mediawiki/extensions/TimedMediaHandler: REL1_44 (log #2519876)

sourcepatches

This run took 38 seconds.

From eee0db635808e8a92d16d44770bb8ab44d962962 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Mon, 6 Jul 2026 10:47:53 +0000
Subject: [PATCH] build: Updating grunt to 1.6.2

Change-Id: I3dda8cc20846fc392f83cf752231d884cc88306e
---
 package-lock.json | 62 +++++++++++++++++------------------------------
 package.json      |  2 +-
 2 files changed, 23 insertions(+), 41 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5b3efc0..84ea7f6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7,7 +7,7 @@
 			"name": "TimedMediaHandler",
 			"devDependencies": {
 				"eslint-config-wikimedia": "0.29.1",
-				"grunt": "1.6.1",
+				"grunt": "1.6.2",
 				"grunt-banana-checker": "0.13.0",
 				"grunt-eslint": "24.3.0",
 				"grunt-exec": "3.0.0",
@@ -2495,9 +2495,9 @@
 			"dev": true
 		},
 		"node_modules/grunt": {
-			"version": "1.6.1",
-			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.1.tgz",
-			"integrity": "sha512-/ABUy3gYWu5iBmrUSRBP97JLpQUm0GgVveDCp6t3yRNIoltIYw7rEj3g5y1o2PGPR2vfTRGa7WC/LZHLTXnEzA==",
+			"version": "1.6.2",
+			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.2.tgz",
+			"integrity": "sha512-bUzh5nA/P5L66ihXTDP6J5BGnMB/8lXJXejYWSbH4Y4TvWM9t2S39sggQDYYQlx06cYcCsmu63HMYHGCIzUVfg==",
 			"dev": true,
 			"dependencies": {
 				"dateformat": "~4.6.2",
@@ -2505,14 +2505,14 @@
 				"exit": "~0.1.2",
 				"findup-sync": "~5.0.0",
 				"glob": "~7.1.6",
-				"grunt-cli": "~1.4.3",
+				"grunt-cli": "^1.4.3",
 				"grunt-known-options": "~2.0.0",
 				"grunt-legacy-log": "~3.0.0",
 				"grunt-legacy-util": "~2.0.1",
 				"iconv-lite": "~0.6.3",
 				"js-yaml": "~3.14.0",
-				"minimatch": "~3.0.4",
-				"nopt": "~3.0.6"
+				"minimatch": "^3.1.5",
+				"nopt": "^5.0.0"
 			},
 			"bin": {
 				"grunt": "bin/grunt"
@@ -2702,18 +2702,6 @@
 				"js-yaml": "bin/js-yaml.js"
 			}
 		},
-		"node_modules/grunt/node_modules/minimatch": {
-			"version": "3.0.8",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
-			"integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
-			"dev": true,
-			"dependencies": {
-				"brace-expansion": "^1.1.7"
-			},
-			"engines": {
-				"node": "*"
-			}
-		},
 		"node_modules/grunt/node_modules/sprintf-js": {
 			"version": "1.0.3",
 			"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -3560,15 +3548,18 @@
 			"dev": true
 		},
 		"node_modules/nopt": {
-			"version": "3.0.6",
-			"resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
-			"integrity": "sha512-4GUt3kSEYmk4ITxzB/b9vaIDfUVWN/Ml1Fwl11IlnIG2iaJ9O6WXZ9SrYM9NLI8OCBieN2Y8SWC2oJV0RQ7qYg==",
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
+			"integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
 			"dev": true,
 			"dependencies": {
 				"abbrev": "1"
 			},
 			"bin": {
 				"nopt": "bin/nopt.js"
+			},
+			"engines": {
+				"node": ">=6"
 			}
 		},
 		"node_modules/normalize-package-data": {
@@ -7145,9 +7136,9 @@
 			"dev": true
 		},
 		"grunt": {
-			"version": "1.6.1",
-			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.1.tgz",
-			"integrity": "sha512-/ABUy3gYWu5iBmrUSRBP97JLpQUm0GgVveDCp6t3yRNIoltIYw7rEj3g5y1o2PGPR2vfTRGa7WC/LZHLTXnEzA==",
+			"version": "1.6.2",
+			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.2.tgz",
+			"integrity": "sha512-bUzh5nA/P5L66ihXTDP6J5BGnMB/8lXJXejYWSbH4Y4TvWM9t2S39sggQDYYQlx06cYcCsmu63HMYHGCIzUVfg==",
 			"dev": true,
 			"requires": {
 				"dateformat": "~4.6.2",
@@ -7155,14 +7146,14 @@
 				"exit": "~0.1.2",
 				"findup-sync": "~5.0.0",
 				"glob": "~7.1.6",
-				"grunt-cli": "~1.4.3",
+				"grunt-cli": "^1.4.3",
 				"grunt-known-options": "~2.0.0",
 				"grunt-legacy-log": "~3.0.0",
 				"grunt-legacy-util": "~2.0.1",
 				"iconv-lite": "~0.6.3",
 				"js-yaml": "~3.14.0",
-				"minimatch": "~3.0.4",
-				"nopt": "~3.0.6"
+				"minimatch": "^3.1.5",
+				"nopt": "^5.0.0"
 			},
 			"dependencies": {
 				"argparse": {
@@ -7184,15 +7175,6 @@
 						"esprima": "^4.0.0"
 					}
 				},
-				"minimatch": {
-					"version": "3.0.8",
-					"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
-					"integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
-					"dev": true,
-					"requires": {
-						"brace-expansion": "^1.1.7"
-					}
-				},
 				"sprintf-js": {
 					"version": "1.0.3",
 					"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -7934,9 +7916,9 @@
 			"dev": true
 		},
 		"nopt": {
-			"version": "3.0.6",
-			"resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
-			"integrity": "sha512-4GUt3kSEYmk4ITxzB/b9vaIDfUVWN/Ml1Fwl11IlnIG2iaJ9O6WXZ9SrYM9NLI8OCBieN2Y8SWC2oJV0RQ7qYg==",
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
+			"integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
 			"dev": true,
 			"requires": {
 				"abbrev": "1"
diff --git a/package.json b/package.json
index ba99872..0396043 100644
--- a/package.json
+++ b/package.json
@@ -8,7 +8,7 @@
 	},
 	"devDependencies": {
 		"eslint-config-wikimedia": "0.29.1",
-		"grunt": "1.6.1",
+		"grunt": "1.6.2",
 		"grunt-banana-checker": "0.13.0",
 		"grunt-eslint": "24.3.0",
 		"grunt-exec": "3.0.0",
-- 
2.47.3

$ date
--- stdout ---
Mon Jul  6 10:47:25 UTC 2026

--- end ---
$ git clone file:///srv/git/mediawiki-extensions-TimedMediaHandler.git /src/repo --depth=1 -b REL1_44
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/REL1_44
--- stdout ---
8d4c5141a978068d9d9318e978dda65d1799fb0b refs/heads/REL1_44

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "grunt": {
      "name": "grunt",
      "severity": "high",
      "isDirect": true,
      "via": [
        "js-yaml",
        "minimatch"
      ],
      "effects": [],
      "range": ">=0.4.0-a",
      "nodes": [
        "node_modules/grunt"
      ],
      "fixAvailable": {
        "name": "grunt",
        "version": "1.6.2",
        "isSemVerMajor": false
      }
    },
    "js-yaml": {
      "name": "js-yaml",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1121859,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
          "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
          "severity": "moderate",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<3.15.0"
        }
      ],
      "effects": [
        "grunt"
      ],
      "range": "<3.15.0",
      "nodes": [
        "node_modules/grunt/node_modules/js-yaml"
      ],
      "fixAvailable": {
        "name": "grunt",
        "version": "1.6.2",
        "isSemVerMajor": false
      }
    },
    "minimatch": {
      "name": "minimatch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1113459,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
          "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113538,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
          "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
          "severity": "high",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113546,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
          "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.4"
        }
      ],
      "effects": [
        "grunt"
      ],
      "range": "<=3.1.3",
      "nodes": [
        "node_modules/grunt/node_modules/minimatch"
      ],
      "fixAvailable": {
        "name": "grunt",
        "version": "1.6.2",
        "isSemVerMajor": false
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 2,
      "critical": 0,
      "total": 3
    },
    "dependencies": {
      "prod": 1,
      "dev": 447,
      "optional": 0,
      "peer": 1,
      "peerOptional": 0,
      "total": 447
    }
  }
}

--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 39 installs, 0 updates, 0 removals
  - Locking composer/pcre (3.4.0)
  - Locking composer/semver (3.4.3)
  - Locking composer/spdx-licenses (1.5.10)
  - Locking composer/xdebug-handler (3.0.5)
  - Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
  - Locking doctrine/deprecations (1.1.6)
  - Locking felixfbecker/advanced-json-rpc (v3.2.1)
  - Locking james-heinrich/getid3 (v1.9.25)
  - Locking mediawiki/mediawiki-codesniffer (v46.0.0)
  - Locking mediawiki/mediawiki-phan-config (0.15.1)
  - Locking mediawiki/minus-x (1.1.3)
  - Locking mediawiki/phan-taint-check-plugin (6.1.0)
  - Locking microsoft/tolerant-php-parser (v0.1.2)
  - Locking netresearch/jsonmapper (v4.5.0)
  - Locking phan/phan (5.4.5)
  - Locking php-parallel-lint/php-console-color (v1.0.1)
  - Locking php-parallel-lint/php-console-highlighter (v1.0.0)
  - Locking php-parallel-lint/php-parallel-lint (v1.4.0)
  - Locking phpcsstandards/phpcsextra (1.2.1)
  - Locking phpcsstandards/phpcsutils (1.0.12)
  - Locking phpdocumentor/reflection-common (2.2.0)
  - Locking phpdocumentor/reflection-docblock (5.6.7)
  - Locking phpdocumentor/type-resolver (1.12.0)
  - Locking phpstan/phpdoc-parser (2.3.2)
  - Locking psr/container (2.0.2)
  - Locking psr/log (3.0.2)
  - Locking sabre/event (5.1.8)
  - Locking squizlabs/php_codesniffer (3.11.3)
  - Locking symfony/console (v7.4.14)
  - Locking symfony/deprecation-contracts (v3.7.1)
  - Locking symfony/polyfill-ctype (v1.37.0)
  - Locking symfony/polyfill-intl-grapheme (v1.38.1)
  - Locking symfony/polyfill-intl-normalizer (v1.38.0)
  - Locking symfony/polyfill-mbstring (v1.38.2)
  - Locking symfony/polyfill-php80 (v1.37.0)
  - Locking symfony/service-contracts (v3.7.1)
  - Locking symfony/string (v8.1.0)
  - Locking tysonandre/var_representation_polyfill (0.1.3)
  - Locking webmozart/assert (2.4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 39 installs, 0 updates, 0 removals
    0 [>---------------------------]    0 [->--------------------------]
  - Installing squizlabs/php_codesniffer (3.11.3): Extracting archive
  - Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
  - Installing composer/pcre (3.4.0): Extracting archive
  - Installing james-heinrich/getid3 (v1.9.25): Extracting archive
  - Installing symfony/polyfill-php80 (v1.37.0): Extracting archive
  - Installing phpcsstandards/phpcsutils (1.0.12): Extracting archive
  - Installing phpcsstandards/phpcsextra (1.2.1): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.38.2): Extracting archive
  - Installing composer/spdx-licenses (1.5.10): Extracting archive
  - Installing composer/semver (3.4.3): Extracting archive
  - Installing mediawiki/mediawiki-codesniffer (v46.0.0): Extracting archive
  - Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.38.0): Extracting archive
  - Installing symfony/polyfill-intl-grapheme (v1.38.1): Extracting archive
  - Installing symfony/polyfill-ctype (v1.37.0): Extracting archive
  - Installing symfony/string (v8.1.0): Extracting archive
  - Installing symfony/deprecation-contracts (v3.7.1): Extracting archive
  - Installing psr/container (2.0.2): Extracting archive
  - Installing symfony/service-contracts (v3.7.1): Extracting archive
  - Installing symfony/console (v7.4.14): Extracting archive
  - Installing sabre/event (5.1.8): Extracting archive
  - Installing netresearch/jsonmapper (v4.5.0): Extracting archive
  - Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
  - Installing webmozart/assert (2.4.1): Extracting archive
  - Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
  - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
  - Installing doctrine/deprecations (1.1.6): Extracting archive
  - Installing phpdocumentor/type-resolver (1.12.0): Extracting archive
  - Installing phpdocumentor/reflection-docblock (5.6.7): Extracting archive
  - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
  - Installing psr/log (3.0.2): Extracting archive
  - Installing composer/xdebug-handler (3.0.5): Extracting archive
  - Installing phan/phan (5.4.5): Extracting archive
  - Installing mediawiki/phan-taint-check-plugin (6.1.0): Extracting archive
  - Installing mediawiki/mediawiki-phan-config (0.15.1): Extracting archive
  - Installing mediawiki/minus-x (1.1.3): Extracting archive
  - Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
  - Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
  - Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
  0/37 [>---------------------------]   0%
 28/37 [=====================>------]  75%
 36/37 [===========================>]  97%
 37/37 [============================] 100%
8 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "grunt": {
      "name": "grunt",
      "severity": "high",
      "isDirect": true,
      "via": [
        "js-yaml",
        "minimatch"
      ],
      "effects": [],
      "range": ">=0.4.0-a",
      "nodes": [
        "node_modules/grunt"
      ],
      "fixAvailable": {
        "name": "grunt",
        "version": "1.6.2",
        "isSemVerMajor": false
      }
    },
    "js-yaml": {
      "name": "js-yaml",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1121859,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
          "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
          "severity": "moderate",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<3.15.0"
        }
      ],
      "effects": [
        "grunt"
      ],
      "range": "<3.15.0",
      "nodes": [
        "node_modules/grunt/node_modules/js-yaml"
      ],
      "fixAvailable": {
        "name": "grunt",
        "version": "1.6.2",
        "isSemVerMajor": false
      }
    },
    "minimatch": {
      "name": "minimatch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1113459,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
          "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113538,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
          "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
          "severity": "high",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113546,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
          "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.4"
        }
      ],
      "effects": [
        "grunt"
      ],
      "range": "<=3.1.3",
      "nodes": [
        "node_modules/grunt/node_modules/minimatch"
      ],
      "fixAvailable": {
        "name": "grunt",
        "version": "1.6.2",
        "isSemVerMajor": false
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 2,
      "critical": 0,
      "total": 3
    },
    "dependencies": {
      "prod": 1,
      "dev": 447,
      "optional": 0,
      "peer": 1,
      "peerOptional": 0,
      "total": 447
    }
  }
}

--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
  "added": 447,
  "removed": 0,
  "changed": 0,
  "audited": 448,
  "funding": 98,
  "audit": {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "grunt": {
        "name": "grunt",
        "severity": "high",
        "isDirect": true,
        "via": [
          "js-yaml",
          "minimatch"
        ],
        "effects": [],
        "range": ">=0.4.0-a",
        "nodes": [
          "node_modules/grunt"
        ],
        "fixAvailable": {
          "name": "grunt",
          "version": "1.6.2",
          "isSemVerMajor": false
        }
      },
      "js-yaml": {
        "name": "js-yaml",
        "severity": "moderate",
        "isDirect": false,
        "via": [
          {
            "source": 1121859,
            "name": "js-yaml",
            "dependency": "js-yaml",
            "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
            "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
            "severity": "moderate",
            "cwe": [
              "CWE-407"
            ],
            "cvss": {
              "score": 5.3,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
            },
            "range": "<3.15.0"
          }
        ],
        "effects": [
          "grunt"
        ],
        "range": "<3.15.0",
        "nodes": [
          "node_modules/grunt/node_modules/js-yaml"
        ],
        "fixAvailable": {
          "name": "grunt",
          "version": "1.6.2",
          "isSemVerMajor": false
        }
      },
      "minimatch": {
        "name": "minimatch",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1113459,
            "name": "minimatch",
            "dependency": "minimatch",
            "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
            "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
            "severity": "high",
            "cwe": [
              "CWE-1333"
            ],
            "cvss": {
              "score": 0,
              "vectorString": null
            },
            "range": "<3.1.3"
          },
          {
            "source": 1113538,
            "name": "minimatch",
            "dependency": "minimatch",
            "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
            "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
            "severity": "high",
            "cwe": [
              "CWE-407"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<3.1.3"
          },
          {
            "source": 1113546,
            "name": "minimatch",
            "dependency": "minimatch",
            "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
            "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
            "severity": "high",
            "cwe": [
              "CWE-1333"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<3.1.4"
          }
        ],
        "effects": [
          "grunt"
        ],
        "range": "<=3.1.3",
        "nodes": [
          "node_modules/grunt/node_modules/minimatch"
        ],
        "fixAvailable": {
          "name": "grunt",
          "version": "1.6.2",
          "isSemVerMajor": false
        }
      }
    },
    "metadata": {
      "vulnerabilities": {
        "info": 0,
        "low": 0,
        "moderate": 1,
        "high": 2,
        "critical": 0,
        "total": 3
      },
      "dependencies": {
        "prod": 1,
        "dev": 447,
        "optional": 0,
        "peer": 1,
        "peerOptional": 0,
        "total": 447
      }
    }
  }
}

--- end ---
{"added": 447, "removed": 0, "changed": 0, "audited": 448, "funding": 98, "audit": {"auditReportVersion": 2, "vulnerabilities": {"grunt": {"name": "grunt", "severity": "high", "isDirect": true, "via": ["js-yaml", "minimatch"], "effects": [], "range": ">=0.4.0-a", "nodes": ["node_modules/grunt"], "fixAvailable": {"name": "grunt", "version": "1.6.2", "isSemVerMajor": false}}, "js-yaml": {"name": "js-yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1121859, "name": "js-yaml", "dependency": "js-yaml", "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases", "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68", "severity": "moderate", "cwe": ["CWE-407"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<3.15.0"}], "effects": ["grunt"], "range": "<3.15.0", "nodes": ["node_modules/grunt/node_modules/js-yaml"], "fixAvailable": {"name": "grunt", "version": "1.6.2", "isSemVerMajor": false}}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}], "effects": ["grunt"], "range": "<=3.1.3", "nodes": ["node_modules/grunt/node_modules/minimatch"], "fixAvailable": {"name": "grunt", "version": "1.6.2", "isSemVerMajor": false}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 2, "critical": 0, "total": 3}, "dependencies": {"prod": 1, "dev": 447, "optional": 0, "peer": 1, "peerOptional": 0, "total": 447}}}}
{}
Upgrading n:grunt from 1.6.1 -> 1.6.2
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---

added 446 packages, and audited 447 packages in 6s

98 packages are looking for funding
  run `npm fund` for details

# npm audit report

js-yaml  <3.15.0
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix --force`
Will install grunt@0.3.17, which is a breaking change
node_modules/grunt/node_modules/js-yaml
  grunt  >=0.4.0-a
  Depends on vulnerable versions of js-yaml
  node_modules/grunt
    grunt-eslint  <=1.0.0 || >=18.1.0
    Depends on vulnerable versions of grunt
    node_modules/grunt-eslint
    grunt-exec  >=0.4.0-rc1
    Depends on vulnerable versions of grunt
    node_modules/grunt-exec

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stdout ---

added 446 packages, and audited 447 packages in 5s

98 packages are looking for funding
  run `npm fund` for details

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

--- end ---
$ /usr/bin/npm test
--- stdout ---

> test
> grunt test

Running "eslint:all" (eslint) task

/src/repo/resources/lib/foreign-resources.yaml
   8:1  warning  This line has a length of 108. Maximum allowed is 100  max-len
  22:1  warning  This line has a length of 108. Maximum allowed is 100  max-len

/src/repo/resources/transcode-table/transcode-table.js
  16:3  warning  Prefer .then to .done  no-jquery/no-done-fail
  35:4  warning  Prefer .then to .done  no-jquery/no-done-fail
  35:4  warning  Prefer .then to .fail  no-jquery/no-done-fail

/src/repo/resources/videojs-resolution-switcher/videojs-resolution-switcher.js
  217:1  warning  This line has a length of 121. Maximum allowed is 100  max-len
  222:1  warning  This line has a length of 104. Maximum allowed is 100  max-len

✖ 7 problems (0 errors, 7 warnings)


Running "stylelint:all" (stylelint) task
>> Linted 6 files without errors

Running "banana:all" (banana) task
>> 2 message directories checked.

Done.

--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
build: Updating grunt to 1.6.2

$ git add .
--- stdout ---

--- end ---
$ git commit -F /tmp/tmphswckdnu
--- stdout ---
[REL1_44 eee0db6] build: Updating grunt to 1.6.2
 2 files changed, 23 insertions(+), 41 deletions(-)

--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From eee0db635808e8a92d16d44770bb8ab44d962962 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Mon, 6 Jul 2026 10:47:53 +0000
Subject: [PATCH] build: Updating grunt to 1.6.2

Change-Id: I3dda8cc20846fc392f83cf752231d884cc88306e
---
 package-lock.json | 62 +++++++++++++++++------------------------------
 package.json      |  2 +-
 2 files changed, 23 insertions(+), 41 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5b3efc0..84ea7f6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7,7 +7,7 @@
 			"name": "TimedMediaHandler",
 			"devDependencies": {
 				"eslint-config-wikimedia": "0.29.1",
-				"grunt": "1.6.1",
+				"grunt": "1.6.2",
 				"grunt-banana-checker": "0.13.0",
 				"grunt-eslint": "24.3.0",
 				"grunt-exec": "3.0.0",
@@ -2495,9 +2495,9 @@
 			"dev": true
 		},
 		"node_modules/grunt": {
-			"version": "1.6.1",
-			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.1.tgz",
-			"integrity": "sha512-/ABUy3gYWu5iBmrUSRBP97JLpQUm0GgVveDCp6t3yRNIoltIYw7rEj3g5y1o2PGPR2vfTRGa7WC/LZHLTXnEzA==",
+			"version": "1.6.2",
+			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.2.tgz",
+			"integrity": "sha512-bUzh5nA/P5L66ihXTDP6J5BGnMB/8lXJXejYWSbH4Y4TvWM9t2S39sggQDYYQlx06cYcCsmu63HMYHGCIzUVfg==",
 			"dev": true,
 			"dependencies": {
 				"dateformat": "~4.6.2",
@@ -2505,14 +2505,14 @@
 				"exit": "~0.1.2",
 				"findup-sync": "~5.0.0",
 				"glob": "~7.1.6",
-				"grunt-cli": "~1.4.3",
+				"grunt-cli": "^1.4.3",
 				"grunt-known-options": "~2.0.0",
 				"grunt-legacy-log": "~3.0.0",
 				"grunt-legacy-util": "~2.0.1",
 				"iconv-lite": "~0.6.3",
 				"js-yaml": "~3.14.0",
-				"minimatch": "~3.0.4",
-				"nopt": "~3.0.6"
+				"minimatch": "^3.1.5",
+				"nopt": "^5.0.0"
 			},
 			"bin": {
 				"grunt": "bin/grunt"
@@ -2702,18 +2702,6 @@
 				"js-yaml": "bin/js-yaml.js"
 			}
 		},
-		"node_modules/grunt/node_modules/minimatch": {
-			"version": "3.0.8",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
-			"integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
-			"dev": true,
-			"dependencies": {
-				"brace-expansion": "^1.1.7"
-			},
-			"engines": {
-				"node": "*"
-			}
-		},
 		"node_modules/grunt/node_modules/sprintf-js": {
 			"version": "1.0.3",
 			"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -3560,15 +3548,18 @@
 			"dev": true
 		},
 		"node_modules/nopt": {
-			"version": "3.0.6",
-			"resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
-			"integrity": "sha512-4GUt3kSEYmk4ITxzB/b9vaIDfUVWN/Ml1Fwl11IlnIG2iaJ9O6WXZ9SrYM9NLI8OCBieN2Y8SWC2oJV0RQ7qYg==",
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
+			"integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
 			"dev": true,
 			"dependencies": {
 				"abbrev": "1"
 			},
 			"bin": {
 				"nopt": "bin/nopt.js"
+			},
+			"engines": {
+				"node": ">=6"
 			}
 		},
 		"node_modules/normalize-package-data": {
@@ -7145,9 +7136,9 @@
 			"dev": true
 		},
 		"grunt": {
-			"version": "1.6.1",
-			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.1.tgz",
-			"integrity": "sha512-/ABUy3gYWu5iBmrUSRBP97JLpQUm0GgVveDCp6t3yRNIoltIYw7rEj3g5y1o2PGPR2vfTRGa7WC/LZHLTXnEzA==",
+			"version": "1.6.2",
+			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.2.tgz",
+			"integrity": "sha512-bUzh5nA/P5L66ihXTDP6J5BGnMB/8lXJXejYWSbH4Y4TvWM9t2S39sggQDYYQlx06cYcCsmu63HMYHGCIzUVfg==",
 			"dev": true,
 			"requires": {
 				"dateformat": "~4.6.2",
@@ -7155,14 +7146,14 @@
 				"exit": "~0.1.2",
 				"findup-sync": "~5.0.0",
 				"glob": "~7.1.6",
-				"grunt-cli": "~1.4.3",
+				"grunt-cli": "^1.4.3",
 				"grunt-known-options": "~2.0.0",
 				"grunt-legacy-log": "~3.0.0",
 				"grunt-legacy-util": "~2.0.1",
 				"iconv-lite": "~0.6.3",
 				"js-yaml": "~3.14.0",
-				"minimatch": "~3.0.4",
-				"nopt": "~3.0.6"
+				"minimatch": "^3.1.5",
+				"nopt": "^5.0.0"
 			},
 			"dependencies": {
 				"argparse": {
@@ -7184,15 +7175,6 @@
 						"esprima": "^4.0.0"
 					}
 				},
-				"minimatch": {
-					"version": "3.0.8",
-					"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
-					"integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
-					"dev": true,
-					"requires": {
-						"brace-expansion": "^1.1.7"
-					}
-				},
 				"sprintf-js": {
 					"version": "1.0.3",
 					"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -7934,9 +7916,9 @@
 			"dev": true
 		},
 		"nopt": {
-			"version": "3.0.6",
-			"resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
-			"integrity": "sha512-4GUt3kSEYmk4ITxzB/b9vaIDfUVWN/Ml1Fwl11IlnIG2iaJ9O6WXZ9SrYM9NLI8OCBieN2Y8SWC2oJV0RQ7qYg==",
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
+			"integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
 			"dev": true,
 			"requires": {
 				"abbrev": "1"
diff --git a/package.json b/package.json
index ba99872..0396043 100644
--- a/package.json
+++ b/package.json
@@ -8,7 +8,7 @@
 	},
 	"devDependencies": {
 		"eslint-config-wikimedia": "0.29.1",
-		"grunt": "1.6.1",
+		"grunt": "1.6.2",
 		"grunt-banana-checker": "0.13.0",
 		"grunt-eslint": "24.3.0",
 		"grunt-exec": "3.0.0",
-- 
2.47.3


--- end ---
Source code is licensed under the AGPL.