design/codex (main)

sourcepatches
$ date
--- stdout ---
Sat Aug 30 00:07:27 UTC 2025

--- end ---
$ git clone file:///srv/git/design-codex.git repo --depth=1 -b main
--- stderr ---
Cloning into 'repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/main
--- stdout ---
4c4e1622dabd0aa5ded18d86760f216db8a78d67 refs/heads/main

--- end ---
$ /usr/bin/npm i --package-lock-only
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: undefined,
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@isaacs/balanced-match@4.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@isaacs/brace-expansion@5.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.3',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'svglint@4.1.0',
npm WARN EBADENGINE   required: { node: '>=20.0.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.3',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.1.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.1.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.3',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex@2.3.1',
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-design-tokens@2.3.1',
npm WARN EBADENGINE   required: { npm: '>=10.8.1', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'rimraf@6.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: undefined,
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@vitejs/plugin-vue@6.0.0',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'vite@7.0.4',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-icons@2.3.1',
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'vite@7.0.4',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@vitejs/plugin-vue@6.0.0',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'vite@7.0.4',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex@2.3.1',
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-design-tokens@2.3.1',
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-icons@2.3.1',
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: undefined,
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---

up to date, audited 2713 packages in 6s

473 packages are looking for funding
  run `npm fund` for details

33 vulnerabilities (9 low, 19 moderate, 4 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

--- end ---
Editing .gitignore to remove package-lock.json
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@babel/helpers": {
      "name": "@babel/helpers",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1104001,
          "name": "@babel/helpers",
          "dependency": "@babel/helpers",
          "title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
          "url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 6.2,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<7.26.10"
        }
      ],
      "effects": [],
      "range": "<7.26.10",
      "nodes": [
        "node_modules/@babel/helpers"
      ],
      "fixAvailable": true
    },
    "@bundled-es-modules/glob": {
      "name": "@bundled-es-modules/glob",
      "severity": "low",
      "isDirect": false,
      "via": [
        "patch-package"
      ],
      "effects": [],
      "range": "10.3.4 - 10.4.2",
      "nodes": [
        "node_modules/@bundled-es-modules/glob"
      ],
      "fixAvailable": true
    },
    "@netlify/build": {
      "name": "@netlify/build",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "@netlify/edge-bundler",
        "@netlify/zip-it-and-ship-it"
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "0.0.24 - 0.0.26 || 9.1.0 - 11.17.0 || 11.37.2 - 12.1.2 || 29.20.8 - 32.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/build"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@netlify/edge-bundler": {
      "name": "@netlify/edge-bundler",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "esbuild"
      ],
      "effects": [
        "@netlify/build",
        "netlify-cli"
      ],
      "range": "8.20.0 - 11.4.0 || 12.0.0 - 13.0.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/edge-bundler"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@netlify/functions-utils": {
      "name": "@netlify/functions-utils",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "@netlify/zip-it-and-ship-it"
      ],
      "effects": [],
      "range": "1.3.14 - 1.3.29 || 1.3.41 || 5.2.24 - 5.3.16",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/functions-utils"
      ],
      "fixAvailable": true
    },
    "@netlify/zip-it-and-ship-it": {
      "name": "@netlify/zip-it-and-ship-it",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "esbuild"
      ],
      "effects": [
        "@netlify/build",
        "@netlify/functions-utils",
        "netlify-cli"
      ],
      "range": "2.2.0 - 4.2.7 || 9.17.0 - 10.0.7",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/zip-it-and-ship-it"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@octokit/endpoint": {
      "name": "@octokit/endpoint",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102258,
          "name": "@octokit/endpoint",
          "dependency": "@octokit/endpoint",
          "title": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-x4c5-c7rf-jjgv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=9.0.5 <9.0.6"
        }
      ],
      "effects": [],
      "range": "9.0.5",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/endpoint"
      ],
      "fixAvailable": true
    },
    "@octokit/plugin-paginate-rest": {
      "name": "@octokit/plugin-paginate-rest",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102899,
          "name": "@octokit/plugin-paginate-rest",
          "dependency": "@octokit/plugin-paginate-rest",
          "title": "@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-h5c3-5r3r-rr8q",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=9.3.0-beta.1 <11.4.1"
        }
      ],
      "effects": [
        "@octokit/rest"
      ],
      "range": "9.3.0-beta.1 - 11.4.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/plugin-paginate-rest"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@octokit/request": {
      "name": "@octokit/request",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102896,
          "name": "@octokit/request",
          "dependency": "@octokit/request",
          "title": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-rmvr-2pp2-xj38",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=1.0.0 <8.4.1"
        }
      ],
      "effects": [],
      "range": "<=8.4.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/request"
      ],
      "fixAvailable": true
    },
    "@octokit/request-error": {
      "name": "@octokit/request-error",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102256,
          "name": "@octokit/request-error",
          "dependency": "@octokit/request-error",
          "title": "@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-xx4v-prfh-6cgc",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=1.0.0 <5.1.1"
        }
      ],
      "effects": [],
      "range": "<=5.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/request-error"
      ],
      "fixAvailable": true
    },
    "@octokit/rest": {
      "name": "@octokit/rest",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "@octokit/plugin-paginate-rest"
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "20.1.1 || 21.0.0-beta.1 - 21.0.0-beta.4",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/rest"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "axios": {
      "name": "axios",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1097679,
          "name": "axios",
          "dependency": "axios",
          "title": "Axios Cross-Site Request Forgery Vulnerability",
          "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
          "severity": "moderate",
          "cwe": [
            "CWE-352"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=0.8.1 <0.28.0"
        },
        {
          "source": 1103617,
          "name": "axios",
          "dependency": "axios",
          "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
          "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
          "severity": "high",
          "cwe": [
            "CWE-918"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<0.30.0"
        }
      ],
      "effects": [
        "wait-on"
      ],
      "range": "<=0.29.0",
      "nodes": [
        "node_modules/wait-on/node_modules/axios"
      ],
      "fixAvailable": {
        "name": "start-server-and-test",
        "version": "2.0.13",
        "isSemVerMajor": true
      }
    },
    "brace-expansion": {
      "name": "brace-expansion",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1105443,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion Regular Expression Denial of Service vulnerability",
          "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
          "severity": "low",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 3.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=1.0.0 <=1.1.11"
        },
        {
          "source": 1105444,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion Regular Expression Denial of Service vulnerability",
          "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
          "severity": "low",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 3.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=2.0.0 <=2.0.1"
        }
      ],
      "effects": [],
      "range": "1.0.0 - 1.1.11 || 2.0.0 - 2.0.1",
      "nodes": [
        "node_modules/@bundled-es-modules/glob/node_modules/brace-expansion",
        "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
        "node_modules/brace-expansion",
        "node_modules/editorconfig/node_modules/brace-expansion",
        "node_modules/eslint-plugin-n/node_modules/brace-expansion",
        "node_modules/filelist/node_modules/brace-expansion",
        "node_modules/js-beautify/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@fastify/static/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@netlify/build-info/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@netlify/build/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@netlify/zip-it-and-ship-it/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/archiver-utils/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/readdir-glob/node_modules/brace-expansion",
        "packages/codex-design-tokens/node_modules/brace-expansion",
        "packages/codex-docs/node_modules/brace-expansion",
        "packages/codex-icons/node_modules/brace-expansion"
      ],
      "fixAvailable": true
    },
    "esbuild": {
      "name": "esbuild",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102341,
          "name": "esbuild",
          "dependency": "esbuild",
          "title": "esbuild enables any website to send any requests to the development server and read the response",
          "url": "https://github.com/advisories/GHSA-67mh-4wv8-2f99",
          "severity": "moderate",
          "cwe": [
            "CWE-346"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": "<=0.24.2"
        }
      ],
      "effects": [
        "@netlify/edge-bundler",
        "@netlify/zip-it-and-ship-it",
        "tsx",
        "vite"
      ],
      "range": "<=0.24.2",
      "nodes": [
        "node_modules/esbuild",
        "node_modules/netlify-cli/node_modules/@netlify/edge-bundler/node_modules/esbuild",
        "node_modules/netlify-cli/node_modules/esbuild",
        "node_modules/vite/node_modules/esbuild",
        "node_modules/vitepress/node_modules/esbuild"
      ],
      "fixAvailable": {
        "name": "vitepress",
        "version": "0.1.1",
        "isSemVerMajor": true
      }
    },
    "external-editor": {
      "name": "external-editor",
      "severity": "low",
      "isDirect": false,
      "via": [
        "tmp"
      ],
      "effects": [
        "inquirer"
      ],
      "range": ">=1.1.1",
      "nodes": [
        "node_modules/netlify-cli/node_modules/external-editor"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "form-data": {
      "name": "form-data",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1106507,
          "name": "form-data",
          "dependency": "form-data",
          "title": "form-data uses unsafe random function in form-data for choosing boundary",
          "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
          "severity": "critical",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=4.0.0 <4.0.4"
        }
      ],
      "effects": [],
      "range": "4.0.0 - 4.0.3",
      "nodes": [
        "node_modules/form-data"
      ],
      "fixAvailable": true
    },
    "http-proxy-middleware": {
      "name": "http-proxy-middleware",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1104105,
          "name": "http-proxy-middleware",
          "dependency": "http-proxy-middleware",
          "title": "http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed",
          "url": "https://github.com/advisories/GHSA-9gqv-wp59-fq42",
          "severity": "moderate",
          "cwe": [
            "CWE-754"
          ],
          "cvss": {
            "score": 4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
          },
          "range": ">=1.3.0 <2.0.9"
        },
        {
          "source": 1104106,
          "name": "http-proxy-middleware",
          "dependency": "http-proxy-middleware",
          "title": "http-proxy-middleware can call writeBody twice because \"else if\" is not used",
          "url": "https://github.com/advisories/GHSA-4www-5p9h-95mh",
          "severity": "moderate",
          "cwe": [
            "CWE-670"
          ],
          "cvss": {
            "score": 4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
          },
          "range": ">=1.3.0 <2.0.8"
        }
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "1.3.0 - 2.0.8",
      "nodes": [
        "node_modules/netlify-cli/node_modules/http-proxy-middleware"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "inquirer": {
      "name": "inquirer",
      "severity": "low",
      "isDirect": false,
      "via": [
        "external-editor"
      ],
      "effects": [
        "netlify-cli",
        "tabtab"
      ],
      "range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7",
      "nodes": [
        "node_modules/netlify-cli/node_modules/inquirer"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "ipx": {
      "name": "ipx",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1106842,
          "name": "ipx",
          "dependency": "ipx",
          "title": "IPX Allows Path Traversal via Prefix Matching Bypass",
          "url": "https://github.com/advisories/GHSA-mm3p-j368-7jcr",
          "severity": "moderate",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=2.0.0-0 <2.1.1"
        }
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "2.0.0-0 - 2.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/ipx"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "netlify-cli": {
      "name": "netlify-cli",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "@netlify/build",
        "@netlify/edge-bundler",
        "@netlify/zip-it-and-ship-it",
        "@octokit/rest",
        "http-proxy-middleware",
        "inquirer",
        "ipx",
        "tabtab"
      ],
      "effects": [],
      "range": ">=2.0.0-alpha.1",
      "nodes": [
        "node_modules/netlify-cli"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "on-headers": {
      "name": "on-headers",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1106812,
          "name": "on-headers",
          "dependency": "on-headers",
          "title": "on-headers is vulnerable to http response header manipulation",
          "url": "https://github.com/advisories/GHSA-76c9-3jph-rj3q",
          "severity": "low",
          "cwe": [
            "CWE-241"
          ],
          "cvss": {
            "score": 3.4,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<1.1.0"
        }
      ],
      "effects": [],
      "range": "<1.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/on-headers"
      ],
      "fixAvailable": true
    },
    "patch-package": {
      "name": "patch-package",
      "severity": "low",
      "isDirect": false,
      "via": [
        "tmp"
      ],
      "effects": [
        "@bundled-es-modules/glob",
        "style-dictionary"
      ],
      "range": "*",
      "nodes": [
        "node_modules/patch-package"
      ],
      "fixAvailable": {
        "name": "style-dictionary",
        "version": "5.0.4",
        "isSemVerMajor": true
      }
    },
    "prismjs": {
      "name": "prismjs",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1105770,
          "name": "prismjs",
          "dependency": "prismjs",
          "title": "PrismJS DOM Clobbering vulnerability",
          "url": "https://github.com/advisories/GHSA-x7hr-w5r2-h6wg",
          "severity": "moderate",
          "cwe": [
            "CWE-79",
            "CWE-94"
          ],
          "cvss": {
            "score": 4.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
          },
          "range": "<1.30.0"
        }
      ],
      "effects": [],
      "range": "<1.30.0",
      "nodes": [
        "node_modules/prismjs"
      ],
      "fixAvailable": {
        "name": "prismjs",
        "version": "1.30.0",
        "isSemVerMajor": false
      }
    },
    "start-server-and-test": {
      "name": "start-server-and-test",
      "severity": "high",
      "isDirect": true,
      "via": [
        "wait-on"
      ],
      "effects": [],
      "range": "1.11.1 - 2.0.2",
      "nodes": [
        "node_modules/start-server-and-test"
      ],
      "fixAvailable": {
        "name": "start-server-and-test",
        "version": "2.0.13",
        "isSemVerMajor": true
      }
    },
    "style-dictionary": {
      "name": "style-dictionary",
      "severity": "low",
      "isDirect": true,
      "via": [
        "@bundled-es-modules/glob",
        "patch-package"
      ],
      "effects": [],
      "range": "4.0.0-prerelease.0 - 5.0.2",
      "nodes": [
        "node_modules/style-dictionary"
      ],
      "fixAvailable": {
        "name": "style-dictionary",
        "version": "5.0.4",
        "isSemVerMajor": true
      }
    },
    "tabtab": {
      "name": "tabtab",
      "severity": "low",
      "isDirect": false,
      "via": [
        "inquirer"
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": ">=3.0.0-beta",
      "nodes": [
        "node_modules/netlify-cli/node_modules/tabtab"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "tar-fs": {
      "name": "tar-fs",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1104676,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
          "url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": ">=3.0.0 <3.0.7"
        },
        {
          "source": 1104677,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
          "url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": ">=2.0.0 <2.1.2"
        },
        {
          "source": 1106929,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs can extract outside the specified dir with a specific tarball",
          "url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=3.0.0 <3.0.9"
        },
        {
          "source": 1106930,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs can extract outside the specified dir with a specific tarball",
          "url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=2.0.0 <2.1.3"
        }
      ],
      "effects": [],
      "range": "2.0.0 - 2.1.2 || 3.0.0 - 3.0.8",
      "nodes": [
        "node_modules/netlify-cli/node_modules/prebuild-install/node_modules/tar-fs",
        "node_modules/netlify-cli/node_modules/tar-fs"
      ],
      "fixAvailable": true
    },
    "tmp": {
      "name": "tmp",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1106849,
          "name": "tmp",
          "dependency": "tmp",
          "title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
          "url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
          "severity": "low",
          "cwe": [
            "CWE-59"
          ],
          "cvss": {
            "score": 2.5,
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<=0.2.3"
        }
      ],
      "effects": [
        "external-editor",
        "patch-package"
      ],
      "range": "<=0.2.3",
      "nodes": [
        "node_modules/netlify-cli/node_modules/tmp",
        "node_modules/netlify-cli/node_modules/tmp-promise/node_modules/tmp",
        "node_modules/patch-package/node_modules/tmp",
        "node_modules/tmp"
      ],
      "fixAvailable": {
        "name": "style-dictionary",
        "version": "5.0.4",
        "isSemVerMajor": true
      }
    },
    "tsx": {
      "name": "tsx",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "esbuild"
      ],
      "effects": [],
      "range": "3.13.0 - 4.19.2",
      "nodes": [
        "node_modules/tsx"
      ],
      "fixAvailable": {
        "name": "tsx",
        "version": "4.20.5",
        "isSemVerMajor": false
      }
    },
    "undici": {
      "name": "undici",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1101609,
          "name": "undici",
          "dependency": "undici",
          "title": "Use of Insufficiently Random Values in undici",
          "url": "https://github.com/advisories/GHSA-c76h-2ccp-4975",
          "severity": "moderate",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 6.8,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
          },
          "range": ">=6.0.0 <6.21.1"
        },
        {
          "source": 1104500,
          "name": "undici",
          "dependency": "undici",
          "title": "undici Denial of Service attack via bad certificate data",
          "url": "https://github.com/advisories/GHSA-cxrh-j4jr-qwg3",
          "severity": "low",
          "cwe": [
            "CWE-401"
          ],
          "cvss": {
            "score": 3.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=6.0.0 <6.21.2"
        }
      ],
      "effects": [],
      "range": "6.0.0 - 6.21.1",
      "nodes": [
        "node_modules/undici"
      ],
      "fixAvailable": true
    },
    "vite": {
      "name": "vite",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102438,
          "name": "vite",
          "dependency": "vite",
          "title": "Websites were able to send any requests to the development server and read the response in vite",
          "url": "https://github.com/advisories/GHSA-vg6x-rcgg-rjx6",
          "severity": "moderate",
          "cwe": [
            "CWE-346",
            "CWE-350",
            "CWE-1385"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <=6.0.8"
        },
        {
          "source": 1103518,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite bypasses server.fs.deny when using ?raw??",
          "url": "https://github.com/advisories/GHSA-x574-m823-4x7w",
          "severity": "moderate",
          "cwe": [
            "CWE-200",
            "CWE-284"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <6.0.12"
        },
        {
          "source": 1103629,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
          "url": "https://github.com/advisories/GHSA-4r4m-qw57-chr8",
          "severity": "moderate",
          "cwe": [
            "CWE-200",
            "CWE-284"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <6.0.13"
        },
        {
          "source": 1103885,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
          "url": "https://github.com/advisories/GHSA-356w-63v5-8wf4",
          "severity": "moderate",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=6.0.0 <6.0.15"
        },
        {
          "source": 1104174,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite's server.fs.deny bypassed with /. for files under project root",
          "url": "https://github.com/advisories/GHSA-859w-5945-r5v3",
          "severity": "moderate",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=6.0.0 <=6.1.5"
        },
        {
          "source": 1104203,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
          "url": "https://github.com/advisories/GHSA-xcj6-pq6g-qj4x",
          "severity": "moderate",
          "cwe": [
            "CWE-200",
            "CWE-284"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <6.0.14"
        },
        "esbuild"
      ],
      "effects": [
        "vitepress"
      ],
      "range": "0.11.0 - 6.1.6",
      "nodes": [
        "node_modules/vite",
        "node_modules/vitepress/node_modules/vite"
      ],
      "fixAvailable": {
        "name": "vitepress",
        "version": "0.1.1",
        "isSemVerMajor": true
      }
    },
    "vitepress": {
      "name": "vitepress",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "vite"
      ],
      "effects": [],
      "range": "0.2.0 - 1.6.4",
      "nodes": [
        "node_modules/vitepress"
      ],
      "fixAvailable": {
        "name": "vitepress",
        "version": "0.1.1",
        "isSemVerMajor": true
      }
    },
    "wait-on": {
      "name": "wait-on",
      "severity": "high",
      "isDirect": false,
      "via": [
        "axios"
      ],
      "effects": [
        "start-server-and-test"
      ],
      "range": "5.0.0-rc.0 - 7.1.0",
      "nodes": [
        "node_modules/wait-on"
      ],
      "fixAvailable": {
        "name": "start-server-and-test",
        "version": "2.0.13",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 9,
      "moderate": 19,
      "high": 4,
      "critical": 1,
      "total": 33
    },
    "dependencies": {
      "prod": 141,
      "dev": 2572,
      "optional": 281,
      "peer": 81,
      "peerOptional": 0,
      "total": 2712
    }
  }
}

--- end ---
$ /usr/bin/npm i --package-lock-only
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: undefined,
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@isaacs/balanced-match@4.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@isaacs/brace-expansion@5.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.3',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'svglint@4.1.0',
npm WARN EBADENGINE   required: { node: '>=20.0.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.3',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.1.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.1.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.3',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex@2.3.1',
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-design-tokens@2.3.1',
npm WARN EBADENGINE   required: { npm: '>=10.8.1', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'rimraf@6.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: undefined,
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@vitejs/plugin-vue@6.0.0',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'vite@7.0.4',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-icons@2.3.1',
npm WARN EBADENGINE   required: { npm: '>=10.8.2', node: '>=20.19.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'glob@11.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'jackspeak@4.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'lru-cache@11.0.2',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'minimatch@10.0.1',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'path-scurry@2.0.0',
npm WARN EBADENGINE   required: { node: '20 || >=22' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'vite@7.0.4',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@vitejs/plugin-vue@6.0.0',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'vite@7.0.4',
npm WARN EBADENGINE   required: { node: '^20.19.0 || >=22.12.0' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex@2.3.1',
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-design-tokens@2.3.1',
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.1' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-icons@2.3.1',
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: undefined,
npm WARN EBADENGINE   required: { node: '>=20.19.1', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v18.19.0', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---

up to date, audited 2713 packages in 4s

473 packages are looking for funding
  run `npm fund` for details

33 vulnerabilities (9 low, 19 moderate, 4 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

--- end ---
Editing .gitignore to remove package-lock.json
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@babel/helpers": {
      "name": "@babel/helpers",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1104001,
          "name": "@babel/helpers",
          "dependency": "@babel/helpers",
          "title": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups",
          "url": "https://github.com/advisories/GHSA-968p-4wvh-cqc8",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 6.2,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<7.26.10"
        }
      ],
      "effects": [],
      "range": "<7.26.10",
      "nodes": [
        "node_modules/@babel/helpers"
      ],
      "fixAvailable": true
    },
    "@bundled-es-modules/glob": {
      "name": "@bundled-es-modules/glob",
      "severity": "low",
      "isDirect": false,
      "via": [
        "patch-package"
      ],
      "effects": [],
      "range": "10.3.4 - 10.4.2",
      "nodes": [
        "node_modules/@bundled-es-modules/glob"
      ],
      "fixAvailable": true
    },
    "@netlify/build": {
      "name": "@netlify/build",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "@netlify/edge-bundler",
        "@netlify/zip-it-and-ship-it"
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "0.0.24 - 0.0.26 || 9.1.0 - 11.17.0 || 11.37.2 - 12.1.2 || 29.20.8 - 32.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/build"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@netlify/edge-bundler": {
      "name": "@netlify/edge-bundler",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "esbuild"
      ],
      "effects": [
        "@netlify/build",
        "netlify-cli"
      ],
      "range": "8.20.0 - 11.4.0 || 12.0.0 - 13.0.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/edge-bundler"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@netlify/functions-utils": {
      "name": "@netlify/functions-utils",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "@netlify/zip-it-and-ship-it"
      ],
      "effects": [],
      "range": "1.3.14 - 1.3.29 || 1.3.41 || 5.2.24 - 5.3.16",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/functions-utils"
      ],
      "fixAvailable": true
    },
    "@netlify/zip-it-and-ship-it": {
      "name": "@netlify/zip-it-and-ship-it",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "esbuild"
      ],
      "effects": [
        "@netlify/build",
        "@netlify/functions-utils",
        "netlify-cli"
      ],
      "range": "2.2.0 - 4.2.7 || 9.17.0 - 10.0.7",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@netlify/zip-it-and-ship-it"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@octokit/endpoint": {
      "name": "@octokit/endpoint",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102258,
          "name": "@octokit/endpoint",
          "dependency": "@octokit/endpoint",
          "title": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-x4c5-c7rf-jjgv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=9.0.5 <9.0.6"
        }
      ],
      "effects": [],
      "range": "9.0.5",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/endpoint"
      ],
      "fixAvailable": true
    },
    "@octokit/plugin-paginate-rest": {
      "name": "@octokit/plugin-paginate-rest",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102899,
          "name": "@octokit/plugin-paginate-rest",
          "dependency": "@octokit/plugin-paginate-rest",
          "title": "@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-h5c3-5r3r-rr8q",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=9.3.0-beta.1 <11.4.1"
        }
      ],
      "effects": [
        "@octokit/rest"
      ],
      "range": "9.3.0-beta.1 - 11.4.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/plugin-paginate-rest"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "@octokit/request": {
      "name": "@octokit/request",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102896,
          "name": "@octokit/request",
          "dependency": "@octokit/request",
          "title": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-rmvr-2pp2-xj38",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=1.0.0 <8.4.1"
        }
      ],
      "effects": [],
      "range": "<=8.4.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/request"
      ],
      "fixAvailable": true
    },
    "@octokit/request-error": {
      "name": "@octokit/request-error",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102256,
          "name": "@octokit/request-error",
          "dependency": "@octokit/request-error",
          "title": "@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking",
          "url": "https://github.com/advisories/GHSA-xx4v-prfh-6cgc",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=1.0.0 <5.1.1"
        }
      ],
      "effects": [],
      "range": "<=5.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/request-error"
      ],
      "fixAvailable": true
    },
    "@octokit/rest": {
      "name": "@octokit/rest",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "@octokit/plugin-paginate-rest"
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "20.1.1 || 21.0.0-beta.1 - 21.0.0-beta.4",
      "nodes": [
        "node_modules/netlify-cli/node_modules/@octokit/rest"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "axios": {
      "name": "axios",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1097679,
          "name": "axios",
          "dependency": "axios",
          "title": "Axios Cross-Site Request Forgery Vulnerability",
          "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
          "severity": "moderate",
          "cwe": [
            "CWE-352"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=0.8.1 <0.28.0"
        },
        {
          "source": 1103617,
          "name": "axios",
          "dependency": "axios",
          "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
          "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
          "severity": "high",
          "cwe": [
            "CWE-918"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<0.30.0"
        }
      ],
      "effects": [
        "wait-on"
      ],
      "range": "<=0.29.0",
      "nodes": [
        "node_modules/wait-on/node_modules/axios"
      ],
      "fixAvailable": {
        "name": "start-server-and-test",
        "version": "2.0.13",
        "isSemVerMajor": true
      }
    },
    "brace-expansion": {
      "name": "brace-expansion",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1105443,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion Regular Expression Denial of Service vulnerability",
          "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
          "severity": "low",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 3.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=1.0.0 <=1.1.11"
        },
        {
          "source": 1105444,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion Regular Expression Denial of Service vulnerability",
          "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
          "severity": "low",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 3.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=2.0.0 <=2.0.1"
        }
      ],
      "effects": [],
      "range": "1.0.0 - 1.1.11 || 2.0.0 - 2.0.1",
      "nodes": [
        "node_modules/@bundled-es-modules/glob/node_modules/brace-expansion",
        "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
        "node_modules/brace-expansion",
        "node_modules/editorconfig/node_modules/brace-expansion",
        "node_modules/eslint-plugin-n/node_modules/brace-expansion",
        "node_modules/filelist/node_modules/brace-expansion",
        "node_modules/js-beautify/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@fastify/static/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@netlify/build-info/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@netlify/build/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/@netlify/zip-it-and-ship-it/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/archiver-utils/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/brace-expansion",
        "node_modules/netlify-cli/node_modules/readdir-glob/node_modules/brace-expansion",
        "packages/codex-design-tokens/node_modules/brace-expansion",
        "packages/codex-docs/node_modules/brace-expansion",
        "packages/codex-icons/node_modules/brace-expansion"
      ],
      "fixAvailable": true
    },
    "esbuild": {
      "name": "esbuild",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102341,
          "name": "esbuild",
          "dependency": "esbuild",
          "title": "esbuild enables any website to send any requests to the development server and read the response",
          "url": "https://github.com/advisories/GHSA-67mh-4wv8-2f99",
          "severity": "moderate",
          "cwe": [
            "CWE-346"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": "<=0.24.2"
        }
      ],
      "effects": [
        "@netlify/edge-bundler",
        "@netlify/zip-it-and-ship-it",
        "tsx",
        "vite"
      ],
      "range": "<=0.24.2",
      "nodes": [
        "node_modules/esbuild",
        "node_modules/netlify-cli/node_modules/@netlify/edge-bundler/node_modules/esbuild",
        "node_modules/netlify-cli/node_modules/esbuild",
        "node_modules/vite/node_modules/esbuild",
        "node_modules/vitepress/node_modules/esbuild"
      ],
      "fixAvailable": {
        "name": "vitepress",
        "version": "0.1.1",
        "isSemVerMajor": true
      }
    },
    "external-editor": {
      "name": "external-editor",
      "severity": "low",
      "isDirect": false,
      "via": [
        "tmp"
      ],
      "effects": [
        "inquirer"
      ],
      "range": ">=1.1.1",
      "nodes": [
        "node_modules/netlify-cli/node_modules/external-editor"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "form-data": {
      "name": "form-data",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1106507,
          "name": "form-data",
          "dependency": "form-data",
          "title": "form-data uses unsafe random function in form-data for choosing boundary",
          "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
          "severity": "critical",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=4.0.0 <4.0.4"
        }
      ],
      "effects": [],
      "range": "4.0.0 - 4.0.3",
      "nodes": [
        "node_modules/form-data"
      ],
      "fixAvailable": true
    },
    "http-proxy-middleware": {
      "name": "http-proxy-middleware",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1104105,
          "name": "http-proxy-middleware",
          "dependency": "http-proxy-middleware",
          "title": "http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed",
          "url": "https://github.com/advisories/GHSA-9gqv-wp59-fq42",
          "severity": "moderate",
          "cwe": [
            "CWE-754"
          ],
          "cvss": {
            "score": 4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
          },
          "range": ">=1.3.0 <2.0.9"
        },
        {
          "source": 1104106,
          "name": "http-proxy-middleware",
          "dependency": "http-proxy-middleware",
          "title": "http-proxy-middleware can call writeBody twice because \"else if\" is not used",
          "url": "https://github.com/advisories/GHSA-4www-5p9h-95mh",
          "severity": "moderate",
          "cwe": [
            "CWE-670"
          ],
          "cvss": {
            "score": 4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
          },
          "range": ">=1.3.0 <2.0.8"
        }
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "1.3.0 - 2.0.8",
      "nodes": [
        "node_modules/netlify-cli/node_modules/http-proxy-middleware"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "inquirer": {
      "name": "inquirer",
      "severity": "low",
      "isDirect": false,
      "via": [
        "external-editor"
      ],
      "effects": [
        "netlify-cli",
        "tabtab"
      ],
      "range": "3.0.0 - 8.2.6 || 9.0.0 - 9.3.7",
      "nodes": [
        "node_modules/netlify-cli/node_modules/inquirer"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "ipx": {
      "name": "ipx",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1106842,
          "name": "ipx",
          "dependency": "ipx",
          "title": "IPX Allows Path Traversal via Prefix Matching Bypass",
          "url": "https://github.com/advisories/GHSA-mm3p-j368-7jcr",
          "severity": "moderate",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=2.0.0-0 <2.1.1"
        }
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": "2.0.0-0 - 2.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/ipx"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "netlify-cli": {
      "name": "netlify-cli",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "@netlify/build",
        "@netlify/edge-bundler",
        "@netlify/zip-it-and-ship-it",
        "@octokit/rest",
        "http-proxy-middleware",
        "inquirer",
        "ipx",
        "tabtab"
      ],
      "effects": [],
      "range": ">=2.0.0-alpha.1",
      "nodes": [
        "node_modules/netlify-cli"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "on-headers": {
      "name": "on-headers",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1106812,
          "name": "on-headers",
          "dependency": "on-headers",
          "title": "on-headers is vulnerable to http response header manipulation",
          "url": "https://github.com/advisories/GHSA-76c9-3jph-rj3q",
          "severity": "low",
          "cwe": [
            "CWE-241"
          ],
          "cvss": {
            "score": 3.4,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<1.1.0"
        }
      ],
      "effects": [],
      "range": "<1.1.0",
      "nodes": [
        "node_modules/netlify-cli/node_modules/on-headers"
      ],
      "fixAvailable": true
    },
    "patch-package": {
      "name": "patch-package",
      "severity": "low",
      "isDirect": false,
      "via": [
        "tmp"
      ],
      "effects": [
        "@bundled-es-modules/glob",
        "style-dictionary"
      ],
      "range": "*",
      "nodes": [
        "node_modules/patch-package"
      ],
      "fixAvailable": {
        "name": "style-dictionary",
        "version": "5.0.4",
        "isSemVerMajor": true
      }
    },
    "prismjs": {
      "name": "prismjs",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1105770,
          "name": "prismjs",
          "dependency": "prismjs",
          "title": "PrismJS DOM Clobbering vulnerability",
          "url": "https://github.com/advisories/GHSA-x7hr-w5r2-h6wg",
          "severity": "moderate",
          "cwe": [
            "CWE-79",
            "CWE-94"
          ],
          "cvss": {
            "score": 4.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
          },
          "range": "<1.30.0"
        }
      ],
      "effects": [],
      "range": "<1.30.0",
      "nodes": [
        "node_modules/prismjs"
      ],
      "fixAvailable": {
        "name": "prismjs",
        "version": "1.30.0",
        "isSemVerMajor": false
      }
    },
    "start-server-and-test": {
      "name": "start-server-and-test",
      "severity": "high",
      "isDirect": true,
      "via": [
        "wait-on"
      ],
      "effects": [],
      "range": "1.11.1 - 2.0.2",
      "nodes": [
        "node_modules/start-server-and-test"
      ],
      "fixAvailable": {
        "name": "start-server-and-test",
        "version": "2.0.13",
        "isSemVerMajor": true
      }
    },
    "style-dictionary": {
      "name": "style-dictionary",
      "severity": "low",
      "isDirect": true,
      "via": [
        "@bundled-es-modules/glob",
        "patch-package"
      ],
      "effects": [],
      "range": "4.0.0-prerelease.0 - 5.0.2",
      "nodes": [
        "node_modules/style-dictionary"
      ],
      "fixAvailable": {
        "name": "style-dictionary",
        "version": "5.0.4",
        "isSemVerMajor": true
      }
    },
    "tabtab": {
      "name": "tabtab",
      "severity": "low",
      "isDirect": false,
      "via": [
        "inquirer"
      ],
      "effects": [
        "netlify-cli"
      ],
      "range": ">=3.0.0-beta",
      "nodes": [
        "node_modules/netlify-cli/node_modules/tabtab"
      ],
      "fixAvailable": {
        "name": "netlify-cli",
        "version": "23.4.2",
        "isSemVerMajor": true
      }
    },
    "tar-fs": {
      "name": "tar-fs",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1104676,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
          "url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": ">=3.0.0 <3.0.7"
        },
        {
          "source": 1104677,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",
          "url": "https://github.com/advisories/GHSA-pq67-2wwv-3xjx",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": ">=2.0.0 <2.1.2"
        },
        {
          "source": 1106929,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs can extract outside the specified dir with a specific tarball",
          "url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=3.0.0 <3.0.9"
        },
        {
          "source": 1106930,
          "name": "tar-fs",
          "dependency": "tar-fs",
          "title": "tar-fs can extract outside the specified dir with a specific tarball",
          "url": "https://github.com/advisories/GHSA-8cj5-5rvv-wf4v",
          "severity": "high",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=2.0.0 <2.1.3"
        }
      ],
      "effects": [],
      "range": "2.0.0 - 2.1.2 || 3.0.0 - 3.0.8",
      "nodes": [
        "node_modules/netlify-cli/node_modules/prebuild-install/node_modules/tar-fs",
        "node_modules/netlify-cli/node_modules/tar-fs"
      ],
      "fixAvailable": true
    },
    "tmp": {
      "name": "tmp",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1106849,
          "name": "tmp",
          "dependency": "tmp",
          "title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
          "url": "https://github.com/advisories/GHSA-52f5-9888-hmc6",
          "severity": "low",
          "cwe": [
            "CWE-59"
          ],
          "cvss": {
            "score": 2.5,
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<=0.2.3"
        }
      ],
      "effects": [
        "external-editor",
        "patch-package"
      ],
      "range": "<=0.2.3",
      "nodes": [
        "node_modules/netlify-cli/node_modules/tmp",
        "node_modules/netlify-cli/node_modules/tmp-promise/node_modules/tmp",
        "node_modules/patch-package/node_modules/tmp",
        "node_modules/tmp"
      ],
      "fixAvailable": {
        "name": "style-dictionary",
        "version": "5.0.4",
        "isSemVerMajor": true
      }
    },
    "tsx": {
      "name": "tsx",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "esbuild"
      ],
      "effects": [],
      "range": "3.13.0 - 4.19.2",
      "nodes": [
        "node_modules/tsx"
      ],
      "fixAvailable": {
        "name": "tsx",
        "version": "4.20.5",
        "isSemVerMajor": false
      }
    },
    "undici": {
      "name": "undici",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1101609,
          "name": "undici",
          "dependency": "undici",
          "title": "Use of Insufficiently Random Values in undici",
          "url": "https://github.com/advisories/GHSA-c76h-2ccp-4975",
          "severity": "moderate",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 6.8,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
          },
          "range": ">=6.0.0 <6.21.1"
        },
        {
          "source": 1104500,
          "name": "undici",
          "dependency": "undici",
          "title": "undici Denial of Service attack via bad certificate data",
          "url": "https://github.com/advisories/GHSA-cxrh-j4jr-qwg3",
          "severity": "low",
          "cwe": [
            "CWE-401"
          ],
          "cvss": {
            "score": 3.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=6.0.0 <6.21.2"
        }
      ],
      "effects": [],
      "range": "6.0.0 - 6.21.1",
      "nodes": [
        "node_modules/undici"
      ],
      "fixAvailable": true
    },
    "vite": {
      "name": "vite",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1102438,
          "name": "vite",
          "dependency": "vite",
          "title": "Websites were able to send any requests to the development server and read the response in vite",
          "url": "https://github.com/advisories/GHSA-vg6x-rcgg-rjx6",
          "severity": "moderate",
          "cwe": [
            "CWE-346",
            "CWE-350",
            "CWE-1385"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <=6.0.8"
        },
        {
          "source": 1103518,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite bypasses server.fs.deny when using ?raw??",
          "url": "https://github.com/advisories/GHSA-x574-m823-4x7w",
          "severity": "moderate",
          "cwe": [
            "CWE-200",
            "CWE-284"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <6.0.12"
        },
        {
          "source": 1103629,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
          "url": "https://github.com/advisories/GHSA-4r4m-qw57-chr8",
          "severity": "moderate",
          "cwe": [
            "CWE-200",
            "CWE-284"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <6.0.13"
        },
        {
          "source": 1103885,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
          "url": "https://github.com/advisories/GHSA-356w-63v5-8wf4",
          "severity": "moderate",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=6.0.0 <6.0.15"
        },
        {
          "source": 1104174,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite's server.fs.deny bypassed with /. for files under project root",
          "url": "https://github.com/advisories/GHSA-859w-5945-r5v3",
          "severity": "moderate",
          "cwe": [
            "CWE-22"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": ">=6.0.0 <=6.1.5"
        },
        {
          "source": 1104203,
          "name": "vite",
          "dependency": "vite",
          "title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
          "url": "https://github.com/advisories/GHSA-xcj6-pq6g-qj4x",
          "severity": "moderate",
          "cwe": [
            "CWE-200",
            "CWE-284"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
          },
          "range": ">=6.0.0 <6.0.14"
        },
        "esbuild"
      ],
      "effects": [
        "vitepress"
      ],
      "range": "0.11.0 - 6.1.6",
      "nodes": [
        "node_modules/vite",
        "node_modules/vitepress/node_modules/vite"
      ],
      "fixAvailable": {
        "name": "vitepress",
        "version": "0.1.1",
        "isSemVerMajor": true
      }
    },
    "vitepress": {
      "name": "vitepress",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "vite"
      ],
      "effects": [],
      "range": "0.2.0 - 1.6.4",
      "nodes": [
        "node_modules/vitepress"
      ],
      "fixAvailable": {
        "name": "vitepress",
        "version": "0.1.1",
        "isSemVerMajor": true
      }
    },
    "wait-on": {
      "name": "wait-on",
      "severity": "high",
      "isDirect": false,
      "via": [
        "axios"
      ],
      "effects": [
        "start-server-and-test"
      ],
      "range": "5.0.0-rc.0 - 7.1.0",
      "nodes": [
        "node_modules/wait-on"
      ],
      "fixAvailable": {
        "name": "start-server-and-test",
        "version": "2.0.13",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 9,
      "moderate": 19,
      "high": 4,
      "critical": 1,
      "total": 33
    },
    "dependencies": {
      "prod": 141,
      "dev": 2572,
      "optional": 281,
      "peer": 81,
      "peerOptional": 0,
      "total": 2712
    }
  }
}

--- end ---
Attempting to npm audit fix
Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 2031, in main
    libup.run(args.repo, args.output, args.branch)
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1973, in run
    self.npm_audit_fix(new_npm_audit)
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 209, in npm_audit_fix
    prior_lock = PackageLockJson()
                 ^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/files.py", line 89, in __init__
    self.data = load_ordered_json(self.fname)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/files.py", line 33, in load_ordered_json
    with open(fname) as f:
         ^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'package-lock.json'

npm dependencies

Development dependencies

Logs

Source code is licensed under the AGPL.