-identifier": "^7.28.5",
+ "@babel/helper-validator-identifier": "^7.29.7",
"js-tokens": "^4.0.0",
"picocolors": "^1.1.1"
},
@@ -90,30 +77,30 @@
}
},
"node_modules/@babel/compat-data": {
- "version": "7.24.1",
- "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.24.1.tgz",
- "integrity": "sha512-Pc65opHDliVpRHuKfzI+gSA4zcgr65O4cl64fFJIWEEh8JoHIHh0Oez1Eo8Arz8zq/JhgKodQaxEwUPRtZylVA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.7.tgz",
+ "integrity": "sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==",
"dev": true,
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/core": {
- "version": "7.24.3",
- "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.24.3.tgz",
- "integrity": "sha512-5FcvN1JHw2sHJChotgx8Ek0lyuh4kCKelgMTTqhYJJtloNvUfpAFMeNQUtdlIaktwrSV9LtCdqwk48wL2wBacQ==",
- "dev": true,
- "dependencies": {
- "@ampproject/remapping": "^2.2.0",
- "@babel/code-frame": "^7.24.2",
- "@babel/generator": "^7.24.1",
- "@babel/helper-compilation-targets": "^7.23.6",
- "@babel/helper-module-transforms": "^7.23.3",
- "@babel/helpers": "^7.24.1",
- "@babel/parser": "^7.24.1",
- "@babel/template": "^7.24.0",
- "@babel/traverse": "^7.24.1",
- "@babel/types": "^7.24.0",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.7.tgz",
+ "integrity": "sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==",
+ "dev": true,
+ "dependencies": {
+ "@babel/code-frame": "^7.29.7",
+ "@babel/generator": "^7.29.7",
+ "@babel/helper-compilation-targets": "^7.29.7",
+ "@babel/helper-module-transforms": "^7.29.7",
+ "@babel/helpers": "^7.29.7",
+ "@babel/parser": "^7.29.7",
+ "@babel/template": "^7.29.7",
+ "@babel/traverse": "^7.29.7",
+ "@babel/types": "^7.29.7",
+ "@jridgewell/remapping": "^2.3.5",
"convert-source-map": "^2.0.0",
"debug": "^4.1.0",
"gensync": "^1.0.0-beta.2",
@@ -129,13 +116,13 @@
}
},
"node_modules/@babel/generator": {
- "version": "7.29.1",
- "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
- "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz",
+ "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==",
"dev": true,
"dependencies": {
- "@babel/parser": "^7.29.0",
- "@babel/types": "^7.29.0",
+ "@babel/parser": "^7.29.7",
+ "@babel/types": "^7.29.7",
"@jridgewell/gen-mapping": "^0.3.12",
"@jridgewell/trace-mapping": "^0.3.28",
"jsesc": "^3.0.2"
@@ -169,14 +156,14 @@
}
},
"node_modules/@babel/helper-compilation-targets": {
- "version": "7.23.6",
- "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.23.6.tgz",
- "integrity": "sha512-9JB548GZoQVmzrFgp8o7KxdgkTGm6xs9DW0o/Pim72UDjzr5ObUQ6ZzYPqA+g9OTS2bBQoctLJrky0RDCAWRgQ==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz",
+ "integrity": "sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==",
"dev": true,
"dependencies": {
- "@babel/compat-data": "^7.23.5",
- "@babel/helper-validator-option": "^7.23.5",
- "browserslist": "^4.22.2",
+ "@babel/compat-data": "^7.29.7",
+ "@babel/helper-validator-option": "^7.29.7",
+ "browserslist": "^4.24.0",
"lru-cache": "^5.1.1",
"semver": "^6.3.1"
},
@@ -263,9 +250,9 @@
}
},
"node_modules/@babel/helper-globals": {
- "version": "7.28.0",
- "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz",
- "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz",
+ "integrity": "sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==",
"dev": true,
"engines": {
"node": ">=6.9.0"
@@ -284,27 +271,27 @@
}
},
"node_modules/@babel/helper-module-imports": {
- "version": "7.28.6",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
- "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz",
+ "integrity": "sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==",
"dev": true,
"dependencies": {
- "@babel/traverse": "^7.28.6",
- "@babel/types": "^7.28.6"
+ "@babel/traverse": "^7.29.7",
+ "@babel/types": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-module-transforms": {
- "version": "7.28.6",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
- "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.29.7.tgz",
+ "integrity": "sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==",
"dev": true,
"dependencies": {
- "@babel/helper-module-imports": "^7.28.6",
- "@babel/helper-validator-identifier": "^7.28.5",
- "@babel/traverse": "^7.28.6"
+ "@babel/helper-module-imports": "^7.29.7",
+ "@babel/helper-validator-identifier": "^7.29.7",
+ "@babel/traverse": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
@@ -405,27 +392,27 @@
}
},
"node_modules/@babel/helper-string-parser": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
- "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz",
+ "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==",
"dev": true,
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-validator-identifier": {
- "version": "7.28.5",
- "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
- "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz",
+ "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==",
"dev": true,
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-validator-option": {
- "version": "7.23.5",
- "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.23.5.tgz",
- "integrity": "sha512-85ttAOMLsr53VgXkTbkx8oA6YTfT4q7/HzXSLEYmjcSTJPMPQtvq1BD79Byep5xMUYbGRzEpDsjUf3dyp54IKw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.29.7.tgz",
+ "integrity": "sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==",
"dev": true,
"engines": {
"node": ">=6.9.0"
@@ -446,25 +433,25 @@
}
},
"node_modules/@babel/helpers": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.28.4.tgz",
- "integrity": "sha512-HFN59MmQXGHVyYadKLVumYsA9dBFun/ldYxipEjzA4196jpLZd8UjEEBLkbEkvfYreDqJhZxYAWFPtrfhNpj4w==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.7.tgz",
+ "integrity": "sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==",
"dev": true,
"dependencies": {
- "@babel/template": "^7.27.2",
- "@babel/types": "^7.28.4"
+ "@babel/template": "^7.29.7",
+ "@babel/types": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/parser": {
- "version": "7.29.3",
- "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
- "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz",
+ "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==",
"dev": true,
"dependencies": {
- "@babel/types": "^7.29.0"
+ "@babel/types": "^7.29.7"
},
"bin": {
"parser": "bin/babel-parser.js"
@@ -1663,31 +1650,31 @@
}
},
"node_modules/@babel/template": {
- "version": "7.28.6",
- "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
- "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz",
+ "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==",
"dev": true,
"dependencies": {
- "@babel/code-frame": "^7.28.6",
- "@babel/parser": "^7.28.6",
- "@babel/types": "^7.28.6"
+ "@babel/code-frame": "^7.29.7",
+ "@babel/parser": "^7.29.7",
+ "@babel/types": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/traverse": {
- "version": "7.29.0",
- "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
- "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.7.tgz",
+ "integrity": "sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==",
"dev": true,
"dependencies": {
- "@babel/code-frame": "^7.29.0",
- "@babel/generator": "^7.29.0",
- "@babel/helper-globals": "^7.28.0",
- "@babel/parser": "^7.29.0",
- "@babel/template": "^7.28.6",
- "@babel/types": "^7.29.0",
+ "@babel/code-frame": "^7.29.7",
+ "@babel/generator": "^7.29.7",
+ "@babel/helper-globals": "^7.29.7",
+ "@babel/parser": "^7.29.7",
+ "@babel/template": "^7.29.7",
+ "@babel/types": "^7.29.7",
"debug": "^4.3.1"
},
"engines": {
@@ -1695,13 +1682,13 @@
}
},
"node_modules/@babel/types": {
- "version": "7.29.0",
- "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
- "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz",
+ "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==",
"dev": true,
"dependencies": {
- "@babel/helper-string-parser": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.28.5"
+ "@babel/helper-string-parser": "^7.29.7",
+ "@babel/helper-validator-identifier": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
@@ -2047,6 +2034,16 @@
"@jridgewell/trace-mapping": "^0.3.24"
}
},
+ "node_modules/@jridgewell/remapping": {
+ "version": "2.3.5",
+ "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+ "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+ "dev": true,
+ "dependencies": {
+ "@jridgewell/gen-mapping": "^0.3.5",
+ "@jridgewell/trace-mapping": "^0.3.24"
+ }
+ },
"node_modules/@jridgewell/resolve-uri": {
"version": "3.1.2",
"resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
@@ -6095,10 +6092,20 @@
"dev": true
},
"node_modules/js-yaml": {
- "version": "4.1.1",
- "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
- "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+ "version": "4.2.0",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+ "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
"dev": true,
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/puzrin"
+ },
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/nodeca"
+ }
+ ],
"dependencies": {
"argparse": "^2.0.1"
},
--
2.47.3
$ date
--- stdout ---
Tue Jun 16 11:38:28 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-skins-2018.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
68b8998890b4f31402c997f7449abf95fe9d473e refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/core": {
"name": "@babel/core",
"severity": "low",
"isDirect": true,
"via": [
{
"source": 1120793,
"name": "@babel/core",
"dependency": "@babel/core",
"title": "@babel/core: Arbitrary File Read via sourceMappingURL Comment",
"url": "https://github.com/advisories/GHSA-4x5r-pxfx-6jf8",
"severity": "low",
"cwe": [
"CWE-22",
"CWE-200"
],
"cvss": {
"score": 3.2,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"
},
"range": "<=7.29.0"
}
],
"effects": [],
"range": "<=7.29.0",
"nodes": [
"node_modules/@babel/core"
],
"fixAvailable": true
},
"@braintree/sanitize-url": {
"name": "@braintree/sanitize-url",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1088745,
"name": "@braintree/sanitize-url",
"dependency": "@braintree/sanitize-url",
"title": "Cross-site Scripting in sanitize-url",
"url": "https://github.com/advisories/GHSA-hqq7-2q2v-82xq",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<6.0.0"
},
{
"source": 1091262,
"name": "@braintree/sanitize-url",
"dependency": "@braintree/sanitize-url",
"title": "@braintree/sanitize-url Cross-site Scripting vulnerability",
"url": "https://github.com/advisories/GHSA-q8gg-vj6m-hgmj",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<6.0.1"
}
],
"effects": [
"mermaid"
],
"range": "<=6.0.0",
"nodes": [
"node_modules/@braintree/sanitize-url"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3": {
"name": "d3",
"severity": "high",
"isDirect": false,
"via": [
"d3-brush",
"d3-color",
"d3-interpolate",
"d3-scale",
"d3-transition",
"d3-zoom"
],
"effects": [
"dagre-d3"
],
"range": "4.0.0-alpha.1 - 6.7.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3-brush": {
"name": "d3-brush",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.1.0 - 2.1.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-brush"
],
"fixAvailable": true
},
"d3-color": {
"name": "d3-color",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1088594,
"name": "d3-color",
"dependency": "d3-color",
"title": "d3-color vulnerable to ReDoS",
"url": "https://github.com/advisories/GHSA-36jr-mh4h-2g58",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.0"
}
],
"effects": [
"d3",
"d3-interpolate",
"d3-scale-chromatic",
"d3-transition"
],
"range": "<3.1.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-color"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3-interpolate": {
"name": "d3-interpolate",
"severity": "high",
"isDirect": false,
"via": [
"d3-color"
],
"effects": [
"d3-brush",
"d3-scale",
"d3-scale-chromatic",
"d3-transition",
"d3-zoom"
],
"range": "0.1.3 - 2.0.1",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-interpolate"
],
"fixAvailable": true
},
"d3-scale": {
"name": "d3-scale",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate"
],
"effects": [],
"range": "0.1.5 - 3.3.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-scale"
],
"fixAvailable": true
},
"d3-scale-chromatic": {
"name": "d3-scale-chromatic",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [],
"range": "0.1.0 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-scale-chromatic"
],
"fixAvailable": true
},
"d3-transition": {
"name": "d3-transition",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [],
"range": "0.0.7 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-transition"
],
"fixAvailable": true
},
"d3-zoom": {
"name": "d3-zoom",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.0.2 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-zoom"
],
"fixAvailable": true
},
"dagre-d3": {
"name": "dagre-d3",
"severity": "high",
"isDirect": false,
"via": [
"d3"
],
"effects": [
"mermaid"
],
"range": ">=0.5.0",
"nodes": [
"node_modules/dagre-d3"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"dompurify": {
"name": "dompurify",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1099597,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify allows tampering by prototype pollution",
"url": "https://github.com/advisories/GHSA-mmhx-hmjr-r674",
"severity": "high",
"cwe": [
"CWE-1321",
"CWE-1333"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "<2.5.4"
},
{
"source": 1105772,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify allows Cross-site Scripting (XSS)",
"url": "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 4.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<3.2.4"
},
{
"source": 1109546,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify vulnerable to tampering by prototype polution",
"url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<2.4.2"
},
{
"source": 1109555,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMpurify has a nesting-based mXSS",
"url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 10,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"
},
"range": "<2.5.0"
},
{
"source": 1115921,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify ADD_ATTR predicate skips URI validation",
"url": "https://github.com/advisories/GHSA-cjmm-f4jc-qw8r",
"severity": "moderate",
"cwe": [
"CWE-183"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.1"
},
{
"source": 1115922,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify USE_PROFILES prototype pollution allows event handlers",
"url": "https://github.com/advisories/GHSA-cj63-jhhr-wcxv",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.1"
},
{
"source": 1116663,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation",
"url": "https://github.com/advisories/GHSA-39q2-94rc-95cp",
"severity": "moderate",
"cwe": [
"CWE-783"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.3"
},
{
"source": 1117138,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)",
"url": "https://github.com/advisories/GHSA-h7mw-gpvr-xq4m",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-183"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.4.0"
},
{
"source": 1117139,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode",
"url": "https://github.com/advisories/GHSA-crv5-9vww-q3g8",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-1289"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
},
"range": ">=1.0.10 <3.4.0"
},
{
"source": 1117795,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization ",
"url": "https://github.com/advisories/GHSA-h8r8-wccr-v5f2",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.3.2"
},
{
"source": 1120800,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects",
"url": "https://github.com/advisories/GHSA-x4vx-rjvf-j5p4",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.6"
},
{
"source": 1120801,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`",
"url": "https://github.com/advisories/GHSA-76mc-f452-cxcm",
"severity": "moderate",
"cwe": [
"CWE-501",
"CWE-693"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<3.4.7"
},
{
"source": 1120802,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks",
"url": "https://github.com/advisories/GHSA-hpcv-96wg-7vj8",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-501",
"CWE-693"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=3.4.5"
},
{
"source": 1120803,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM",
"url": "https://github.com/advisories/GHSA-r47g-fvhr-h676",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-693",
"CWE-1321"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=3.4.5"
},
{
"source": 1120805,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output",
"url": "https://github.com/advisories/GHSA-vxr8-fq34-vvx9",
"severity": "low",
"cwe": [
"CWE-693"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.4.9"
},
{
"source": 1120813,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content",
"url": "https://github.com/advisories/GHSA-rp9w-3fw7-7cwq",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.6"
}
],
"effects": [
"mermaid"
],
"range": "<=3.4.8",
"nodes": [
"node_modules/dompurify"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"grunt": {
"name": "grunt",
"severity": "moderate",
"isDirect": true,
"via": [
"js-yaml"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "moderate",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1120792,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
"url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
"severity": "moderate",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=4.1.1"
}
],
"effects": [
"grunt"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/grunt/node_modules/js-yaml",
"node_modules/js-yaml"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"mermaid": {
"name": "mermaid",
"severity": "high",
"isDirect": true,
"via": [
"@braintree/sanitize-url",
{
"source": 1092622,
"name": "mermaid",
"dependency": "mermaid",
"title": "Possible inject arbitrary `CSS` into the generated graph affecting the container HTML",
"url": "https://github.com/advisories/GHSA-x3vm-38hw-55wf",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-79"
],
"cvss": {
"score": 4.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"
},
"range": ">=8.0.0 <9.1.2"
},
{
"source": 1100231,
"name": "mermaid",
"dependency": "mermaid",
"title": "Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify",
"url": "https://github.com/advisories/GHSA-m4gq-x24j-jpmf",
"severity": "high",
"cwe": [
"CWE-1321",
"CWE-1395"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "<=10.9.2"
},
{
"source": 1120137,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection",
"url": "https://github.com/advisories/GHSA-ghcm-xqfw-q4vr",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120139,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection",
"url": "https://github.com/advisories/GHSA-xcj9-5m2h-648r",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120323,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of configuration leads to CSS injection",
"url": "https://github.com/advisories/GHSA-87f9-hvmw-gh4p",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120325,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS",
"url": "https://github.com/advisories/GHSA-6m6c-36f7-fhxh",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=10.9.5"
},
"dagre-d3",
"dompurify"
],
"effects": [],
"range": "<=10.9.5",
"nodes": [
"node_modules/mermaid"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"nomnom": {
"name": "nomnom",
"severity": "critical",
"isDirect": false,
"via": [
"underscore"
],
"effects": [],
"range": ">=1.6.0",
"nodes": [
"node_modules/nomnom"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109570,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "critical",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.3.2 <1.12.1"
},
{
"source": 1117689,
"name": "underscore",
"dependency": "underscore",
"title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw",
"severity": "high",
"cwe": [
"CWE-674",
"CWE-770"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=1.13.7"
}
],
"effects": [
"nomnom"
],
"range": "<=1.13.7",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 4,
"high": 10,
"critical": 3,
"total": 18
},
"dependencies": {
"prod": 90,
"dev": 621,
"optional": 7,
"peer": 15,
"peerOptional": 0,
"total": 710
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 38 installs, 0 updates, 0 removals
- Locking composer/pcre (3.4.0)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.6.0)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
- Locking doctrine/deprecations (1.1.6)
- Locking mediawiki/mediawiki-codesniffer (v51.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.5.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (6.1.0)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v8.1.0)
- Locking symfony/deprecation-contracts (v3.7.0)
- Locking symfony/polyfill-ctype (v1.37.0)
- Locking symfony/polyfill-intl-grapheme (v1.38.1)
- Locking symfony/polyfill-intl-normalizer (v1.38.0)
- Locking symfony/polyfill-mbstring (v1.38.2)
- Locking symfony/polyfill-php85 (v1.38.1)
- Locking symfony/service-contracts (v3.7.0)
- Locking symfony/string (v8.1.0)
- Locking webmozart/assert (2.4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 38 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
- Installing composer/pcre (3.4.0): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.5.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.38.2): Extracting archive
- Installing composer/spdx-licenses (1.6.0): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v51.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.38.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.38.1): Extracting archive
- Installing symfony/polyfill-ctype (v1.37.0): Extracting archive
- Installing symfony/string (v8.1.0): Extracting archive
- Installing symfony/deprecation-contracts (v3.7.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.7.0): Extracting archive
- Installing symfony/polyfill-php85 (v1.38.1): Extracting archive
- Installing symfony/console (v8.1.0): Extracting archive
- Installing sabre/event (6.1.0): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.4.1): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/36 [>---------------------------] 0%
28/36 [=====================>------] 77%
35/36 [===========================>] 97%
36/36 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/core": {
"name": "@babel/core",
"severity": "low",
"isDirect": true,
"via": [
{
"source": 1120793,
"name": "@babel/core",
"dependency": "@babel/core",
"title": "@babel/core: Arbitrary File Read via sourceMappingURL Comment",
"url": "https://github.com/advisories/GHSA-4x5r-pxfx-6jf8",
"severity": "low",
"cwe": [
"CWE-22",
"CWE-200"
],
"cvss": {
"score": 3.2,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"
},
"range": "<=7.29.0"
}
],
"effects": [],
"range": "<=7.29.0",
"nodes": [
"node_modules/@babel/core"
],
"fixAvailable": true
},
"@braintree/sanitize-url": {
"name": "@braintree/sanitize-url",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1088745,
"name": "@braintree/sanitize-url",
"dependency": "@braintree/sanitize-url",
"title": "Cross-site Scripting in sanitize-url",
"url": "https://github.com/advisories/GHSA-hqq7-2q2v-82xq",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<6.0.0"
},
{
"source": 1091262,
"name": "@braintree/sanitize-url",
"dependency": "@braintree/sanitize-url",
"title": "@braintree/sanitize-url Cross-site Scripting vulnerability",
"url": "https://github.com/advisories/GHSA-q8gg-vj6m-hgmj",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<6.0.1"
}
],
"effects": [
"mermaid"
],
"range": "<=6.0.0",
"nodes": [
"node_modules/@braintree/sanitize-url"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3": {
"name": "d3",
"severity": "high",
"isDirect": false,
"via": [
"d3-brush",
"d3-color",
"d3-interpolate",
"d3-scale",
"d3-transition",
"d3-zoom"
],
"effects": [
"dagre-d3"
],
"range": "4.0.0-alpha.1 - 6.7.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3-brush": {
"name": "d3-brush",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.1.0 - 2.1.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-brush"
],
"fixAvailable": true
},
"d3-color": {
"name": "d3-color",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1088594,
"name": "d3-color",
"dependency": "d3-color",
"title": "d3-color vulnerable to ReDoS",
"url": "https://github.com/advisories/GHSA-36jr-mh4h-2g58",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.0"
}
],
"effects": [
"d3",
"d3-interpolate",
"d3-scale-chromatic",
"d3-transition"
],
"range": "<3.1.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-color"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3-interpolate": {
"name": "d3-interpolate",
"severity": "high",
"isDirect": false,
"via": [
"d3-color"
],
"effects": [
"d3-brush",
"d3-scale",
"d3-scale-chromatic",
"d3-transition",
"d3-zoom"
],
"range": "0.1.3 - 2.0.1",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-interpolate"
],
"fixAvailable": true
},
"d3-scale": {
"name": "d3-scale",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate"
],
"effects": [],
"range": "0.1.5 - 3.3.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-scale"
],
"fixAvailable": true
},
"d3-scale-chromatic": {
"name": "d3-scale-chromatic",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [],
"range": "0.1.0 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-scale-chromatic"
],
"fixAvailable": true
},
"d3-transition": {
"name": "d3-transition",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [],
"range": "0.0.7 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-transition"
],
"fixAvailable": true
},
"d3-zoom": {
"name": "d3-zoom",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.0.2 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-zoom"
],
"fixAvailable": true
},
"dagre-d3": {
"name": "dagre-d3",
"severity": "high",
"isDirect": false,
"via": [
"d3"
],
"effects": [
"mermaid"
],
"range": ">=0.5.0",
"nodes": [
"node_modules/dagre-d3"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"dompurify": {
"name": "dompurify",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1099597,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify allows tampering by prototype pollution",
"url": "https://github.com/advisories/GHSA-mmhx-hmjr-r674",
"severity": "high",
"cwe": [
"CWE-1321",
"CWE-1333"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "<2.5.4"
},
{
"source": 1105772,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify allows Cross-site Scripting (XSS)",
"url": "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 4.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<3.2.4"
},
{
"source": 1109546,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify vulnerable to tampering by prototype polution",
"url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<2.4.2"
},
{
"source": 1109555,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMpurify has a nesting-based mXSS",
"url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 10,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"
},
"range": "<2.5.0"
},
{
"source": 1115921,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify ADD_ATTR predicate skips URI validation",
"url": "https://github.com/advisories/GHSA-cjmm-f4jc-qw8r",
"severity": "moderate",
"cwe": [
"CWE-183"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.1"
},
{
"source": 1115922,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify USE_PROFILES prototype pollution allows event handlers",
"url": "https://github.com/advisories/GHSA-cj63-jhhr-wcxv",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.1"
},
{
"source": 1116663,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation",
"url": "https://github.com/advisories/GHSA-39q2-94rc-95cp",
"severity": "moderate",
"cwe": [
"CWE-783"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.3"
},
{
"source": 1117138,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)",
"url": "https://github.com/advisories/GHSA-h7mw-gpvr-xq4m",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-183"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.4.0"
},
{
"source": 1117139,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode",
"url": "https://github.com/advisories/GHSA-crv5-9vww-q3g8",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-1289"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
},
"range": ">=1.0.10 <3.4.0"
},
{
"source": 1117795,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization ",
"url": "https://github.com/advisories/GHSA-h8r8-wccr-v5f2",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.3.2"
},
{
"source": 1120800,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects",
"url": "https://github.com/advisories/GHSA-x4vx-rjvf-j5p4",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.6"
},
{
"source": 1120801,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`",
"url": "https://github.com/advisories/GHSA-76mc-f452-cxcm",
"severity": "moderate",
"cwe": [
"CWE-501",
"CWE-693"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<3.4.7"
},
{
"source": 1120802,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks",
"url": "https://github.com/advisories/GHSA-hpcv-96wg-7vj8",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-501",
"CWE-693"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=3.4.5"
},
{
"source": 1120803,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM",
"url": "https://github.com/advisories/GHSA-r47g-fvhr-h676",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-693",
"CWE-1321"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=3.4.5"
},
{
"source": 1120805,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output",
"url": "https://github.com/advisories/GHSA-vxr8-fq34-vvx9",
"severity": "low",
"cwe": [
"CWE-693"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.4.9"
},
{
"source": 1120813,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content",
"url": "https://github.com/advisories/GHSA-rp9w-3fw7-7cwq",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.6"
}
],
"effects": [
"mermaid"
],
"range": "<=3.4.8",
"nodes": [
"node_modules/dompurify"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"grunt": {
"name": "grunt",
"severity": "moderate",
"isDirect": true,
"via": [
"js-yaml"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "moderate",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1120792,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
"url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
"severity": "moderate",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=4.1.1"
}
],
"effects": [
"grunt"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/grunt/node_modules/js-yaml",
"node_modules/js-yaml"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"mermaid": {
"name": "mermaid",
"severity": "high",
"isDirect": true,
"via": [
"@braintree/sanitize-url",
{
"source": 1092622,
"name": "mermaid",
"dependency": "mermaid",
"title": "Possible inject arbitrary `CSS` into the generated graph affecting the container HTML",
"url": "https://github.com/advisories/GHSA-x3vm-38hw-55wf",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-79"
],
"cvss": {
"score": 4.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"
},
"range": ">=8.0.0 <9.1.2"
},
{
"source": 1100231,
"name": "mermaid",
"dependency": "mermaid",
"title": "Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify",
"url": "https://github.com/advisories/GHSA-m4gq-x24j-jpmf",
"severity": "high",
"cwe": [
"CWE-1321",
"CWE-1395"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "<=10.9.2"
},
{
"source": 1120137,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection",
"url": "https://github.com/advisories/GHSA-ghcm-xqfw-q4vr",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120139,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection",
"url": "https://github.com/advisories/GHSA-xcj9-5m2h-648r",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120323,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of configuration leads to CSS injection",
"url": "https://github.com/advisories/GHSA-87f9-hvmw-gh4p",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120325,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS",
"url": "https://github.com/advisories/GHSA-6m6c-36f7-fhxh",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=10.9.5"
},
"dagre-d3",
"dompurify"
],
"effects": [],
"range": "<=10.9.5",
"nodes": [
"node_modules/mermaid"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"nomnom": {
"name": "nomnom",
"severity": "critical",
"isDirect": false,
"via": [
"underscore"
],
"effects": [],
"range": ">=1.6.0",
"nodes": [
"node_modules/nomnom"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109570,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "critical",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.3.2 <1.12.1"
},
{
"source": 1117689,
"name": "underscore",
"dependency": "underscore",
"title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw",
"severity": "high",
"cwe": [
"CWE-674",
"CWE-770"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=1.13.7"
}
],
"effects": [
"nomnom"
],
"range": "<=1.13.7",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 4,
"high": 10,
"critical": 3,
"total": 18
},
"dependencies": {
"prod": 90,
"dev": 621,
"optional": 7,
"peer": 15,
"peerOptional": 0,
"total": 710
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'grunt-stylelint@0.21.0',
npm WARN EBADENGINE required: { node: '>=20.19.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---
{
"added": 710,
"removed": 0,
"changed": 0,
"audited": 711,
"funding": 127,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/core": {
"name": "@babel/core",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1120793,
"name": "@babel/core",
"dependency": "@babel/core",
"title": "@babel/core: Arbitrary File Read via sourceMappingURL Comment",
"url": "https://github.com/advisories/GHSA-4x5r-pxfx-6jf8",
"severity": "low",
"cwe": [
"CWE-22",
"CWE-200"
],
"cvss": {
"score": 3.2,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"
},
"range": "<=7.29.0"
}
],
"effects": [],
"range": "<=7.29.0",
"nodes": [
""
],
"fixAvailable": true
},
"@braintree/sanitize-url": {
"name": "@braintree/sanitize-url",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1088745,
"name": "@braintree/sanitize-url",
"dependency": "@braintree/sanitize-url",
"title": "Cross-site Scripting in sanitize-url",
"url": "https://github.com/advisories/GHSA-hqq7-2q2v-82xq",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"range": "<6.0.0"
},
{
"source": 1091262,
"name": "@braintree/sanitize-url",
"dependency": "@braintree/sanitize-url",
"title": "@braintree/sanitize-url Cross-site Scripting vulnerability",
"url": "https://github.com/advisories/GHSA-q8gg-vj6m-hgmj",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<6.0.1"
}
],
"effects": [
"mermaid"
],
"range": "<=6.0.0",
"nodes": [
"node_modules/@braintree/sanitize-url"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3": {
"name": "d3",
"severity": "high",
"isDirect": false,
"via": [
"d3-brush",
"d3-color",
"d3-interpolate",
"d3-scale",
"d3-transition",
"d3-zoom"
],
"effects": [
"dagre-d3"
],
"range": "4.0.0-alpha.1 - 6.7.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3-brush": {
"name": "d3-brush",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.1.0 - 2.1.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-brush"
],
"fixAvailable": true
},
"d3-color": {
"name": "d3-color",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1088594,
"name": "d3-color",
"dependency": "d3-color",
"title": "d3-color vulnerable to ReDoS",
"url": "https://github.com/advisories/GHSA-36jr-mh4h-2g58",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.0"
}
],
"effects": [
"d3",
"d3-interpolate",
"d3-scale-chromatic",
"d3-transition"
],
"range": "<3.1.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-color"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"d3-interpolate": {
"name": "d3-interpolate",
"severity": "high",
"isDirect": false,
"via": [
"d3-color"
],
"effects": [
"d3-scale",
"d3-scale-chromatic",
"d3-transition"
],
"range": "0.1.3 - 2.0.1",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-interpolate"
],
"fixAvailable": true
},
"d3-scale": {
"name": "d3-scale",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate"
],
"effects": [],
"range": "0.1.5 - 3.3.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-scale"
],
"fixAvailable": true
},
"d3-scale-chromatic": {
"name": "d3-scale-chromatic",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [],
"range": "0.1.0 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-scale-chromatic"
],
"fixAvailable": true
},
"d3-transition": {
"name": "d3-transition",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [
"d3-brush",
"d3-zoom"
],
"range": "0.0.7 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-transition"
],
"fixAvailable": true
},
"d3-zoom": {
"name": "d3-zoom",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.0.2 - 2.0.0",
"nodes": [
"node_modules/dagre-d3/node_modules/d3-zoom"
],
"fixAvailable": true
},
"dagre-d3": {
"name": "dagre-d3",
"severity": "high",
"isDirect": false,
"via": [
"d3"
],
"effects": [
"mermaid"
],
"range": ">=0.5.0",
"nodes": [
"node_modules/dagre-d3"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"dompurify": {
"name": "dompurify",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1099597,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify allows tampering by prototype pollution",
"url": "https://github.com/advisories/GHSA-mmhx-hmjr-r674",
"severity": "high",
"cwe": [
"CWE-1321",
"CWE-1333"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "<2.5.4"
},
{
"source": 1105772,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify allows Cross-site Scripting (XSS)",
"url": "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 4.5,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
},
"range": "<3.2.4"
},
{
"source": 1109546,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify vulnerable to tampering by prototype polution",
"url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": "<2.4.2"
},
{
"source": 1109555,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMpurify has a nesting-based mXSS",
"url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 10,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"
},
"range": "<2.5.0"
},
{
"source": 1115921,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify ADD_ATTR predicate skips URI validation",
"url": "https://github.com/advisories/GHSA-cjmm-f4jc-qw8r",
"severity": "moderate",
"cwe": [
"CWE-183"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.1"
},
{
"source": 1115922,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify USE_PROFILES prototype pollution allows event handlers",
"url": "https://github.com/advisories/GHSA-cj63-jhhr-wcxv",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.1"
},
{
"source": 1116663,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation",
"url": "https://github.com/advisories/GHSA-39q2-94rc-95cp",
"severity": "moderate",
"cwe": [
"CWE-783"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.3.3"
},
{
"source": 1117138,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)",
"url": "https://github.com/advisories/GHSA-h7mw-gpvr-xq4m",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-183"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.4.0"
},
{
"source": 1117139,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode",
"url": "https://github.com/advisories/GHSA-crv5-9vww-q3g8",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-1289"
],
"cvss": {
"score": 6.8,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
},
"range": ">=1.0.10 <3.4.0"
},
{
"source": 1117795,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization ",
"url": "https://github.com/advisories/GHSA-h8r8-wccr-v5f2",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.3.2"
},
{
"source": 1120800,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects",
"url": "https://github.com/advisories/GHSA-x4vx-rjvf-j5p4",
"severity": "low",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.6"
},
{
"source": 1120801,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`",
"url": "https://github.com/advisories/GHSA-76mc-f452-cxcm",
"severity": "moderate",
"cwe": [
"CWE-501",
"CWE-693"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<3.4.7"
},
{
"source": 1120802,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks",
"url": "https://github.com/advisories/GHSA-hpcv-96wg-7vj8",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-501",
"CWE-693"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=3.4.5"
},
{
"source": 1120803,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM",
"url": "https://github.com/advisories/GHSA-r47g-fvhr-h676",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-693",
"CWE-1321"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=3.4.5"
},
{
"source": 1120805,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output",
"url": "https://github.com/advisories/GHSA-vxr8-fq34-vvx9",
"severity": "low",
"cwe": [
"CWE-693"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.4.9"
},
{
"source": 1120813,
"name": "dompurify",
"dependency": "dompurify",
"title": "DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content",
"url": "https://github.com/advisories/GHSA-rp9w-3fw7-7cwq",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=3.4.6"
}
],
"effects": [
"mermaid"
],
"range": "<=3.4.8",
"nodes": [
"node_modules/dompurify"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"grunt": {
"name": "grunt",
"severity": "moderate",
"isDirect": true,
"via": [
"js-yaml"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "moderate",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1120792,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
"url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
"severity": "moderate",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=4.1.1"
}
],
"effects": [
"grunt"
],
"range": "<=4.1.1",
"nodes": [
"",
"node_modules/grunt/node_modules/js-yaml"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"mermaid": {
"name": "mermaid",
"severity": "high",
"isDirect": true,
"via": [
"@braintree/sanitize-url",
{
"source": 1092622,
"name": "mermaid",
"dependency": "mermaid",
"title": "Possible inject arbitrary `CSS` into the generated graph affecting the container HTML",
"url": "https://github.com/advisories/GHSA-x3vm-38hw-55wf",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-79"
],
"cvss": {
"score": 4.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"
},
"range": ">=8.0.0 <9.1.2"
},
{
"source": 1100231,
"name": "mermaid",
"dependency": "mermaid",
"title": "Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify",
"url": "https://github.com/advisories/GHSA-m4gq-x24j-jpmf",
"severity": "high",
"cwe": [
"CWE-1321",
"CWE-1395"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"
},
"range": "<=10.9.2"
},
{
"source": 1120137,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection",
"url": "https://github.com/advisories/GHSA-ghcm-xqfw-q4vr",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120139,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection",
"url": "https://github.com/advisories/GHSA-xcj9-5m2h-648r",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120323,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid: Improper sanitization of configuration leads to CSS injection",
"url": "https://github.com/advisories/GHSA-87f9-hvmw-gh4p",
"severity": "moderate",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=10.9.5"
},
{
"source": 1120325,
"name": "mermaid",
"dependency": "mermaid",
"title": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS",
"url": "https://github.com/advisories/GHSA-6m6c-36f7-fhxh",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=10.9.5"
},
"dagre-d3",
"dompurify"
],
"effects": [],
"range": "<=10.9.5",
"nodes": [
"node_modules/mermaid"
],
"fixAvailable": {
"name": "mermaid",
"version": "11.15.0",
"isSemVerMajor": true
}
},
"nomnom": {
"name": "nomnom",
"severity": "critical",
"isDirect": false,
"via": [
"underscore"
],
"effects": [],
"range": ">=1.6.0",
"nodes": [
"node_modules/nomnom"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1109570,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "critical",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.3.2 <1.12.1"
},
{
"source": 1117689,
"name": "underscore",
"dependency": "underscore",
"title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw",
"severity": "high",
"cwe": [
"CWE-674",
"CWE-770"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<=1.13.7"
}
],
"effects": [
"nomnom"
],
"range": "<=1.13.7",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 4,
"high": 10,
"critical": 3,
"total": 18
},
"dependencies": {
"prod": 90,
"dev": 621,
"optional": 7,
"peer": 15,
"peerOptional": 0,
"total": 710
}
}
}
}
--- end ---
{"added": 710, "removed": 0, "changed": 0, "audited": 711, "funding": 127, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@babel/core": {"name": "@babel/core", "severity": "low", "isDirect": false, "via": [{"source": 1120793, "name": "@babel/core", "dependency": "@babel/core", "title": "@babel/core: Arbitrary File Read via sourceMappingURL Comment", "url": "https://github.com/advisories/GHSA-4x5r-pxfx-6jf8", "severity": "low", "cwe": ["CWE-22", "CWE-200"], "cvss": {"score": 3.2, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"}, "range": "<=7.29.0"}], "effects": [], "range": "<=7.29.0", "nodes": [""], "fixAvailable": true}, "@braintree/sanitize-url": {"name": "@braintree/sanitize-url", "severity": "moderate", "isDirect": false, "via": [{"source": 1088745, "name": "@braintree/sanitize-url", "dependency": "@braintree/sanitize-url", "title": "Cross-site Scripting in sanitize-url", "url": "https://github.com/advisories/GHSA-hqq7-2q2v-82xq", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "range": "<6.0.0"}, {"source": 1091262, "name": "@braintree/sanitize-url", "dependency": "@braintree/sanitize-url", "title": "@braintree/sanitize-url Cross-site Scripting vulnerability", "url": "https://github.com/advisories/GHSA-q8gg-vj6m-hgmj", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<6.0.1"}], "effects": ["mermaid"], "range": "<=6.0.0", "nodes": ["node_modules/@braintree/sanitize-url"], "fixAvailable": {"name": "mermaid", "version": "11.15.0", "isSemVerMajor": true}}, "d3": {"name": "d3", "severity": "high", "isDirect": false, "via": ["d3-brush", "d3-color", "d3-interpolate", "d3-scale", "d3-transition", "d3-zoom"], "effects": ["dagre-d3"], "range": "4.0.0-alpha.1 - 6.7.0", "nodes": ["node_modules/dagre-d3/node_modules/d3"], "fixAvailable": {"name": "mermaid", "version": "11.15.0", "isSemVerMajor": true}}, "d3-brush": {"name": "d3-brush", "severity": "high", "isDirect": false, "via": ["d3-interpolate", "d3-transition"], "effects": [], "range": "0.1.0 - 2.1.0", "nodes": ["node_modules/dagre-d3/node_modules/d3-brush"], "fixAvailable": true}, "d3-color": {"name": "d3-color", "severity": "high", "isDirect": false, "via": [{"source": 1088594, "name": "d3-color", "dependency": "d3-color", "title": "d3-color vulnerable to ReDoS", "url": "https://github.com/advisories/GHSA-36jr-mh4h-2g58", "severity": "high", "cwe": ["CWE-400"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.0"}], "effects": ["d3", "d3-interpolate", "d3-scale-chromatic", "d3-transition"], "range": "<3.1.0", "nodes": ["node_modules/dagre-d3/node_modules/d3-color"], "fixAvailable": {"name": "mermaid", "version": "11.15.0", "isSemVerMajor": true}}, "d3-interpolate": {"name": "d3-interpolate", "severity": "high", "isDirect": false, "via": ["d3-color"], "effects": ["d3-scale", "d3-scale-chromatic", "d3-transition"], "range": "0.1.3 - 2.0.1", "nodes": ["node_modules/dagre-d3/node_modules/d3-interpolate"], "fixAvailable": true}, "d3-scale": {"name": "d3-scale", "severity": "high", "isDirect": false, "via": ["d3-interpolate"], "effects": [], "range": "0.1.5 - 3.3.0", "nodes": ["node_modules/dagre-d3/node_modules/d3-scale"], "fixAvailable": true}, "d3-scale-chromatic": {"name": "d3-scale-chromatic", "severity": "high", "isDirect": false, "via": ["d3-color", "d3-interpolate"], "effects": [], "range": "0.1.0 - 2.0.0", "nodes": ["node_modules/dagre-d3/node_modules/d3-scale-chromatic"], "fixAvailable": true}, "d3-transition": {"name": "d3-transition", "severity": "high", "isDirect": false, "via": ["d3-color", "d3-interpolate"], "effects": ["d3-brush", "d3-zoom"], "range": "0.0.7 - 2.0.0", "nodes": ["node_modules/dagre-d3/node_modules/d3-transition"], "fixAvailable": true}, "d3-zoom": {"name": "d3-zoom", "severity": "high", "isDirect": false, "via": ["d3-interpolate", "d3-transition"], "effects": [], "range": "0.0.2 - 2.0.0", "nodes": ["node_modules/dagre-d3/node_modules/d3-zoom"], "fixAvailable": true}, "dagre-d3": {"name": "dagre-d3", "severity": "high", "isDirect": false, "via": ["d3"], "effects": ["mermaid"], "range": ">=0.5.0", "nodes": ["node_modules/dagre-d3"], "fixAvailable": {"name": "mermaid", "version": "11.15.0", "isSemVerMajor": true}}, "dompurify": {"name": "dompurify", "severity": "critical", "isDirect": false, "via": [{"source": 1099597, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify allows tampering by prototype pollution", "url": "https://github.com/advisories/GHSA-mmhx-hmjr-r674", "severity": "high", "cwe": ["CWE-1321", "CWE-1333"], "cvss": {"score": 7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "range": "<2.5.4"}, {"source": 1105772, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify allows Cross-site Scripting (XSS)", "url": "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 4.5, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}, "range": "<3.2.4"}, {"source": 1109546, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify vulnerable to tampering by prototype polution", "url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "range": "<2.4.2"}, {"source": 1109555, "name": "dompurify", "dependency": "dompurify", "title": "DOMpurify has a nesting-based mXSS", "url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf", "severity": "high", "cwe": ["CWE-79"], "cvss": {"score": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"}, "range": "<2.5.0"}, {"source": 1115921, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify ADD_ATTR predicate skips URI validation", "url": "https://github.com/advisories/GHSA-cjmm-f4jc-qw8r", "severity": "moderate", "cwe": ["CWE-183"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.3.1"}, {"source": 1115922, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify USE_PROFILES prototype pollution allows event handlers", "url": "https://github.com/advisories/GHSA-cj63-jhhr-wcxv", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.3.1"}, {"source": 1116663, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation", "url": "https://github.com/advisories/GHSA-39q2-94rc-95cp", "severity": "moderate", "cwe": ["CWE-783"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.3.3"}, {"source": 1117138, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)", "url": "https://github.com/advisories/GHSA-h7mw-gpvr-xq4m", "severity": "moderate", "cwe": ["CWE-79", "CWE-183"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.4.0"}, {"source": 1117139, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode", "url": "https://github.com/advisories/GHSA-crv5-9vww-q3g8", "severity": "moderate", "cwe": ["CWE-79", "CWE-1289"], "cvss": {"score": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"}, "range": ">=1.0.10 <3.4.0"}, {"source": 1117795, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization ", "url": "https://github.com/advisories/GHSA-h8r8-wccr-v5f2", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.3.2"}, {"source": 1120800, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects", "url": "https://github.com/advisories/GHSA-x4vx-rjvf-j5p4", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.4.6"}, {"source": 1120801, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`", "url": "https://github.com/advisories/GHSA-76mc-f452-cxcm", "severity": "moderate", "cwe": ["CWE-501", "CWE-693"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<3.4.7"}, {"source": 1120802, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks", "url": "https://github.com/advisories/GHSA-hpcv-96wg-7vj8", "severity": "moderate", "cwe": ["CWE-79", "CWE-501", "CWE-693"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=3.4.5"}, {"source": 1120803, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM", "url": "https://github.com/advisories/GHSA-r47g-fvhr-h676", "severity": "moderate", "cwe": ["CWE-79", "CWE-693", "CWE-1321"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=3.4.5"}, {"source": 1120805, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output", "url": "https://github.com/advisories/GHSA-vxr8-fq34-vvx9", "severity": "low", "cwe": ["CWE-693"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.4.9"}, {"source": 1120813, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content", "url": "https://github.com/advisories/GHSA-rp9w-3fw7-7cwq", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.4.6"}], "effects": ["mermaid"], "range": "<=3.4.8", "nodes": ["node_modules/dompurify"], "fixAvailable": {"name": "mermaid", "version": "11.15.0", "isSemVerMajor": true}}, "grunt": {"name": "grunt", "severity": "moderate", "isDirect": true, "via": ["js-yaml"], "effects": ["grunt-eslint"], "range": ">=0.4.0-a", "nodes": ["node_modules/grunt"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "grunt-eslint": {"name": "grunt-eslint", "severity": "moderate", "isDirect": true, "via": ["grunt"], "effects": [], "range": "<=1.0.0 || >=18.1.0", "nodes": ["node_modules/grunt-eslint"], "fixAvailable": {"name": "grunt-eslint", "version": "18.0.0", "isSemVerMajor": true}}, "js-yaml": {"name": "js-yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1120792, "name": "js-yaml", "dependency": "js-yaml", "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases", "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68", "severity": "moderate", "cwe": ["CWE-407"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<=4.1.1"}], "effects": ["grunt"], "range": "<=4.1.1", "nodes": ["", "node_modules/grunt/node_modules/js-yaml"], "fixAvailable": {"name": "grunt", "version": "0.3.17", "isSemVerMajor": true}}, "mermaid": {"name": "mermaid", "severity": "high", "isDirect": true, "via": ["@braintree/sanitize-url", {"source": 1092622, "name": "mermaid", "dependency": "mermaid", "title": "Possible inject arbitrary `CSS` into the generated graph affecting the container HTML", "url": "https://github.com/advisories/GHSA-x3vm-38hw-55wf", "severity": "moderate", "cwe": ["CWE-74", "CWE-79"], "cvss": {"score": 4.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"}, "range": ">=8.0.0 <9.1.2"}, {"source": 1100231, "name": "mermaid", "dependency": "mermaid", "title": "Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify", "url": "https://github.com/advisories/GHSA-m4gq-x24j-jpmf", "severity": "high", "cwe": ["CWE-1321", "CWE-1395"], "cvss": {"score": 7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "range": "<=10.9.2"}, {"source": 1120137, "name": "mermaid", "dependency": "mermaid", "title": "Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection", "url": "https://github.com/advisories/GHSA-ghcm-xqfw-q4vr", "severity": "moderate", "cwe": ["CWE-94"], "cvss": {"score": 0, "vectorString": null}, "range": "<=10.9.5"}, {"source": 1120139, "name": "mermaid", "dependency": "mermaid", "title": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection", "url": "https://github.com/advisories/GHSA-xcj9-5m2h-648r", "severity": "moderate", "cwe": ["CWE-94"], "cvss": {"score": 0, "vectorString": null}, "range": "<=10.9.5"}, {"source": 1120323, "name": "mermaid", "dependency": "mermaid", "title": "Mermaid: Improper sanitization of configuration leads to CSS injection", "url": "https://github.com/advisories/GHSA-87f9-hvmw-gh4p", "severity": "moderate", "cwe": ["CWE-94"], "cvss": {"score": 0, "vectorString": null}, "range": "<=10.9.5"}, {"source": 1120325, "name": "mermaid", "dependency": "mermaid", "title": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS", "url": "https://github.com/advisories/GHSA-6m6c-36f7-fhxh", "severity": "moderate", "cwe": ["CWE-835"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<=10.9.5"}, "dagre-d3", "dompurify"], "effects": [], "range": "<=10.9.5", "nodes": ["node_modules/mermaid"], "fixAvailable": {"name": "mermaid", "version": "11.15.0", "isSemVerMajor": true}}, "nomnom": {"name": "nomnom", "severity": "critical", "isDirect": false, "via": ["underscore"], "effects": [], "range": ">=1.6.0", "nodes": ["node_modules/nomnom"], "fixAvailable": true}, "underscore": {"name": "underscore", "severity": "critical", "isDirect": false, "via": [{"source": 1109570, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": ["CWE-94"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.3.2 <1.12.1"}, {"source": 1117689, "name": "underscore", "dependency": "underscore", "title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack", "url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw", "severity": "high", "cwe": ["CWE-674", "CWE-770"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=1.13.7"}], "effects": ["nomnom"], "range": "<=1.13.7", "nodes": ["node_modules/underscore"], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 4, "high": 10, "critical": 3, "total": 18}, "dependencies": {"prod": 90, "dev": 621, "optional": 7, "peer": 15, "peerOptional": 0, "total": 710}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'grunt-stylelint@0.21.0',
npm WARN EBADENGINE required: { node: '>=20.19.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated @braintree/sanitize-url@3.1.0: Potential XSS vulnerability patched in v6.0.0.
npm WARN deprecated nomnom@1.8.1: Package no longer supported. Contact support@npmjs.com for more info.
--- stdout ---
added 709 packages, and audited 710 packages in 9s
127 packages are looking for funding
run `npm fund` for details
# npm audit report
@braintree/sanitize-url <=6.0.0
Severity: moderate
Cross-site Scripting in sanitize-url - https://github.com/advisories/GHSA-hqq7-2q2v-82xq
@braintree/sanitize-url Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-q8gg-vj6m-hgmj
fix available via `npm audit fix --force`
Will install mermaid@11.15.0, which is a breaking change
node_modules/@braintree/sanitize-url
mermaid <=10.9.5
Depends on vulnerable versions of @braintree/sanitize-url
Depends on vulnerable versions of dagre-d3
Depends on vulnerable versions of dompurify
node_modules/mermaid
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install mermaid@11.15.0, which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
d3 4.0.0-alpha.1 - 6.7.0
Depends on vulnerable versions of d3-brush
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-scale
Depends on vulnerable versions of d3-transition
Depends on vulnerable versions of d3-zoom
node_modules/dagre-d3/node_modules/d3
dagre-d3 >=0.5.0
Depends on vulnerable versions of d3
node_modules/dagre-d3
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/dagre-d3/node_modules/d3-interpolate
d3-brush 0.1.0 - 2.1.0
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-transition
node_modules/dagre-d3/node_modules/d3-brush
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/dagre-d3/node_modules/d3-scale
d3-scale-chromatic 0.1.0 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/dagre-d3/node_modules/d3-scale-chromatic
d3-transition 0.0.7 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/dagre-d3/node_modules/d3-transition
d3-zoom 0.0.2 - 2.0.0
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-transition
node_modules/dagre-d3/node_modules/d3-zoom
dompurify <=3.4.8
Severity: critical
DOMPurify allows tampering by prototype pollution - https://github.com/advisories/GHSA-mmhx-hmjr-r674
DOMPurify allows Cross-site Scripting (XSS) - https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
DOMPurify vulnerable to tampering by prototype polution - https://github.com/advisories/GHSA-p3vf-v8qc-cwcr
DOMpurify has a nesting-based mXSS - https://github.com/advisories/GHSA-gx9m-whjm-85jf
DOMPurify ADD_ATTR predicate skips URI validation - https://github.com/advisories/GHSA-cjmm-f4jc-qw8r
DOMPurify USE_PROFILES prototype pollution allows event handlers - https://github.com/advisories/GHSA-cj63-jhhr-wcxv
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation - https://github.com/advisories/GHSA-39q2-94rc-95cp
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) - https://github.com/advisories/GHSA-h7mw-gpvr-xq4m
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode - https://github.com/advisories/GHSA-crv5-9vww-q3g8
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization - https://github.com/advisories/GHSA-h8r8-wccr-v5f2
DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects - https://github.com/advisories/GHSA-x4vx-rjvf-j5p4
DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` - https://github.com/advisories/GHSA-76mc-f452-cxcm
DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks - https://github.com/advisories/GHSA-hpcv-96wg-7vj8
DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM - https://github.com/advisories/GHSA-r47g-fvhr-h676
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output - https://github.com/advisories/GHSA-vxr8-fq34-vvx9
DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content - https://github.com/advisories/GHSA-rp9w-3fw7-7cwq
fix available via `npm audit fix --force`
Will install mermaid@11.15.0, which is a breaking change
node_modules/dompurify
js-yaml <=4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix --force`
Will install grunt@0.3.17, which is a breaking change
node_modules/grunt/node_modules/js-yaml
grunt >=0.4.0-a
Depends on vulnerable versions of js-yaml
node_modules/grunt
grunt-eslint <=1.0.0 || >=18.1.0
Depends on vulnerable versions of grunt
node_modules/grunt-eslint
underscore <=1.13.7
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack - https://github.com/advisories/GHSA-qpx9-hpmf-5gmw
fix available via `npm audit fix`
node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom
17 vulnerabilities (4 moderate, 10 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'grunt-stylelint@0.21.0',
npm WARN EBADENGINE required: { node: '>=20.19.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated @braintree/sanitize-url@3.1.0: Potential XSS vulnerability patched in v6.0.0.
npm WARN deprecated nomnom@1.8.1: Package no longer supported. Contact support@npmjs.com for more info.
--- stdout ---
added 709 packages, and audited 710 packages in 11s
127 packages are looking for funding
run `npm fund` for details
17 vulnerabilities (4 moderate, 10 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> grunt test
Running "eslint:all" (eslint) task
/src/repo/resources/js/src/contentTransformation.js
15:3 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
25:14 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
26:18 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
43:14 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
44:18 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
53:22 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
69:3 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
70:11 warning Prefer DOM building to parsing HTML literals no-jquery/no-parse-html-literal
73:16 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
77:9 warning jQuery collection names must match the variablePattern no-jquery/variable-pattern
129:12 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
141:6 warning jQuery collection names must match the variablePattern no-jquery/variable-pattern
141:13 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
142:3 warning jQuery collection names must match the variablePattern no-jquery/variable-pattern
142:10 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
152:3 warning jQuery collection names must match the variablePattern no-jquery/variable-pattern
161:16 warning Avoid queries which search the entire DOM. Keep DOM nodes in memory where possible no-jquery/no-global-selector
176:7 warning jQuery collection names must match the variablePattern no-jquery/variable-pattern
178:3 warning Prefer .then to .done no-jquery/no-done-fail
178:3 warning Prefer .then to .fail no-jquery/no-done-fail
✖ 20 problems (0 errors, 20 warnings)
Running "jsonlint:all" (jsonlint) task
>> 7 files lint free.
Running "stylelint:all" (stylelint) task
>> Linted 2 files without errors
Running "banana:all" (banana) task
>> 1 message directory checked.
Done.
--- end ---
{"1120793": {"source": 1120793, "name": "@babel/core", "dependency": "@babel/core", "title": "@babel/core: Arbitrary File Read via sourceMappingURL Comment", "url": "https://github.com/advisories/GHSA-4x5r-pxfx-6jf8", "severity": "low", "cwe": ["CWE-22", "CWE-200"], "cvss": {"score": 3.2, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"}, "range": "<=7.29.0"}}
Upgrading n:@babel/core from 7.24.3, ^7.12.10 -> 7.29.7, ^7.12.10
{}
{}
{}
{}
{}
{}
{"1109570": {"source": 1109570, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": ["CWE-94"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.3.2 <1.12.1"}, "1117689": {"source": 1117689, "name": "underscore", "dependency": "underscore", "title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack", "url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw", "severity": "high", "cwe": ["CWE-674", "CWE-770"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=1.13.7"}}
{"1109570": {"source": 1109570, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": ["CWE-94"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.3.2 <1.12.1"}, "1117689": {"source": 1117689, "name": "underscore", "dependency": "underscore", "title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack", "url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw", "severity": "high", "cwe": ["CWE-674", "CWE-770"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=1.13.7"}}
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating @babel/core to 7.29.7, ^7.12.10
* https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmpwplfuya2
--- stdout ---
[master a23efb9] build: Updating @babel/core to 7.29.7, ^7.12.10
1 file changed, 108 insertions(+), 101 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From a23efb9d35a005a1d59ff3067004b0399b919c05 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Tue, 16 Jun 2026 11:39:11 +0000
Subject: [PATCH] build: Updating @babel/core to 7.29.7, ^7.12.10
* https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
Change-Id: Iee14be770bdf78523cdc0e1301388f44119990d4
---
package-lock.json | 209 ++++++++++++++++++++++++----------------------
1 file changed, 108 insertions(+), 101 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index cd58f46..efa6072 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -33,19 +33,6 @@
"node": ">=0.10.0"
}
},
- "node_modules/@ampproject/remapping": {
- "version": "2.3.0",
- "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
- "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
- "dev": true,
- "dependencies": {
- "@jridgewell/gen-mapping": "^0.3.5",
- "@jridgewell/trace-mapping": "^0.3.24"
- },
- "engines": {
- "node": ">=6.0.0"
- }
- },
"node_modules/@babel/cli": {
"version": "7.24.1",
"resolved": "https://registry.npmjs.org/@babel/cli/-/cli-7.24.1.tgz",
@@ -76,12 +63,12 @@
}
},
"node_modules/@babel/code-frame": {
- "version": "7.29.0",
- "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
- "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz",
+ "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
"dev": true,
"dependencies": {
- "@babel/helper-validator-identifier": "^7.28.5",
+ "@babel/helper-validator-identifier": "^7.29.7",
"js-tokens": "^4.0.0",
"picocolors": "^1.1.1"
},
@@ -90,30 +77,30 @@
}
},
"node_modules/@babel/compat-data": {
- "version": "7.24.1",
- "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.24.1.tgz",
- "integrity": "sha512-Pc65opHDliVpRHuKfzI+gSA4zcgr65O4cl64fFJIWEEh8JoHIHh0Oez1Eo8Arz8zq/JhgKodQaxEwUPRtZylVA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.7.tgz",
+ "integrity": "sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==",
"dev": true,
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/core": {
- "version": "7.24.3",
- "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.24.3.tgz",
- "integrity": "sha512-5FcvN1JHw2sHJChotgx8Ek0lyuh4kCKelgMTTqhYJJtloNvUfpAFMeNQUtdlIaktwrSV9LtCdqwk48wL2wBacQ==",
- "dev": true,
- "dependencies": {
- "@ampproject/remapping": "^2.2.0",
- "@babel/code-frame": "^7.24.2",
- "@babel/generator": "^7.24.1",
- "@babel/helper-compilation-targets": "^7.23.6",
- "@babel/helper-module-transforms": "^7.23.3",
- "@babel/helpers": "^7.24.1",
- "@babel/parser": "^7.24.1",
- "@babel/template": "^7.24.0",
- "@babel/traverse": "^7.24.1",
- "@babel/types": "^7.24.0",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.7.tgz",
+ "integrity": "sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==",
+ "dev": true,
+ "dependencies": {
+ "@babel/code-frame": "^7.29.7",
+ "@babel/generator": "^7.29.7",
+ "@babel/helper-compilation-targets": "^7.29.7",
+ "@babel/helper-module-transforms": "^7.29.7",
+ "@babel/helpers": "^7.29.7",
+ "@babel/parser": "^7.29.7",
+ "@babel/template": "^7.29.7",
+ "@babel/traverse": "^7.29.7",
+ "@babel/types": "^7.29.7",
+ "@jridgewell/remapping": "^2.3.5",
"convert-source-map": "^2.0.0",
"debug": "^4.1.0",
"gensync": "^1.0.0-beta.2",
@@ -129,13 +116,13 @@
}
},
"node_modules/@babel/generator": {
- "version": "7.29.1",
- "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
- "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz",
+ "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==",
"dev": true,
"dependencies": {
- "@babel/parser": "^7.29.0",
- "@babel/types": "^7.29.0",
+ "@babel/parser": "^7.29.7",
+ "@babel/types": "^7.29.7",
"@jridgewell/gen-mapping": "^0.3.12",
"@jridgewell/trace-mapping": "^0.3.28",
"jsesc": "^3.0.2"
@@ -169,14 +156,14 @@
}
},
"node_modules/@babel/helper-compilation-targets": {
- "version": "7.23.6",
- "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.23.6.tgz",
- "integrity": "sha512-9JB548GZoQVmzrFgp8o7KxdgkTGm6xs9DW0o/Pim72UDjzr5ObUQ6ZzYPqA+g9OTS2bBQoctLJrky0RDCAWRgQ==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz",
+ "integrity": "sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==",
"dev": true,
"dependencies": {
- "@babel/compat-data": "^7.23.5",
- "@babel/helper-validator-option": "^7.23.5",
- "browserslist": "^4.22.2",
+ "@babel/compat-data": "^7.29.7",
+ "@babel/helper-validator-option": "^7.29.7",
+ "browserslist": "^4.24.0",
"lru-cache": "^5.1.1",
"semver": "^6.3.1"
},
@@ -263,9 +250,9 @@
}
},
"node_modules/@babel/helper-globals": {
- "version": "7.28.0",
- "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz",
- "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz",
+ "integrity": "sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==",
"dev": true,
"engines": {
"node": ">=6.9.0"
@@ -284,27 +271,27 @@
}
},
"node_modules/@babel/helper-module-imports": {
- "version": "7.28.6",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
- "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz",
+ "integrity": "sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==",
"dev": true,
"dependencies": {
- "@babel/traverse": "^7.28.6",
- "@babel/types": "^7.28.6"
+ "@babel/traverse": "^7.29.7",
+ "@babel/types": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-module-transforms": {
- "version": "7.28.6",
- "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
- "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.29.7.tgz",
+ "integrity": "sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==",
"dev": true,
"dependencies": {
- "@babel/helper-module-imports": "^7.28.6",
- "@babel/helper-validator-identifier": "^7.28.5",
- "@babel/traverse": "^7.28.6"
+ "@babel/helper-module-imports": "^7.29.7",
+ "@babel/helper-validator-identifier": "^7.29.7",
+ "@babel/traverse": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
@@ -405,27 +392,27 @@
}
},
"node_modules/@babel/helper-string-parser": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
- "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz",
+ "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==",
"dev": true,
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-validator-identifier": {
- "version": "7.28.5",
- "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
- "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz",
+ "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==",
"dev": true,
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/helper-validator-option": {
- "version": "7.23.5",
- "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.23.5.tgz",
- "integrity": "sha512-85ttAOMLsr53VgXkTbkx8oA6YTfT4q7/HzXSLEYmjcSTJPMPQtvq1BD79Byep5xMUYbGRzEpDsjUf3dyp54IKw==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.29.7.tgz",
+ "integrity": "sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==",
"dev": true,
"engines": {
"node": ">=6.9.0"
@@ -446,25 +433,25 @@
}
},
"node_modules/@babel/helpers": {
- "version": "7.28.4",
- "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.28.4.tgz",
- "integrity": "sha512-HFN59MmQXGHVyYadKLVumYsA9dBFun/ldYxipEjzA4196jpLZd8UjEEBLkbEkvfYreDqJhZxYAWFPtrfhNpj4w==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.7.tgz",
+ "integrity": "sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==",
"dev": true,
"dependencies": {
- "@babel/template": "^7.27.2",
- "@babel/types": "^7.28.4"
+ "@babel/template": "^7.29.7",
+ "@babel/types": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/parser": {
- "version": "7.29.3",
- "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
- "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz",
+ "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==",
"dev": true,
"dependencies": {
- "@babel/types": "^7.29.0"
+ "@babel/types": "^7.29.7"
},
"bin": {
"parser": "bin/babel-parser.js"
@@ -1663,31 +1650,31 @@
}
},
"node_modules/@babel/template": {
- "version": "7.28.6",
- "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
- "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz",
+ "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==",
"dev": true,
"dependencies": {
- "@babel/code-frame": "^7.28.6",
- "@babel/parser": "^7.28.6",
- "@babel/types": "^7.28.6"
+ "@babel/code-frame": "^7.29.7",
+ "@babel/parser": "^7.29.7",
+ "@babel/types": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/traverse": {
- "version": "7.29.0",
- "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
- "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.7.tgz",
+ "integrity": "sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==",
"dev": true,
"dependencies": {
- "@babel/code-frame": "^7.29.0",
- "@babel/generator": "^7.29.0",
- "@babel/helper-globals": "^7.28.0",
- "@babel/parser": "^7.29.0",
- "@babel/template": "^7.28.6",
- "@babel/types": "^7.29.0",
+ "@babel/code-frame": "^7.29.7",
+ "@babel/generator": "^7.29.7",
+ "@babel/helper-globals": "^7.29.7",
+ "@babel/parser": "^7.29.7",
+ "@babel/template": "^7.29.7",
+ "@babel/types": "^7.29.7",
"debug": "^4.3.1"
},
"engines": {
@@ -1695,13 +1682,13 @@
}
},
"node_modules/@babel/types": {
- "version": "7.29.0",
- "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
- "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz",
+ "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==",
"dev": true,
"dependencies": {
- "@babel/helper-string-parser": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.28.5"
+ "@babel/helper-string-parser": "^7.29.7",
+ "@babel/helper-validator-identifier": "^7.29.7"
},
"engines": {
"node": ">=6.9.0"
@@ -2047,6 +2034,16 @@
"@jridgewell/trace-mapping": "^0.3.24"
}
},
+ "node_modules/@jridgewell/remapping": {
+ "version": "2.3.5",
+ "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+ "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+ "dev": true,
+ "dependencies": {
+ "@jridgewell/gen-mapping": "^0.3.5",
+ "@jridgewell/trace-mapping": "^0.3.24"
+ }
+ },
"node_modules/@jridgewell/resolve-uri": {
"version": "3.1.2",
"resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
@@ -6095,10 +6092,20 @@
"dev": true
},
"node_modules/js-yaml": {
- "version": "4.1.1",
- "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
- "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+ "version": "4.2.0",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+ "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
"dev": true,
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/puzrin"
+ },
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/nodeca"
+ }
+ ],
"dependencies": {
"argparse": "^2.0.1"
},
--
2.47.3
--- end ---