This run took 82 seconds.
$ date
--- stdout ---
Tue Jul 7 00:45:57 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-Echo.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
5e3f876e1a0549a5c5c9e05e2b86da726b25052a refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@wdio/mocha-framework": {
"name": "@wdio/mocha-framework",
"severity": "moderate",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": ">=7.7.4",
"nodes": [
"node_modules/@wdio/mocha-framework"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "7.7.3",
"isSemVerMajor": true
}
},
"gaze": {
"name": "gaze",
"severity": "high",
"isDirect": false,
"via": [
"globule"
],
"effects": [
"grunt-contrib-watch"
],
"range": ">=0.4.0",
"nodes": [
"node_modules/gaze"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"globule": {
"name": "globule",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"gaze"
],
"range": "*",
"nodes": [
"node_modules/globule"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"grunt": {
"name": "grunt",
"severity": "moderate",
"isDirect": true,
"via": [
"js-yaml"
],
"effects": [
"grunt-eslint"
],
"range": ">=0.4.0-a",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"grunt-contrib-watch": {
"name": "grunt-contrib-watch",
"severity": "high",
"isDirect": true,
"via": [
"gaze"
],
"effects": [],
"range": ">=0.5.0",
"nodes": [
"node_modules/grunt-contrib-watch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"grunt-eslint": {
"name": "grunt-eslint",
"severity": "moderate",
"isDirect": true,
"via": [
"grunt"
],
"effects": [],
"range": "<=1.0.0 || >=18.1.0",
"nodes": [
"node_modules/grunt-eslint"
],
"fixAvailable": {
"name": "grunt-eslint",
"version": "18.0.0",
"isSemVerMajor": true
}
},
"js-yaml": {
"name": "js-yaml",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1121859,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
"url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
"severity": "moderate",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<3.15.0"
},
{
"source": 1121860,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
"url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
"severity": "moderate",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=4.0.0 <=4.1.1"
}
],
"effects": [
"grunt"
],
"range": "<=3.14.2 || 4.0.0 - 4.1.1",
"nodes": [
"node_modules/@eslint/eslintrc/node_modules/js-yaml",
"node_modules/cosmiconfig/node_modules/js-yaml",
"node_modules/eslint/node_modules/js-yaml",
"node_modules/js-yaml",
"node_modules/mocha/node_modules/js-yaml"
],
"fixAvailable": {
"name": "grunt",
"version": "0.3.17",
"isSemVerMajor": true
}
},
"linkify-it": {
"name": "linkify-it",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1121797,
"name": "linkify-it",
"dependency": "linkify-it",
"title": "LinkifyIt#match scan loop has quadratic algorithmic complexity",
"url": "https://github.com/advisories/GHSA-22p9-wv53-3rq4",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=5.0.0"
}
],
"effects": [],
"range": "<=5.0.0",
"nodes": [
"node_modules/linkify-it"
],
"fixAvailable": true
},
"markdown-it": {
"name": "markdown-it",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1120820,
"name": "markdown-it",
"dependency": "markdown-it",
"title": "markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations",
"url": "https://github.com/advisories/GHSA-6v5v-wf23-fmfq",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-407"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<=14.1.1"
}
],
"effects": [],
"range": "<=14.1.1",
"nodes": [
"node_modules/markdown-it"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113459,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.3"
},
{
"source": 1113538,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
"url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
"severity": "high",
"cwe": [
"CWE-407"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.3"
},
{
"source": 1113546,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.1.4"
}
],
"effects": [
"globule"
],
"range": "<=3.1.3",
"nodes": [
"node_modules/globule/node_modules/minimatch"
],
"fixAvailable": {
"name": "grunt-contrib-watch",
"version": "0.4.4",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "moderate",
"isDirect": false,
"via": [
"serialize-javascript"
],
"effects": [
"@wdio/mocha-framework"
],
"range": "8.2.0 - 12.0.0-beta-2",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "7.7.3",
"isSemVerMajor": true
}
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1113686,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
"severity": "high",
"cwe": [
"CWE-96"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=7.0.2"
},
{
"source": 1119440,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
"url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-834"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.0.0 <7.0.5"
}
],
"effects": [
"mocha"
],
"range": "<=7.0.4",
"nodes": [
"node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "@wdio/mocha-framework",
"version": "7.7.3",
"isSemVerMajor": true
}
},
"undici": {
"name": "undici",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1121187,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent",
"url": "https://github.com/advisories/GHSA-vmh5-mc38-953g",
"severity": "high",
"cwe": [
"CWE-295"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"range": ">=7.23.0 <7.28.0"
},
{
"source": 1121241,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to HTTP header injection via Set-Cookie percent-decoding",
"url": "https://github.com/advisories/GHSA-p88m-4jfj-68fv",
"severity": "moderate",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=7.0.0 <7.28.0"
},
{
"source": 1121242,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to HTTP header injection via Set-Cookie percent-decoding",
"url": "https://github.com/advisories/GHSA-p88m-4jfj-68fv",
"severity": "moderate",
"cwe": [
"CWE-93"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<6.27.0"
},
{
"source": 1121244,
"name": "undici",
"dependency": "undici",
"title": "undici WebSocket client vulnerable to denial of service via fragment count bypass",
"url": "https://github.com/advisories/GHSA-vxpw-j846-p89q",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.28.0"
},
{
"source": 1121245,
"name": "undici",
"dependency": "undici",
"title": "undici WebSocket client vulnerable to denial of service via fragment count bypass",
"url": "https://github.com/advisories/GHSA-vxpw-j846-p89q",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<6.27.0"
},
{
"source": 1121247,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse",
"url": "https://github.com/advisories/GHSA-hm92-r4w5-c3mj",
"severity": "high",
"cwe": [
"CWE-346"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=7.23.0 <7.28.0"
},
{
"source": 1121249,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse",
"url": "https://github.com/advisories/GHSA-35p6-xmwp-9g52",
"severity": "low",
"cwe": [
"CWE-367"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=7.0.0 <7.28.0"
},
{
"source": 1121250,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse",
"url": "https://github.com/advisories/GHSA-35p6-xmwp-9g52",
"severity": "low",
"cwe": [
"CWE-367"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<6.27.0"
},
{
"source": 1121254,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching",
"url": "https://github.com/advisories/GHSA-g8m3-5g58-fq7m",
"severity": "low",
"cwe": [
"CWE-183"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": ">=7.0.0 <7.28.0"
},
{
"source": 1121255,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching",
"url": "https://github.com/advisories/GHSA-g8m3-5g58-fq7m",
"severity": "low",
"cwe": [
"CWE-183"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<6.27.0"
},
{
"source": 1121428,
"name": "undici",
"dependency": "undici",
"title": "undici vulnerable to cross-user information disclosure via shared cache whitespace bypass",
"url": "https://github.com/advisories/GHSA-pr7r-676h-xcf6",
"severity": "moderate",
"cwe": [
"CWE-524"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=7.0.0 <7.28.0"
}
],
"effects": [],
"range": "<=6.26.0 || 7.0.0 - 7.27.2",
"nodes": [
"node_modules/cheerio/node_modules/undici",
"node_modules/undici"
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1120730,
"name": "ws",
"dependency": "ws",
"title": "ws: Memory exhaustion DoS from tiny fragments and data chunks",
"url": "https://github.com/advisories/GHSA-96hv-2xvq-fx4p",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-770"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=8.0.0 <8.21.0"
}
],
"effects": [],
"range": "8.0.0 - 8.20.1",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 6,
"high": 8,
"critical": 0,
"total": 14
},
"dependencies": {
"prod": 1,
"dev": 911,
"optional": 37,
"peer": 1,
"peerOptional": 0,
"total": 911
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 38 installs, 0 updates, 0 removals
- Locking composer/pcre (3.4.0)
- Locking composer/semver (3.4.4)
- Locking composer/spdx-licenses (1.6.0)
- Locking composer/xdebug-handler (3.0.5)
- Locking danog/advanced-json-rpc (v3.2.3)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
- Locking doctrine/deprecations (1.1.6)
- Locking mediawiki/mediawiki-codesniffer (v51.0.0)
- Locking mediawiki/mediawiki-phan-config (0.20.0)
- Locking mediawiki/minus-x (2.0.1)
- Locking mediawiki/phan-taint-check-plugin (9.1.0)
- Locking netresearch/jsonmapper (v5.0.1)
- Locking phan/phan (6.0.2)
- Locking phan/tolerant-php-parser (v0.2.0)
- Locking phan/var_representation_polyfill (0.1.4)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.5.0)
- Locking phpcsstandards/phpcsutils (1.2.2)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (6.0.3)
- Locking phpdocumentor/type-resolver (2.0.0)
- Locking phpstan/phpdoc-parser (2.3.2)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (6.1.0)
- Locking squizlabs/php_codesniffer (3.13.5)
- Locking symfony/console (v8.1.1)
- Locking symfony/deprecation-contracts (v3.7.1)
- Locking symfony/polyfill-ctype (v1.37.0)
- Locking symfony/polyfill-intl-grapheme (v1.38.1)
- Locking symfony/polyfill-intl-normalizer (v1.38.0)
- Locking symfony/polyfill-mbstring (v1.38.2)
- Locking symfony/polyfill-php85 (v1.38.1)
- Locking symfony/service-contracts (v3.7.1)
- Locking symfony/string (v8.1.0)
- Locking webmozart/assert (2.4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 38 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
- Installing composer/pcre (3.4.0): Extracting archive
- Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
- Installing phpcsstandards/phpcsextra (1.5.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.38.2): Extracting archive
- Installing composer/spdx-licenses (1.6.0): Extracting archive
- Installing composer/semver (3.4.4): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v51.0.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.38.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.38.1): Extracting archive
- Installing symfony/polyfill-ctype (v1.37.0): Extracting archive
- Installing symfony/string (v8.1.0): Extracting archive
- Installing symfony/deprecation-contracts (v3.7.1): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.7.1): Extracting archive
- Installing symfony/polyfill-php85 (v1.38.1): Extracting archive
- Installing symfony/console (v8.1.1): Extracting archive
- Installing sabre/event (6.1.0): Extracting archive
- Installing phan/var_representation_polyfill (0.1.4): Extracting archive
- Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
- Installing netresearch/jsonmapper (v5.0.1): Extracting archive
- Installing webmozart/assert (2.4.1): Extracting archive
- Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.6): Extracting archive
- Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
- Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (6.0.2): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
- Installing mediawiki/minus-x (2.0.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
0/36 [>---------------------------] 0%
29/36 [======================>-----] 80%
36/36 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
Upgrading n:grunt-stylelint from 0.20.1 -> 0.21.0
Upgrading n:stylelint-config-wikimedia from 0.18.0 -> 0.19.2
$ /usr/bin/npm install
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-design-tokens@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.1' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'grunt-stylelint@0.21.0',
npm WARN EBADENGINE required: { node: '>=20.19.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated node-domexception@1.0.0: Use your platform's native DOMException instead
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 916 packages, and audited 917 packages in 14s
224 packages are looking for funding
run `npm fund` for details
14 vulnerabilities (6 moderate, 8 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
$ ./node_modules/.bin/grunt stylelint
--- stdout ---
Running "stylelint:all" (stylelint) task
modules/nojs/mw.echo.badge.less
32:3 ⚠ Unexpected browser feature "css-focus-visible" is not supported by Safari 12-15,11.1,12.1,13.1,14.1,15.1,15.2-15.3, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4,14.5-14.8,15.0-15.1,15.2-15.3 plugin/no-unsupported-browser-features
modules/styles/mw.echo.ui.NotificationItemWidget.less
46:4 ⚠ Unexpected browser feature "prefers-color-scheme" is not supported by Safari 12,11.1, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5 plugin/no-unsupported-browser-features
98:16 ✖ Deprecated keyword "break-word" for property "word-break" declaration-property-value-keyword-no-deprecated
118:3 ✖ Expected selector "&-actions" ("-content.mw-echo-ui-notificationItemWidget:is(-actions)") to come before selector "&-header" ("-content.mw-echo-ui-notificationItemWidget:is(-message):is(-header)"), at line 102 no-descending-specificity
✖ 4 problems (2 errors, 2 warnings)
1 error potentially fixable with the "--fix" option.
⚠ 4 warnings
Warning: Task "stylelint:all" failed. Use --force to continue.
Aborted due to warnings.
--- end ---
$ ./node_modules/.bin/stylelint modules/styles/mw.echo.ui.MenuItemWidget.less modules/mobile/notificationsFilterOverlay.less modules/styles/mw.echo.ui.PaginationWidget.less modules/styles/mw.echo.ui.SpecialHelpMenuWidget.less modules/styles/LabelIconWidget.less modules/styles/mw.echo.ui.NotificationsListWidget.less modules/styles/mw.echo.ui.NotificationsInboxWidget.less modules/styles/mw.echo.ui.overlay.minerva.less modules/nojs/mw.echo.alert.less modules/styles/mw.echo.ui.DatedNotificationsWidget.less modules/styles/mw.echo.ui.mobile.less modules/styles/mw.echo.ui.NotificationBadgeController.less modules/styles/mw.echo.ui.NotificationsInboxWidget.minerva.less modules/styles/mw.echo.ui.ActionMenuPopupWidget.less modules/styles/mw.echo.ui.DatedSubGroupListWidget.less modules/styles/mw.echo.ui.ConfirmationPopupWidget.less modules/styles/mw.echo.ui.PageFilterWidget.less modules/styles/mw.echo.ui.NotificationItemWidget.less modules/styles/mw.echo.ui.overlay.vector.less modules/styles/mw.echo.ui.overlay.wikimediaapiportal.less modules/styles/mw.echo.ui.PageNotificationsOptionWidget.less modules/nojs/mw.echo.badge.less modules/styles/mw.echo.ui.CrossWikiUnreadFilterWidget.less modules/styles/mw.echo.ui.overlay.less modules/nojs/mw.echo.special.less modules/styles/mw.echo.ui.SubGroupListWidget.less modules/echo.variables.less modules/nojs/mw.echo.notifications.less modules/styles/mw.echo.ui.overlay.monobook.less modules/styles/mw.echo.ui.CrossWikiNotificationItemWidget.less modules/echo.mixins.less modules/mobile/overlay.less modules/styles/mw.echo.ui.ToggleReadCircleButtonWidget.less modules/nojs/mw.echo.alert.monobook.less modules/styles/mw.echo.ui.NotificationsWrapper.less modules/styles/mw.echo.ui.PlaceholderItemWidget.less --fix
--- stderr ---
modules/styles/mw.echo.ui.NotificationItemWidget.less
46:4 ⚠ Unexpected browser feature "prefers-color-scheme" is not supported by Safari 12,11.1, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5 plugin/no-unsupported-browser-features
98:16 ✖ Deprecated keyword "break-word" for property "word-break" declaration-property-value-keyword-no-deprecated
118:3 ✖ Expected selector "&-actions" ("-content.mw-echo-ui-notificationItemWidget:is(-actions)") to come before selector "&-header" ("-content.mw-echo-ui-notificationItemWidget:is(-message):is(-header)"), at line 102 no-descending-specificity
modules/nojs/mw.echo.badge.less
32:3 ⚠ Unexpected browser feature "css-focus-visible" is not supported by Safari 12-15,11.1,12.1,13.1,14.1,15.1,15.2-15.3, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4,14.5-14.8,15.0-15.1,15.2-15.3 plugin/no-unsupported-browser-features
✖ 4 problems (2 errors, 2 warnings)
1 error potentially fixable with the "--fix" option.
--- stdout ---
--- end ---
$ ./node_modules/.bin/stylelint modules/styles/mw.echo.ui.MenuItemWidget.less modules/mobile/notificationsFilterOverlay.less modules/styles/mw.echo.ui.PaginationWidget.less modules/styles/mw.echo.ui.SpecialHelpMenuWidget.less modules/styles/LabelIconWidget.less modules/styles/mw.echo.ui.NotificationsListWidget.less modules/styles/mw.echo.ui.NotificationsInboxWidget.less modules/styles/mw.echo.ui.overlay.minerva.less modules/nojs/mw.echo.alert.less modules/styles/mw.echo.ui.DatedNotificationsWidget.less modules/styles/mw.echo.ui.mobile.less modules/styles/mw.echo.ui.NotificationBadgeController.less modules/styles/mw.echo.ui.NotificationsInboxWidget.minerva.less modules/styles/mw.echo.ui.ActionMenuPopupWidget.less modules/styles/mw.echo.ui.DatedSubGroupListWidget.less modules/styles/mw.echo.ui.ConfirmationPopupWidget.less modules/styles/mw.echo.ui.PageFilterWidget.less modules/styles/mw.echo.ui.NotificationItemWidget.less modules/styles/mw.echo.ui.overlay.vector.less modules/styles/mw.echo.ui.overlay.wikimediaapiportal.less modules/styles/mw.echo.ui.PageNotificationsOptionWidget.less modules/nojs/mw.echo.badge.less modules/styles/mw.echo.ui.CrossWikiUnreadFilterWidget.less modules/styles/mw.echo.ui.overlay.less modules/nojs/mw.echo.special.less modules/styles/mw.echo.ui.SubGroupListWidget.less modules/echo.variables.less modules/nojs/mw.echo.notifications.less modules/styles/mw.echo.ui.overlay.monobook.less modules/styles/mw.echo.ui.CrossWikiNotificationItemWidget.less modules/echo.mixins.less modules/mobile/overlay.less modules/styles/mw.echo.ui.ToggleReadCircleButtonWidget.less modules/nojs/mw.echo.alert.monobook.less modules/styles/mw.echo.ui.NotificationsWrapper.less modules/styles/mw.echo.ui.PlaceholderItemWidget.less -f json
--- stdout ---
[{"source":"/src/repo/modules/styles/mw.echo.ui.MenuItemWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.PaginationWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.SpecialHelpMenuWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/LabelIconWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.NotificationsListWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.NotificationsInboxWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.overlay.minerva.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.DatedNotificationsWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.mobile.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.NotificationBadgeController.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.NotificationsInboxWidget.minerva.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.ActionMenuPopupWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.DatedSubGroupListWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.ConfirmationPopupWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.PageFilterWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.NotificationItemWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":true,"warnings":[{"line":46,"column":4,"endLine":48,"endColumn":5,"rule":"plugin/no-unsupported-browser-features","severity":"warning","text":"Unexpected browser feature \"prefers-color-scheme\" is not supported by Safari 12,11.1, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5 (plugin/no-unsupported-browser-features)"},{"line":98,"column":16,"endLine":98,"endColumn":26,"rule":"declaration-property-value-keyword-no-deprecated","severity":"error","text":"Deprecated keyword \"break-word\" for property \"word-break\" (declaration-property-value-keyword-no-deprecated)"},{"line":118,"column":3,"endLine":118,"endColumn":12,"rule":"no-descending-specificity","severity":"error","text":"Expected selector \"&-actions\" (\"-content.mw-echo-ui-notificationItemWidget:is(-actions)\") to come before selector \"&-header\" (\"-content.mw-echo-ui-notificationItemWidget:is(-message):is(-header)\"), at line 102 (no-descending-specificity)"}]},{"source":"/src/repo/modules/styles/mw.echo.ui.overlay.vector.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.overlay.wikimediaapiportal.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.PageNotificationsOptionWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.CrossWikiUnreadFilterWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.overlay.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.SubGroupListWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.overlay.monobook.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.CrossWikiNotificationItemWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.ToggleReadCircleButtonWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.NotificationsWrapper.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/styles/mw.echo.ui.PlaceholderItemWidget.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/mobile/notificationsFilterOverlay.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/mobile/overlay.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/nojs/mw.echo.alert.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/nojs/mw.echo.badge.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[{"line":32,"column":3,"endLine":39,"endColumn":4,"rule":"plugin/no-unsupported-browser-features","severity":"warning","text":"Unexpected browser feature \"css-focus-visible\" is not supported by Safari 12-15,11.1,12.1,13.1,14.1,15.1,15.2-15.3, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4,14.5-14.8,15.0-15.1,15.2-15.3 (plugin/no-unsupported-browser-features)"}]},{"source":"/src/repo/modules/nojs/mw.echo.special.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/nojs/mw.echo.notifications.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/nojs/mw.echo.alert.monobook.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/echo.variables.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]},{"source":"/src/repo/modules/echo.mixins.less","deprecations":[],"invalidOptionWarnings":[],"parseErrors":[],"errored":false,"warnings":[]}]
--- end ---
$ /usr/bin/npm ci
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@wikimedia/codex-design-tokens@2.5.1',
npm WARN EBADENGINE required: { node: '>=20.20.2', npm: '>=10.8.1' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'grunt-stylelint@0.21.0',
npm WARN EBADENGINE required: { node: '>=20.19.5' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated node-domexception@1.0.0: Use your platform's native DOMException instead
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 916 packages, and audited 917 packages in 29s
224 packages are looking for funding
run `npm fund` for details
14 vulnerabilities (6 moderate, 8 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> echo@0.0.1 test
> grunt test
Running "eslint:all" (eslint) task
/src/repo/modules/controller/mw.echo.Controller.js
602:19 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
/src/repo/modules/mobile/overlay.js
49:23 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/modules/model/mw.echo.dm.BundleNotificationItem.js
100:3 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
101:4 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
101:29 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
/src/repo/modules/model/mw.echo.dm.CrossWikiNotificationItem.js
126:4 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
127:5 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
127:30 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
/src/repo/modules/model/mw.echo.dm.NotificationsList.js
245:3 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
246:4 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
246:29 warning Notification is not supported in iOS Safari 11.3-11.4 compat/compat
/src/repo/modules/ui/mw.echo.ui.BundleNotificationItemWidget.js
62:28 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/modules/ui/mw.echo.ui.CrossWikiNotificationItemWidget.js
71:28 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/modules/ui/mw.echo.ui.PaginationWidget.js
45:4 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
49:4 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
/src/repo/modules/ui/mw.echo.ui.SubGroupListWidget.js
55:16 warning OOUI button has no label. Even icon-only buttons should set a label with invisibleLabel set to true mediawiki/no-unlabeled-buttonwidget
✖ 16 problems (0 errors, 16 warnings)
Running "stylelint:all" (stylelint) task
modules/nojs/mw.echo.badge.less
4:1 ✖ Needless disable for "no-descending-specificity" --report-needless-disables
32:3 ⚠ Unexpected browser feature "css-focus-visible" is not supported by Safari 12-15,11.1,12.1,13.1,14.1,15.1,15.2-15.3, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5,13.0-13.1,13.2,13.3,13.4-13.7,14.0-14.4,14.5-14.8,15.0-15.1,15.2-15.3 plugin/no-unsupported-browser-features
modules/styles/mw.echo.ui.NotificationItemWidget.less
46:4 ⚠ Unexpected browser feature "prefers-color-scheme" is not supported by Safari 12,11.1, Safari on iOS 11.3-11.4,12.0-12.1,12.2-12.5 plugin/no-unsupported-browser-features
✖ 3 problems (1 error, 2 warnings)
⚠ 3 warnings
Warning: Task "stylelint:all" failed. Use --force to continue.
Aborted due to warnings.
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1268, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1202, in run
self.npm_upgrade(plan)
~~~~~~~~~~~~~~~~^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1064, in npm_upgrade
self.npm_test()
~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 289, in npm_test
self.check_call(["npm", "test"])
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/shell2.py", line 66, in check_call
res.check_returncode()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/subprocess.py", line 508, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
self.stderr)
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 3.